bug: Gateway API HTTPRoute with BackendTrafficPolicy still forwards HTTP to HTTPS upstream #394

@kayx23

Summary

When using Gateway API with an HTTPRoute that points to an ExternalName Service on port 443, attaching a BackendTrafficPolicy with scheme: https is not sufficient in API7 Ingress Controller 2.0.17.

The route is accepted and the BackendTrafficPolicy is accepted, but requests are still forwarded as plain HTTP to the upstream HTTPS port, which returns:

400 The plain HTTP request was sent to HTTPS port

Environment

  • API7 Ingress Controller: 2.0.17
  • Gateway runtime: API7/3.9.10
  • Gateway API: gateway.networking.k8s.io/v1

Minimal repro

Apply the following manifest:

apiVersion: v1
kind: Service
metadata:
  namespace: aic
  name: httpbin-external-domain-repro
spec:
  type: ExternalName
  externalName: httpbin.org
---
apiVersion: apisix.apache.org/v1alpha1
kind: BackendTrafficPolicy
metadata:
  namespace: aic
  name: httpbin-external-domain-repro
spec:
  targetRefs:
    - group: ""
      kind: Service
      name: httpbin-external-domain-repro
  passHost: node
  scheme: https
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  namespace: aic
  name: httpbin-upstream-tls-repro
spec:
  parentRefs:
    - name: apisix
  rules:
    - matches:
        - path:
            type: Exact
            value: /httpbin-repro
      backendRefs:
        - name: httpbin-external-domain-repro
          port: 443

Observed behavior

The resources are accepted:

# HTTPRoute status
status:
  parents:
  - conditions:
    - type: Accepted
      status: "True"
      reason: Accepted
    - type: ResolvedRefs
      status: "True"
      reason: ResolvedRefs

# BackendTrafficPolicy status
status:
  ancestors:
  - conditions:
    - type: Accepted
      status: "True"
      reason: Accepted
      message: Policy has been accepted

But the request still fails:

$ curl -i http://127.0.0.1:9080/httpbin-repro
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=utf-8

<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
</body>
</html>

Expected behavior

With BackendTrafficPolicy.spec.scheme: https, the upstream request should be sent over HTTPS and the route should succeed.

Additional note

The translator code appears to intend to apply the policy scheme to the upstream, but this Gateway API + HTTPRoute + ExternalName Service + BackendTrafficPolicy + port 443 path still reproduces the HTTPS-upstream bug in practice.
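
Added example, not part of the issue and not the project's code: because Accepted status does not prove the scheme reached the upstream, this check compares the scheme a BackendTrafficPolicy requests with the scheme actually observed per backend. The function names and the OBSERVED map are hypothetical; how the effective scheme is collected from the data plane is left as an assumption, and policies are assumed to target Services in their own namespace.

```python
# Added example: compares the upstream scheme a BackendTrafficPolicy asks for with
# the scheme the data plane actually uses. Resources mirror the issue's repro,
# written as dicts (trimmed to the fields used) so no YAML library is needed.
RESOURCES = [
    {"kind": "Service", "metadata": {"namespace": "aic", "name": "httpbin-external-domain-repro"},
     "spec": {"type": "ExternalName", "externalName": "httpbin.org"}},
    {"kind": "BackendTrafficPolicy", "metadata": {"namespace": "aic", "name": "httpbin-external-domain-repro"},
     "spec": {"targetRefs": [{"group": "", "kind": "Service", "name": "httpbin-external-domain-repro"}],
              "passHost": "node", "scheme": "https"}},
    {"kind": "HTTPRoute", "metadata": {"namespace": "aic", "name": "httpbin-upstream-tls-repro"},
     "spec": {"rules": [{"backendRefs": [{"name": "httpbin-external-domain-repro", "port": 443}]}]}},
]

def intended_scheme(resources, namespace, service):
    """Scheme requested by a policy targeting the Service, or None if no policy sets one."""
    for r in resources:
        if r["kind"] != "BackendTrafficPolicy" or r["metadata"]["namespace"] != namespace:
            continue
        for ref in r["spec"].get("targetRefs", []):
            if ref.get("kind") == "Service" and ref.get("name") == service:
                return r["spec"].get("scheme")
    return None

def audit(resources, effective):
    """effective maps (namespace, service, port) to the scheme observed on the data plane."""
    findings = []
    for r in resources:
        if r["kind"] != "HTTPRoute":
            continue
        ns = r["metadata"]["namespace"]
        for rule in r["spec"].get("rules", []):
            for ref in rule.get("backendRefs", []):
                key = (ref.get("namespace", ns), ref["name"], ref.get("port"))
                want, got = intended_scheme(resources, key[0], key[1]), effective.get(key)
                if want and got and want != got:
                    findings.append((r["metadata"]["name"], key, f"policy wants {want}, data plane uses {got}"))
                elif want is None and key[2] == 443:
                    findings.append((r["metadata"]["name"], key, "port 443 backend without a scheme policy"))
    return findings

# Constructed observation matching the 400 response in the issue: plain HTTP reached port 443.
OBSERVED = {("aic", "httpbin-external-domain-repro", 443): "http"}

if __name__ == "__main__":
    for route, backend, problem in audit(RESOURCES, OBSERVED):
        print(route, backend, problem)
```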
