TLS Passthrough Query

[TPSKaizen]

Goodnight all, I've noticed that when setting up TLS Passthrough that the only consistent pattern is I deploy a solution ( Deployment + Service + TLSRoute )in one namespace with a TLSRoute.

If I try to set up multiple solutions in the same namespace, the routing behaves like a load balanced solution even if I specify different hostnames.

I've almost noticed if I have the same hostname with different ports (433, 10443) I've noticed that the 443 port would work and not the 10443.

This is on NGF 2.5.0 with Gateway API CRDs 1.5.0 on the standard channel.

Has anyone else observed this behaviour?

[sjberman]

@TPSKaizen would you be able to provide the Gateway/TLSRoute configurations you're using? We can attempt to reproduce the issue.

[TPSKaizen]

Yes please I will send the manifests later this week. Apologies for the late reply

[TPSKaizen]

OS Information

WSL version: 2.7.3.0
Kernel version: 6.6.114.1-1
WSLg version: 1.0.73
MSRDC version: 1.2.6676
Direct3D version: 1.611.1-81528511
DXCore version: 10.0.26100.1-240331-1435.ge-release
Windows version: 10.0.26200.8457

Windows Host File Configuration

127.0.0.1 brian-dev.personapp.com
127.0.0.1 brian-sit.personapp.com
127.0.0.1 api.brian-dev.personapp.com
127.0.0.1 api.brian-sit.personapp.com

WSL Resolve Conf

This file was automatically generated by WSL. To stop automatic generation of this file, add the following entry to /etc/wsl.conf:

[network]

generateResolvConf = false

nameserver 10.255.255.254

Minikube Version

minikube version: v1.38.1
commit: c93a4cb9311efc66b90d33ea03f75f2c4120e9b0

Docker Desktop Version ( Windows )

Version

4.55.0 (213807)

Engine: 29.1.3

Compose: v2.40.3-desktop.1

Credential Helper: v0.9.4

Kubernetes: v1.34.1

Gateway.yaml :

apiVersion: v1
items:

• apiVersion: gateway.networking.k8s.io/v1
  kind: Gateway
  metadata:
  annotations:
  meta.helm.sh/release-name: prepersonapp
  meta.helm.sh/release-namespace: default
  creationTimestamp: "2026-05-24T23:56:48Z"
  generation: 1
  labels:
  app.kubernetes.io/managed-by: Helm
  name: nginx-gateway
  namespace: gateways
  resourceVersion: "3651"
  uid: 43793b24-8f0a-442c-8690-2ed629f6c798
  spec:
  gatewayClassName: nginx
  listeners:

