[Feature] [Platform] Enable HTTP to HTTPS Redirect (#1942)

Author: ajanikow

CHANGELOG.md

@@ -12,6 +12,7 @@
 - (Feature) Compact Action
 - (DebugPackage) Fetch All logs
 - (Feature) (Platform) MetaV1 List Operation
+- (Feature) (Platform) Enable HTTP to HTTPS Redirect
 
 ## [1.2.50](https://github.com/arangodb/kube-arangodb/tree/1.2.50) (2025-07-04)
 - (Feature) (Platform) MetaV1 Integration Service

pkg/deployment/resources/gateway/gateway_config.go

@@ -391,16 +391,97 @@ func (c Config) RenderDefaultFilterChain() (*pbEnvoyListenerV3.FilterChain, erro
 }
 
 func (c Config) RenderSecondaryFilterChains() ([]*pbEnvoyListenerV3.FilterChain, error) {
-	if len(c.SNI) == 0 {
+	var r []*pbEnvoyListenerV3.FilterChain
+
+	if chain, err := c.HttpToHttpsChain(); err != nil {
+		return nil, err
+	} else if chain != nil {
+		r = append(r, chain)
+	}
+
+	if len(c.SNI) > 0 {
+		filters, err := c.RenderFilters()
+		if err != nil {
+			return nil, err
+		}
+
+		chain, err := c.SNI.RenderFilterChain(filters)
+		if err != nil {
+			return nil, err
+		}
+
+		r = append(r, chain...)
+	}
+
+	return r, nil
+}
+
+func (c Config) HttpToHttpsChain() (*pbEnvoyListenerV3.FilterChain, error) {
+	if c.DefaultTLS == nil {
 		return nil, nil
 	}
 
-	filters, err := c.RenderFilters()
+	httpFilterConfigType, err := anypb.New(&routerAPI.Router{})
 	if err != nil {
-		return nil, err
+		return nil, errors.Wrapf(err, "Unable to create router filter configuration for HTTP to HTTPS redirect")
 	}
 
-	return c.SNI.RenderFilterChain(filters)
+	filterConfigType, err := anypb.New(&httpConnectionManagerAPI.HttpConnectionManager{
+		StatPrefix: "ingress_http",
+		CodecType:  httpConnectionManagerAPI.HttpConnectionManager_AUTO,
+		RouteSpecifier: &httpConnectionManagerAPI.HttpConnectionManager_RouteConfig{
+			RouteConfig: &pbEnvoyRouteV3.RouteConfiguration{
+				Name: "local_http",
+				VirtualHosts: []*pbEnvoyRouteV3.VirtualHost{
+					{
+						Name:    "local_http",
+						Domains: []string{"*"},
+						Routes: []*pbEnvoyRouteV3.Route{
+							{
+								Match: &pbEnvoyRouteV3.RouteMatch{
+									PathSpecifier: &pbEnvoyRouteV3.RouteMatch_Prefix{
+										Prefix: "/",
+									},
+								},
+								Action: &pbEnvoyRouteV3.Route_Redirect{
+									Redirect: &pbEnvoyRouteV3.RedirectAction{
+										SchemeRewriteSpecifier: &pbEnvoyRouteV3.RedirectAction_HttpsRedirect{
+											HttpsRedirect: true,
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		HttpFilters: []*httpConnectionManagerAPI.HttpFilter{
+			{
+				Name: "envoy.filters.http.router",
+				ConfigType: &httpConnectionManagerAPI.HttpFilter_TypedConfig{
+					TypedConfig: httpFilterConfigType,
+				},
+			},
+		},
+	})
+	if err != nil {
+		return nil, errors.Wrapf(err, "Unable to create HTTP connection manager configuration for HTTP to HTTPS redirect")
+	}
+
+	return &pbEnvoyListenerV3.FilterChain{
+		FilterChainMatch: &pbEnvoyListenerV3.FilterChainMatch{
+			TransportProtocol: "raw_buffer",
+		},
+		Filters: []*pbEnvoyListenerV3.Filter{
+			{
+				Name: "envoy.filters.network.http_connection_manager",
+				ConfigType: &pbEnvoyListenerV3.Filter_TypedConfig{
+					TypedConfig: filterConfigType,
+				},
+			},
+		},
+	}, nil
 }
 
 func (c Config) RenderListener() (*pbEnvoyListenerV3.Listener, error) {

pkg/deployment/resources/gateway/gateway_config_sni.go

@@ -64,7 +64,8 @@ func (c ConfigSNI) RenderFilterChain(filters []*pbEnvoyListenerV3.Filter) (*pbEn
 	return &pbEnvoyListenerV3.FilterChain{
 		TransportSocket: transport,
 		FilterChainMatch: &pbEnvoyListenerV3.FilterChainMatch{
-			ServerNames: util.CopyList(c.ServerNames),
+			ServerNames:       util.CopyList(c.ServerNames),
+			TransportProtocol: "tls",
 		},
 		Filters: filters,
 	}, nil