fix: respect backend endpoint hostname for health checks#8929
Conversation
✅ Deploy Preview for cerulean-figolla-1f9435 ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a75aca7348
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| // If active HTTP health check has an explicit hostname override, keep that cluster-level host. | ||
| // A route-derived host is only a default, so Backend endpoint hostname can still override it | ||
| // through EndpointHealthCheckConfig. | ||
| if hc.Active.HTTP != nil && hc.Active.HTTP.Host != "" && hc.Active.HTTP.Host != "*" && !hc.Active.HTTP.HostFromRoute { |
There was a problem hiding this comment.
Add a release note for this bug fix
This change fixes user-visible health-check behavior and changes generated xDS by emitting Endpoint.HealthCheckConfig.hostname when the cluster-level host was only route-derived, but release-notes/current.yaml was not updated. The repo review checklist requires bug fixes (and generated Envoy config behavior changes) to be called out so operators relying on health-check behavior or xDS extensions can discover the change during upgrade.
Useful? React with 👍 / 👎.
| // Hostname defines the HTTP Host header used for active HTTP health checks. | ||
| // Host selection uses this order: this field, the associated Backend endpoint | ||
| // hostname if available, then the effective HTTPRoute or GRPCRoute hostname | ||
| // for the Gateway listener. |
There was a problem hiding this comment.
the API changed in a patch release?
There was a problem hiding this comment.
changed the doc string, to highlight the API
There was a problem hiding this comment.
need to update the v1.7 doc site manually, otherwise LGTM.
### Summary - Keep BackendTrafficPolicy HTTP health check hostnames as explicit cluster-level hosts, and leave route-derived host fallback to xDS cluster translation. - Preserve Backend endpoint hostnames as per-endpoint overrides via Endpoint.HealthCheckConfig.hostname, ahead of the route fallback. - Update gatewayapi/xDS fixtures, release notes, and generated API docs/CRDs for the host selection order. ### Test plan - go test ./internal/ir - go test ./internal/xds/translator - go test ./internal/gatewayapi -run TestTranslate/backendtrafficpolicy - go test ./internal/gatewayapi -run TestTranslate/(clienttrafficpolicy-http-health-check|envoyextensionpolicy-with-extproc-with-retries|envoyextensionpolicy-with-extproc-with-traffic-features|envoyproxy-accesslog-with-traffic|envoyproxy-tracing-backend-uds|envoyproxy-tracing-backend|securitypolicy-with-jwt-backendcluster|securitypolicy-with-jwt-backendsettings) - make generate - make manifests - git diff --check Signed-off-by: Arko Dasgupta <[email protected]> Co-authored-by: Codex <[email protected]>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #8929 +/- ##
==========================================
- Coverage 74.74% 74.73% -0.01%
==========================================
Files 251 251
Lines 40372 40370 -2
==========================================
- Hits 30176 30171 -5
- Misses 8130 8132 +2
- Partials 2066 2067 +1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
@albsga4 will this help on your case? |
Signed-off-by: zirain <[email protected]>
…8929) * fix: respect backend endpoint hostname for health checks - Keep BackendTrafficPolicy HTTP health check hostnames as explicit cluster-level hosts, and leave route-derived host fallback to xDS cluster translation. - Preserve Backend endpoint hostnames as per-endpoint overrides via Endpoint.HealthCheckConfig.hostname, ahead of the route fallback. - Update gatewayapi/xDS fixtures, release notes, and generated API docs/CRDs for the host selection order. - go test ./internal/ir - go test ./internal/xds/translator - go test ./internal/gatewayapi -run TestTranslate/backendtrafficpolicy - go test ./internal/gatewayapi -run TestTranslate/(clienttrafficpolicy-http-health-check|envoyextensionpolicy-with-extproc-with-retries|envoyextensionpolicy-with-extproc-with-traffic-features|envoyproxy-accesslog-with-traffic|envoyproxy-tracing-backend-uds|envoyproxy-tracing-backend|securitypolicy-with-jwt-backendcluster|securitypolicy-with-jwt-backendsettings) - make generate - make manifests - git diff --check Signed-off-by: Arko Dasgupta <[email protected]> Co-authored-by: Codex <[email protected]> * fix gen Signed-off-by: zirain <[email protected]> --------- Signed-off-by: Arko Dasgupta <[email protected]> Signed-off-by: zirain <[email protected]> Co-authored-by: Codex <[email protected]> Co-authored-by: zirain <[email protected]>
