Networking-istio pod: Failed to list *v1alpha3.Gateway #5936

@bakayolo

In what area(s)?

/area networking

What version of Knative?

0.10.0

Expected Behavior

No error.

Actual Behavior

In networking-istio pod

E1105 09:00:56.866862       1 reflector.go:125] knative.dev/pkg/controller/controller.go:437: Failed to list *v1alpha3.Gateway: v1alpha3.GatewayList.Items: []v1alpha3.Gateway: v1alpha3.Gateway.Spec: v1alpha3.GatewaySpec.Servers: []v1alpha3.Server: v1alpha3.Server.v1alpha3.Server.TLS: v1alpha3.TLSOptions.Mode: ReadString: expects " or n, but found 1, error found in #10 byte of ...|","mode":1,"private_|..., bigger context ...|ert-ba7c25e5-ebce-4c97-849f-9f5cb4cc4f0d","mode":1,"private_key":"sds","server_certificate":"sds"}},|...

EDIT:
This bug is actually quite serious because it's fucking up the pod (I have more than 1 gateway like below) and I get IngressNotConfigured for all my kservice. After changing the mode to SIMPLE, it works again.

Steps to Reproduce the Problem

Create a gateway with spec.servers[*].tls.mode=1 (instead of SIMPLE)

Apply this gateway

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: gw-fe381766-df4d-4fb8-b17c-7e0f4d3ad8ef
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - something.com
    port:
      name: https-fe381766-df4d-4fb8-b17c-7e0f4d3ad8ef
      number: 443
      protocol: HTTPS
    tls:
      credential_name: cert-fe381766-df4d-4fb8-b17c-7e0f4d3ad8ef
      mode: 1
      private_key: sds
      server_certificate: sds
  - hosts:
    - something.com
    port:
      name: http-fe381766-df4d-4fb8-b17c-7e0f4d3ad8ef
      number: 80
      protocol: HTTP

FYI

// TLS modes enforced by the proxy
type Server_TLSOptions_TLSmode int32

const (
	// The SNI string presented by the client will be used as the match
	// criterion in a VirtualService TLS route to determine the
	// destination service from the service registry.
	Server_TLSOptions_PASSTHROUGH Server_TLSOptions_TLSmode = 0
	// Secure connections with standard TLS semantics.
	Server_TLSOptions_SIMPLE Server_TLSOptions_TLSmode = 1
	// Secure connections to the downstream using mutual TLS by presenting
	// server certificates for authentication.
	Server_TLSOptions_MUTUAL Server_TLSOptions_TLSmode = 2
	// Similar to the passthrough mode, except servers with this TLS mode
	// do not require an associated VirtualService to map from the SNI
	// value to service in the registry. The destination details such as
	// the service/subset/port are encoded in the SNI value. The proxy
	// will forward to the upstream (Envoy) cluster (a group of
	// endpoints) specified by the SNI value. This server is typically
	// used to provide connectivity between services in disparate L3
	// networks that otherwise do not have direct connectivity between
	// their respective endpoints. Use of this mode assumes that both the
	// source and the destination are using Istio mTLS to secure traffic.
	Server_TLSOptions_AUTO_PASSTHROUGH Server_TLSOptions_TLSmode = 3
	// Secure connections from the downstream using mutual TLS by presenting
	// server certificates for authentication.
	// Compared to Mutual mode, this mode uses certificates, representing
	// gateway workload identity, generated automatically by Istio for
	// mTLS authentication. When this mode is used, all other fields in
	// `TLSOptions` should be empty.
	Server_TLSOptions_ISTIO_MUTUAL Server_TLSOptions_TLSmode = 4
)
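
The failure reported above, reproduced as an added example that is not part of the original issue or of Knative's or Istio's code: a decoder that expects the enum name returns an error for the whole list when one entry carries the numeric form, while a decoder that accepts both forms and still rejects unknown values does not. `TLSMode`, `server`, `DecodeStrict`, `DecodeTolerant` and the sample JSON are assumptions made for illustration; the enum values come from the Go constants quoted in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// TLSMode is a hypothetical type carrying the enum values quoted in the issue.
type TLSMode int32

var modeByName = map[string]TLSMode{"PASSTHROUGH": 0, "SIMPLE": 1, "MUTUAL": 2, "AUTO_PASSTHROUGH": 3, "ISTIO_MUTUAL": 4}

// UnmarshalJSON accepts the enum name ("SIMPLE") or its number (1) and
// rejects anything else, including unknown names and out-of-range numbers.
func (m *TLSMode) UnmarshalJSON(b []byte) error {
	var name string
	if json.Unmarshal(b, &name) == nil {
		if v, ok := modeByName[name]; ok {
			*m = v
			return nil
		}
	} else if n, err := strconv.Atoi(string(b)); err == nil && n >= 0 && n <= 4 {
		*m = TLSMode(n)
		return nil
	}
	return fmt.Errorf("invalid TLS mode %s", b)
}

// server is a hypothetical stand-in for one Gateway server's tls block.
type server struct{ Mode TLSMode `json:"mode"` }

// sampleList is constructed: the second entry uses the numeric mode from the issue.
const sampleList = `[{"mode":"SIMPLE"},{"mode":1,"private_key":"sds"}]`

// DecodeStrict models a string-only mode field; the numeric entry makes the call fail.
func DecodeStrict(data string) error {
	var out []struct{ Mode string `json:"mode"` }
	return json.Unmarshal([]byte(data), &out)
}

// DecodeTolerant decodes the same list through TLSMode.UnmarshalJSON.
func DecodeTolerant(data string) ([]server, error) {
	var out []server
	err := json.Unmarshal([]byte(data), &out)
	return out, err
}

func main() {
	out, err := DecodeTolerant(sampleList)
	fmt.Println("strict:", DecodeStrict(sampleList), "| tolerant:", out, err)
}
```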
