Envoy Gateway - internal TLS support
## Summary

Internal TLS is required for FedRAMP compliance on GitLab Dedicated for US PubSec. This is currently supported on nginx but not on Envoy Gateway.

## Steps to reproduce

For the Ingress nginx implementation on GitLab Dedicated we currently set these settings for FedRAMP tenants:

- `global.workhorse.tls.enabled: true`
- `registry.tls.enabled: true`
- `gitlab.kas.tls.enabled: true`

Once enabled, these settings make the corresponding services within the K8s cluster accept only TLS connections.

## Current behavior

The current Envoy Gateway implementation cannot route traffic to these endpoints, because it sends plain HTTP traffic to endpoints that now accept only HTTPS.

## Expected behavior

We should be able to turn this on with Envoy Gateway and have internal TLS traffic between the Gateway pods and the Webservice/Registry/KAS pods. This can be accomplished by implementing a [BackendTLSPolicy](https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/) when internal TLS is enabled.

## Versions

- Chart: 9.10.0
- Platform:
  - Cloud: AWS EKS
  - Kubernetes: 1.30
  - Helm: v3.20
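As an added illustration of the expected behavior above (example configuration, not part of this issue or of the GitLab chart), the three Helm switches the issue lists sit beside one Gateway API `BackendTLSPolicy` for the Workhorse backend, so that Envoy Gateway originates TLS to the backend and verifies its certificate instead of sending plain HTTP. The release name `gitlab`, namespace `gitlab`, Service name `gitlab-webservice-default` and CA ConfigMap `gitlab-internal-tls-ca` are assumptions.

```yaml
# Added example, not from the issue or the chart. Assumed names: Helm release
# "gitlab" in namespace "gitlab", CA bundle in ConfigMap "gitlab-internal-tls-ca".
---
# values.yaml fragment: the three switches named in the issue. These make the
# Workhorse, Registry and KAS pods accept TLS only, which is why the Gateway
# must also speak TLS to them.
global:
  workhorse:
    tls:
      enabled: true
registry:
  tls:
    enabled: true
gitlab:
  kas:
    tls:
      enabled: true
---
# Gateway API v1alpha3 BackendTLSPolicy attached to the Workhorse Service.
# With this in place Envoy Gateway connects to the backend over TLS and
# validates the backend certificate against the referenced CA bundle.
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
  name: gitlab-webservice-default-tls   # assumed name
  namespace: gitlab                     # assumed namespace
spec:
  targetRefs:
    - group: ""
      kind: Service
      name: gitlab-webservice-default   # assumed Workhorse Service name
  validation:
    caCertificateRefs:
      - group: ""
        kind: ConfigMap
        name: gitlab-internal-tls-ca    # assumed; must carry a "ca.crt" key
    # SNI and certificate hostname the Gateway verifies; must match a SAN
    # in the backend's serving certificate or the connection is rejected.
    hostname: gitlab-webservice-default.gitlab.svc
```

The same policy shape is repeated for the Registry and KAS Services, each with its own `targetRefs` entry and `hostname`. A mismatch between `hostname` and the backend certificate's SANs fails closed, which is the check that prevents a silent downgrade to unverified TLS.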