envoyproxy/gateway

Update CTP status to highlight that any TLS setting requires HTTPS to be enabled in the listener

Open

#3,083 opened on Apr 3, 2024

View on GitHub
 (1 comment) (0 reactions) (0 assignees)Go (802 forks)auto 404
help wanted

Repository metrics

Stars
 (2,871 stars)
PR merge metrics
 (PR metrics pending)

Description

@jhouston1604

Looking at the listener configuration, none of those listeners are configured to use TLS.

Your gateway is defined like this:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: envoy-public
  namespace: envoy-public
spec:
  gatewayClassName: envoy-public
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: All
    - name: https
      protocol: HTTP
      port: 443
      allowedRoutes:
        namespaces:
          from: All

Simply using port 443 doesn't transform the listener to a TLS enabled listener. You need to add a TLS section at the very least:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: envoy-public
  namespace: envoy-public
spec:
  gatewayClassName: envoy-public
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: All
    - name: https
      protocol: HTTPS # The protocol needs to be HTTPS and not HTTP
      port: 443
      allowedRoutes:
        namespaces:
          from: All
      tls: # This section is missing in the configuration files you listed above
         certificateRefs:  # The place where the server X.509 certificate can be found
         - group: "" 
            kind: Secret
            name: example-cert
          mode: Terminate  

Since TLS is not configured for any of the listeners, limiting the supported TLS version to 1.3 in a ClientTrafficPolicy doesn't really make any sense here.

Originally posted by @liorokman in https://github.com/envoyproxy/gateway/issues/3060#issuecomment-2029849962

Contributor guide