fix(tranlator): SubjectAltNames were being dropped from BackendTLSPolicy.validation (#6092)
Force-pushed 634c33d to 50038d4.
Review comment on internal/ir/xds.go (outdated):

- can we omit `Type` to save space, and convert `Hostname` and `URI` to pointers
- the switch logic can be moved into the gateway api layer, so if we add any additional validation failure, it can be reported back in the status
Codecov Report. Attention: Patch coverage is

Coverage Diff (main vs #6092):

|          | main   | #6092  | +/- |
|----------|--------|--------|-----|
| Coverage | 70.49% | 70.49% |     |
| Files    | 217    | 217    |     |
| Lines    | 36191  | 36226  | +35 |
| Hits     | 25512  | 25539  | +27 |
| Misses   | 9166   | 9172   | +6  |
| Partials | 1513   | 1515   | +2  |

View full report in Codecov by Sentry.
thanks @ankushagarwal ! the PR looks good, added a comment
Force-pushed 3ebd3dd to 0376285.
Review comment: test both types of subjectAltNames: URI and DNS

Review comment: Extend the tldbundle test and add subjectAltNames with both uri and hostname types
Thank you for the feedback, @arkodg. Addressed your comment and added tests in both the places.
Signed-off-by: Ankush Agarwal <[email protected]>
Force-pushed 0376285 to ef5be49.
(attempted to fix lint failure)

still seeing them @ankushagarwal

running

nvm it won't, because the error is from
Signed-off-by: Ankush Agarwal <[email protected]>
Force-pushed becf0a5 to 88a551f.
Another attempt at fixing yamllint

@arkodg: Is the failing e2e-test a flake or a true test failure?

it's a flake, just waiting on a 2nd approval to merge this one
…icy.validation (envoyproxy#6092) * Add support for SubjectAltNames from BackendTLSPolicy.validation Signed-off-by: Ankush Agarwal <[email protected]> (cherry picked from commit 35420d5) Signed-off-by: Arko Dasgupta <[email protected]>
What this PR does / why we need it:

This PR adds support for configuring Subject Alternative Names (SANs) in the mTLS validation context for upstream connections, based on the `BackendTLSPolicy.validation.subjectAltNames` field as defined in the Gateway API (reference). Previously, only the `hostname` field was used to populate the Envoy config for upstream TLS validation. This change ensures that entries from `subjectAltNames` are also translated and included in the generated Envoy configuration, allowing for more flexible and secure mTLS setups (e.g., with Istio-managed sidecars or other backends requiring SAN matching).

Release Notes: Yes

- Added support for configuring Subject Alternative Names (SANs) in upstream mTLS validation via `BackendTLSPolicy.validation.subjectAltNames`.
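As an added illustration (not code from this PR or from Envoy Gateway), the translation the description and the review comment discuss: Gateway API SAN entries are validated in the gateway-api layer into a pointer-based IR without a `Type` field, then emitted as Envoy-style SAN matchers for the upstream validation context. The struct shapes, the stand-in `SANMatcher` type and the hostname-fallback precedence are assumptions.

```go
package main

import "fmt"

// SubjectAltName mirrors a Gateway API BackendTLSPolicy.validation.subjectAltNames entry
// (assumption: names follow the upstream type; only Hostname and URI types exist).
type SubjectAltName struct{ Type, Hostname, URI string }

// IRSubjectAltName follows the review suggestion: no Type field, exactly one pointer set.
type IRSubjectAltName struct{ Hostname, URI *string }
// SANMatcher stands in for Envoy's SubjectAltNameMatcher with an exact match (assumption).
type SANMatcher struct{ SanType, Exact string }

// ToIR validates each entry in the Gateway API layer, so any failure can be reported
// back in the policy status, and produces the pointer-based IR entries.
func ToIR(sans []SubjectAltName) ([]IRSubjectAltName, error) {
	out := make([]IRSubjectAltName, 0, len(sans))
	for i, s := range sans {
		switch s.Type {
		case "Hostname":
			if s.Hostname == "" || s.URI != "" {
				return nil, fmt.Errorf("subjectAltNames[%d]: type Hostname needs hostname only", i)
			}
			h := s.Hostname
			out = append(out, IRSubjectAltName{Hostname: &h})
		case "URI":
			if s.URI == "" || s.Hostname != "" {
				return nil, fmt.Errorf("subjectAltNames[%d]: type URI needs uri only", i)
			}
			u := s.URI
			out = append(out, IRSubjectAltName{URI: &u})
		default:
			return nil, fmt.Errorf("subjectAltNames[%d]: unsupported type %q", i, s.Type)
		}
	}
	return out, nil
}

// BuildSANMatchers emits the validation-context SAN matchers. Before this fix only the
// hostname was emitted; now configured SANs win and hostname is the fallback (assumed).
func BuildSANMatchers(hostname string, sans []IRSubjectAltName) []SANMatcher {
	out := make([]SANMatcher, 0, len(sans))
	for _, s := range sans {
		switch {
		case s.Hostname != nil: // Gateway API "Hostname" maps to Envoy SanType DNS
			out = append(out, SANMatcher{SanType: "DNS", Exact: *s.Hostname})
		case s.URI != nil:
			out = append(out, SANMatcher{SanType: "URI", Exact: *s.URI})
		}
	}
	if len(out) == 0 && hostname != "" {
		out = append(out, SANMatcher{SanType: "DNS", Exact: hostname})
	}
	return out
}
```

A policy with one Hostname and one URI entry yields a DNS and a URI matcher; a policy with no SANs falls back to a single DNS matcher on the hostname, which is all the pre-fix translation ever produced.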