kgateway version
v2.3.5
Kubernetes Version
v1.36.2
Describe the bug
Using an xRoute resource, e.g. an HTTPRoute, as targetRef in a BackendTLSPolicy renders the policy status with the corresponding Gateway and an Accepted condition set to status True. However, the ResolvedRefs condition is absent. The resulting Envoy configuration does not have any reference to the options specified in the policy (e.g. on any cluster referenced by the route resource, as one could reasonably expect).
Expected Behavior
The BackendTLSPolicy should not get accepted on the Gateway owning the target route. Some error state should indicate that a route is an invalid target.
Steps to reproduce the bug
Apply the following resources:
---
apiVersion: v1
kind: Service
metadata:
name: httpbin
labels:
app: httpbin
spec:
ports:
- name: http
port: 8080
targetPort: 8080
selector:
app: httpbin
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: httpbin
spec:
hostnames:
- httpbin.example.com
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: example-gateway
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: httpbin
port: 8080
---
apiVersion: gateway.networking.k8s.io/v1
kind: BackendTLSPolicy
metadata:
name: httpbin
spec:
targetRefs:
- group: gateway.networking.k8s.io
kind: HTTPRoute
name: httpbin
validation:
hostname: hostname.com
wellKnownCACertificates: System
Then run kubectl get backendtlspolicy httpbin -oyaml and observe the following output:
---
apiVersion: gateway.networking.k8s.io/v1
kind: BackendTLSPolicy
metadata:
name: httpbin
namespace: default
spec:
targetRefs:
- group: ""
kind: Service
name: httpbin
- group: gateway.kgateway.dev
kind: Backend
name: httpbin
validation:
hostname: hostname.com
wellKnownCACertificates: System
status:
ancestors:
- ancestorRef:
group: gateway.networking.k8s.io
kind: Gateway
name: example-gateway
namespace: default
conditions:
- lastTransitionTime: "..."
message: Policy accepted
observedGeneration: 1
reason: Accepted
status: "True"
type: Accepted
controllerName: kgateway.dev/kgatewayyaml
Helm Values
No response
Kgateway pod logs
No response
Proxy pod logs
No response
Additional Environment Detail
No response
Additional Context
kgateway's own BackendConfigPolicy limits itself to Backend, Service, and Istio Hostname targets on an API level. The standard Gateway API BackendTLSPolicy has to be more lax in its validation, however.
kgateway version
v2.3.5
Kubernetes Version
v1.36.2
Describe the bug
Using an
xRouteresource, e.g. anHTTPRoute, astargetRefin aBackendTLSPolicyrenders the policy status with the corresponding Gateway and anAcceptedcondition set to statusTrue. However, theResolvedRefscondition is absent. The resulting Envoy configuration does not have any reference to the options specified in the policy (e.g. on any cluster referenced by the route resource, as one could reasonably expect).Expected Behavior
The
BackendTLSPolicyshould not get accepted on the Gateway owning the target route. Some error state should indicate that a route is an invalid target.Steps to reproduce the bug
Apply the following resources:
Then run
kubectl get backendtlspolicy httpbin -oyamland observe the following output:Helm Values
No response
Kgateway pod logs
No response
Proxy pod logs
No response
Additional Environment Detail
No response
Additional Context
kgateway's own
BackendConfigPolicylimits itself toBackend,Service, and IstioHostnametargets on an API level. The standard Gateway APIBackendTLSPolicyhas to be more lax in its validation, however.