…8929) * fix: respect backend endpoint hostname for health checks - Keep BackendTrafficPolicy HTTP health check hostnames as explicit cluster-level hosts, and leave route-derived host fallback to xDS cluster translation. - Preserve Backend endpoint hostnames as per-endpoint overrides via Endpoint.HealthCheckConfig.hostname, ahead of the route fallback. - Update gatewayapi/xDS fixtures, release notes, and generated API docs/CRDs for the host selection order. - go test ./internal/ir - go test ./internal/xds/translator - go test ./internal/gatewayapi -run TestTranslate/backendtrafficpolicy - go test ./internal/gatewayapi -run TestTranslate/(clienttrafficpolicy-http-health-check|envoyextensionpolicy-with-extproc-with-retries|envoyextensionpolicy-with-extproc-with-traffic-features|envoyproxy-accesslog-with-traffic|envoyproxy-tracing-backend-uds|envoyproxy-tracing-backend|securitypolicy-with-jwt-backendcluster|securitypolicy-with-jwt-backendsettings) - make generate - make manifests - git diff --check Signed-off-by: Arko Dasgupta <[email protected]> Co-authored-by: Codex <[email protected]> * fix gen Signed-off-by: zirain <[email protected]> --------- Signed-off-by: Arko Dasgupta <[email protected]> Signed-off-by: zirain <[email protected]> Co-authored-by: Codex <[email protected]> Co-authored-by: zirain <[email protected]>
* fix json report (#8614) Signed-off-by: Huabing (Robin) Zhao <[email protected]> (cherry picked from commit 4768ca7) * fix: deep copy status in translator layer to avoid race (#8778) Signed-off-by: Rudrakh Panigrahi <[email protected]> (cherry picked from commit 3f70a89) * fix: force HTTP1 for upstream connections for WS and WSS backends (#8699) * force HTTP1 for upstream connections for WS and WSS backends Signed-off-by: Huabing (Robin) Zhao <[email protected]> * use different clusters for mixed upstream protocols Signed-off-by: Huabing (Robin) Zhao <[email protected]> * update Signed-off-by: Huabing (Robin) Zhao <[email protected]> * fix lint Signed-off-by: Huabing (Robin) Zhao <[email protected]> --------- Signed-off-by: Huabing (Robin) Zhao <[email protected]> (cherry picked from commit 7633125) * fix: reason with multiple errors rejected validation (#8859) * fix: reason with multiple errors rejected validation Signed-off-by: zirain <[email protected]> * release notes Signed-off-by: zirain <[email protected]> * fix lint Signed-off-by: zirain <[email protected]> --------- Signed-off-by: zirain <[email protected]> (cherry picked from commit 7811d86) * feat(chart): Allow configuring envoy proxy image via helm chart (#8785) * feat: Allow configuring envoy proxy defaults via helm chart This commit is a continuation of the previous work to support supplying default proxy settings added in #7698 and adds three new chart values under `global.images.envoyProxy`: | Value | Type | Default | Description | |----------------------------------------|--------|------|---------------------------------------------------------------------| | `global.images.envoyProxy.image` | string | `""` | Full image name (`registry/repo:tag`) for the Envoy Proxy container | | `global.images.envoyProxy.pullPolicy` | string | `""` | Image pull policy | | `global.images.envoyProxy.pullSecrets` | list | `[]` | Image pull secrets | When any of these are set, the chart generates an `envoyProxy:` block inside the `EnvoyGateway` ConfigMap, wiring into the existing `EnvoyGatewaySpec.envoyProxy` field (added in #7698). The global `imageRegistry` override takes highest precedence, consistent with other chart components. Full EnvoyProxy defaults (replicas, resources, etc.) can be provided via `config.envoyGateway.envoyProxy`; the image values are merged on top. Closes #4764. Signed-off-by: Michael Sommerville <[email protected]> (cherry picked from commit 8570285) * add rn and version bump Signed-off-by: Karol Szwaj <[email protected]> * fix: respect backend endpoint hostname for health checks (#8929) * fix: respect backend endpoint hostname for health checks - Keep BackendTrafficPolicy HTTP health check hostnames as explicit