Details
-
Task
-
Resolution: Done
-
Major
-
None
-
None
Description
TL;DR: Are Gateways with multiple port definitions supported by Maistra's IOR controller and/or is there a way to automatically redirect HTTP to HTTPS on the Route or Gateway level using Maistra's IOR?
Replicated from GitHub issue maistra/ior#9
My scenario:
- I have a deployment and an associated HTTP service.
- I would like to create a Gateway (and associated VirtualService, etc.) which allows ingress to this HTTP service.
- I would also like to expose this service as HTTPS to the outside world, and automatically redirect any incoming HTTP ingress traffic to HTTPS (using either the Gateway's spec.servers.tls.httpsRedirect: true field, or the Route's spec.tls.insecureEdgeTerminationPolicy: Redirect field).
- I would like to use IOR to expose both the HTTP and HTTPS ports of the Gateway via an OpenShift Route.
Here is my example Gateway:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: httpbin-gateway
namespace: httpbin
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
tls:
httpsRedirect: true
hosts:
- httpbin.apps.example.com
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
privateKey: /etc/istio/ingressgateway-certs/tls.key
hosts:
- httpbin.apps.example.com
When deploying a ServiceMeshControlPlane with spec.istio.gateways.istio-ingressgateway.ior_enabled: true, the IOR controller creates the following route which only listens for HTTPS traffic:
apiVersion: route.openshift.io/v1
kind: Route
metadata:
annotations:
maistra.io/original-host: httpbin.apps.example.com
creationTimestamp: "2020-06-04T12:54:55Z"
generateName: httpbin-httpbin-gateway-
labels:
maistra.io/gateway-name: httpbin-gateway
maistra.io/gateway-namespace: httpbin
maistra.io/generated-by: ior
name: httpbin-httpbin-gateway-w5zlz
namespace: istio-system
resourceVersion: "21713361"
selfLink: /apis/route.openshift.io/v1/namespaces/istio-system/routes/httpbin-httpbin-gateway-w5zlz
uid: 8f4c024a-b3ee-4ce3-af46-f910113a2511
spec:
host: httpbin.apps.example.com
port:
targetPort: https
tls:
termination: passthrough
to:
kind: Service
name: istio-ingressgateway
weight: 100
wildcardPolicy: None
status:
ingress:
- conditions:
- lastTransitionTime: "2020-06-04T12:54:55Z"
status: "True"
type: Admitted
host: httpbin.apps.example.com
routerCanonicalHostname: apps.example.com
routerName: default
wildcardPolicy: None
Troubleshooting steps I've taken:
When removing either the HTTP or HTTP port blocks from the Gateway, the generated Route is correctly configured for either HTTP or HTTPS. However, when both ports are specified in the Gateway (as shown above), the route doesn't allow redirecting HTTP traffic to HTTPS.
I would expect that the IOR controller can either forward HTTP and HTTPS traffic to the Gateway and configure HTTP redirection to HTTPS on that level, or it should set the spec.tls.insecureEdgeTerminationPolicy to Redirect on the Route level.
*Is there a way to automatically redirect HTTP to HTTPS on the Route or Gateway level using Maistra's IOR?*
