
ClientTrafficPolicy headers not applied on HTTPS routes in Envoy Gateway #7647

@LauraBautista3

Description:
When applying a ClientTrafficPolicy to inject HTTP headers, the headers are applied correctly for HTTP traffic but not for HTTPS traffic, even though the Gateway has TLS termination configured.

Repro steps:
Apply the Gateway manifest:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: main-gateway
  namespace: envoy-gateway-system
spec:
  gatewayClassName: eg
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: All
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate
        certificateRefs:
          - name: secret
      allowedRoutes:
        namespaces:
          from: All

Apply the ClientTrafficPolicy manifest:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: security-headers
  namespace: envoy-gateway-system
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: main-gateway
  tls:
    minVersion: "1.2"
    maxVersion: "1.3"
    ciphers:
      - ECDHE-ECDSA-AES256-GCM-SHA384
      - ECDHE-RSA-AES256-GCM-SHA384
      - ECDHE-ECDSA-CHACHA20-POLY1305
      - ECDHE-RSA-CHACHA20-POLY1305
      - ECDHE-ECDSA-AES128-GCM-SHA256
      - ECDHE-RSA-AES128-GCM-SHA256
      - ECDHE-ECDSA-AES256-SHA384
      - ECDHE-RSA-AES256-SHA384
      - ECDHE-ECDSA-AES128-SHA256
      - ECDHE-RSA-AES128-SHA256
  headers:
    requestID: PreserveOrGenerate
    lateResponseHeaders:
      remove:
        - X-Powered-By
      set:
        - name: Permissions-Policy
          value: "camera=self, microphone=self, geolocation=self, autoplay=self, fullscreen=self, payment=self, usb=(), accelerometer=(), gyroscope=(), magnetometer=()"
        - name: X-Content-Type-Options
          value: "nosniff"
    earlyRequestHeaders:
      remove:
        - X-Powered-By
      set:
        - name: Permissions-Policy
          value: "camera=self, microphone=self, geolocation=self, autoplay=self, fullscreen=self, payment=self, usb=(), accelerometer=(), gyroscope=(), magnetometer=()"
        - name: X-Content-Type-Options
          value: "nosniff"

Apply the app manifest:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
  namespace: traffic-gateway-example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-app
  template:
    metadata:
      labels:
        app: demo-app
    spec:
      containers:
        - image: gcr.io/k8s-staging-gateway-api/echo-basic:v20231214-v1.0.0-140-gf544a46e
          name: demo-app
          ports:
            - containerPort: 3000
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
---
apiVersion: v1
kind: Service
metadata:
  name: demo-app
  namespace: traffic-gateway-example
spec:
  ports:
    - port: 80
      targetPort: 3000
  selector:
    app: demo-app
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: demo-app
  namespace: traffic-gateway-example
spec:
  parentRefs:
    - name: main-gateway
      namespace: envoy-gateway-system
  hostnames:
    - demo-app-use1.xxx.com
    - demo-app.xxxx.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: demo-app
          port: 80
          weight: 1

Make a request via HTTP:

curl -I http://demo-app-use1.xxx.com

HTTP/1.1 200 OK
content-type: application/json
date: Thu, 04 Dec 2025 00:07:16 GMT
content-length: 756
permissions-policy: camera=self, microphone=self, geolocation=self, autoplay=self, fullscreen=self, payment=self, usb=(), accelerometer=(), gyroscope=(), magnetometer=()
x-content-type-options: nosniff

Make a request via HTTPS:

curl -I https://demo-app-use1.xxx.com

HTTP/2 200
content-type: application/json
x-content-type-options: nosniff
date: Thu, 04 Dec 2025 00:07:28 GMT
content-length: 523

The permissions-policy header is missing.

Environment:
Envoy Gateway version: v1.6.0
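A small check for the behaviour described in this report, added here as an example and not code from the reporter or the Envoy Gateway project: it encodes the policy's lateResponseHeaders block as the expected outcome, fetches a HEAD response from each listener, and reports which headers are present over HTTP but absent over HTTPS. The two embedded header sets are constructed from the curl output above; the policy values are assumed to be exactly those in the manifest.

```python
"""Compare a ClientTrafficPolicy's expected response headers across listeners."""
import http.client
import ssl
from urllib.parse import urlparse

# Assumption: copied from the lateResponseHeaders block of the policy in the report.
POLICY_SET = {
    "Permissions-Policy": ("camera=self, microphone=self, geolocation=self, autoplay=self, "
                           "fullscreen=self, payment=self, usb=(), accelerometer=(), "
                           "gyroscope=(), magnetometer=()"),
    "X-Content-Type-Options": "nosniff",
}
POLICY_REMOVE = ["X-Powered-By"]


def check_headers(headers):
    """Return (missing_or_wrong, leaked): `set` entries not honoured and `remove` entries still present.
    Header names are compared case-insensitively, as HTTP requires."""
    lower = {k.lower(): v for k, v in headers.items()}
    missing = {n: v for n, v in POLICY_SET.items() if lower.get(n.lower()) != v}
    leaked = [n for n in POLICY_REMOVE if n.lower() in lower]
    return missing, leaked


def compare_listeners(http_headers, https_headers):
    """Names that the policy applied on the HTTP listener but not on HTTPS (the bug reported)."""
    http_missing, _ = check_headers(http_headers)
    https_missing, _ = check_headers(https_headers)
    return sorted(set(https_missing) - set(http_missing))


def fetch_headers(url):
    """Send one HEAD request to the URL and return its response headers as a dict."""
    u = urlparse(url)
    if u.scheme == "https":
        conn = http.client.HTTPSConnection(u.hostname, u.port or 443,
                                           context=ssl.create_default_context(), timeout=10)
    else:
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    conn.request("HEAD", u.path or "/")
    headers = dict(conn.getresponse().getheaders())
    conn.close()
    return headers


# Constructed sample input: the two responses captured in the report above.
HTTP_RESPONSE = {"content-type": "application/json", "content-length": "756",
                 "permissions-policy": POLICY_SET["Permissions-Policy"],
                 "x-content-type-options": "nosniff"}
HTTPS_RESPONSE = {"content-type": "application/json", "content-length": "523",
                  "x-content-type-options": "nosniff"}

if __name__ == "__main__":
    import sys  # usage: python check_headers.py http://host https://host
    for url in sys.argv[1:]:
        print(url, *check_headers(fetch_headers(url)))
```

Run with no arguments it does nothing; pass both listener URLs and each line shows the headers the policy failed to set or remove on that listener.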
