
Gateway: Combining HTTPS listener with TLS-termination and TLS listener with TLS-passthrough #6985

@vehagn

Description

Describe the bug:

I'm trying to create a Gateway where I use both an HTTPS listener with a certificate provided by cert-manager, and a TLS listener with TLS passthrough.

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: test
  namespace: gateway
  annotations:
    cert-manager.io/issuer: cloudflare-issuer
spec:
  gatewayClassName: cilium
  listeners:
    - protocol: HTTPS
      port: 443
      name: https-gateway
      hostname: "*.example.com"
      tls:
        certificateRefs:
          - kind: Secret
            name: test-cert
      allowedRoutes:
        namespaces:
          from: All
    - protocol: TLS
      port: 443
      name: proxmox-tls-passthrough
      hostname: "proxmox.example.com"
      tls:
        mode: Passthrough
      allowedRoutes:
        namespaces:
          from: All

When I add the TLS listener, the Gateway becomes unresponsive for all HTTPRoutes and TLSRoutes connected to it.
The event log for the Gateway states:

Skipped a listener block: [spec.listeners[1].tls.certificateRef: Required value: listener has no certificateRefs, spec.listeners[1].tls.mode: Unsupported value: "Passthrough": supported values: "Terminate"]

Expected behaviour:

I expect the Gateway to work with both listeners.
Cert-manager should allow/ignore the TLS listener running in Passthrough mode.

Steps to reproduce the bug:

Create the above Gateway.

Anything else we need to know?:

Cilium 1.15.1 provides the GatewayClass.
I initially believed this to be a Cilium issue, but with further investigation it looks to be an issue with cert-manager.

A workaround is to create two Gateways, each with its own listener. Alternatively, route the HTTPS listener Gateway Service through to the TLS listener Gateway to only expose one LoadBalancer IP.

Environment details:

  • Kubernetes version: 1.29.3
  • Cloud-provider/provisioner: Bare metal
  • cert-manager version: 1.14.4
  • Install method: Kustomize + Helm

# kustomization.yaml
helmCharts:
  - name: cert-manager
    repo: https://charts.jetstack.io
    version: 1.14.4
    includeCRDs: true
    releaseName: cert-manager
    namespace: cert-manager
    valuesFile: values.yaml
# values.yaml
installCRDs: true

config:
  apiVersion: controller.config.cert-manager.io/v1alpha1
  kind: ControllerConfiguration
  featureGates:
    ExperimentalGatewayAPISupport: true

/kind bug
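The two-Gateway workaround mentioned in the report, written out as an added example; it is not a manifest from the issue or from the cert-manager project. It reuses the GatewayClass, listener names, hostnames and Secret name from the report's manifest; the Gateway names `test-https` and `test-tls-passthrough` are assumptions. The point of the split is that the `cert-manager.io/issuer` annotation lives only on the Gateway whose listener cert-manager should manage, so cert-manager's Gateway shim never inspects the Passthrough listener it rejects in the quoted event.

```yaml
# Gateway 1: HTTPS listener with a cert-manager-managed certificate.
# Only this Gateway carries the cert-manager annotation.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: test-https            # assumed name
  namespace: gateway
  annotations:
    cert-manager.io/issuer: cloudflare-issuer
spec:
  gatewayClassName: cilium
  listeners:
    - protocol: HTTPS
      port: 443
      name: https-gateway
      hostname: "*.example.com"
      tls:
        mode: Terminate       # default; spelled out to contrast with Gateway 2
        certificateRefs:
          - kind: Secret
            name: test-cert
      allowedRoutes:
        namespaces:
          from: All
---
# Gateway 2: TLS passthrough listener. No cert-manager annotation and no
# certificateRefs: the backend behind the TLSRoute terminates TLS itself,
# so there is no certificate for cert-manager to issue here.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: test-tls-passthrough  # assumed name
  namespace: gateway
spec:
  gatewayClassName: cilium
  listeners:
    - protocol: TLS
      port: 443
      name: proxmox-tls-passthrough
      hostname: "proxmox.example.com"
      tls:
        mode: Passthrough
      allowedRoutes:
        namespaces:
          from: All
```

As the report notes, the cost is a second LoadBalancer Service and IP, one per Gateway. After applying, `kubectl describe gateway -n gateway test-https` should show the Certificate being requested without the "Skipped a listener block" event, since that Gateway no longer contains a listener without certificateRefs; HTTPRoutes attach to `test-https` and the TLSRoute for proxmox.example.com attaches to `test-tls-passthrough` via their parentRefs.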

Metadata

Labels: kind/bug, priority/important-longterm