ISTIO HTTPS-HTTP 404 NR route_not_found

I am trying to configure TLS termination via Istio HTTPS -> HTTP.

HTTP 80 works fine.

HTTPS 443 works only for / path.

HTTP 200:

curl https://serviceA.example.com

HTTP 404:

curl https://serviceA.example.com/blabla

Istio access logs:

GET /blabla HTTP/2" 404 NR route_not_found

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: serviceA-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "serviceA.example.com"
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: serviceA.example.com
      hosts:
        - "*"

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: serviceA-swearl
  namespace: default
spec:
  hosts:
    - serviceA.example.com
  gateways:
    - serviceA-gateway
  http:
    - route:
        - destination:
            host: serviceA.default.svc.cluster.local
            port:
              number: 80

I am not sure what I did wrong. By looking at the docs everything should be working. Setup is ISTIO operator on AWS EKS with NLB.

Also, I have a certificate - secret in the istio-system namespace. Service and Deployment have required labels.

FIX: The issue was that I had this in the Ingress definition:

pathType: ImplementationSpecific

It should be:

pathType: Prefix

Configure Ingress pathType ImplementationSpecific behavior #26883

There are 1 best solutions below

Community wiki answer for better visibility.

As the OP mentioned in the question, the problem is solved by setting

pathType: Prefix

in the ingress.

Original message:

FIX: The issue was that I had this in the Ingress definition:

pathType: ImplementationSpecific

It should be pathType: Prefix https://github.com/istio/istio/issues/26883

You can find an explanation in this official documentation:

Each path in an Ingress is required to have a corresponding path type. Paths that do not include an explicit pathType will fail validation. There are three supported path types:

  • ImplementationSpecific: With this path type, matching is up to the IngressClass. Implementations can treat this as a separate pathType or treat it identically to Prefix or Exact path types.

  • Exact: Matches the URL path exactly and with case sensitivity.

  • Prefix: Matches based on a URL path prefix split by /. Matching is case sensitive and done on a path element by element basis. A path element refers to the list of labels in the path split by the / separator. A request is a match for path p if every p is an element-wise prefix of p of the request path.
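The path type rules quoted above, written out as an added example (not code from the post, Kubernetes, or Istio). The function names and the `impl_specific_as` switch are hypothetical; defaulting `ImplementationSpecific` to Exact is an assumption chosen because it reproduces the symptom in the question, where only `/` was routed.

```python
# Added example: Ingress path matching as described in the quoted text.
def _elements(path):
    # Split on "/" and drop empty labels, so "/foo/" and "/foo" compare equal.
    return [e for e in path.split("/") if e]


def matches(path_type, rule_path, request_path, impl_specific_as="Exact"):
    """Return True if request_path matches rule_path under path_type.

    impl_specific_as is an assumption of this example: the spec leaves
    ImplementationSpecific to the IngressClass, so the caller chooses
    whether it behaves like "Exact" or like "Prefix".
    """
    if path_type == "ImplementationSpecific":
        path_type = impl_specific_as
    if path_type == "Exact":
        # Whole path, case sensitive.
        return request_path == rule_path
    if path_type == "Prefix":
        rule, req = _elements(rule_path), _elements(request_path)
        # Element-wise prefix: each rule element must equal the request
        # element in the same position.
        return req[:len(rule)] == rule
    raise ValueError(f"unknown pathType: {path_type}")


# Constructed request paths mirroring the curl calls in the question.
REQUESTS = ["/", "/blabla", "/blabla/deeper"]


def report(path_type, rule_path="/", **kw):
    """Map each constructed request path to whether the rule matches it."""
    return {r: matches(path_type, rule_path, r, **kw) for r in REQUESTS}


if __name__ == "__main__":
    for pt in ("ImplementationSpecific", "Exact", "Prefix"):
        print(pt, report(pt))
    # Prefix compares whole path elements, not substrings.
    print(matches("Prefix", "/foo/bar", "/foo/bar/baz"))
    print(matches("Prefix", "/foo/bar", "/foo/barbaz"))
```

With a rule path of `/`, only Prefix matches `/blabla`, which is why changing the pathType restored routing for every path on the host.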