fix: secure by default (defaults from Gateway), working sectionName for HTTPRoute (#7901)

Author: programmer04

CHANGELOG.md

@@ -122,6 +122,19 @@ Adding a new version? You'll need three changes:
 - [0.0.5](#005)
 - [0.0.4 and prior](#004-and-prior)
 
+## Unreleased
+
+> Release date: TBD
+
+### Fixed
+
+- **Changed (potentially breaking):** As part of our secure-by-default initiative, everything out of the box relies on
+  defaults from Kong Gateway. It may break existing configurations that relied on previous implicit protocol behavior
+  (access via http will result `426` status code.), when version of Kong Gateway will change.
+  - For `HTTPRoute`, protocol now matches the attached Gateway listener protocol (and when `parentRef.sectionName` is set, it must match that specific listener). When `parentRef.sectionName` is not specified it binds to all `Gateway`s listeners.
+  - For `Ingress`, default protocol relies on Kong Gateway, can be set explicitly via `konghq.com/protocols: "http"` (or `https`)
+    annotation on particular `Ingress`.
+
 ## [3.5.6]
 
 > Release date: 2026-03-31

examples/gateway-httproute-broken-plugin-fallback.yaml

@@ -107,9 +107,9 @@ metadata:
 spec:
   gatewayClassName: kong
   listeners:
-  - name: http
-    protocol: HTTP
-    port: 80
+  - name: https
+    protocol: HTTPS
+    port: 443
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute

examples/gateway-httproute-rewrite-path.yaml

@@ -74,9 +74,9 @@ metadata:
 spec:
   gatewayClassName: kong
   listeners:
-  - name: http
-    protocol: HTTP
-    port: 80
+  - name: https
+    protocol: HTTPS
+    port: 443
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute

examples/gateway-httproute.yaml

@@ -108,6 +108,9 @@ metadata:
 spec:
   gatewayClassName: kong
   listeners:
+  - name: https
+    protocol: HTTPS
+    port: 443
   - name: http
     protocol: HTTP
     port: 80
@@ -121,6 +124,7 @@ metadata:
 spec:
   parentRefs:
   - name: kong
+    sectionName: https
   rules:
   - matches:
     - path:

examples/ingress.yaml examples/ingress-http.yamlexamples/ingress.yaml renamed to examples/ingress-http.yaml

@@ -1,8 +1,6 @@
-# Usage:
-# -----
-# go run internal/cmd/main.go
-# kubectl apply -f examples/httpbin.yaml
-# kubectl get secrets kong-config -o=go-template='{{index .data "networking.k8s.io-v1-Ingress-default-httpbin-ingress" }}' | base64 -d
+# By default Ingress relies on Kong Gateway default setting, which differ by version.
+# To ensure HTTP, add annotation `konghq.com/protocols: "http"` on Ingress resource.
+# See examples/ingress-https.yaml for a HTTPS example .
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -47,6 +45,7 @@ metadata:
   name: httpbin-ingress
   annotations:
     konghq.com/strip-path: "true"
+    konghq.com/protocols: "http"
 spec:
   ingressClassName: kong
   rules:

examples/ingress-https.yaml

@@ -0,0 +1,60 @@
+# By default Ingress relies on Kong Gateway default setting, which differ by version.
+# To ensure HTTPS, add annotation `konghq.com/protocols: "https"` on Ingress resource.
+# See examples/ingress-http.yaml for a HTTP example .
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: httpbin-deployment
+  labels:
+    app: httpbin
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: httpbin
+  template:
+    metadata:
+      labels:
+        app: httpbin
+    spec:
+      containers:
+      - name: httpbin
+        image: kong/httpbin:0.1.0
+        ports:
+        - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: httpbin
+  name: httpbin-deployment
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: httpbin
+  type: ClusterIP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: httpbin-ingress
+  annotations:
+    konghq.com/protocols: "https"
+    konghq.com/strip-path: "true"
+spec:
+  ingressClassName: kong
+  rules:
+  - http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: httpbin-deployment
+            port:
+              number: 80

internal/dataplane/testdata/golden/fallback-config-ingress/default_golden.yaml

@@ -19,9 +19,6 @@ services:
     paths:
     - ~/valid$
     preserve_host: true
-    protocols:
-    - http
-    - https
     regex_priority: 0
     request_buffering: true
     response_buffering: true

internal/dataplane/testdata/golden/fallback-config-kong-custom-entities-ee/default_golden.yaml

@@ -35,9 +35,6 @@ services:
     paths:
     - /
     preserve_host: true
-    protocols:
-    - http
-    - https
     regex_priority: 0
     request_buffering: true
     response_buffering: true

internal/dataplane/testdata/golden/fallback-config-service/default_golden.yaml

@@ -19,9 +19,6 @@ services:
     paths:
     - ~/valid$
     preserve_host: true
-    protocols:
-    - http
-    - https
     regex_priority: 0
     request_buffering: true
     response_buffering: true

internal/dataplane/testdata/golden/host-header-annotation-httproute/default_golden.yaml

@@ -17,9 +17,6 @@ services:
     - ~/httpbin$
     - /httpbin/
     preserve_host: true
-    protocols:
-    - http
-    - https
     strip_path: true
     tags:
     - k8s-name:httpbin