Kiali: KIA0301 validation rule does not work for multiple ingress-gateways

Created on 17 Sep 2020  ·  3 Comments  ·  Source: kiali/kiali

Describe the bug
I get a KIA0301 warning in the Kiali UI saying that my Gateway configuration is bad, but Kiali doesn't check that I have 2 different ingress-gateways.

KIA0301 documentation says:

Gateway creates a proxy that forwards the inbound traffic for the exposed ports. If two different gateways expose the same ports for the same host, this creates ambiguity inside Istio as either of these gateways could handle the traffic. This is most likely a configuration error. This check is done across all namespaces the user has access to.

but it doesn't check whether the istio-ingress resources used are different.

Versions used
Kiali: 1.23.0
Istio: 1.6.5
Kubernetes flavour and version: AWS EKS 1.16

To Reproduce
Steps to reproduce the behavior:

  1. I have 2 istio-ingresses: one is private and the other one is public-facing. These are 2 different AWS NLBs.
➜ kubectl -n istio-system get svc
NAME                       TYPE           CLUSTER-IP       EXTERNAL-IP                                                                     PORT(S)                                                      AGE
istio-ingressgateway-prv   LoadBalancer   10.100.16.14     supersecret.amazonaws.com   15021:30378/TCP,80:32260/TCP,443:30289/TCP,15443:32552/TCP   13d
istio-ingressgateway-pub   LoadBalancer   10.100.227.209   supersecret.amazonaws.com   15021:32017/TCP,80:30360/TCP,443:31177/TCP,15443:30967/TCP   13d
istiod                     ClusterIP      10.100.137.149   <none>                      15010/TCP,15012/TCP,443/TCP,15014/TCP,853/TCP                13d
➜ 
  2. I have 2 Istio Gateways, private and public, which map to the private or public istio-ingress.
---
kind: Gateway
apiVersion: networking.istio.io/v1alpha3
metadata:
  name: istio-gateway-prv
  namespace: istio-system
spec:
  servers:
    - hosts:
        - '*'
      port:
        name: http-prv
        number: 80
        protocol: HTTP
      tls:
        httpsRedirect: true
    - hosts:
        - '*'
      port:
        name: https-prv
        number: 443
        protocol: HTTPS
      tls:
        credentialName: supersecret
        mode: SIMPLE
  selector:
    istio: istio-ingressgateway-prv
---
kind: Gateway
apiVersion: networking.istio.io/v1alpha3
metadata:
  name: istio-gateway-pub
  namespace: istio-system
spec:
  servers:
    - hosts:
        - '*'
      port:
        name: http-prv
        number: 80
        protocol: HTTP
      tls:
        httpsRedirect: true
    - hosts:
        - '*'
      port:
        name: https-prv
        number: 443
        protocol: HTTPS
      tls:
        credentialName: supersecret
        mode: SIMPLE
  selector:
    istio: istio-ingressgateway-pub
  3. I get a validation warning in the Kiali UI.

Expected behavior
The check should take into account whether the same ingress-gateway is being used or not.
My setup is actually working without any issues.

backlog bug
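
The selector-aware check this report asks for, as an added Go example (not Kiali's own code): two gateways conflict only when they expose the same host and port and also carry the same selector. The `Server`, `Gateway`, `Conflicts` and `gw` names are hypothetical, the sample gateways are constructed from the manifests above, and selector and host comparison are simplified to exact equality.

```go
package main

import "fmt"

// Server and Gateway are simplified stand-ins for the Gateway fields in the report.
type Server struct {
	Hosts []string
	Port  int
}
type Gateway struct {
	Name     string
	Selector map[string]string
	Servers  []Server
}

// Conflicts reports gateway pairs that expose the same host on the same port
// AND carry the same selector, i.e. bind to the same ingress workload.
// Assumption: exact selector equality and literal host comparison only.
func Conflicts(gws []Gateway) []string {
	seen := map[string]string{} // selector|host|port -> first gateway seen
	var out []string
	for _, g := range gws {
		sel := fmt.Sprint(g.Selector) // fmt prints maps in sorted key order
		for _, s := range g.Servers {
			for _, h := range s.Hosts {
				key := fmt.Sprintf("%s|%s|%d", sel, h, s.Port)
				if first, ok := seen[key]; !ok {
					seen[key] = g.Name
				} else if first != g.Name {
					out = append(out, fmt.Sprintf("%s <-> %s %s:%d", first, g.Name, h, s.Port))
				}
			}
		}
	}
	return out
}

// gw builds a constructed gateway shaped like the manifests: host '*' on 80 and 443.
func gw(name, istioLabel string) Gateway {
	return Gateway{name, map[string]string{"istio": istioLabel},
		[]Server{{[]string{"*"}, 80}, {[]string{"*"}, 443}}}
}

func main() {
	prv := gw("istio-gateway-prv", "istio-ingressgateway-prv")
	pub := gw("istio-gateway-pub", "istio-ingressgateway-pub")
	dup := gw("istio-gateway-dup", "istio-ingressgateway-pub") // hypothetical third gateway
	fmt.Println(Conflicts([]Gateway{prv, pub}), Conflicts([]Gateway{prv, pub, dup}))
}
```

A production check would also need to treat selectors that match the same workload through different label sets, and overlapping wildcard hosts, as candidates for conflict.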

All 3 comments

Thanks @tehleet, I'll cc @xeviknal to check if this is fixed in the next 1.24, but thanks for pointing out the use case!

I can confirm 1.24.0 doesn't solve this.

@tehleet it does make a lot of sense. Sorry for the delay in the response and fix. I expect to put my hands later next week.
