Gateway API: TLSRoutes erroneously attaching to HTTPS-listeners #32371

Open
vehagn opened this issue May 6, 2024 · 2 comments

Labels: area/servicemesh, feature/k8s-gateway-api, kind/bug (This is a bug in the Cilium logic), kind/community-report (This was reported by a user in the Cilium community, eg via Slack), needs/triage (This issue requires triaging to establish severity and next steps), sig/agent (Cilium agent related)

vehagn commented May 6, 2024

Is there an existing issue for this?

  • I have searched the existing issues

What happened?

Following up on #32292 with @youngnick.

Creating the following Gateway resource with an HTTPS listener

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: test
  namespace: test
spec:
  gatewayClassName: cilium
  listeners:
    - protocol: HTTPS
      port: 443
      name: https-gateway
      hostname: "*.example.com"
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: test-cert

and a TLSRoute

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: test
  namespace: test
spec:
  parentRefs:
    - name: test
      namespace: gateway
  hostnames:
    - "test.example.com"
  rules:
    - backendRefs:
        - name: test-svc
          port: 443

we see that the TLSRoute is successfully attached to the Gateway by looking at the status of both resources

kubectl -n test get tlsroute test -oyaml | yq '.status'

parents:
  - conditions:
      - lastTransitionTime: "2024-05-04T08:35:56Z"
        message: Accepted TLSRoute
        observedGeneration: 1
        reason: Accepted
        status: "True"
        type: Accepted
      - lastTransitionTime: "2024-05-04T08:35:56Z"
        message: Service reference is valid
        observedGeneration: 1
        reason: ResolvedRefs
        status: "True"
        type: ResolvedRefs
    controllerName: io.cilium/gateway-controller
    parentRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: test
      namespace: gateway

kubectl -n test get gateway test -oyaml | yq '.status'

addresses:
  - type: IPAddress
    value: 192.168.1.224
conditions:
  - lastTransitionTime: "2024-05-04T08:35:43Z"
    message: Gateway successfully scheduled
    observedGeneration: 1
    reason: Accepted
    status: "True"
    type: Accepted
  - lastTransitionTime: "2024-05-04T08:35:43Z"
    message: Gateway successfully reconciled
    observedGeneration: 1
    reason: Programmed
    status: "True"
    type: Programmed
listeners:
  - attachedRoutes: 1
    conditions:
      - lastTransitionTime: "2024-05-04T08:35:56Z"
        message: Invalid CertificateRef
        reason: Invalid
        status: "False"
        type: Programmed
      - lastTransitionTime: "2024-05-04T08:35:56Z"
        message: Listener Accepted
        observedGeneration: 1
        reason: Accepted
        status: "True"
        type: Accepted
      - lastTransitionTime: "2024-05-04T08:35:56Z"
        message: Invalid CertificateRef
        reason: InvalidCertificateRef
        status: "False"
        type: ResolvedRefs
    name: https-gateway
    supportedKinds:
      - group: gateway.networking.k8s.io
        kind: HTTPRoute

According to the Gateway API spec this shouldn't be allowed.

As @youngnick mentions in the above issue this should work with Cilium, but goes against the Gateway API spec.

I've tried a TLSRoute with a Gateway HTTPS-listener in both tls.mode: Passthrough and tls.mode: Terminate. They both appear to work. I especially wouldn't expect the Terminate one to work, though Nick gave a good explanation as to why it does in his comment.

Cilium Version

1.51.1

Kernel Version

6.1.0-20-amd64

Kubernetes Version

v1.29.3

Regression

No response

Sysdump

No response

Relevant log output

No response

Anything else?

No response

Cilium Users Document

  • Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

  • I agree to follow this project's Code of Conduct
youngnick (Contributor) commented
Yeah, we should be checking tls.mode and protocol match as well as the Route types. Thanks again for logging this @vehagn!

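As an added example (not Cilium's code and not part of the issue), the listener/route compatibility check that the comment above asks for, written in Go against a minimal stand-in for the Gateway API types. The type and function names (`Listener`, `SupportedKinds`, `CanAttach`, `AttachRoute`) are my own; the protocol-to-route-kind table follows the Gateway API spec: HTTP and HTTPS listeners carry HTTPRoute (and GRPCRoute), a TLS listener carries TLSRoute in Passthrough mode and TCPRoute in Terminate mode, TCP and UDP listeners carry TCPRoute and UDPRoute. The `main` reproduces the report: a TLSRoute offered to an HTTPS/Terminate listener is refused with the spec's `NotAllowedByListeners` reason instead of being accepted.

```go
package main

import "fmt"

// Listener is a minimal model of the spec.listeners[] fields that govern attachment.
type Listener struct {
	Name         string
	Protocol     string   // HTTP, HTTPS, TLS, TCP or UDP
	TLSMode      string   // "Terminate", "Passthrough", or "" when the tls block is absent
	AllowedKinds []string // allowedRoutes.kinds[].kind; nil means "use the protocol default"
}

// defaultKinds is the spec's protocol / TLS-mode -> route-kind table.
func defaultKinds(l Listener) []string {
	switch l.Protocol {
	case "HTTP", "HTTPS":
		return []string{"HTTPRoute", "GRPCRoute"}
	case "TLS":
		if l.TLSMode == "Passthrough" {
			return []string{"TLSRoute"} // SNI routing of the still-encrypted stream
		}
		return []string{"TCPRoute"} // Terminate: decrypted bytes are routed at L4
	case "TCP":
		return []string{"TCPRoute"}
	case "UDP":
		return []string{"UDPRoute"}
	}
	return nil
}

func contains(set []string, v string) bool {
	for _, s := range set {
		if s == v {
			return true
		}
	}
	return false
}

// SupportedKinds computes what the listener's status.supportedKinds should
// report: allowedRoutes.kinds restricted to what protocol and TLS mode can
// carry. invalid holds requested kinds the listener cannot support; when it is
// non-empty the listener's ResolvedRefs condition should be False with reason
// InvalidRouteKinds.
func SupportedKinds(l Listener) (supported, invalid []string) {
	defaults := defaultKinds(l)
	if l.AllowedKinds == nil {
		return defaults, nil
	}
	for _, k := range l.AllowedKinds {
		if contains(defaults, k) {
			supported = append(supported, k)
		} else {
			invalid = append(invalid, k)
		}
	}
	return supported, invalid
}

// CanAttach is the per-listener check: protocol, TLS mode and allowed kinds
// must all admit the route kind, not just the allowed-kinds list.
func CanAttach(l Listener, routeKind string) bool {
	supported, _ := SupportedKinds(l)
	return contains(supported, routeKind)
}

// AttachRoute returns the Accepted condition a controller should write on the
// route's parent status: true/"Accepted" if any listener admits the kind,
// otherwise false/"NotAllowedByListeners" (the spec's reason for this case).
func AttachRoute(listeners []Listener, routeKind string) (accepted bool, reason string) {
	for _, l := range listeners {
		if CanAttach(l, routeKind) {
			return true, "Accepted"
		}
	}
	return false, "NotAllowedByListeners"
}

func main() {
	// Constructed reproduction of the report: HTTPS/Terminate listener, TLSRoute child.
	https := Listener{Name: "https-gateway", Protocol: "HTTPS", TLSMode: "Terminate"}
	ok, reason := AttachRoute([]Listener{https}, "TLSRoute")
	fmt.Printf("TLSRoute -> HTTPS/Terminate: accepted=%v reason=%s\n", ok, reason)

	// Where a TLSRoute does belong: a TLS listener in Passthrough mode.
	tlsPass := Listener{Name: "tls-passthrough", Protocol: "TLS", TLSMode: "Passthrough"}
	ok, reason = AttachRoute([]Listener{tlsPass}, "TLSRoute")
	fmt.Printf("TLSRoute -> TLS/Passthrough: accepted=%v reason=%s\n", ok, reason)

	// allowedRoutes.kinds cannot widen the protocol default, only narrow it.
	widened := Listener{Name: "https-widened", Protocol: "HTTPS", TLSMode: "Terminate",
		AllowedKinds: []string{"HTTPRoute", "TLSRoute"}}
	supported, invalid := SupportedKinds(widened)
	fmt.Printf("supportedKinds=%v invalid=%v\n", supported, invalid)
}
```

The point of keeping the protocol/mode table separate from the allowed-kinds filter is that `allowedRoutes.kinds` can only narrow what a listener accepts; a Gateway author listing TLSRoute on an HTTPS listener should see `InvalidRouteKinds` on the listener, and the TLSRoute should still be refused, rather than the listener reporting `supportedKinds: [HTTPRoute]` while `attachedRoutes` counts a TLSRoute as in the status output above.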
vehagn commented May 9, 2024

Thanks again for looking into this @youngnick.

I did some more testing when trying to debug what I thought was a Cert-manager issue, but I now unfortunately think is a shortcoming with Cilium. I've tried to summarise my testing in this comment over at the Cert-manager GitHub. I can repeat it here if needed.
