Using allowedRoutes with both http and tls is rejected #42013

@chrismlee42

Description

Is there an existing issue for this?

  • I have searched the existing issues

Version

equal or higher than v1.18.2 and lower than v1.19.0

What happened?

I have a Gateway:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: tls-passthrough
spec:
  gatewayClassName: cilium
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        kinds:
          - kind: HTTPRoute
        namespaces:
          from: Same
    - name: tls
      protocol: TLS
      port: 443
      allowedRoutes:
        kinds:
          - kind: TLSRoute
        namespaces:
          from: All
      tls:
        mode: Passthrough
        certificateRefs:
          - kind: Secret
            name: clee-private-morphacy-net

I also have a tls-redirect HTTPRoute on the http listener:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: tls-redirect
spec:
  hostnames:
    - "*.service.example.com"
  parentRefs:
    - name: tls-passthrough
      namespace: default
      port: 80
      sectionName: http
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            # statusCode: 301

This HTTPRoute is rejected with:

- lastTransitionTime: '2025-10-02T16:09:23Z'
  message: >-
    HTTPRoute is not allowed to attach to this Gateway due to route kind
    restrictions
  observedGeneration: 1
  reason: NotAllowedByListeners
  status: 'False'
  type: Accepted

They are definitely in the same namespace (default); I'm just omitting the kustomization.yaml here for the sake of brevity.

Furthermore, when I try to add a TLSRoute to the tls listener:

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: argocd
spec:
  hostnames:
    - argocd.service.example.com
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: tls-passthrough
      namespace: default
      port: 443
      sectionName: tls
  rules:
    - backendRefs:
        - group: ""
          kind: Service
          name: argocd-server
          port: 443
          weight: 1

this route is also rejected with NotAllowedByListeners.

If I then remove the http listener, the argocd TLSRoute works properly.

I would expect that the tls-redirect HTTPRoute would be accepted by the http listener and the argocd TLSRoute would be accepted by the tls listener even with the http listener present.

How can we reproduce the issue?

Duplicate the above manifests.

Cilium Version

Client: 1.18.1 e8a7070 2025-08-13T14:47:02+00:00 go version go1.24.6 linux/amd64
Daemon: 1.18.1 e8a7070 2025-08-13T14:47:02+00:00 go version go1.24.6 linux/amd64

Kernel Version

Linux chris-pc 6.8.0-63-generic #66-Ubuntu SMP PREEMPT_DYNAMIC Fri Jun 13 20:25:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Kubernetes Version

Client Version: v1.34.0
Kustomize Version: v5.7.1
Server Version: v1.32.5

Regression

No response

Sysdump

No response

Relevant log output

Anything else?

No response

Cilium Users Document

  • Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

  • I agree to follow this project's Code of Conduct
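The following is an added example, not Cilium's code and not part of the original report. It models the Gateway API attachment rules that the report relies on (a parentRef's sectionName and port select a listener; that listener's allowedRoutes.kinds and allowedRoutes.namespaces then decide whether the route may attach) and returns the Accepted-condition reason a conforming controller would set. Run against the manifests above it shows the expected outcome: the HTTPRoute is accepted by the http listener and the TLSRoute by the tls listener, while a kind or namespace mismatch yields NotAllowedByListeners and a parentRef that selects no listener yields NoMatchingParent. Assumptions: listeners have no hostname (so hostname intersection is not modelled), the argocd TLSRoute lives in namespace "argocd", and the Gateway's namespace is "default"; the sample objects are constructed inline from the report.

```python
"""Gateway API route-attachment check (added example, not Cilium code)."""

# Default kinds a listener accepts when allowedRoutes.kinds is not set (per spec).
DEFAULT_KINDS = {
    "HTTP": {"HTTPRoute"},
    "HTTPS": {"HTTPRoute", "GRPCRoute"},
    "TLS": {"TLSRoute"},
    "TCP": {"TCPRoute"},
    "UDP": {"UDPRoute"},
}

# Gateway from the report, constructed inline (namespace "default" is an assumption).
GATEWAY = {
    "metadata": {"name": "tls-passthrough", "namespace": "default"},
    "spec": {"listeners": [
        {"name": "http", "protocol": "HTTP", "port": 80,
         "allowedRoutes": {"kinds": [{"kind": "HTTPRoute"}], "namespaces": {"from": "Same"}}},
        {"name": "tls", "protocol": "TLS", "port": 443,
         "allowedRoutes": {"kinds": [{"kind": "TLSRoute"}], "namespaces": {"from": "All"}}},
    ]},
}


def listener_allows_kind(listener, route_kind):
    """allowedRoutes.kinds restricts the route kinds; unset means protocol defaults."""
    kinds = listener.get("allowedRoutes", {}).get("kinds")
    if not kinds:
        return route_kind in DEFAULT_KINDS.get(listener["protocol"], set())
    return any(k["kind"] == route_kind for k in kinds)


def listener_allows_namespace(listener, gw_ns, route_ns, ns_labels):
    """allowedRoutes.namespaces.from: Same (default) / All / Selector."""
    rule = listener.get("allowedRoutes", {}).get("namespaces", {})
    mode = rule.get("from", "Same")
    if mode == "Same":
        return route_ns == gw_ns
    if mode == "All":
        return True
    if mode == "Selector":
        wanted = rule.get("selector", {}).get("matchLabels", {})
        return all(ns_labels.get(k) == v for k, v in wanted.items())
    return False


def evaluate_parent_ref(gateway, parent_ref, route_kind, route_ns, ns_labels=None):
    """Return (names of listeners that accept the route, Accepted-condition reason)."""
    ns_labels = ns_labels or {}
    gw_ns = gateway["metadata"]["namespace"]
    # A parentRef without namespace refers to the route's own namespace.
    if parent_ref.get("namespace", route_ns) != gw_ns or parent_ref["name"] != gateway["metadata"]["name"]:
        return [], "NoMatchingParent"
    candidates = gateway["spec"]["listeners"]
    if "sectionName" in parent_ref:
        candidates = [l for l in candidates if l["name"] == parent_ref["sectionName"]]
    if "port" in parent_ref:
        candidates = [l for l in candidates if l["port"] == parent_ref["port"]]
    if not candidates:
        return [], "NoMatchingParent"
    accepted = [l["name"] for l in candidates
                if listener_allows_kind(l, route_kind)
                and listener_allows_namespace(l, gw_ns, route_ns, ns_labels)]
    if not accepted:
        return [], "NotAllowedByListeners"
    return accepted, "Accepted"


def expected_results():
    """Evaluate the report's two routes plus three contrasting cases."""
    gw = {"name": "tls-passthrough", "namespace": "default"}
    return {
        # tls-redirect HTTPRoute in "default" -> http listener (kind + Same namespace OK)
        "http_redirect": evaluate_parent_ref(
            GATEWAY, {**gw, "port": 80, "sectionName": "http"}, "HTTPRoute", "default"),
        # argocd TLSRoute in namespace "argocd" (assumed) -> tls listener (kind OK, from: All)
        "tls_argocd": evaluate_parent_ref(
            GATEWAY, {**gw, "port": 443, "sectionName": "tls"}, "TLSRoute", "argocd"),
        # a TLSRoute pointed at the http listener: kind restriction rejects it
        "tls_on_http_listener": evaluate_parent_ref(
            GATEWAY, {**gw, "sectionName": "http"}, "TLSRoute", "default"),
        # an HTTPRoute from another namespace: from: Same rejects it
        "cross_ns_http": evaluate_parent_ref(
            GATEWAY, {**gw, "sectionName": "http"}, "HTTPRoute", "other"),
        # no sectionName: every listener is a candidate, only http admits HTTPRoute
        "no_section_name": evaluate_parent_ref(GATEWAY, gw, "HTTPRoute", "default"),
    }


if __name__ == "__main__":
    for name, result in expected_results().items():
        print(f"{name}: {result}")
```

If a controller returns NotAllowedByListeners for the first two cases, it is applying a kind or namespace restriction from a listener other than the one the parentRef's sectionName selected, which is the behaviour the report describes.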

Metadata

Labels

  • area/agent: Cilium agent related.
  • feature/k8s-gateway-api
  • kind/bug: This is a bug in the Cilium logic.
  • kind/community-report: This was reported by a user in the Cilium community, eg via Slack.
  • needs/triage: This issue requires triaging to establish severity and next steps.
