
Gateway: Combining listeners with HTTPS and TLS protocol #32292

@vehagn

Description


Is there an existing issue for this?

  • I have searched the existing issues

What happened?

I'm trying to create a Gateway that combines both HTTPS and TLS listeners to proxy external services, but I'm met with

Skipped a listener block: [spec.listeners[1].tls.certificateRef: Required value: listener has no certificateRefs, spec.listeners[1].tls.mode: Unsupported value: "Passthrough": supported values: "Terminate"]

from the Gateway resource when trying to add a TLS listener. From what I gather from the Gateway API documentation I should be able to combine these two listener types.

The Gateway I'm trying to create is

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway
  namespace: gateway
  annotations:
    cert-manager.io/issuer: cloudflare-issuer
spec:
  gatewayClassName: cilium
  infrastructure:
    annotations:
      io.cilium/lb-ipam-ips: 192.168.1.221
  listeners:
    # HTTPS listener: TLS is terminated at the Gateway with the referenced certificate
    - name: https-gateway
      protocol: HTTPS
      port: 443
      hostname: "*.<DOMAIN>"
      tls:
        certificateRefs:
          - kind: Secret
            name: cert-stonegarden
      allowedRoutes:
        namespaces:
          from: All
    # TLS listener: Passthrough forwards the TLS session to the backend unterminated,
    # so no certificateRefs are given here (this is the listener Cilium skips)
    - name: proxmox-tls-passthrough
      protocol: TLS
      port: 443
      hostname: "proxmox.<DOMAIN>"
      tls:
        mode: Passthrough
      allowedRoutes:
        namespaces:
          from: All

with the following Routes

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: home-assistant
  namespace: home-assistant
spec:
  parentRefs:
    - name: gateway
      namespace: gateway
  hostnames:
    - "home-assistant.<DOMAIN>"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: home-assistant
          port: 80
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: proxmox
  namespace: proxmox
spec:
  parentRefs:
    - name: gateway
      namespace: gateway
  hostnames:
    - "proxmox.<DOMAIN>"
  rules:
    - backendRefs:
        - name: proxmox
          port: 443

each having their own Service and EndpointSlice resources.

As a workaround I'm able to create two separate Gateways, one with each listener. This works, but I then have two different Gateways and consequently two IPs to maintain.
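As an added check that is not part of the issue or of Cilium: a small Python validator that applies the Gateway API listener rules to the two listeners above (example.invalid stands in for the redacted domain) and separately lists which listeners an implementation that only supports tls.mode Terminate would skip, so a spec-valid Gateway can be told apart from one a given implementation rejects before it is applied.

```python
from collections import defaultdict

# Constructed copy of the issue's two listeners; example.invalid stands in for
# the redacted <DOMAIN>.
LISTENERS = [
    {"name": "https-gateway", "protocol": "HTTPS", "port": 443,
     "hostname": "*.example.invalid",
     "tls": {"certificateRefs": [{"kind": "Secret", "name": "cert-stonegarden"}]}},
    {"name": "proxmox-tls-passthrough", "protocol": "TLS", "port": 443,
     "hostname": "proxmox.example.invalid", "tls": {"mode": "Passthrough"}},
]

# Protocol sets that may share one port (distinct hostnames are still required).
COMPATIBLE = [{"HTTP"}, {"HTTPS", "TLS"}]


def spec_errors(listeners):
    """Map listener name -> Gateway API rule violations (all empty when valid)."""
    errors = defaultdict(list)
    by_port = defaultdict(list)
    for l in listeners:
        tls = l.get("tls") or {}
        mode = tls.get("mode", "Terminate")  # Terminate is the spec default
        has_ref = bool(tls.get("certificateRefs"))
        if l["protocol"] in ("HTTPS", "TLS") and mode == "Terminate" and not has_ref:
            errors[l["name"]].append("tls.certificateRefs required for Terminate")
        if mode == "Passthrough" and (l["protocol"] != "TLS" or has_ref):
            errors[l["name"]].append("Passthrough is only valid for TLS without certificateRefs")
        by_port[l["port"]].append(l)
    for port, group in by_port.items():
        first, seen = group[0], {}
        for l in group:
            host = l.get("hostname", "")  # "" matches all hostnames
            if host in seen:
                errors[l["name"]].append(f"hostname conflict with {seen[host]} on port {port}")
            seen.setdefault(host, l["name"])
            if not any({l["protocol"], first["protocol"]} <= c for c in COMPATIBLE):
                errors[l["name"]].append(f"protocol conflict with {first['name']} on port {port}")
    return {l["name"]: errors[l["name"]] for l in listeners}


def skipped_by(listeners, supported_modes=("Terminate",)):
    """Names of listeners an implementation limited to supported_modes would skip."""
    return [l["name"] for l in listeners
            if (l.get("tls") or {}).get("mode", "Terminate") not in supported_modes]
```

For the Gateway in this report, spec_errors() returns no violations while skipped_by() names the proxmox-tls-passthrough listener, which matches the "Skipped a listener block" message above.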

Cilium Version

1.51.1

Kernel Version

6.1.0-20-amd64

Kubernetes Version

v1.29.3

Regression

No response

Sysdump

No response

Relevant log output

No response

Anything else?

I encountered this issue trying to proxy both Home Assistant OS and Proxmox as external services through a Gateway.
If it's any help, I've described it further in a blog post here.

Cilium Users Document

  • Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

  • I agree to follow this project's Code of Conduct


Labels

  • area/agent: Cilium agent related.
  • area/servicemesh: GH issues or PRs regarding servicemesh.
  • feature/k8s-gateway-api
  • kind/bug: This is a bug in the Cilium logic.
  • kind/community-report: This was reported by a user in the Cilium community, eg via Slack.
  • needs/triage: This issue requires triaging to establish severity and next steps.
