
[SUPPORT] How to Use Envoy Gateway to Proxy Kubernetes API Server #4880

ZhengXinwei-F opened this issue Dec 9, 2024 · 5 comments

@ZhengXinwei-F

Description:
I am using Envoy Gateway to proxy the Kubernetes API Server. However, there seems to be an issue with the TLS communication between the gateway and the backend. Could you help me modify the following configuration to resolve this issue?

Thank you in advance for any responses, regardless of their usefulness. I look forward to hearing from everyone!

Gateway:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: envoy-http-gateway
  namespace: headlamp
spec:
  gatewayClassName: envoy-gateway-class
  listeners:
  - allowedRoutes:
      namespaces:
        from: All
    name: http
    port: 80
    protocol: HTTP
  - name: https
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
      certificateRefs:
      - name: kube-apiserver-tls

BackendTLSPolicy:

apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
  name: kubernetes-tls-policy
spec:
  targetRefs:
  - group: ''
    kind: Service
    name: kubernetes
    sectionName: "443"
  validation:
    caCertificateRefs:
    - name: ca-secret
      group: ''
      kind: Secret
    hostname: kubernetes

HTTPRoute

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: dashboard-route
  namespace: headlamp
spec:
  hostnames:
  - dashboard.example.com
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: envoy-http-gateway
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /clusters/main/healthz
      filters:
      - type: URLRewrite
        urlRewrite:
          path:
            type: ReplacePrefixMatch
            replacePrefixMatch: /healthz
      backendRefs:
        - name: kubernetes
          namespace: default
          port: 443
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: headlamp
          port: 80

Error:

{"start_time":"2024-12-09T11:18:40.005Z","method":"GET","x-envoy-origin-path":"/api/v1/namespaces","protocol":"HTTP/2","response_code":"400","response_flags":"-","response_code_details":"via_upstream","connection_termination_details":"-","upstream_transport_failure_reason":"-","bytes_received":"0","bytes_sent":"48","duration":"0","x-envoy-upstream-service-time":"-","x-forwarded-for":"10.244.1.14","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0","x-request-id":"6faa243a-58d4-4c1b-9a80-637c73e0123c",":authority":"dashboard.example.com:8445","upstream_host":"172.18.0.9:6443","upstream_cluster":"httproute/headlamp/dashboard-route/rule/0","upstream_local_address":"10.244.1.14:39536","downstream_local_address":"127.0.0.1:10443","downstream_remote_address":"127.0.0.1:54324","requested_server_name":"-","route_name":"httproute/headlamp/dashboard-route/rule/0/match/0/dashboard_example_com"}
@arkodg
Contributor

arkodg commented Dec 9, 2024

can you try rm'ing the sectionName from the BTLSPolicy ?

@ZhengXinwei-F
Author

can you try rm'ing the sectionName from the BTLSPolicy ?

Thank you for your guidance! It's working fine now, and I'll close this issue soon.
But could you please explain why the sectionName needs to be removed and why configuring it caused the 400 error?

https://github.com/kubernetes-sigs/gateway-api/blob/main/apis/v1alpha2/policy_types.go#L87-L100
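
A small lint for the mistake discussed in this thread, added here as an example and not taken from the issue or from Envoy Gateway. It assumes, per the linked policy_types.go comment, that a Service targetRef's sectionName must equal a port name in the Service spec, and it uses a constructed copy of the default/kubernetes Service (port named "https", port 443, targetPort 6443).

```python
# Added example (not from the issue or Envoy Gateway): lint a BackendTLSPolicy
# against the Service it targets. Assumption: for kind Service, sectionName
# must equal a port *name* in the Service spec (per the linked policy_types.go
# comment), so a numeric string like "443" matches nothing and the policy
# silently fails to attach, leaving the gateway-to-backend hop without TLS.

def service_port_names(service):
    """Set of named ports declared by a Service manifest (parsed YAML as dicts)."""
    return {p["name"] for p in service["spec"].get("ports", []) if p.get("name")}

def check_backend_tls_policy(policy, services):
    """Return findings (strings); empty list means every targetRef attaches. `services` maps "ns/name" to a Service."""
    findings = []
    ns = policy["metadata"].get("namespace", "default")
    for ref in policy["spec"].get("targetRefs", []):
        if ref.get("kind") != "Service" or ref.get("group", ""):
            continue  # only core-group Services are checked here
        key = f"{ns}/{ref['name']}"
        svc = services.get(key)
        if svc is None:
            findings.append(f"{key}: target Service not found (targetRefs are namespace-local)")
            continue
        section = ref.get("sectionName")
        if section is None:
            continue  # no sectionName: the policy applies to the whole Service
        names = service_port_names(svc)
        if section not in names:
            hint = " (a port number, not a port name)" if section.isdigit() else ""
            findings.append(f"{key}: sectionName {section!r} matches no port name {sorted(names)}{hint}")
    return findings

# Constructed sample: the default/kubernetes Service as found in a typical cluster.
KUBERNETES_SERVICE = {
    "metadata": {"name": "kubernetes", "namespace": "default"},
    "spec": {"ports": [{"name": "https", "port": 443, "targetPort": 6443}]},
}

def policy_with(section_name):
    """The issue's BackendTLSPolicy targetRef with the given sectionName (None omits it)."""
    ref = {"group": "", "kind": "Service", "name": "kubernetes"}
    if section_name is not None:
        ref["sectionName"] = section_name
    return {"kind": "BackendTLSPolicy", "metadata": {"name": "kubernetes-tls-policy",
            "namespace": "default"}, "spec": {"targetRefs": [ref]}}

if __name__ == "__main__":
    services = {"default/kubernetes": KUBERNETES_SERVICE}
    for section in ("443", None, "https"):
        print(section, check_backend_tls_policy(policy_with(section), services) or "OK")
```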

@ZhengXinwei-F
Author

/close

@zirain zirain closed this as completed Dec 10, 2024
@arkodg
Contributor

arkodg commented Dec 10, 2024

there was an issue with docs and a bug, both of which have been fixed, and should be available in the next release
#4868
#4784

@ZhengXinwei-F
Author

there was an issue with docs and a bug, both of which have been fixed, and should be available in the next release #4868 #4784

I got it now! Thank you so much for your explanation. 😊