  • allowedRoutes:
    kinds:
    • group: gateway.networking.k8s.io
      kind: TLSRoute
      namespaces:
      from: All
      hostname: brian-dev.personapp.com
      name: fedev
      port: 443
      protocol: TLS
      tls:
      mode: Passthrough
  • allowedRoutes:
    kinds:
    • group: gateway.networking.k8s.io
      kind: TLSRoute
      namespaces:
      from: All
      hostname: brian-sit.personapp.com
      name: fesit
      port: 443
      protocol: TLS
      tls:
      mode: Passthrough
  • allowedRoutes:
    kinds:
    • group: gateway.networking.k8s.io
      kind: TLSRoute
      namespaces:
      from: All
      hostname: api.brian-dev.personapp.com
      name: bedev
      port: 443
      protocol: TLS
      tls:
      mode: Passthrough
  • allowedRoutes:
    kinds:
    • group: gateway.networking.k8s.io
      kind: TLSRoute
      namespaces:
      from: All
      hostname: api.brian-sit.personapp.com
      name: besit
      port: 443
      protocol: TLS
      tls:
      mode: Passthrough
      status:
      addresses:
  • type: IPAddress
    value: 127.0.0.1
    conditions:
  • lastTransitionTime: "2026-05-25T00:15:45Z"
    message: The Gateway is accepted
    observedGeneration: 1
    reason: Accepted
    status: "True"
    type: Accepted
  • lastTransitionTime: "2026-05-25T00:15:45Z"
    message: The Gateway is programmed
    observedGeneration: 1
    reason: Programmed
    status: "True"
    type: Programmed
    listeners:
  • attachedRoutes: 1
    conditions:
    • lastTransitionTime: "2026-05-25T00:15:45Z"
      message: The Listener is accepted
      observedGeneration: 1
      reason: Accepted
      status: "True"
      type: Accepted
    • lastTransitionTime: "2026-05-25T00:15:45Z"
      message: The Listener is programmed
      observedGeneration: 1
      reason: Programmed
      status: "True"
      type: Programmed
    • lastTransitionTime: "2026-05-25T00:15:45Z"
      message: All references are resolved
      observedGeneration: 1
      reason: ResolvedRefs
      status: "True"
      type: ResolvedRefs
    • lastTransitionTime: "2026-05-25T00:15:45Z"
      message: No conflicts
      observedGeneration: 1
      reason: NoConflicts
      status: "False"
      type: Conflicted
      name: fedev
      supportedKinds:
    • group: gateway.networking.k8s.io
      kind: TLSRoute
  • attachedRoutes: 1
    conditions:
    • lastTransitionTime: "2026-05-25T00:15:45Z"
      message: The Listener is accepted
      observedGeneration: 1
      reason: Accepted
      status: "True"
      type: Accepted
    • lastTransitionTime: "2026-05-25T00:15:45Z"
      message: The Listener is programmed
      observedGeneration: 1
      reason: Programmed
      status: "True"
      type: Programmed
    • lastTransitionTime: "2026-05-25T00:15:45Z"
      message: All references are resolved
      observedGeneration: 1
      reason: ResolvedRefs
      status: "True"
      type: ResolvedRefs
    • lastTransitionTime: "2026-05-25T00:15:45Z"
      message: No conflicts
      observedGeneration: 1
      reason: NoConflicts
      status: "False"
      type: Conflicted
      name: fesit
      supportedKinds:
    • group: gateway.networking.k8s.io
      kind: TLSRoute
  • attachedRoutes: 1
    conditions:
    • lastTransitionTime: "2026-05-25T00:15:45Z"
      message: The Listener is accepted
      observedGeneration: 1
      reason: Accepted
      status: "True"
      type: Accepted
    • lastTransitionTime: "2026-05-25T00:15:45Z"
      message: The Listener is programmed
      observedGeneration: 1
      reason: Programmed
      status: "True"
      type: Programmed
    • lastTransitionTime: "2026-05-25T00:15:45Z"
      message: All references are resolved
      observedGeneration: 1
      reason: ResolvedRefs
      status: "True"
      type: ResolvedRefs
    • lastTransitionTime: "2026-05-25T00:15:45Z"
      message: No conflicts
      observedGeneration: 1
      reason: NoConflicts
      status: "False"
      type: Conflicted
      name: bedev
      supportedKinds:
    • group: gateway.networking.k8s.io
      kind: TLSRoute
  • attachedRoutes: 1
    conditions:
    • lastTransitionTime: "2026-05-25T00:15:45Z"
      message: The Listener is accepted
      observedGeneration: 1
      reason: Accepted
      status: "True"
      type: Accepted
    • lastTransitionTime: "2026-05-25T00:15:45Z"
      message: The Listener is programmed
      observedGeneration: 1
      reason: Programmed
      status: "True"
      type: Programmed
    • lastTransitionTime: "2026-05-25T00:15:45Z"
      message: All references are resolved
      observedGeneration: 1
      reason: ResolvedRefs
      status: "True"
      type: ResolvedRefs
    • lastTransitionTime: "2026-05-25T00:15:45Z"
      message: No conflicts
      observedGeneration: 1
      reason: NoConflicts
      status: "False"
      type: Conflicted
      name: besit
      supportedKinds:
    • group: gateway.networking.k8s.io
      kind: TLSRoute
      kind: List
      metadata:
      resourceVersion: "

  Frontend YAML - DEV

  apiVersion: gateway.networking.k8s.io/v1
  kind: TLSRoute
  metadata:
  annotations:
  meta.helm.sh/release-name: react-dev
  meta.helm.sh/release-namespace: personappfe
  creationTimestamp: "2026-05-25T00:15:42Z"
  generation: 1
  labels:
  app.kubernetes.io/managed-by: Helm
  name: react-tls-route-dev
  namespace: personappfe
  resourceVersion: "3611"
  uid: 8fff8d06-0ff8-431f-9bc4-dec095086965
  spec:
  hostnames:

