
enhancement: only downgrade ALPN for overlapping HTTPS listeners when certificate SANs overlap #8754

@zhaohuabing

Description


Envoy Gateway currently sets OverlappingTLSConfig and downgrades ALPN to HTTP/1.1 when HTTPS listeners are considered overlapping based on listener hostname configuration, even when the certificates attached to those listeners are disjoint.

This is overly conservative.

The HTTP/2 connection coalescing concern described in GEP-3567 is fundamentally tied to certificate validity across multiple origins. If two HTTPS listeners do not have overlapping certificate SANs, then the coalescing risk does not appear to exist, even if the listeners are considered overlapping from a hostname-matching perspective.

For example, consider two HTTPS listeners on the same port:

  • listener A:
    • hostname: unset
    • certificate SANs:
      • *.example-a.com
  • listener B:
    • hostname: service.example-b.com
    • certificate SANs:
      • service.example-b.com

In this setup, Envoy Gateway can consider the listeners overlapping because listener A has no hostname.

However, the certificates are disjoint:

  • listener A's certificate is not valid for service.example-b.com
  • listener B's certificate is not valid for *.example-a.com

So the warning may be acceptable, but automatically downgrading ALPN to HTTP/1.1 seems unnecessary because the certificate boundary already prevents the cross-origin reuse that GEP-3567 is concerned with.
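One way to express the proposed rule, as an added Go example that is not Envoy Gateway's own code: the `Listener` type, the function names and the wildcard-matching helper are assumptions, and the two listeners in `main` are the ones from the example above.

```go
package main

import (
	"fmt"
	"strings"
)
// Listener is an assumed stand-in (not Envoy Gateway's own type) for an HTTPS listener.
type Listener struct {
	Hostname string   // "" means unset, i.e. it matches any hostname on the port
	SANs     []string // DNS SANs of the attached certificate
}
// namesIntersect reports whether two DNS names (either may be a "*." wildcard, which
// stands for exactly one left-most label) can both match at least one concrete hostname.
func namesIntersect(a, b string) bool {
	a, b = strings.ToLower(a), strings.ToLower(b)
	if strings.HasPrefix(b, "*.") && !strings.HasPrefix(a, "*.") {
		a, b = b, a // put the wildcard, if any, in a
	}
	if !strings.HasPrefix(a, "*.") {
		return a == b
	}
	label := strings.TrimSuffix(b, a[1:]) // b must end in ".example-a.com" with one label before it
	return label != b && label != "" && !strings.Contains(label, ".")
}
// HostnamesOverlap is the existing check: an unset hostname overlaps everything on the port.
func HostnamesOverlap(x, y Listener) bool {
	return x.Hostname == "" || y.Hostname == "" || namesIntersect(x.Hostname, y.Hostname)
}
// SANsOverlap is the proposed extra condition: some hostname is covered by a SAN of both
// certificates, so a coalesced HTTP/2 connection could legitimately be reused across them.
func SANsOverlap(x, y Listener) bool {
	for _, a := range x.SANs {
		for _, b := range y.SANs {
			if namesIntersect(a, b) {
				return true
			}
		}
	}
	return false
}
// ShouldDowngradeALPN applies the issue's rule: downgrade only when both kinds overlap.
func ShouldDowngradeALPN(x, y Listener) bool {
	return HostnamesOverlap(x, y) && SANsOverlap(x, y)
}

func main() {
	a := Listener{SANs: []string{"*.example-a.com"}}
	b := Listener{Hostname: "service.example-b.com", SANs: []string{"service.example-b.com"}}
	fmt.Println(HostnamesOverlap(a, b), ShouldDowngradeALPN(a, b)) // true false
}
```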
