DynamicResolver can support tlsroute using sni?

[joel-pre]

I checked the dynamic-forward-proxy function in the document below and confirmed that it is working properly.

https://gateway.envoyproxy.io/docs/tasks/traffic/backend/#dynamic-forward-proxy

However, when I tried to use dynamic-forward-proxy as tls passthrough for HTTPS destinations, it did not work.

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: eg
  namespace: default
spec:
  gatewayClassName: eg
  listeners:
    - name: http
      protocol: HTTP
      port: 80
    - name: tls
      protocol: TLS
      port: 443
      tls:
        mode: Passthrough
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: dynamic-forward-proxy
spec:
  parentRefs:
    - name: eg
  rules:
    - backendRefs:
      - group: gateway.envoyproxy.io
        kind: Backend
        name: backend-dynamic-resolver
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: Backend
metadata:
  name: backend-dynamic-resolver
spec:
  type: DynamicResolver
  tls:
    wellKnownCACertificates: System

So I'm wondering if it's possible to use dynamic-forward-proxy for HTTPS destinations with TLS passthrough (encryption via final destination's certificate) rather than TLS termination.

Thank you for your help!

cf) The backend with TLS Passthrough to a single HTTPS destination worked fine. (I wonder if the dynamic-forward-proxy approach also supports this kind of communication.)

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: eg
  namespace: default
spec:
  gatewayClassName: eg
  listeners:
    - name: http
      protocol: HTTP
      port: 80
    - name: tls
      protocol: TLS
      port: 443
      tls:
        mode: Passthrough
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: backend
  namespace: default
spec:
  parentRefs:
    - name: eg
  hostnames:
    - "ifconfig.me"
  rules:
    - backendRefs:
        - group: gateway.envoyproxy.io
          kind: Backend
          name: ifconfig-https
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: Backend
metadata:
  name: ifconfig-https
  namespace: default
spec:
  endpoints:
    - fqdn:
        hostname: ifconfig.me
        port: 443

[missBerg]

Unless I'm missing what you are asking... this is what I can find:

• Dynamic forward proxy in Envoy Gateway does not support TLS passthrough to arbitrary dynamic destinations.
• TLS passthrough is supported for static backends (where the backend FQDN is known and configured).
• There is no documented support for combining DFP with TLS passthrough in Envoy Gateway as of the current knowledge sources.

If you require dynamic routing with TLS passthrough (i.e., SNI-based dynamic routing at Layer 4 without TLS termination), I don't believe that to be supported with DFP. You can only use TLS passthrough with defined backends.

If you need SNI-based dynamic TCP proxying, you may want to follow the progress of the SNI dynamic forward proxy in Envoy core, but it is not production-ready and not available in Envoy Gateway [SNI dynamic forward proxy].

[joel-pre]

Hi missBerg!
I understood.
Thank you for your check.