@@ -182,17 +182,34 @@ resource "kubectl_manifest" "main_gateway" {
182182 protocol = " HTTP"
183183 allowedRoutes = { namespaces = { from = " All" } }
184184 },
185+ // TLS termination without proxying for *.e.httptoolk.it:
185186 {
186- name = " https-httptoolk-it"
187+ name = " tls-httptoolk-it"
188+ port = 443
189+ protocol = " TLS"
190+ hostname = " *.e.httptoolk.it"
191+ allowedRoutes = {
192+ namespaces = { from = " All" }
193+ kinds = [{ kind = " TCPRoute" }]
194+ }
195+ tls = {
196+ mode = " Terminate"
197+ certificateRefs = [{ kind = " Secret" , name = " cert-httptoolk-it" }]
198+ }
199+ },
200+ // TLS termination but then raw TCP passthrough for the endpoint admin:
201+ {
202+ name = " tls-endpoint-admin-httptoolkit-tech"
187203 port = 443
188- protocol = " HTTPS "
189- hostname = " *.e.httptoolk.it "
204+ protocol = " TLS "
205+ hostname = " public-endpoint.httptoolkit.tech "
190206 allowedRoutes = { namespaces = { from = " All" } }
191207 tls = {
192208 mode = " Terminate"
193- certificateRefs = [{ kind = " Secret" , name = " cert-httptoolk-it " }]
209+ certificateRefs = [{ kind = " Secret" , name = " cert-httptoolkit-tech " }]
194210 }
195211 },
212+ // Normal HTTPS for all other httptoolkit.tech sites:
196213 {
197214 name = " https-httptoolkit-tech"
198215 port = 443
@@ -218,4 +235,27 @@ resource "kubectl_manifest" "main_gateway" {
218235 helm_release . envoy_gateway ,
219236 kubectl_manifest . letsencrypt_prod
220237 ]
238+ }
239+
240+ # Force HTTP/2 for all endpoint admin TLS connections:
241+ resource "kubectl_manifest" "force_h2_policy" {
242+ yaml_body = yamlencode ({
243+ apiVersion = " gateway.envoyproxy.io/v1alpha1"
244+ kind = " ClientTrafficPolicy"
245+ metadata = {
246+ name = " force-h2-endpoint-admin"
247+ namespace = " envoy-gateway-system"
248+ }
249+ spec = {
250+ targetRef = {
251+ group = " gateway.networking.k8s.io"
252+ kind = " Gateway"
253+ name = " main-gateway"
254+ sectionName = " tls-endpoint-admin-httptoolkit-tech"
255+ }
256+ tls = {
257+ alpnProtocols = [" h2" ]
258+ }
259+ }
260+ })
221261}
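Review bot: The `tls-endpoint-admin-httptoolkit-tech` listener keeps `allowedRoutes = { namespaces = { from = "All" } }` with no `kinds` restriction, while the sibling `tls-httptoolk-it` listener added in the same hunk limits attachment to `TCPRoute`. Because this listener terminates TLS for the admin hostname and forwards raw TCP, a route created in any namespace can attach to it and receive the decrypted admin traffic. Consider `from = "Selector"` with a label on the one namespace that owns the admin backend (or `from = "Same"` if that backend lives in the Gateway's namespace, which is not visible here), plus `kinds = [{ kind = "TCPRoute" }]` to match the other listener. In the second hunk, `alpnProtocols = ["h2"]` only narrows what the gateway offers during ALPN negotiation. With no HTTP processing at the gateway, the backend presumably still has to reject non-HTTP/2 clients and authenticate admin requests itself, which is worth stating in the `# Force HTTP/2` comment.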