envoyproxy/gateway

Update CTP status to highlight that any TLS setting requires HTTPS to be enabled in the listener

Open

#3,083 opened on 2024年4月3日

GitHub で見る
 (1 comment) (0 reactions) (0 assignees)Go (802 forks)auto 404
help wanted

Repository metrics

Stars
 (2,871 stars)
PR merge metrics
 (PR metrics pending)

説明

@jhouston1604

Looking at the listener configuration, none of those listeners are configured to use TLS.

Your gateway is defined like this:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: envoy-public
  namespace: envoy-public
spec:
  gatewayClassName: envoy-public
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: All
    - name: https
      protocol: HTTP
      port: 443
      allowedRoutes:
        namespaces:
          from: All

Simply using port 443 doesn't transform the listener to a TLS enabled listener. You need to add a TLS section at the very least:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: envoy-public
  namespace: envoy-public
spec:
  gatewayClassName: envoy-public
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: All
    - name: https
      protocol: HTTPS # The protocol needs to be HTTPS and not HTTP
      port: 443
      allowedRoutes:
        namespaces:
          from: All
      tls: # This section is missing in the configuration files you listed above
         certificateRefs:  # The place where the server X.509 certificate can be found
         - group: "" 
            kind: Secret
            name: example-cert
          mode: Terminate  

Since TLS is not configured for any of the listeners, limiting the supported TLS version to 1.3 in a ClientTrafficPolicy doesn't really make any sense here.

Originally posted by @liorokman in https://github.com/envoyproxy/gateway/issues/3060#issuecomment-2029849962

コントリビューターガイド