TIS0304 - Gateway Server Credentials Not Found

The gateway server credentials were not found.

Recommendation: Ensure Gateway Server Credentials Are Available

To prevent TLS configuration failures, ensure that the gateway server credentials (credentialName) are properly created as secrets in the namespace and accessible by the Gateway resource.

Examples

1. Gateway with Missing TLS Credentials

   apiVersion: networking.istio.io/v1beta1
   kind: Gateway
   metadata:
     name: missing-credentials-gateway
     namespace: example-namespace
   spec:
     selector:
       istio: ingressgateway
     servers:
     - port:
         number: 443
         name: https
         protocol: HTTPS
       hosts:
       - "example.com"
       tls:
         mode: SIMPLE
         credentialName: missing-cert

   Explanation: The Gateway is configured to use a TLS certificate identified by credentialName: missing-cert, but the credentials were not found in the secret store. This means the gateway cannot serve HTTPS traffic for the specified host, leading to potential SSL/TLS handshake failures.

Recommendation

Ensure the specified credentials are correctly created and accessible in the namespace.

1. Create the Missing TLS Secret

   Create the TLS secret with the required credentials in the appropriate namespace.

   kubectl create secret tls missing-cert \
     --cert=path/to/tls.crt \
     --key=path/to/tls.key \
     -n example-namespace

2. Verify the Credential Name

   Ensure the credential name specified in the Gateway matches the name of an existing secret in the same namespace.

   apiVersion: networking.istio.io/v1beta1
   kind: Gateway
   metadata:
     name: valid-credentials-gateway
     namespace: example-namespace
   spec:
     selector:
       istio: ingressgateway
     servers:
     - port:
         number: 443
         name: https
         protocol: HTTPS
       hosts:
       - "example.com"
       tls:
         mode: SIMPLE
         credentialName: valid-cert