TLS Mode Terminate asking for CertificateRefs #3460
Replies: 2 comments
-
hey @sachinshaji, I recommend asking this question in the Envoy Gateway repo https://github.com/envoyproxy/gateway/discussions, where someone from the Envoy Gateway community can help you
-
I could make it work with these settings. Don't specify any TLS details in the Gateway and give the certificate details to EnvoyProxy, so that TLS termination happens at the NLB and the NLB sends unencrypted traffic to your backend pods. Please feel free to delete the discussion or mark it as solved/answered.
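As an added example (not configuration posted in this discussion or shipped by the Envoy Gateway project), this is one way to express the setup the reply above describes: the EnvoyProxy resource carries the AWS Load Balancer Controller annotations that make the NLB present the ACM certificate and terminate TLS on port 443, the GatewayClass points at that EnvoyProxy, and the Gateway listener is plain HTTP with no tls block, so no certificateRefs are needed. It assumes the AWS Load Balancer Controller is installed in the EKS cluster, that Envoy Gateway runs in the envoy-gateway-system namespace with a Gateway named eg (as in the log line in the question), and the ACM ARN is a placeholder to replace with your own.

```yaml
# Added example, not from the discussion thread: TLS terminated at the AWS NLB
# with an ACM certificate; Envoy receives plaintext from the NLB.
# Assumptions: AWS Load Balancer Controller installed, Envoy Gateway in
# envoy-gateway-system, ACM ARN below is a placeholder.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: nlb-tls-terminate
  namespace: envoy-gateway-system
spec:
  provider:
    type: Kubernetes
    kubernetes:
      envoyService:
        type: LoadBalancer
        annotations:
          service.beta.kubernetes.io/aws-load-balancer-type: "external"
          service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
          service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
          # ACM certificate the NLB presents to clients (placeholder ARN)
          service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERTIFICATE_ID"
          # Only the NLB listener on 443 terminates TLS
          service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: eg
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
  # Attach the EnvoyProxy above so its Service annotations reach the NLB
  parametersRef:
    group: gateway.envoyproxy.io
    kind: EnvoyProxy
    name: nlb-tls-terminate
    namespace: envoy-gateway-system
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: eg
  namespace: envoy-gateway-system
spec:
  gatewayClassName: eg
  listeners:
    # Plain HTTP on port 443: the NLB has already stripped TLS, so there is
    # no tls block and therefore no certificateRefs to supply.
    - name: https-company-cloud
      protocol: HTTP
      port: 443
      hostname: "example.company.cloud"
      allowedRoutes:
        namespaces:
          from: All
```

Two points worth checking after applying this: the hop from the NLB to the Envoy pods is unencrypted inside the VPC, so network policy and security groups on that path carry the protection TLS used to; and because the NLB is a layer-4 load balancer, Envoy and the backends see the request as plain HTTP with no X-Forwarded-Proto header, so any scheme-based redirect logic in the application should not assume it can tell HTTPS clients apart.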
-
All our workloads are in AWS EKS. For users to access our application we have a domain name, let's say "example.company.cloud".
The domain name is acquired and the corresponding certificate is stored in Amazon Certificate Manager (ACM), as the certificate is issued by AWS.
We use Envoy Gateway as our API gateway. We install Envoy from the Helm chart and the needed CRDs are created in the EKS cluster. Now when I create a 'Gateway' object in Kubernetes, a NetworkLoadBalancer gets created in the backend. I wish to terminate the TLS certificate at the NLB level, hence I use TLS mode "Terminate".
I have even tried "Passthrough", but then the gateway pod gives the below logs:
[2024-11-20 03:19:06.846][1][warning][config] [source/extensions/config_subscription/grpc/grpc_subscription_impl.cc:138] gRPC config for type.googleapis.com/envoy.config.listener.v3.Listener rejected: Error adding/updating listener(s) envoy-gateway-system/eg/https-company-cloud: error adding listener '0.0.0.0:10443': no filter chains specified
The need for a certificate confuses me: as the certificates are issued by AWS, I can't get the private key; I only have an ARN (Amazon Resource Name) for my certificate. How can I proceed here? I have been stuck for the last 1 week trying to figure this out. Any help here is really appreciated.