Allow the configuration of ALPN negotiation when using Gateway API in TLS Terminate mode

[hbobenicio]

Problem

I'm using Contour with Dynamically Provisioned mode using the Contour Gateway Provisioner.
I'm also using the Gateway API listeners using TLS in Terminate mode for connecting to TLSRoute's.
The upstream service I'm trying to serve is Postgres.
I'd like to use tls in client connections for obvious reasons.
I'm focusing on postgres client and server on version 17 which enable sslnegotiation=direct, which means, it runs directly the tls after tcp without that clunky SSL Request extra roundtrip from postgres protocol, but it also requires the TLS Server to respond to ALPN for application protocol "postgresql".

If I terminate the TLS conection in the gateway, I need to configure it to respond to custom a ALPN (with "postgresql"). ATM Contour doesn't allow us to do that (but envoy itself does!).

This may apply to any protocol or upstream service that requires ALPN negotiation.

Related Links

• GEP: TLS ALPN Routing kubernetes-sigs/gateway-api#1958

[github-actions]

Hey @hbobenicio! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Contour. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace

[github-actions]

The Contour project currently lacks enough contributors to adequately respond to all Issues.

This bot triages Issues according to the following rules:

• After 60d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, the Issue is closed

You can:

• Mark this Issue as fresh by commenting
• Close this Issue
• Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack