I have a manually deployed istio gateway (from this helm chart) and I'm trying to configure a kubernetes api gateway resource using TLS. However, whenever I set the `hostname:` field on the gateway resource, istio responds with:

```
2025-02-05T18:51:09.844430Z debug envoy conn_handler external/envoy/source/common/listener_manager/active_stream_listener_base.cc:45 closing connection from XXX.XXX.XXX.0:39292: no matching filter chain found thread=21
```

My Gateway and HTTPRoute are configured as follows. NOTE: I'm running the manually deployed gateway on ports 81 and 444 for testing purposes. The service port redirects to 443 on the istio-ingress pod.
```yaml
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway
  namespace: istio-ingress
spec:
  gatewayClassName: istio
  listeners:
  - name: default
    port: 81
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: All
  - name: default-tls
    hostname: "httpbin.example.com"
    port: 444
    protocol: HTTPS
    tls:
      certificateRefs:
      - kind: Secret
        name: httpbin-example
        namespace: default
    allowedRoutes:
      namespaces:
        from: All
  addresses:
  - value: istio-ingress.istio-ingress.svc.cluster.local
    type: Hostname
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-istio-ingress-to-ref-secrets
  namespace: default
spec:
  from:
  - group: gateway.networking.k8s.io
    kind: Gateway
    namespace: istio-ingress
  to:
  - group: ""
    kind: Secret
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http
  namespace: default
spec:
  parentRefs:
  - name: gateway
    namespace: istio-ingress
  hostnames:
  - httpbin.example.com
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /get
    backendRefs:
    - name: httpbin
      port: 8000
```
The response I receive from a curl request is:

```
$ curl -kLvv -H "Host: httpbin.example.com" https://XXX.XXX.XXX.XXX:444/get?foo=bar
* TCP_NODELAY set
* Connected to XXX.XXX.XXX.XXX (XXX.XXX.XXX.XXX) port 444 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to XXX.XXX.XXX.XXX:444
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to XXX.XXX.XXX.XXX:444
```

Adding `--resolve httpbin.example.com:444:XXX.XXX.XXX.XXX` does not seem to help either.
When I print out the envoy listener config for the istio-ingress pod, I see the following.

```json
.....
{
  "name": "0.0.0.0_443",
  "address": {
    "socketAddress": {
      "address": "0.0.0.0",
      "portValue": 443
    }
  },
  "filterChains": [
    {
      "filterChainMatch": {
        "serverNames": [
          "httpbin.example.com"
        ]
      },
      "filters": [
        {
          "name": "envoy.filters.network.http_connection_manager",
          "typedConfig": {
            "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
            "statPrefix": "outbound_0.0.0.0_443",
            "rds": {
              "configSource": {
                "ads": {},
                "initialFetchTimeout": "0s",
                "resourceApiVersion": "V3"
              },
              "routeConfigName": "https.444.default.gateway-istio-autogenerated-k8s-gateway-default-tls.istio-ingress"
            },
            "httpFilters": [
              {
                "name": "istio.metadata_exchange",
                "typedConfig": {
                  "@type": "type.googleapis.com/udpa.type.v1.TypedStruct",
                  "typeUrl": "type.googleapis.com/io.istio.http.peer_metadata.Config",
                  "value": {
                    "upstream_discovery": [
                      {
                        "istio_headers": {}
                      },
                      {
                        "workload_discovery": {}
                      }
                    ],
                    "upstream_propagation": [
                      {
                        "istio_headers": {}
                      }
                    ]
                  }
                }
              },
....
```
If I remove `hostname:` from the Gateway resource, Istio removes the `filterChainMatch` from the listener and traffic flows properly. How can I specify the hostname in the Gateway resource and have istio route traffic properly?

The version of istio is 1.21.6.
1 Answer

It seems the issue was with my curl command and the resolve:

```shell
curl -kLvv --resolve httpbin.example.com:444:XXX.XXX.XXX.XXX https://httpbin.example.com:444/get?foo=bar
```

Using the resolve option and changing from the IP address to the actual hostname works. Not sure what the difference is.
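The fix works because curl takes the TLS SNI from the URL host, not from `-H "Host:"` (which only affects the HTTP request after the handshake), so `https://<IP>` sends a ClientHello with no SNI and Envoy has no chain whose `serverNames` can match it; `--resolve` with the hostname in the URL makes the SNI match the listener's `filterChainMatch`. The script below is an added example, not code from the question, answer, Istio or Envoy: it simulates Envoy's chain selection over a listener constructed to mirror the one printed in the question, using 203.0.113.10 as a placeholder for the masked address.

```python
"""Simulate Envoy's SNI-based filter-chain selection for the listener above.
Added example; not code from the question, Istio or Envoy."""
import ipaddress
import json
from typing import Optional

# Constructed to mirror the question's listener fragment: the only chain is
# restricted to the exact server name set by the Gateway's hostname: field.
LISTENER = json.loads("""{
  "name": "0.0.0.0_443",
  "filterChains": [
    {"filterChainMatch": {"serverNames": ["httpbin.example.com"]},
     "filters": [{"name": "envoy.filters.network.http_connection_manager"}]}
  ]
}""")


def sni_for_curl(url_host: str) -> Optional[str]:
    """curl derives the TLS SNI from the URL host, never from -H 'Host: ...';
    an IP literal in the URL means the ClientHello carries no SNI at all."""
    try:
        ipaddress.ip_address(url_host)
        return None
    except ValueError:
        return url_host.lower()


def select_filter_chain(listener: dict, sni: Optional[str]) -> Optional[int]:
    """Return the index of the chain Envoy would pick, or None, which Envoy
    logs as 'no matching filter chain found'. Preference: exact server name,
    then the longest matching wildcard (*.suffix), then a chain with no
    serverNames (catch-all)."""
    best = None  # (rank tuple, index); lower rank wins
    for idx, chain in enumerate(listener["filterChains"]):
        names = [n.lower() for n in chain.get("filterChainMatch", {}).get("serverNames", [])]
        if not names:
            rank = (2, 0)
        elif sni is None:
            continue  # a serverNames-restricted chain never matches a hello without SNI
        elif sni in names:
            rank = (0, 0)
        else:
            hits = [n for n in names if n.startswith("*.") and sni.endswith(n[1:])]
            if not hits:
                continue
            rank = (1, -max(len(n) for n in hits))
        if best is None or rank < best[0]:
            best = (rank, idx)
    return None if best is None else best[1]


if __name__ == "__main__":
    for host in ("203.0.113.10", "httpbin.example.com"):  # placeholder IP, then the real name
        sni = sni_for_curl(host)
        print(f"curl https://{host}:444/ -> SNI={sni!r} -> chain={select_filter_chain(LISTENER, sni)}")
```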