fix: disable http3 when client tls is configured #8583

Open
zhaohuabing wants to merge 3 commits into envoyproxy:main from zhaohuabing:fix-8581

@zhaohuabing zhaohuabing commented Mar 24, 2026

This PR disables HTTP/3 for HTTP listeners with client TLS configured, since Envoy does not yet support downstream client TLS for QUIC. A warning is surfaced in the ClientTrafficPolicy status.

fixes: #8581
release-note: yes

@zhaohuabing zhaohuabing requested a review from a team as a code owner March 24, 2026 02:54
netlify bot commented Mar 24, 2026

Deploy Preview for cerulean-figolla-1f9435 ready!

Name Link
🔨 Latest commit f12d320
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/69c9fa26ca70af00082d11a1
😎 Deploy Preview https://deploy-preview-8583--cerulean-figolla-1f9435.netlify.app

@zhaohuabing zhaohuabing force-pushed the fix-8581 branch 3 times, most recently from a45d858 to 241283f Compare March 24, 2026 03:41
type: Accepted
- lastTransitionTime: null
message: HTTP/3 was disabled for listener "https" because Envoy does not support
downstream client TLS validation over QUIC
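
Review bot: The `message` text names the listener and the cause but not what the operator should do about it, so someone reading the ClientTrafficPolicy status has to infer the next step. Consider appending the consequence and the action, for example that HTTP/3 stays disabled on listener "https" for as long as client TLS validation is configured there. The wording also says "client TLS validation" where the PR description says "client TLS"; use one term in the status message, the description and the release note so the condition is easy to search for.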
Member Author

A Warning condition is added to the CTP status for the listener when HTTP3 is disabled because client TLS is configured.

codecov bot commented Mar 24, 2026

Codecov Report

❌ Patch coverage is 74.39024% with 21 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.28%. Comparing base (945fe9f) to head (f12d320).

Files with missing lines Patch % Lines
internal/gatewayapi/status/policy.go 72.50% 10 Missing and 1 partial ⚠️
internal/gatewayapi/clienttrafficpolicy.go 76.19% 6 Missing and 4 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8583      +/-   ##
==========================================
- Coverage   74.33%   74.28%   -0.06%     
==========================================
  Files         243      243              
  Lines       38155    38231      +76     
==========================================
+ Hits        28364    28401      +37     
- Misses       7802     7832      +30     
- Partials     1989     1998       +9     

@zhaohuabing zhaohuabing added this to the v1.8.0 Release milestone Mar 24, 2026
@zhaohuabing zhaohuabing requested review from a team and arkodg and removed request for a team March 24, 2026 11:59
@zhaohuabing zhaohuabing requested a review from a team March 25, 2026 09:52
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
@zhaohuabing zhaohuabing requested a review from zirain March 30, 2026 04:20

Development

Successfully merging this pull request may close these issues.

ClientTrafficPolicy should handle http3 + client TLS gracefully instead of generating a rejected QUIC listener
