Filter Chain xDS difference between HTTP and HTTPS Listeners

[funkluk]

When defining HTTP and HTTPS listeners, the generated xDS looks different for these two types.

HTTP listeners create only one Listener, use the default_filter_chain, and distinguish the different hosts in the route configs.

In contrast, HTTPS listeners use the filter_chain and filter_chain_match option for the different listeners.

My question is, why was this implemented like this?
I could imagine that this is also somewhat related to the xDS Name Scheme V2?! But I could find anything about it.

I stumbled over this when I tried to apply different Client Traffic Policies(CTP) to different HTTP Listeners, which is not allowed:

ClientTrafficPolicy is being applied to multiple http (non https) listeners (...)  on the same port, which is not allowed.

Also, this needs to be handled properly in the implementation of an extension server as we need to distinguish these two cases.

So wouldn't it make sense to align the HTTP xDS using filter_chain instead default_filter_chain? This would allow the use of different CTP for HTTP and ease the extension server implementation.

I tried to illustrate the current situation a bit:

HTTPS

Listener (port 443)
├── FilterChain 1
│   └── filter_chain_match.server_names: ["foo.example.com"]
│   └── filters
│       └── Network Filters
│       └── HTTP Connection Manager
│       └── RouteConfigName: envoy-gateway-system/gw/foo.example.com-443
├── FilterChain 2
│   └── filter_chain_match.server_names: ["bar.example.com"]
│       └── Network Filters
│       └── HTTP Connection Manager
│       └── RouteConfigName: envoy-gateway-system/gw/bar.example.com-443

RouteConfigs
├── RouteConfig "envoy-gateway-system/gw/foo.example.com-443"
│   └── VirtualHost 1
│       └── domains: ["foo.example.com"]
│       └── Route → Cluster httproute/.../.../rule/0/...
├── RouteConfig "envoy-gateway-system/gw/bar.example.com-443"
│   └── VirtualHost 1
│       └── domains: ["bar.example.com"]
│       └── Route → Cluster httproute/.../.../rule/0/...

HTTP:

Listener (port 80)
├── DefaultFilterChain
│   └── Network Filters
│   └── HTTP Connection Manager
│       └── RouteConfigName: http-80

RouteConfigs
├── RouteConfig "http-80"
│   └── VirtualHost 1
│   │   └── domains: ["foo.example.com"]
│   │   └── Route → Cluster httproute/.../.../rule/0/...
│   └── VirtualHost 2
│       └── domains: ["bar.example.com"]
│       └── Route → Cluster httproute/.../.../rule/0/...

[arkodg]

https listeners can be mapped to a unique filter chain because they can be demuxed on SNI, http listeners cannot, so they are attached to the same filter chain

[funkluk]

Thanks for the reply, I totally missed that it is not possible to apply the filter_chains on the HTTP layer objects (RTFM).