Update CTP status to highlight that any TLS setting requires HTTPS to be enabled in the listener
@jhouston1604
Looking at the listener configuration, none of those listeners are configured to use TLS.
Your gateway is defined like this:
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: envoy-public
  namespace: envoy-public
spec:
  gatewayClassName: envoy-public
  listeners:
  - name: http
    protocol: HTTP
    port: 80
    allowedRoutes:
      namespaces:
        from: All
  - name: https
    protocol: HTTP
    port: 443
    allowedRoutes:
      namespaces:
        from: All
```
Simply using port 443 doesn't transform the listener to a TLS enabled listener. You need to add a TLS section at the very least:
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: envoy-public
  namespace: envoy-public
spec:
  gatewayClassName: envoy-public
  listeners:
  - name: http
    protocol: HTTP
    port: 80
    allowedRoutes:
      namespaces:
        from: All
  - name: https
    protocol: HTTPS # The protocol needs to be HTTPS and not HTTP
    port: 443
    allowedRoutes:
      namespaces:
        from: All
    tls: # This section is missing in the configuration files you listed above
      certificateRefs: # The place where the server X.509 certificate can be found
      - group: ""
        kind: Secret
        name: example-cert
      mode: Terminate
```
Since TLS is not configured for any of the listeners, limiting the supported TLS version to 1.3 in a ClientTrafficPolicy doesn't really make any sense here.
Originally posted by @liorokman in https://github.com/envoyproxy/gateway/issues/3060#issuecomment-2029849962
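As an added example (not part of the issue thread or the Envoy Gateway project's own docs), this is how a ClientTrafficPolicy that restricts the gateway to TLS 1.3 would be attached to the corrected `envoy-public` Gateway above. The `spec.tls.minVersion` field and the `targetRef` shape are assumed to follow the `gateway.envoyproxy.io/v1alpha1` API of the Envoy Gateway release the thread discusses; the policy only has an effect on the `https` listener, because only a listener with `protocol: HTTPS` and a `tls` block terminates TLS at all.

```yaml
# Added example: the policy attaches to the whole Gateway, but its TLS
# settings can only apply to listeners that terminate TLS (protocol: HTTPS
# with a tls section). The plain HTTP listener on port 80 is unaffected.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: envoy-public-tls13   # assumed name
  namespace: envoy-public    # must match the Gateway's namespace
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: envoy-public       # the Gateway from the corrected manifest above
  tls:
    minVersion: "1.3"        # clients offering only TLS 1.2 or lower are refused
```

After applying it, check that the Gateway status reports the listener as `Programmed` and that a client forced to TLS 1.2 is rejected while a TLS 1.3 handshake succeeds; if the listener still says `protocol: HTTP`, the policy has nothing to act on.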
Thank you - I literally spent the whole night on this issue banging my head...
Such a tiny change that made it work - for anyone else stuck on this - my fix that made it work: