Skip to content

All HTTPRoutes fail to resolve when a single route's SecurityPolicy fails to load #5581

New issue
New issue
Open
#5683
#5679
Open
All HTTPRoutes fail to resolve when a single route's SecurityPolicy fails to load#5581
#5683
#5679
Labels
area/translatorIssues related to Gateway's translation service, e.g. translating Gateway APIs into the IR.help wantedExtra attention is neededkind/bugSomething isn't working
Milestone
 
v1.4.0-rc.1
@kraashen

Description

@kraashen
kraashen
opened on Mar 22, 2025

Description:

We encountered an odd issue where user had accidentally defined an invalid htpasswd secret, which lead to all the HTTPRoutes in the cluster being unresponsive. Not sure if HTTPRoute registration is working as intended or if it's a bug in case of misconfigurations.

Setup was as follows:

  • Cluster has multiple HTTPRoutes and one proxy deployment with 2 replicas
  • A single route has a SecurityPolicy with basic auth enabled
  • SecurityPolicy has an invalid Basic Auth with other than SHA format in the htpasswd secret

After this, all the HTTPRoutes fail to resolve properly. Gateway status in the kube resource seem to indicate loaded routes though.

Logs showed this as:

[2025-03-21 14:01:51.985][1][warning][config] [source/extensions/config_subscription/grpc/delta_subscription_state.cc:296] delta config for type.googleapis.com/envoy.config.listener.v3.Listener rejected: Error adding/updating listener(s) envoy-gateway-system/internal/https: basic auth: unsupported htpasswd format: please use {SHA}
[2025-03-21 14:01:51.985][1][warning][config] [source/extensions/config_subscription/grpc/grpc_subscription_impl.cc:138] gRPC config for type.googleapis.com/envoy.config.listener.v3.Listener rejected: Error adding/updating listener(s) envoy-gateway-system/internal/https: basic auth: unsupported htpasswd format: please use {SHA}

Gateway showed that N listeners had been registered, but none of the routes worked with following CLI logs:

❯ curl https://... -v
* Host ...:443 was resolved.
* IPv6: (none)
* IPv4: ...
*   Trying ...:443...
* Connected to ... (...) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to ...:443
* Closing connection
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to ...:443

❯ openssl s_client -connect ...:443
Connecting to ...
CONNECTED(00000005)
40C842FE01000000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:693:

After fixing the htpasswd secret to correct SHA format (as it's the supported value), all the routes started working again. So a misconfiguration made the cluster's endpoints unavailable.

Repro steps:

  • Define HTTPRoutes A and B for a cluster. Whether they are in the same namespace or not doesn't matter.
  • Include a SecurityPolicy to route A with Basic Auth for user foo with e.g. SHA-512 htpasswd hash as long as it's not the correct supported SHA format.
  • Neither of the routes are working

Environment:
Envoy Gateway v1.3.0 installed via Helm chart.

Logs:
Included in the description.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/translatorIssues related to Gateway's translation service, e.g. translating Gateway APIs into the IR.help wantedExtra attention is neededkind/bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions