# Gateway API TLSRoute with Envoy Gateway
**TL;DR**

I was able to briefly get a TLSRoute working with Envoy Gateway, but I ran into some issues once TLSRoute was promoted out of the experimental CRDs. I was using a TLSRoute to route traffic to an MQTT broker, but after upgrading Gateway API and Envoy Gateway I recently had to fall back to a TCPRoute.
## TLSRoute vs TCPRoute
TLSRoute and TCPRoute both handle L4 traffic, but they differ in how much they understand about TLS:

- TLSRoute: TLS-aware routing (typically based on SNI) while keeping end-to-end TLS between client and backend. In passthrough mode the gateway reads only the unencrypted SNI from the ClientHello; it never holds a key for the backend, so the client's certificate validation still happens against the backend itself.
- TCPRoute: raw TCP forwarding with no TLS-specific matching. The gateway never inspects the stream, so TLS also passes through unchanged.

In practice, TCPRoute often means dedicating a listener/port per application because there is no hostname match, while TLSRoute allows several hostnames to fan out from the same port.

TCPRoute is still the simplest and most stable path if you do not need SNI-based routing.
## What was I doing that had issues with TLSRoute?
I have HomeAssistant running in my Talos k8s cluster, and I also host an MQTT broker for some automations related to HA. I want services to reach MQTT securely over TLS, with a certificate issued by cert-manager for an internal domain name, reachable only via Tailscale or the LAN.

Envoy Gateway is the Gateway API implementation. The MQTT broker itself serves the TLS certificate, so while TLSRoute was working the Gateway used a TLS listener with `tls.mode: Passthrough`. With TCPRoute there is no `tls.mode` at all: the Gateway uses a TCP listener and forwards raw TCP bytes, so TLS still passes through end-to-end to MQTT.
TLSRoute support was available only via the experimental CRDs up until somewhere around early 2026 (v1.5.0), after which it was moved to the standard CRDs. Something seems to have changed with that move, and I'll need to keep investigating how to get it working again while I settle on TCPRoute for now.

For a homelab it's really a non-issue to stay with TCPRoute, but I do want to understand what changed and why. For now, port 8883 is dedicated to MQTT and I cannot route based on SNI for other services that would use the same port, which, again, is a non-issue for a home lab.
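The two listener shapes described above, written out as Gateway API manifests. This is an added example, not the manifests from this setup: the Gateway name `internal`, its namespace `envoy-gateway-system`, the GatewayClass `eg`, the Service `mosquitto` in namespace `mqtt`, and the hostname `mqtt.home.example` are all assumptions; port 8883 and `tls.mode: Passthrough` are the values this page uses. Option A is the TLS passthrough listener with a TLSRoute, option B is the TCPRoute fallback.

```yaml
# Added example, not the page's own manifests. Assumed: Gateway "internal" in
# namespace envoy-gateway-system, GatewayClass "eg", Service "mosquitto" in
# namespace "mqtt", and the hostname mqtt.home.example. Port 8883 and
# tls.mode: Passthrough are taken from the page.
#
# Option A: TLS listener in Passthrough mode plus a TLSRoute. The gateway
# reads only the SNI from the ClientHello and forwards the TLS bytes
# unchanged; the broker still presents its cert-manager certificate.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: internal
  namespace: envoy-gateway-system
spec:
  gatewayClassName: eg
  listeners:
    - name: mqtt-tls
      protocol: TLS
      port: 8883
      hostname: mqtt.home.example
      tls:
        mode: Passthrough          # no certificateRefs: the gateway holds no key
      allowedRoutes:
        kinds:
          - kind: TLSRoute
        namespaces:                # only the mqtt namespace may attach routes
          from: Selector
          selector:
            matchLabels:
              kubernetes.io/metadata.name: mqtt
---
# v1alpha2 is the version served by the experimental CRDs; confirm what your
# installed CRD actually serves with: kubectl explain tlsroute
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: mqtt
  namespace: mqtt
spec:
  parentRefs:
    - name: internal
      namespace: envoy-gateway-system
      sectionName: mqtt-tls
  hostnames:
    - mqtt.home.example            # SNI match; a second TLSRoute could carry
                                   # another hostname on the same port
  rules:
    - backendRefs:
        - name: mosquitto
          port: 8883
---
# Option B (the page's current fallback): replace the mqtt-tls listener with a
# TCP listener. There is no hostname and no tls block, so port 8883 is
# dedicated to MQTT; TLS still passes through because the gateway never
# looks inside the stream.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: internal
  namespace: envoy-gateway-system
spec:
  gatewayClassName: eg
  listeners:
    - name: mqtt-tcp
      protocol: TCP
      port: 8883
      allowedRoutes:
        kinds:
          - kind: TCPRoute
        namespaces:
          from: Selector
          selector:
            matchLabels:
              kubernetes.io/metadata.name: mqtt
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
  name: mqtt
  namespace: mqtt
spec:
  parentRefs:
    - name: internal
      namespace: envoy-gateway-system
      sectionName: mqtt-tcp
  rules:
    - backendRefs:
        - name: mosquitto
          port: 8883
```

Two checks are worth running after applying either option. `kubectl get tlsroute -n mqtt mqtt -o yaml` (or `tcproute`) should show `Accepted` and `ResolvedRefs` set to `True` under `status.parents[].conditions`; if the route is not accepted, the listener's `allowedRoutes` or the served API version of the CRD is the first place to look. Then `openssl s_client -connect <gateway-ip>:8883 -servername mqtt.home.example </dev/null | openssl x509 -noout -subject -issuer` should print the broker's cert-manager certificate, which confirms the gateway is passing TLS through rather than terminating it; with the TCP listener the same command succeeds regardless of the `-servername` value, which is exactly the lack of SNI matching the page describes.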
## Last known working TLSRoute config
| Chart | Version | Notes |
|---|---|---|
| Kubernetes gateway-api | v1.4.1 | Using experimental CRDs for TLSRoute |
| Envoy Gateway gateway-helm | v1.6.1 | |
## Current/Recent config with TCPRoute
| Chart | Version | Notes |
|---|---|---|
| Kubernetes gateway-api | v1.5.1 | TLSRoute included in standard CRDs |
| Envoy Gateway gateway-helm | v1.7.1 | |
**Missing details**

This page could use more details on the complete setup.