MINOR: add TLS route example

Author: ivanmatmati

example/README.md

@@ -1,5 +1,47 @@
 ## HUG
 
+## HTTP Echo docker image
+
+### Building the `http-echo` Docker Image
+
+This example requires the **http-echo** Docker image, which is used as a simple backend application for testing TLS passthrough and HTTP routing.
+
+The source code for the image is located in the HAProxy Unified Gateway repository:
+
+[https://github.com/haproxytech/haproxy-unified-gateway](https://github.com/haproxytech/haproxy-unified-gateway)
+
+#### Steps to build the image
+
+1. Clone the repository (or navigate to the folder if you already have it):
+
+```bash
+git clone --depth 1 https://github.com/haproxytech/haproxy-unified-gateway
+cd haproxy-unified-gateway/ci/http-echo
+```
+
+2. Build the Docker image
+
+```sh
+docker build -t http-echo:latest .
+```
+
+3. Make the image available to your Kubernetes cluster
+
+* Option 1: Push to a Docker registry accessible from the cluster:
+
+```bash
+docker tag http-echo:latest <your-registry>/http-echo:latest
+docker push <your-registry>/http-echo:latest
+```
+
+* Option 2: Load the image into a Kind cluster (if you are using Kind)
+
+```sh
+kind load docker-image http-echo:latest --name <kind-cluster-name>
+```
+
+After the image is available in your cluster, you can apply the example manifests, and the TLSRoute/HTTPRoute examples will use this image as the backend.
+
 ### Gateway API
 
 * [Gateway API](./deploy/gateway-api/README.md): Gateway API resource.

example/tlsroute/sslpassthrough/README.md

@@ -0,0 +1,71 @@
+# TLSRoute SSL Passthrough Example
+
+This example demonstrates how to expose a backend application using **TLS passthrough** with a `TLSRoute` and the **HAProxy Kubernetes Gateway**.
+
+When using passthrough mode, the Gateway forwards the encrypted TLS stream directly to the backend service **without terminating TLS**. This allows the backend to present its own certificate.
+
+---
+
+## What is deployed
+
+This example installs the following resources:
+
+- **GatewayClass**:  
+  `haproxy` — defines a class of Gateways managed by the HAProxy Kubernetes Gateway controller.
+
+- **Gateway**:  
+  `tls-gateway` — exposes a listener on port **31443** configured for **TLS passthrough** and accepting routes for the hostname `example.local`.
+
+- **TLSRoute**:
+  - `tlsroute` — matches:
+    - SNI: `example.local`
+    - Any path  
+    and forwards traffic to the backend service `http-echo`, which terminates TLS.
+
+---
+
+## Deploying the example
+
+```bash
+kubectl apply -n <your example namespace> -f .
+```
+
+## Validating passthrough functionality
+
+To test traffic flow, open a shell inside the Gateway controller pod (or anywhere with network access to the Gateway listener).
+
+## Using curl
+
+Because the Gateway is in passthrough mode, the backend’s certificate should be presented directly to the client.
+
+Run:
+
+```sh
+curl -v -k \
+  -H "Host: example.local" \
+  --resolve "example.local:31443:127.0.0.1" \
+  https://example.local:31443/
+```
+You should observe:
+* The TLS handshake showing the backend’s certificate, not the Gateway’s.
+* A successful HTTP 200 response from the echo application.
+
+Example excerpt from the curl -v output:
+
+```
+* Server certificate:
+*  subject: C=FR; L=PARIS; O=Echo HTTP; CN=http-echo-5fbc86ccc-db9hh
+*  start date: Dec  2 09:22:28 2025 GMT
+*  expire date: Dec  2 09:22:28 2026 GMT
+*  issuer: C=FR; L=PARIS; O=Echo HTTP; CN=http-echo-5fbc86ccc-db9hh
+*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
+*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
+```
+
+This confirms that:
+
+1. The request reached the Gateway.
+
+2. The Gateway routed the encrypted TLS stream through to the backend.
+
+3. TLS termination occurred on the backend, proving that passthrough mode is functioning correctly.

example/tlsroute/sslpassthrough/gateway.yaml

@@ -0,0 +1,17 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: tls-gateway
+spec:
+  gatewayClassName: haproxy
+  listeners:
+    - allowedRoutes:
+        kinds:
+          - group: gateway.networking.k8s.io
+            kind: TLSRoute
+      hostname: example.local
+      name: tls
+      port: 31443
+      protocol: TLS
+      tls:
+        mode: Passthrough

example/tlsroute/sslpassthrough/gatewayclass.yaml

@@ -0,0 +1,6 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: haproxy
+spec:
+  controllerName: gate.haproxy.org/hug

example/tlsroute/sslpassthrough/http-echo.yaml

@@ -0,0 +1,42 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: http-echo
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: http-echo
+  template:
+    metadata:
+      labels:
+        app: http-echo
+    spec:
+      containers:
+        - name: http-echo
+          image: "haproxytech/http-echo:latest"
+          imagePullPolicy: Never
+          ports:
+            - name: http
+              containerPort: 8888
+              protocol: TCP
+            - name: https
+              containerPort: 8443
+              protocol: TCP
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: http-echo
+spec:
+  ports:
+    - name: http
+      protocol: TCP
+      port: 80
+      targetPort: http
+    - name: https
+      protocol: TCP
+      port: 443
+      targetPort: https
+  selector:
+    app: http-echo

example/tlsroute/sslpassthrough/tlsroute.yaml

@@ -0,0 +1,14 @@
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TLSRoute
+metadata:
+  name: tlsroute
+spec:
+  parentRefs:
+    - name: tls-gateway
+      sectionName: tls
+  hostnames:
+    - "example.local"
+  rules:
+    - backendRefs:
+        - name: http-echo
+          port: 443