Need Help with Config Issues After Migrating to Gateway API

Asked By TechieMouse123

I recently switched my personal cluster from using Ingress with ingress-nginx to the Gateway API, specifically with Istio in ambient mode. I'm facing a couple of problems that I'm hoping to get some help on.

First, I've got two containers that only provide an HTTPS endpoint. One container generates its own self-signed certificate upon startup and allows me to mount my own certificates. The other container also generates its own self-signed certificate, but I can't override it, which is blocking my ability to connect. When I used Ingress, it was simple to configure with an annotation: `nginx.ingress.kubernetes.io/backend-protocol: HTTPS`. Now, with the Gateway API, I found `BackendTLSPolicy`, but it doesn't support options like `tlsInsecureVerify: false`, so I'm unable to connect to my second container. I tried generating a self-signed certificate with cert-manager and linking it in the `caCertificateRefs` section of the `HTTPRoute`, but it resulted in an error saying the reference was invalid. It seems cert-manager only creates secrets, not ConfigMaps.

Secondly, I want to set up a global HTTP to HTTPS redirect for certain gateways. With Ingress, it automatically handled the redirect based on the TLS section without additional configuration. But with the Gateway API, I've defined an `HTTPRoute` for redirects, but it appears ineffective. I checked Istio's logs, and everything says it's fine, so I'm at a loss for how to debug this. With over 100 services exposed, I really want to avoid having to configure each one manually. I thought the Gateway API was ready for production use, but it seems it's missing some key functionalities. Any guidance would be appreciated!

3 Answers

Answered By CloudySky88

For your BackendTLSPolicy issue, keep in mind that only a ConfigMap is supported for `caCertRef`. You can make cert-manager inject the CA certificate into a ConfigMap, which helps in this scenario. As for the `tlsInsecureVerify`, there’s an ongoing issue tracking this feature, so you might have to wait on that one. Also, about the HTTP to HTTPS redirect, have you tried sending a `curl -v` request to see what the proxy is actually returning? That might give you more insight.

Answered By DevOpsNinja42

Glad to hear adding a `sectionName` to the parent ref worked! It's important when dealing with multiple routes targeting the same listener. Just remember, if you don't specify a `sectionName`, it can lead to multiple routes conflicting without any clear error messages from Istio, making debugging tough. If you’re up against a wall with too many overlapping routes, you might need a strategy to manage your route configuration better.
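The listener-scoped attachment described in this answer, applied to the HTTP to HTTPS redirect from the question, as an added example that is not part of the original thread. The Gateway, route, namespace, Secret and Service names are assumptions; the `istio` GatewayClass is the one Istio installs.

```yaml
# Added example: one redirect route for the whole plaintext listener.
# All names below (edge, edge-tls, app, namespace "ingress") are placeholders.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: edge
  namespace: ingress
spec:
  gatewayClassName: istio
  listeners:
  - name: http            # plaintext listener: should only ever answer with redirects
    protocol: HTTP
    port: 80
  - name: https           # TLS-terminating listener: application routes attach here
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
      - name: edge-tls    # Secret holding the serving certificate
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: redirect-to-https
  namespace: ingress
spec:
  parentRefs:
  - name: edge
    sectionName: http     # bind to the port-80 listener only
  # No hostnames and no matches: applies to every host and path on that listener.
  rules:
  - filters:
    - type: RequestRedirect
      requestRedirect:
        scheme: https
        statusCode: 301
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app
  namespace: ingress
spec:
  parentRefs:
  - name: edge
    sectionName: https    # without this, the route also attaches to "http" and serves plaintext
  hostnames: ["app.example.com"]
  rules:
  - backendRefs:
    - name: app
      port: 8080
```

With this layout, a `curl -v` request to port 80 should come back as a 301 with an `https://` `Location` header. A 200 from the backend on port 80 means an application route is still attached to the `http` listener.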

Answered By K8SMaster17

We’re in the process of migrating to the API Gateway too and are facing similar issues, especially with SSO annotations from Ingress. We’ve tried implementing the external `oauth2-proxy` but have run into problems using the `extauth` feature with the API Gateway. If you've managed to tackle this, could you share how you did it?
