404 when using wildcard gateway with ingress

[nbragin4]

If you are reporting any crash or any potential security issue, do not
open an issue in this repo. Please report the issue via ASRC(Alibaba Security Response Center) where the issue will be triaged appropriately.

• I have searched the issues of this repository and believe that this is not a duplicate.

Ⅰ. Issue Description

Encountering a 404 error when using a wildcard gateway in conjunction with ingress rules. It appears that the wildcard Gateway may be overriding specific non-wildcard ingress rules.

Ⅱ. Describe what happened

When creating a gateway with the following configuration, I intermittently receive a 404 error when accessing specific routes defined by ingress resources.

If there is an exception, please attach the exception trace:

No trace for this behavior.

Ⅲ. Describe what you expected to happen

I expected the wildcard gateway to coexist with the non-wildcard ingress rules without causing conflicts, allowing access to both wildcard and specific routes without resulting in 404 errors.

Ⅳ. How to reproduce it (as minimally and precisely as possible)

1. Create a Gateway using the following YAML configuration:

   apiVersion: networking.istio.io/v1beta1
   kind: Gateway
   metadata:
     name: test-gateway
     namespace: test-gateway
   spec:
     selector:
       higress: test-gateway
     servers:
       - hosts:
           - '*.example.com'
         port:
           name: https
           number: 443
           protocol: HTTPS
         tls:
           cipherSuites:
             - ECDHE-ECDSA-AES128-GCM-SHA256
             - ECDHE-RSA-AES128-GCM-SHA256
             - ECDHE-ECDSA-AES256-GCM-SHA384
             - ECDHE-RSA-AES256-GCM-SHA384
           credentialName: test-gateway-certificate
           minProtocolVersion: TLSV1_2
           mode: SIMPLE

2. Define a non-wildcard ingress rule for a specific host (e.g., test.example.com).
3. Attempt to access both the wildcard and non-wildcard routes and observe the 404 errors.
4. restart higress gateway pod every time when you change related to this gateway virtualservices or ingresses .

Ⅴ. Anything else we need to know?

It would be beneficial to understand if there are any existing mechanisms to resolve priority issues between wildcard gateways and specific ingress rules automatically.

Ⅵ. Environment:

• Higress version: 1.4.1
• OS: Cloud Provider deployed Linux k8s distro (Ubuntu)
• Others: works inside istio 1.19.3 mesh

[CH3CHO]

Is istio CRD enabled in Higress?

https://higress.io/docs/latest/ops/deploy-by-helm/#%E6%94%AF%E6%8C%81-istio-crd%E5%8F%AF%E9%80%89

[johnlanni]

Does the selector of your Gateway resource match the labels of the higress-gateway pods? By default, when installed, the label for higress-gateway is higress: {install-namespace}-higress-gateway.

[nbragin4]

Istio CRD enabled in higress. gateway selector is correct - virtualservices binded to that gateway work as expected, but, if gateway works, then ingress doesn't untill i restart higress pods. looks like after pod reloading the ingresses getting higher priority than wildcard gateway and work as expected.

[johnlanni]

higress: test-gateway

@nbragin4 Does your higress-gateway pod have this label? Higress standard installation mode does not add this label, did you modify the helm chart to add it yourself? In that case, did you modify anything else?

[johnlanni]

If it's convenient, you can enter the higress-controller container and execute the following command to verify the control plane configuration. Please paste the output configuration content.

curl localhost:15014/debug/configz

[nbragin4]

higress: test-gateway

@johnlanni i redacted sensitive data before submitting issue, it's just redacted sample, original sample consists with higress: {install-namespace}-higress-gateway labeling.

curl localhost:15014/debug/configz

i'll gather debug info when problem shows up again and will send it here. thanks for patience