Status: Open
Labels: kind/bug
Description:
- listener set to listen on port 443
- proxy protocol enabled by backendtrafficpolicy
- proxy protocol header to the backend contains 10443 port
This is probably due to Envoy actually listening on port 10443 and the service rewriting it to 443.
Repro steps:
```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: proxy-protocol-route-knyfyrtel-ingress-tls
  namespace: knyfyrtel
spec:
  proxyProtocol:
    version: V2
  targetRef:
    group: gateway.networking.k8s.io
    kind: TLSRoute
    name: knyfyrtel-ingress-tls
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: default
  namespace: envoy-gateway-system
spec:
  gatewayClassName: envoy-gateway
  listeners:
    - allowedRoutes:
        namespaces:
          from: All
      name: http-0
      port: 80
      protocol: HTTP
    - allowedRoutes:
        namespaces:
          from: All
      name: tls-pass-0
      port: 443
      protocol: TLS
      tls:
        mode: Passthrough
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: knyfyrtel-ingress-tls
  namespace: knyfyrtel
spec:
  hostnames:
    - <REDACTED>
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: default
      namespace: envoy-gateway-system
      sectionName: tls-pass-0
  rules:
    - backendRefs:
        - group: ''
          kind: Service
          name: ingress-nginx-controller-x-ingress-nginx-x-knyfyrtel-vcluster
          port: 443
          weight: 1
```

```shell
tshark -i - --disable-protocol tls -V -Y "proxy.src.ipv4"
```
Environment:
Envoy Gateway Helm Chart deployment 1.4.1
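
An added example, not part of the original issue or of Envoy Gateway's code: a minimal PROXY protocol v2 parser that a backend operator could run over the first bytes of a captured connection to see which destination port the header carries, compared with the listener port (443 here). The function names, sample addresses and sample bytes are constructed for illustration.

```python
import ipaddress
import struct

SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 magic


def parse_proxy_v2(data: bytes) -> dict:
    """Parse a PROXY protocol v2 header at the start of a TCP payload."""
    if len(data) < 16 or data[:12] != SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    version, command = ver_cmd >> 4, ver_cmd & 0x0F
    if version != 2 or command not in (0, 1):
        raise ValueError("unsupported version or command")
    if len(data) < 16 + length:
        raise ValueError("truncated header")
    info = {"command": "PROXY" if command == 1 else "LOCAL",
            "header_len": 16 + length}
    family = fam_proto >> 4  # 1 = AF_INET, 2 = AF_INET6
    if command == 0 or family not in (1, 2):
        return info  # LOCAL, AF_UNSPEC or AF_UNIX: no IP/port block to read
    alen = 4 if family == 1 else 16
    if length < 2 * alen + 4:
        raise ValueError("address block too short")
    body = data[16:16 + length]
    info["src_ip"] = str(ipaddress.ip_address(body[:alen]))
    info["dst_ip"] = str(ipaddress.ip_address(body[alen:2 * alen]))
    info["src_port"], info["dst_port"] = struct.unpack(
        "!HH", body[2 * alen:2 * alen + 4])
    return info


def check_dst_port(data: bytes, expected_port: int):
    """Return (matches, info): does the header carry the listener port?"""
    info = parse_proxy_v2(data)
    return info.get("dst_port") == expected_port, info


def build_sample(dst_port: int) -> bytes:
    """Constructed sample: v2 PROXY header, TCP over IPv4, then TLS bytes."""
    addrs = (ipaddress.ip_address("203.0.113.7").packed
             + ipaddress.ip_address("10.0.0.5").packed
             + struct.pack("!HH", 51234, dst_port))
    header = SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(addrs))
    return header + addrs + b"\x16\x03\x01"  # start of a TLS record


if __name__ == "__main__":
    ok, info = check_dst_port(build_sample(10443), expected_port=443)
    print("match" if ok else "MISMATCH", info)
```

A backend that applies port-based rules to the PROXY header's destination port would evaluate them against the value this check reports, not against the Gateway listener port.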