v0.0.13 gateway server ignores TLS config, starts plaintext HTTP/1.1 only — gRPC unusable

[stw-SP]

Environment

• OS: macOS 26.4.0 (Darwin, Apple Silicon)
• Docker Desktop: 29.2.1
• OpenShell CLI: v0.0.13
• Gateway image: ghcr.io/nvidia/openshell/gateway:0.0.13

Problem

The v0.0.13 gateway server starts in plaintext HTTP/1.1 mode despite having TLS configured and valid certificates mounted. Since gRPC requires HTTP/2, the CLI cannot communicate with the gateway at all.

Symptoms

With TLS (default):

openshell status
Error: × client error (Connect)
  ╰─▶ received corrupt message of type InvalidContentType

With --plaintext:

openshell sandbox list
Error: × status: Unknown, message: "h2 protocol error: http2 error"
  ├─▶ transport error
  ├─▶ http2 error
  ╰─▶ connection error detected: frame with invalid size

Root Cause

The server binary does not enable TLS even though:

• disableTls: false in helm chart values
• OPENSHELL_TLS_CERT and OPENSHELL_TLS_KEY env vars are set
• Valid certs are mounted at /etc/openshell-tls/server/
• I tried manually regenerating PKI certs and restarting the pod — no effect

Server startup log shows no TLS initialization:

INFO openshell_server: Starting OpenShell server bind=0.0.0.0:8080
INFO openshell_server: Server listening address=0.0.0.0:8080

Verified with curl:

# Server only speaks HTTP/1.1
curl -v http://127.0.0.1:8080/
> GET / HTTP/1.1
< HTTP/1.1 404 Not Found

# TLS probe fails — server sends plaintext
echo | openssl s_client -connect 127.0.0.1:8080
SSL routines:tls_get_more_records:packet length too long

# grpcurl over h2c times out — no HTTP/2 support
grpcurl -plaintext 127.0.0.1:8080 list
Failed to dial target host: context deadline exceeded

The server also logs continuous sandbox watcher errors:

WARN openshell_server::sandbox: Sandbox watcher error error=watch stream failed: Error reading events stream: ServiceError: error reading a body from connection

This repeats every 30 seconds.

Steps to Reproduce

openshell --version  # 0.0.13
openshell gateway start --name test
# Wait for "Gateway ready"
openshell status     # InvalidContentType
openshell gateway destroy -g test
openshell gateway start --name test --plaintext
openshell sandbox list  # h2 protocol error

Expected Behavior

The server should either:

1. Start with TLS enabled when disableTls: false and certs are mounted
2. Support h2c (HTTP/2 cleartext) when running in --plaintext mode so gRPC works without TLS

Related Issues

• bug: gateway start times out before PKI generation on first run #433 — gateway start times out before PKI generation (different symptom, possibly related)
• openshell gateway start times out on Apple Silicon Mac — K8s namespace timeout too short #531 — similar timeout on Apple Silicon
• sandbox create fails with "h2 protocol error: frame with invalid size" #389 — h2 protocol error on sandbox create
• feat(inference): support plaintext HTTP in inference interception #38 — InvalidContentType from TLS/plaintext mismatch

[matz3]

I also came across this or a similar issue, e.g.

❯ openshell sandbox list
Error:   × transport error
  ├─▶ received corrupt message of type InvalidContentType
  ╰─▶ received corrupt message of type InvalidContentType

It turned out that I already had a http server (Node.js) running on port 8080, but the gateway was still also started on port 8080 and I did not see any error saying that the port is already in use. After stopping the Node.js http server it worked again.

[johntmyers]

Thanks for the detailed report and the follow-up from @matz3 — we've confirmed the port-collision scenario is a real issue. We're tracking this internally and will address it as part of upcoming core single-tenant infrastructure changes. Closing for now.