Securing Gateway resources with non-HTTPS listeners generates BadConfig events #6197
Closed
Labels: kind/bug (Categorizes issue or PR as related to a bug.), priority/backlog (Higher priority than priority/awaiting-more-evidence.)
Description
Describe the bug:
Cert-manager generates BadConfig events when using Gateway with non-HTTPS protocol listeners. This behavior causes frequent SYNC operations to the GatewayClass provider.
Expected behaviour:
Cert-manager should process Gateway listeners only when the protocol is set to HTTPS and silently skip HTTP listeners.
Steps to reproduce the bug:
Gateway definition:

```yaml
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: external-lb
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
spec:
  gatewayClassName: gke-l7-global-external-managed
  listeners:
  - name: http
    protocol: HTTP
    port: 80
  - name: https
    hostname: example.com
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
      - name: example-com-tls
```
Note: There is an HTTPS listener and also an HTTP listener to enable http-to-https redirection on the HTTPRoute side.
After applying this Gateway, the following events are frequently generated:

```text
Warning  BadConfig  92s (x266 over 11h)  cert-manager-gateway-shim  Skipped a listener block: [spec.listeners[0].hostname: Required value: the hostname cannot be empty, spec.listeners[0].tls: Required value: the TLS block cannot be empty]
```
The requirement of having a "tls" field for HTTP listeners is also not correct.
Anything else we need to know?:
Environment details:
- Kubernetes version:
  - Client Version: v1.27.3
  - Kustomize Version: v5.0.1
  - Server Version: v1.26.3-gke.1000
- Cloud-provider/provisioner: GKE
- cert-manager version: v1.12.2
/kind bug
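The behaviour reported above and the expected behaviour differ only in where the protocol check sits: whether a listener is validated for hostname and tls before or after deciding that it is a candidate for certificate issuance. The following Go program is an added example that models both orderings; it is not cert-manager's gateway-shim code, and the `Listener` struct, `validateHTTPS`, `buggySelect` and `fixedSelect` are constructed for illustration. The sample listeners reproduce the Gateway in this report, and the `fixedSelect` variant also shows that an HTTPS listener that is genuinely misconfigured still gets an event, which is the case the skip must not hide.

```go
package main

import (
	"fmt"
	"strings"
)

// Listener holds the spec.listeners fields relevant to this report.
// Constructed for the example; not the Gateway API or cert-manager types.
type Listener struct {
	Name     string
	Protocol string // "HTTP", "HTTPS", ...
	Port     int
	Hostname string
	HasTLS   bool // true when a tls block is present on the listener
}

// validateHTTPS returns the field errors for a listener that is being
// considered for certificate issuance. The messages mirror the event text
// in the report; i is the listener's index in spec.listeners.
func validateHTTPS(i int, l Listener) []string {
	var errs []string
	if l.Hostname == "" {
		errs = append(errs, fmt.Sprintf("spec.listeners[%d].hostname: Required value: the hostname cannot be empty", i))
	}
	if !l.HasTLS {
		errs = append(errs, fmt.Sprintf("spec.listeners[%d].tls: Required value: the TLS block cannot be empty", i))
	}
	return errs
}

// buggySelect models the reported behaviour: every listener is validated,
// so the plain HTTP redirect listener fails the hostname/tls checks and
// produces a BadConfig event on every sync.
func buggySelect(ls []Listener) (issue []string, events []string) {
	for i, l := range ls {
		if errs := validateHTTPS(i, l); len(errs) > 0 {
			events = append(events, "BadConfig: Skipped a listener block: ["+strings.Join(errs, ", ")+"]")
			continue
		}
		issue = append(issue, l.Name)
	}
	return issue, events
}

// fixedSelect models the expected behaviour: listeners whose protocol is
// not HTTPS are skipped silently, and only HTTPS listeners are validated.
func fixedSelect(ls []Listener) (issue []string, events []string) {
	for i, l := range ls {
		if l.Protocol != "HTTPS" {
			continue // nothing to issue a certificate for, so no event
		}
		if errs := validateHTTPS(i, l); len(errs) > 0 {
			events = append(events, "BadConfig: Skipped a listener block: ["+strings.Join(errs, ", ")+"]")
			continue
		}
		issue = append(issue, l.Name)
	}
	return issue, events
}

// gatewayFromReport is the listeners block of the Gateway in this issue.
var gatewayFromReport = []Listener{
	{Name: "http", Protocol: "HTTP", Port: 80},
	{Name: "https", Protocol: "HTTPS", Port: 443, Hostname: "example.com", HasTLS: true},
}

func main() {
	for _, variant := range []struct {
		name string
		fn   func([]Listener) ([]string, []string)
	}{{"reported", buggySelect}, {"expected", fixedSelect}} {
		issue, events := variant.fn(gatewayFromReport)
		fmt.Printf("%s: issue certificates for %v\n", variant.name, issue)
		for _, e := range events {
			fmt.Printf("%s: event %s\n", variant.name, e)
		}
	}
}
```

Running it shows the reported variant emitting the exact `spec.listeners[0]` event for the HTTP listener while still issuing for the HTTPS one, and the expected variant issuing for the same listener with no event at all; the event only appears in the fixed variant when an HTTPS listener itself lacks a hostname or tls block.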