CFP: BackendTLSPolicy for Cilium Gateway API and HTTPRoutes

[dhaugli]

Cilium Feature Proposal

We have a need to be able to use BackendTLSPolicy in Cilium Gateway API for HTTProutes to our services, which is defined in the Gateway API standard in Kubernetes: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/?h=backendtlspolicy

Describe the feature you'd like

We are currently experiencing issues when using Cilium Gateway API, especially for services that has its own TLS already pre-configured.

[kenlasko]

Am I to assume that Cilium Gateway API does not currently support BackendTLSPolicy for HTTPRoutes as of 1.15.2? That would explain why its not working for me after following the Gateway API docs on configuring it. I don't get any errors, but I also don't see any Status in the BackendTLSPolicy object.

I also would like to see this implemented.

[OevreFlataeker]

I make the same observation like @kenlasko - I "think" I configured everything correct(?) but it just does not seem to work. I try to do terminate-and-reencrypt on my gateway to my backend service but the backend keeps on saying I am talking http to it instead of https as specified via the BackendTLSPolicy

[RyanMnM]

Having the same issue as @OevreFlataeker where a backend service is expecting a HTTPS connection but is only getting a HTTP one from the gateway.

I can get this working with the below but I then loose the use of the signed certificate from Cert-Manager and only the Self Signed from the service is presented.

Listener Protocol	TLS Mode	Route Type Supported
TLS	Passthrough	TLSRoute

[OevreFlataeker]

Could you kindly provide a full example what you did so I can check this with my setup? (Still beginner...) Thanks!

[kenlasko]

Here's my config:

---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: kubeapi
  namespace: cilium
spec:
  gatewayClassName: cilium
  infrastructure:
    annotations:
      io.cilium/lb-ipam-ips: 192.168.1.14
  listeners:
  - name: https
    protocol: TLS
    port: 443
    hostname: "k3s.mydomain.com"
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: letsencrypt-wildcard-cert
        namespace: cilium
    allowedRoutes: 
      namespaces:
        from: All

---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: kubeapi
  namespace: default
spec:
  parentRefs:
  - name: kubeapi
    namespace: cilium
    sectionName: https
  hostnames:
  - "k3s.mydomain.com"
  rules:
  - backendRefs:
    - name: kubernetes
      namespace: default
      group: ""
      kind: Service
      port: 443

---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: BackendTLSPolicy
metadata:
  name: k3s-tls-policy
  namespace: default
spec:
  targetRef:
    kind: Service
    name: kubernetes
    group: ""
    namespace: default
  tls:
    caCertRefs: 
      - kind: ConfigMapReference
        name: kube-root-ca.crt
        group: ""
    hostname: k3s.mydomain.com

Everything gets created, but the BackendTLSPolicy object doesn't have a Status like every other Gateway API object, which implies that its not actually active at all. The spec for BackendTLSPolicy states that Status should be there.

The end result is that the HTTPRoute gets passed through to the service over port 443, but without TLS.

This would make sense as it appears that BackendTLSPolicy has yet to be implemented in Cilium.

[OevreFlataeker]

And this serves you the service's webpage but just with a different/untrusted cert? In my case I get "http spoken on a https port" as the response as the service apparently receives a http request from the gateway instead of https... will check my config for deviation

[kenlasko]

In my particular case, I get an error because my webpage requires a certificate, but I get a similar error. It makes sense because the HTTPRoute is passing port 443 but the TLS connection is terminated at the gateway and the BackendTLSPolicy isn't being used to apply the desired cert.

If I remove the BackendTLSPolicy and change the TLS listener to Passthrough, then it works. Its not ideal, but is better than nothing until BackendTLSPolicy is implemented.

[youngnick]

Sorry about the delay here, but yes, Cilium does not currently support BackendTLSPolicy, as it's moving forward in Gateway v1.1. Thanks for the feedback, and we'll make sure we prioritize appropriately once Gateway v1.1 is out. (There may be changes to his API in v1.1 or v1.2, let me check about that first though).

[github-actions]

This issue has been automatically marked as stale because it has not
had recent activity. It will be closed if no further activity occurs.