`network.http-protocol=Redirected` breaks custom Istio ingress gateways
/area networking
What version of Knative?
1.12.3
Expected Behavior
Enabling this option with a custom Istio gateway should simply keep the custom-namespace.custom-gateway in the VirtualService so that requests coming in on 443 will match.
Actual Behavior
When enabling `network.http-protocol=Redirected`, Knative Serving will create a custom Gateway for every service to set httpRedirect. This way requests are immediately redirected to port 443. The problem is that when this setting is enabled, it replaces the custom Istio ingress gateway with the app-specific ingress gateway that is only configured with port 80, and not the custom gateway that may have been configured with TLS certificates.
This means all requests to your app after the redirect will 404.
Steps to Reproduce the Problem
- Create a custom Istio gateway set up to terminate TLS
- Configure Knative Serving to use that gateway
- Enable `http-protocol=Redirected`
- Notice requests will always 404.
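A check for the condition reported above, as an added example that is not part of the original issue or of Knative's code: it flags any VirtualService whose bound gateways redirect HTTP to HTTPS while none of them has a TLS listener for the host. The manifests are constructed dicts modelled on Istio's Gateway and VirtualService fields; `hello-redirect`, `hello-ingress`, `hello.example.com` and `placeholder-cert` are assumed names.

```python
# Added example. Manifests below are constructed, not captured from a cluster.
def serves_tls(gateway, host):
    """True if the Gateway has an HTTPS/TLS server whose hosts cover `host`."""
    for server in gateway["spec"].get("servers", []):
        if server["port"]["protocol"].upper() not in ("HTTPS", "TLS"):
            continue
        for pattern in server.get("hosts", []):
            pattern = pattern.split("/")[-1]          # drop optional "ns/" prefix
            if pattern in ("*", host) or (pattern[:2] == "*." and host.endswith(pattern[1:])):
                return True
    return False

def redirects(gateway):
    """True if any server on the Gateway sets tls.httpsRedirect."""
    return any((s.get("tls") or {}).get("httpsRedirect")
               for s in gateway["spec"].get("servers", []))

def dead_redirects(gateways, virtual_services):
    """(VirtualService, host) pairs redirected to HTTPS with no TLS listener bound."""
    by_ref = {f'{g["metadata"]["namespace"]}/{g["metadata"]["name"]}': g
              for g in gateways}
    findings = []
    for svc in virtual_services:
        ns = svc["metadata"]["namespace"]
        refs = [r if "/" in r else f"{ns}/{r}" for r in svc["spec"].get("gateways", [])]
        bound = [by_ref[r] for r in refs if r in by_ref]
        if not any(redirects(g) for g in bound):
            continue                                  # no HTTP->HTTPS redirect in play
        for host in svc["spec"].get("hosts", []):
            if not any(serves_tls(g, host) for g in bound):
                findings.append((svc["metadata"]["name"], host))
    return findings

def make_gw(ns, name, number, protocol, tls):
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"servers": [{"port": {"number": number, "protocol": protocol},
                                  "hosts": ["*"], "tls": tls}]}}

def make_vs(name, gateways):
    return {"metadata": {"namespace": "default", "name": name},
            "spec": {"hosts": ["hello.example.com"], "gateways": gateways}}

CUSTOM = make_gw("custom-namespace", "custom-gateway", 443, "HTTPS",
                 {"mode": "SIMPLE", "credentialName": "placeholder-cert"})
PER_APP = make_gw("default", "hello-redirect", 80, "HTTP", {"httpsRedirect": True})
BROKEN = make_vs("hello-ingress", ["default/hello-redirect"])
FIXED = make_vs("hello-ingress", ["default/hello-redirect", "custom-namespace/custom-gateway"])
if __name__ == "__main__":
    print(dead_redirects([CUSTOM, PER_APP], [BROKEN]), dead_redirects([CUSTOM, PER_APP], [FIXED]))
```

`BROKEN` models the state the report describes (only the port-80 per-app gateway bound); `FIXED` models the expected behaviour, with the custom gateway kept in the VirtualService.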
This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.
/remove-lifecycle stale
cc @ReToCode may have more to add here.
I don't think we support that combination. Knative will create dynamic gateways for configuration with TLS for Istio. I don't think you can mix that with a static custom Gateway. IMHO, if you need to do that, you must not use the Knative TLS features but handle this on your custom gateway on your own.