[api] lowercase Backend.spec.protocol on write

dilyevsky · dilyevsky · commit 25bb5596637d · 2026-04-17T14:42:14.000-07:00
The xDS translator switches on Spec.Protocol case-sensitively
(pkg/gateway/gatewayapi/route.go). A stray "H2" slipped past the
kubebuilder enum and silently fell through the switch, so the upstream
TLS context was never applied and Envoy spoke plaintext to port 443 —
the server reset the connection and the gateway returned 503s.

Add a Defaulter on Backend (v1alpha + v1alpha2) that lowercases
Spec.Protocol before validation runs. "H2", "H2c", "TLS" now persist
as their lowercase enum values and match the translator. Unknown
values get lowercased too so they at least show up consistently in
logs and describe output.

No behavior change for routes whose Backend was already stored with a
valid lowercase value.
diff --git a/api/core/v1alpha/backend_validate.go b/api/core/v1alpha/backend_validate.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"strings"
 
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation"
@@ -12,10 +13,18 @@ import (
 )
 
 var (
+	_ resourcestrategy.Defaulter       = &Backend{}
 	_ resourcestrategy.Validater       = &Backend{}
 	_ resourcestrategy.ValidateUpdater = &Backend{}
 )
 
+// Default normalizes user-supplied fields before validation. The xDS
+// translator matches Spec.Protocol case-sensitively, so lowercase on
+// write to keep "H2" from silently falling through to plaintext.
+func (r *Backend) Default() {
+	r.Spec.Protocol = BackendProto(strings.ToLower(string(r.Spec.Protocol)))
+}
+
 func (r *Backend) Validate(ctx context.Context) field.ErrorList {
 	return r.validate()
 }
diff --git a/api/core/v1alpha2/backend_validate.go b/api/core/v1alpha2/backend_validate.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"strings"
 
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation"
@@ -12,9 +13,18 @@ import (
 	"sigs.k8s.io/apiserver-runtime/pkg/builder/resource/resourcestrategy"
 )
 
+var _ resourcestrategy.Defaulter = &Backend{}
 var _ resourcestrategy.Validater = &Backend{}
 var _ resourcestrategy.ValidateUpdater = &Backend{}
 
+// Default normalizes user-supplied fields before validation. The xDS
+// translator switches on Spec.Protocol case-sensitively, so a stray "H2"
+// would silently drop the upstream TLS context and Envoy would send
+// plaintext to port 443. Lowercase on write to match the enum.
+func (r *Backend) Default() {
+	r.Spec.Protocol = BackendProto(strings.ToLower(string(r.Spec.Protocol)))
+}
+
 func (r *Backend) Validate(ctx context.Context) field.ErrorList {
 	return r.validate()
 }
diff --git a/api/core/v1alpha2/backend_validate_test.go b/api/core/v1alpha2/backend_validate_test.go
@@ -0,0 +1,30 @@
+package v1alpha2
+
+import (
+	"testing"
+)
+
+func TestBackend_Default_NormalizesProtocolCase(t *testing.T) {
+	tests := []struct {
+		in, want BackendProto
+	}{
+		{"", ""},
+		{"h2", BackendProtoH2},
+		{"H2", BackendProtoH2},
+		{"H2c", BackendProtoH2C},
+		{"TLS", BackendProtoTLS},
+		// Unknown values stay lowercased; the xDS translator will fall
+		// through to its plaintext default, but at least diagnostic logs
+		// show a stable value rather than whatever case the user typed.
+		{"HTTP3", "http3"},
+	}
+	for _, tt := range tests {
+		t.Run(string(tt.in), func(t *testing.T) {
+			b := &Backend{Spec: BackendSpec{Protocol: tt.in, Endpoints: []BackendEndpoint{{FQDN: "example.com"}}}}
+			b.Default()
+			if b.Spec.Protocol != tt.want {
+				t.Fatalf("Default: protocol = %q, want %q", b.Spec.Protocol, tt.want)
+			}
+		})
+	}
+}
