knative / serving

Kubernetes-based, scale-to-zero, request-driven compute
https://knative.dev/docs/serving/
Apache License 2.0

`network.http-protocol=Redirected` breaks custom Istio ingress gateways #14879

Open braunsonm opened 5 months ago

braunsonm commented 5 months ago

/area networking

What version of Knative?

1.12.3

Expected Behavior

Enabling this option with a custom Istio gateway should simply keep the custom-namespace.custom-gateway in the VirtualService so that requests coming in on 443 will match.

Actual Behavior

When enabling network.http-protocol=Redirected, Knative Serving will create a custom Gateway for every service to set httpRedirect. This way requests are immediately redirected to port 443. The problem is when this setting is enabled it replaces the custom Istio ingress gateway with the app-specific ingress gateway that is only configured with port 80, and not the custom gateway that may have been configured with TLS certificates.

This means all requests to your app after the redirect will 404.

Steps to Reproduce the Problem

  1. Create a custom Istio gateway set up to terminate TLS
  2. Configure Knative Serving to use that gateway
  3. Enable http-protocol=Redirected
  4. Notice requests will always 404.

github-actions[bot] commented 2 months ago

This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Reopen the issue with /reopen. Mark the issue as fresh by adding the comment /remove-lifecycle stale.

skonto commented 2 months ago

/remove-lifecycle stale

skonto commented 2 months ago

cc @ReToCode may have more to add here.

ReToCode commented 2 months ago

I don't think we support that combination. Knative will create dynamic gateways for configuration with TLS for Istio. I don't think you can mix that with a static custom Gateway. IMHO, if you need to do that, you must not use the Knative TLS features but handle this on your custom gateway on your own.
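
A check for the failure mode reported in this issue, as an added example that is not part of the thread or of Knative's code: given a VirtualService and the Gateways in the cluster, it flags hosts that an attached Gateway redirects to HTTPS while no attached Gateway serves TLS for them. The manifests are constructed, and the per-service Gateway name `hello-redirect`, the VirtualService name and the host are hypothetical; only `custom-namespace/custom-gateway` comes from the report.

```python
# Added example. Manifests below are constructed; "hello-redirect" is a hypothetical name.
def _matches(pattern, host):
    pattern = pattern.split("/", 1)[-1]      # drop optional "namespace/" prefix
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])    # "*" or "*.example.com"
    return pattern == host

def _serves(gateway, host, want_tls):
    """True if a server on this Gateway covers host, as TLS or as an HTTP->HTTPS redirect."""
    for srv in gateway["spec"].get("servers", []):
        is_tls = srv["port"]["protocol"] in ("HTTPS", "TLS")
        redirects = srv.get("tls", {}).get("httpsRedirect", False)
        hit = is_tls if want_tls else (not is_tls and redirects)
        if hit and any(_matches(p, host) for p in srv.get("hosts", [])):
            return True
    return False

def audit(virtual_service, gateways):
    """Return hosts that are redirected to HTTPS but have no TLS server attached."""
    ns = virtual_service["metadata"]["namespace"]
    index = {f'{g["metadata"]["namespace"]}/{g["metadata"]["name"]}': g for g in gateways}
    attached = []
    for ref in virtual_service["spec"].get("gateways", []):
        if ref == "mesh":
            continue
        key = ref if "/" in ref else f"{ns}/{ref}"   # bare name = same namespace
        if key in index:
            attached.append(index[key])
    broken = []
    for host in virtual_service["spec"]["hosts"]:
        redirected = any(_serves(g, host, want_tls=False) for g in attached)
        has_tls = any(_serves(g, host, want_tls=True) for g in attached)
        if redirected and not has_tls:
            broken.append(host)
    return broken

def make_gw(ns, name, port, proto, tls):
    srv = {"port": {"number": port, "protocol": proto}, "hosts": ["*"], "tls": tls}
    return {"metadata": {"namespace": ns, "name": name}, "spec": {"servers": [srv]}}

def make_vs(gateway_refs):
    return {"metadata": {"namespace": "default", "name": "hello-ingress"},
            "spec": {"hosts": ["hello.example.com"], "gateways": gateway_refs}}

CUSTOM = make_gw("custom-namespace", "custom-gateway", 443, "HTTPS", {"mode": "SIMPLE"})
REDIRECT = make_gw("default", "hello-redirect", 80, "HTTP", {"httpsRedirect": True})

if __name__ == "__main__":
    print(audit(make_vs(["default/hello-redirect"]), [CUSTOM, REDIRECT]))
```

Against a live cluster, the same dictionaries can be loaded from `kubectl get virtualservice,gateway -A -o json`.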