Gateway API: TLSRoutes erroneously attaching to HTTPS-listeners #32371
Labels
area/servicemesh: GH issues or PRs regarding servicemesh
feature/k8s-gateway-api
kind/bug: This is a bug in the Cilium logic.
kind/community-report: This was reported by a user in the Cilium community, eg via Slack.
needs/triage: This issue requires triaging to establish severity and next steps.
sig/agent: Cilium agent related.
What happened?
Following up on #32292 with @youngnick.

Creating the following Gateway resource with an HTTPS-listener and a TLSRoute, we see that the TLSRoute is successfully attached to the Gateway by looking at the status of both resources

kubectl -n test get tlsroute test -oyaml | yq '.status'
kubectl -n test get gateway test -oyaml | yq '.status'

According to the Gateway API spec this shouldn't be allowed.

As @youngnick mentions in the above issue this should work with Cilium, but goes against the Gateway API spec.

I've tried a TLSRoute with a Gateway HTTPS-listener in both tls.mode: Passthrough and tls.mode: Terminate. They both appear to work. I especially wouldn't expect the Terminate one to work, though Nick gave a good explanation as to why it does in his comment.

Cilium Version
1.51.1
Kernel Version
6.1.0-20-amd64
Kubernetes Version
v1.29.3
Regression
No response
Sysdump
No response
Relevant log output
No response
Anything else?
No response
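The attachment rule the report refers to, as an added example that is not part of the original issue and is not Cilium's code. The names Listener, protocolKinds and CheckAttach are hypothetical, and the protocol-to-kind mapping is an assumption based on the table in the upstream Gateway API TLS guide. It also covers the case where allowedRoutes.kinds names TLSRoute explicitly, which can only narrow what the listener protocol supports.

```go
package main

import "fmt"

// Listener carries only the Gateway listener fields that decide attachment.
type Listener struct {
	Protocol     string   // spec.listeners[].protocol
	TLSMode      string   // spec.listeners[].tls.mode ("" defaults to Terminate)
	AllowedKinds []string // spec.listeners[].allowedRoutes.kinds (may be empty)
}

// protocolKinds lists route kinds per protocol (assumption: Gateway API TLS guide).
func protocolKinds(l Listener) []string {
	switch {
	case l.Protocol == "HTTP" || l.Protocol == "HTTPS":
		return []string{"HTTPRoute", "GRPCRoute"}
	case l.Protocol == "TLS" && l.TLSMode == "Passthrough":
		return []string{"TLSRoute"}
	case l.Protocol == "TLS" || l.Protocol == "TCP":
		return []string{"TCPRoute"}
	case l.Protocol == "UDP":
		return []string{"UDPRoute"}
	}
	return nil
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

// CheckAttach returns the Accepted status and reason a route of this kind should get.
func CheckAttach(l Listener, kind string) (bool, string) {
	// An explicit allowedRoutes.kinds list narrows the protocol set, never widens it.
	narrowed := len(l.AllowedKinds) > 0 && !contains(l.AllowedKinds, kind)
	if !contains(protocolKinds(l), kind) || narrowed {
		return false, "NotAllowedByListeners"
	}
	return true, "Accepted"
}

func main() {
	https := Listener{Protocol: "HTTPS", TLSMode: "Terminate", AllowedKinds: []string{"TLSRoute"}}
	fmt.Println(CheckAttach(https, "TLSRoute")) // constructed listener, mirrors the report
}
```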