问题现象

部署以下配置，发现以下问题

• https协议：wh-member1-kiali.domain.com和wh-member1-grafana.domain.com只有一个可以正常访问
• http协议：wh-member1-kiali.domain.com和wh-member1-grafana.domain.com都正常访问

$ kubectl create secret tls istio-ingressgateway-certs --key /tmp/nginx.key --cert /tmp/nginx.crt

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: kiali
  namespace: istio-system
spec:
  selector:
    app: istio-ingressgateway
  servers:
    - hosts:
        - wh-member1-kiali.domain.com
      port:
        name: http
        number: 80
        protocol: HTTP
    - hosts:
        - wh-member1-kiali.domain.com
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: istio-ingressgateway-certs
        mode: SIMPLE
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: kiali
  namespace: istio-system
spec:
  gateways:
  - kiali
  - mesh
  hosts:
  - wh-member1-kiali.domain.com
  http:
  - route:
    - destination:
        host: kiali.istio-system.svc.cluster.local
        port:
          number: 20001

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: grafana
  namespace: istio-system
spec:
  selector:
    app: istio-ingressgateway
  servers:
    - hosts:
        - wh-member1-grafana.domain.com
      port:
        name: http
        number: 80
        protocol: HTTP
    - hosts:
        - wh-member1-grafana.domain.com
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: istio-ingressgateway-certs
        mode: SIMPLE
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
  name: grafana
  namespace: istio-system
spec:
  gateways:
  - grafana
  - mesh
  hosts:
  - wh-member1-grafana.domain.com
  http:
  - route:
    - destination:
        host: grafana.istio-system.svc.cluster.local
        port:
          number: 3000

问题解决

• 定义一个Gateway资源，配置通配符hosts，相同根域名的VirtualService都关联该网关

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: domain-com-gateway
  namespace: istio-system
spec:
  selector:
    app: istio-ingressgateway
  servers:
    - hosts:
        - '*.domain.com'
      port:
        name: http
        number: 80
        protocol: HTTP
    - hosts:
        - '*.domain.com'
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: istio-ingressgateway-certs
        mode: SIMPLE

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: kiali
  namespace: istio-system
spec:
  gateways:
  - domain-com-gateway.istio-system
  - mesh
  hosts:
  - wh-member1-kiali.domain.com
  http:
  - route:
    - destination:
        host: kiali.istio-system.svc.cluster.local
        port:
          number: 20001
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
  name: grafana
  namespace: istio-system
spec:
  gateways:
  - domain-com-gateway.istio-system
  - mesh
  hosts:
  - wh-member1-grafana.domain.com
  http:
  - route:
    - destination:
        host: grafana.istio-system.svc.cluster.local
        port:
          number: 3000

问题原因

怀疑是一个Secrets只能关联一个Gateway，以上解决方式是参考官网通配符方式，刚好解决！https://istio.io/latest/zh/docs/reference/config/networking/gateway/

正在进一步验证中.......