  • brian-dev.personapp.com
    parentRefs:
  • group: gateway.networking.k8s.io
    kind: Gateway
    name: nginx-gateway
    namespace: gateways
    sectionName: fedev
    rules:
  • backendRefs:
    • group: ""
      kind: Service
      name: personappfe-dev
      port: 8443
      weight: 1
      status:
      parents:
  • conditions:
    • lastTransitionTime: "2026-05-25T00:15:42Z"
      message: The Route is accepted
      observedGeneration: 1
      reason: Accepted
      status: "True"
      type: Accepted
    • lastTransitionTime: "2026-05-25T00:15:42Z"
      message: All references are resolved
      observedGeneration: 1
      reason: ResolvedRefs
      status: "True"
      type: ResolvedRefs
      controllerName: gateway.nginx.org/nginx-gateway-controller
      parentRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: nginx-gateway
      namespace: gateways
      sectionName: fedev

---

Frontend YAML - SIT

apiVersion: gateway.networking.k8s.io/v1
kind: TLSRoute
metadata:
annotations:
meta.helm.sh/release-name: react-sit
meta.helm.sh/release-namespace: personappfe
creationTimestamp: "2026-05-25T00:15:45Z"
generation: 1
labels:
app.kubernetes.io/managed-by: Helm
name: react-tls-route-sit
namespace: personappfe
resourceVersion: "3650"
uid: ebd0ccbf-8910-46b1-aae0-fbe7902c6300
spec:
hostnames:

• brian-sit.personapp.com
  parentRefs:
• group: gateway.networking.k8s.io
  kind: Gateway
  name: nginx-gateway
  namespace: gateways
  sectionName: fesit
  rules:
• backendRefs:
  • group: ""
    kind: Service
    name: personappfe-sit
    port: 8443
    weight: 1
    status:
    parents:
• conditions:

  • lastTransitionTime: "2026-05-25T00:15:45Z"
    message: The Route is accepted
    observedGeneration: 1
    reason: Accepted
    status: "True"
    type: Accepted

  • lastTransitionTime: "2026-05-25T00:15:45Z"
    message: All references are resolved
    observedGeneration: 1
    reason: ResolvedRefs
    status: "True"
    type: ResolvedRefs
    controllerName: gateway.nginx.org/nginx-gateway-controller
    parentRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: nginx-gateway
    namespace: gateways
    sectionName: fesit

    Essentially, when I curl https://brian-dev.personapp.com, sometimes I get a response from the SIT Pod as well.

    For example -
    while true; do date && curl https://brian-dev.personapp.com -k | grep -i title; done
    Sun May 24 08:23:05 PM -04 2026
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 465 100 465 0 0 7088 0 --:--:-- --:--:-- --:--:-- 7153

  <title>Person App - DEV</title>

Sun May 24 08:23:05 PM -04 2026
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 465 100 465 0 0 7663 0 --:--:-- --:--:-- --:--:-- 7622
<title>Person App - SIT</title>
Sun May 24 08:23:05 PM -04 2026
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 465 100 465 0 0 7433 0 --:--:-- --:--:-- --:--:-- 7500
<title>Person App - SIT</title>
Sun May 24 08:23:05 PM -04 2026
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 465 100 465 0 0 7767 0 --:--:-- --:--:-- --:--:-- 7881
<title>Person App - SIT</title>
Sun May 24 08:23:05 PM -04 2026
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 465 100 465 0 0 7811 0 --:--:-- --:--:-- --:--:-- 7881
<title>Person App - DEV</title>
Sun May 24 08:23:05 PM -04 2026
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 465 100 465 0 0 7784 0 --:--:-- --:--:-- --:--:-- 7881
<title>Person App - SIT</title>
Sun May 24 08:23:05 PM -04 2026
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 465 100 465 0 0 7292 0 --:--:-- --:--:-- --:--:-- 7380
<title>Person App - DEV</title>

[salonichf5]

Hi, I tried to reproduce this on NGF 2.6.3 with the following setup:

A Gateway in the gateways namespace with 4 TLS Passthrough listeners on port 443 for brian-dev.personapp.com, brian-sit.personapp.com, api.brian-dev.personapp.com, and api.brian-sit.personapp.com
Two backend deployments (personappfe-dev and personappfe-sit) both in the same personappfe namespace, each serving TLS on port 8443 with self-signed certs.
Two TLSRoutes also in the same personappfe namespace, each pointing to their respective backend and listener via sectionName

I ran a continuous curl loop against brian-dev.personapp.com and consistently got responses only from the DEV pod, no responses from the SIT pod at all.

The generated NGINX stream config also looked correct with separate unix sockets and upstreams per hostname, with the SNI map correctly isolating each route.

It's possible this was a bug in an earlier version that has since been fixed. I'd recommend upgrading to 2.6.3 and seeing if the behavior goes away.