Can I have enableProxyProtocol: true for all listeners if I merge my Gateways?

[pingiun]

I have mergeGateways set on my EnvoyProxy using this config:

---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: GatewayClass
metadata:
  name: eg
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
  parametersRef:
    group: gateway.envoyproxy.io
    kind: EnvoyProxy
    name: enable-merge-gateways
    namespace: envoy-gateway-system
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: enable-merge-gateways
  namespace: envoy-gateway-system
spec:
  mergeGateways: true

My envoy gateway is behind a load balancer that does not do TLS termination for me, so I have set up PROXY protocol so that I know the upstream IP address of the TLS connections. For one of my gateways this is setup correctly with this config:

---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: eg
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
spec:
  gatewayClassName: eg
  listeners:
  - name: http
    protocol: HTTP
    port: 80
  - name: https
    protocol: HTTPS
    hostname: ...
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: eg-https
    allowedRoutes:
      namespaces:
        from: Selector
        selector:
          matchLabels:
            shared-gateway-access: "true"
  - name: symfexit-https
    protocol: HTTPS
    hostname: ...
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: eg-https
    allowedRoutes:
      namespaces:
        from: Selector
        selector:
          matchLabels:
            shared-gateway-access: "true"
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: client-traffic-config
  namespace: default
spec:
  enableProxyProtocol: true
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: eg

Now, in a different namespace, I have setup another gateway with the same gateway class and so they should be merged into a single gateway configuration. I gave this new gateway a ClientTrafficPolicy like the original one:

---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: {{ include "wp-instance.fullname" . }}
  namespace: ...
spec:
  enableProxyProtocol: true
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: {{ include "wp-instance.fullname" . }}

However, this traffic policy gets the following condition applied and the listener does not work.

This is the condition:

status:
  ancestors:
    - ancestorRef:
        group: gateway.networking.k8s.io
        kind: Gateway
        name: ...
        namespace: ...
      conditions:
        - lastTransitionTime: '2024-07-29T05:33:42Z'
          message: >-
            ClientTrafficPolicy is being applied to multiple http (non https)
            listeners (default/eg/http) on the same port, which is not allowed.
          observedGeneration: 1
          reason: Invalid
          status: 'False'
          type: Accepted
      controllerName: gateway.envoyproxy.io/gatewayclass-controller

And this is the log of the gateway:

{"start_time":"2024-07-29T05:46:02.004Z","method":"-","x-envoy-origin-path":"-","protocol":"HTTP/1.1","response_code":"400","response_flags":"DPE","response_code_details":"http1.codec_error","connection_termination_details":"-","upstream_transport_failure_reason":"-","bytes_received":"0","bytes_sent":"11","duration":"0","x-envoy-upstream-service-time":"-","x-forwarded-for":"-","user-agent":"-","x-request-id":"-",":authority":"-","upstream_host":"-","upstream_cluster":"-","upstream_local_address":"-","downstream_local_address":"10.1.2.25:10080","downstream_remote_address":"10.1.1.0:42477","requested_server_name":"-","route_name":"-"}

It seems like the log just confirms that PROXY protocol is not enabled, because it says it cannot parse the request (http1.codec_error). How should I configure my ClientTrafficPolicy so that PROXY protocol is applied on all incoming requests?

[arkodg]

its not possible to merge some clientTrafficPolicy features across Gateways where the listeners are non tls / http
can you reuse the Gateway listener resource for only http ?
cc @liorokman

[pingiun]

Just tried this real quick but it seems like I'm doing something wrong because I get this condition: "There were no hostname intersections between the HTTPRoute and this parent ref's Listener(s)."

Does the single http gateway listener resource need all the hostnames listed that I wanna use? In that case this is a non-starter and I don't really know how to do this setup

[arkodg]

can you try to specify * in the listener hostname section and see if it resolves the issue, you can later limit the list

[pingiun]

I had to use *.mydomain but unfortunately it still gives the same error

[pingiun]

Sorry it seems I was doing something wrong, and having the wildcard prefix does indeed allow matching the routes. I don't know why I was still seeing the error before

[pingiun]

Unfortunately this still is not a perfect solution, as it requires me to enumerate all the domains I want to listen to on the central Gateway. I want to specify the domain names in seperate gateways so I can easily make new instances of my Helm chart and have them receive https traffic via cert-manager