Gateway tls bug
Package Merge Request
Package Changes
- Fixed bug in umbrella template for istio gateways that was preventing the tls section from being added when TLS was the protocol
Steps to test:
Add the following sections under ingressGateways and gateways (added one for tcp and one for tls to make sure it didn't revert the original fix):
IngressGateway
mtls-ingressgateway:
  type: "LoadBalancer"
  kubernetesResourceSpec:
    service:
      ports:
        - name: tcp-health-status
          port: 15021
          targetPort: 15021
          nodePort: 30300
        - name: tcp-mtls
          port: 8443
          targetPort: 8443
          nodePort: 30301
tcp-ingressgateway:
  type: "LoadBalancer"
  k8s:
    service:
      ports:
        - name: tcp-health-status
          port: 15021
          targetPort: 15021
          nodePort: 30200
        - name: tcp-twistlock-wss
          port: 22
          targetPort: 22
          nodePort: 30201
Gateways
app-tcp:
  ingressGateway: "mtls-ingressgateway"
  autoHttpRedirect:
    enabled: false
  hosts:
    - "app-tcp.staging.dso.mil"
  servers:
    - hosts:
        - "app-tcp.staging.dso.mil"
      port:
        name: tcp-mtls
        number: 8443
        protocol: TLS
      tls:
        mode: MUTUAL
tcp:
  ingressGateway: "tcp-ingressgateway"
  autoHttpRedirect:
    enabled: false
  servers:
    - hosts:
        - "*"
      port:
        name: tcp-ssh
        number: 22
        protocol: TCP
Run the following command to validate tls section is now present in tls gateway:
kubectl get gateways app-tcp -n istio-system -o yaml
Create a dummy virtual service, doesn't matter what it's pointing to so long as the target is valid (I used the minio service as it's there by default):
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: logging-ssh
  namespace: logging
spec:
  gateways:
    - istio-system/app-tcp
  hosts:
    - '*'
  tcp:
    - match:
        - port: 8443
      route:
        - destination:
            host: minio.minio.svc.cluster.local
            port:
              number: 80
Run the following command to get the pod name for the gateway:
kubectl get po -n istio-system
Run the following command to validate listeners are present for the port (They won't show up unless a virtual service exists first):
istioctl proxy-config listeners <Pod Name from Previous Step> -n istio-system
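The tls-section check from the test steps above can be automated against `kubectl get gateways -n istio-system -o json` output. This is an added example, not part of the merge request or the chart; the function name, the script name `check_gateway_tls.py` and the sample objects are assumptions constructed for illustration.

```python
import json
import sys

# Istio port protocols whose server entry needs a `tls:` block.
TLS_PROTOCOLS = {"TLS", "HTTPS"}


def servers_missing_tls(doc):
    """Return (gateway, port name, protocol) for every server lacking `tls`.

    `doc` is the parsed output of `kubectl get gateways ... -o json`:
    either a single Gateway or a List wrapping several.
    """
    gateways = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    findings = []
    for gw in gateways:
        name = gw.get("metadata", {}).get("name", "<unnamed>")
        for server in gw.get("spec", {}).get("servers", []):
            port = server.get("port", {})
            protocol = str(port.get("protocol", "")).upper()
            if protocol in TLS_PROTOCOLS and not server.get("tls"):
                findings.append((name, port.get("name"), protocol))
    return findings


def sample_gateway(name, port_name, number, protocol, tls=None):
    """Build a constructed Gateway object shaped like the ones in the test steps."""
    port = {"name": port_name, "number": number, "protocol": protocol}
    server = {"hosts": ["*"], "port": port}
    if tls is not None:
        server["tls"] = tls
    return {"kind": "Gateway", "metadata": {"name": name}, "spec": {"servers": [server]}}


# Constructed samples: app-tcp rendered without and with the tls section, plus plain TCP.
BEFORE_FIX = sample_gateway("app-tcp", "tcp-mtls", 8443, "TLS")
AFTER_FIX = sample_gateway("app-tcp", "tcp-mtls", 8443, "TLS", {"mode": "MUTUAL"})
PLAIN_TCP = sample_gateway("tcp", "tcp-ssh", 22, "TCP")

if __name__ == "__main__":
    # Usage: kubectl get gateways -n istio-system -o json | python check_gateway_tls.py
    # With no piped input, fall back to the constructed samples.
    piped = not sys.stdin.isatty()
    doc = json.load(sys.stdin) if piped else {"kind": "List", "items": [BEFORE_FIX, PLAIN_TCP]}
    missing = servers_missing_tls(doc)
    for gw_name, port_name, protocol in missing:
        print(f"{gw_name}: server port {port_name!r} uses {protocol} but has no tls section")
    sys.exit(1 if missing else 0)
```

The non-zero exit code on a missing tls section lets the check gate a pipeline stage after the chart is rendered and applied.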
Package MR
N/A
For Issue
Closes #2381 (closed)
Upgrade Notices
N/A
Edited by Christopher O'Connell