Skip to content

feat(gateway-api): support TLSRoute #2594

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
AlinsRan merged 6 commits into from
Oct 12, 2025
Merged

feat(gateway-api): support TLSRoute #2594

AlinsRan merged 6 commits into from
Oct 12, 2025

Conversation

@AlinsRan
Copy link
Contributor

@AlinsRan AlinsRan commented Oct 10, 2025
edited
Loading

Type of change:

  • Bugfix
  • New feature provided
  • Improve performance
  • Backport patches
  • Documentation
  • Refactor
  • Chore
  • CI/CD or Tests

What this PR does / why we need it:

Implement TLSRoute.

⚠️ Limitation: TLS Passthrough is not supported in APISIX

According to the Gateway API specification, tls.mode: Passthrough means the gateway does not participate in the TLS handshake or decryption, simply forwarding encrypted traffic to the backend.

However, in APISIX, SNI-based routing depends on ssl objects (which require certificate loading).
Once an SSL object is involved, APISIX must terminate or participate in the TLS handshake.

Therefore, in the current implementation, APISIX rejects configurations with tls.mode: Passthrough.

Pre-submission checklist:

  • Did you explain what problem does this PR solve? Or what new features have been added?
  • Have you added corresponding test cases?
  • Have you modified the corresponding document?
  • Is this PR backward compatible? If it is not backward compatible, please discuss on the mailing list first

@AlinsRan AlinsRan marked this pull request as ready for review October 10, 2025 08:01
@AlinsRan AlinsRan requested a review from Copilot October 10, 2025 08:01
Copilot AI reviewed Oct 10, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR implements TLSRoute support for the Gateway API in APISIX Ingress Controller. The implementation adds full TLSRoute resource handling including controller reconciliation, translation to APISIX configuration, and test infrastructure, but does not support TLS passthrough mode due to APISIX limitations.

Key changes:

  • Added TLSRouteReconciler controller with complete lifecycle management
  • Implemented TLSRoute to APISIX stream route translation logic
  • Extended test infrastructure with TLS proxy support and conformance testing

Reviewed Changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
test/e2e/scaffold/scaffold.go Added TLS tunnel support for E2E testing
test/e2e/gatewayapi/tlsroute.go Added comprehensive TLSRoute E2E test cases
test/e2e/framework/manifests/ingress.yaml Updated RBAC permissions for TLSRoute resources
test/e2e/framework/manifests/apisix.yaml Added TLS port configuration to APISIX deployment
test/e2e/framework/manifests/apisix-standalone.yaml Added TLS port configuration to standalone APISIX
test/conformance/conformance_test.go Added TLS conformance testing with passthrough limitation
internal/types/k8s.go Added TLSRoute type definitions and mappings
internal/provider/apisix/provider.go Integrated TLSRoute translation into provider
internal/manager/controllers.go Registered TLSRouteReconciler controller
internal/controller/utils.go Added TLSRoute hostname and protocol matching logic
internal/controller/tlsroute_controller..go Implemented complete TLSRoute controller
internal/controller/indexer/tlsroute.go Added TLSRoute indexing for efficient queries
internal/controller/indexer/indexer.go Registered TLSRoute indexer setup
internal/adc/translator/tlsroute.go Implemented TLSRoute to APISIX stream route translation
docs/en/latest/concepts/gateway-api.md Updated documentation to reflect TLSRoute support
config/rbac/role.yaml Added TLSRoute RBAC permissions
api/v2/shared_types.go Added TLS scheme constant
Makefile Added TLS conformance profile to testing

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

ronething
ronething reviewed Oct 11, 2025
View reviewed changes
@AlinsRan AlinsRan requested review from bzp2010 and ronething October 11, 2025 06:09
ronething
ronething reviewed Oct 11, 2025
View reviewed changes
ronething
ronething approved these changes Oct 11, 2025
View reviewed changes
Copy link
Contributor

@ronething ronething left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

others lgtm.

@AlinsRan AlinsRan merged commit 1afb9ac into apache:master Oct 12, 2025
28 of 29 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@nic-6443 nic-6443 nic-6443 approved these changes

@ronething ronething ronething approved these changes

@Revolyssup Revolyssup Awaiting requested review from Revolyssup

@bzp2010 bzp2010 Awaiting requested review from bzp2010

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AlinsRan @nic-6443 @ronething