cluster-level hosts, and leave route-derived host fallback to xDS cluster translation. - Preserve Backend endpoint hostnames as per-endpoint overrides via Endpoint.HealthCheckConfig.hostname, ahead of the route fallback. - Update gatewayapi/xDS fixtures, release notes, and generated API docs/CRDs for the host selection order. - go test ./internal/ir - go test ./internal/xds/translator - go test ./internal/gatewayapi -run TestTranslate/backendtrafficpolicy - go test ./internal/gatewayapi -run TestTranslate/(clienttrafficpolicy-http-health-check|envoyextensionpolicy-with-extproc-with-retries|envoyextensionpolicy-with-extproc-with-traffic-features|envoyproxy-accesslog-with-traffic|envoyproxy-tracing-backend-uds|envoyproxy-tracing-backend|securitypolicy-with-jwt-backendcluster|securitypolicy-with-jwt-backendsettings) - make generate - make manifests - git diff --check Signed-off-by: Arko Dasgupta <[email protected]> Co-authored-by: Codex <[email protected]> * fix gen Signed-off-by: zirain <[email protected]> --------- Signed-off-by: Arko Dasgupta <[email protected]> Signed-off-by: zirain <[email protected]> Co-authored-by: Codex <[email protected]> Co-authored-by: zirain <[email protected]> * update release notes Signed-off-by: Karol Szwaj <[email protected]> * fix gen-check Signed-off-by: Karol Szwaj <[email protected]> * Revert "feat(chart): Allow configuring envoy proxy image via helm chart (#8785)" This reverts commit 092cc67. Signed-off-by: Karol Szwaj <[email protected]> --------- Signed-off-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: zirain <[email protected]> Signed-off-by: Michael Sommerville <[email protected]> Signed-off-by: Karol Szwaj <[email protected]> Signed-off-by: Arko Dasgupta <[email protected]> Co-authored-by: Huabing (Robin) Zhao <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]> Co-authored-by: zirain <[email protected]> Co-authored-by: Michael Sommerville <[email protected]> Co-authored-by: Arko Dasgupta <[email protected]> Co-authored-by: Codex <[email protected]>
* fix(api): increase RateLimitSelectCondition.headers MaxItems from 16 to 64 (#8906) * fix(api): increase RateLimitSelectCondition.headers MaxItems from 16 to 64 Co-Authored-By: Claude Sonnet 4.6 <[email protected]> Signed-off-by: wucm667 <[email protected]> Signed-off-by: jukie <[email protected]> * feat: policy field owner (#8538) * feat: policy field owner Signed-off-by: kkk777-7 <[email protected]> Signed-off-by: jukie <[email protected]> * skip invalid listener first in IR (#8577) * skip invalid listener Signed-off-by: zirain <[email protected]> * fix specValid Signed-off-by: zirain <[email protected]> * nit Signed-off-by: zirain <[email protected]> * fix Signed-off-by: zirain <[email protected]> * MUST NOT pick one conflicting Listener as the winner Signed-off-by: zirain <[email protected]> * update Signed-off-by: zirain <[email protected]> --------- Signed-off-by: zirain <[email protected]> Co-authored-by: Isaac Wilson <[email protected]> Signed-off-by: jukie <[email protected]> * fix: remove cross ns policy attachment status (#8901) * Revert "add warning for partially accepted targets" This reverts commit 5d88fbb. Signed-off-by: Huabing (Robin) Zhao <[email protected]> * remove warning condition for cross-ns policy attachments without referenceGrants Signed-off-by: Huabing (Robin) Zhao <[email protected]> --------- Signed-off-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: jukie <[email protected]> * feat: add runner event metrics (#8802) * add metrics for runner Signed-off-by: zirain <[email protected]> * rename Signed-off-by: zirain <[email protected]> * rename Signed-off-by: zirain <[email protected]> * reuse Signed-off-by: zirain <[email protected]> --------- Signed-off-by: zirain <[email protected]> Signed-off-by: Arko Dasgupta <[email protected]> Co-authored-by: Arko Dasgupta <[email protected]> Signed-off-by: jukie <[email protected]> * fix: respect backend endpoint hostname for health checks (#8929) * fix: respect backend endpoint hostname for health checks ### Summary - Keep BackendTrafficPolicy HTTP health check hostnames as explicit cluster-level hosts, and leave route-derived host fallback to xDS cluster translation. - Preserve Backend endpoint hostnames as per-endpoint overrides via Endpoint.HealthCheckConfig.hostname, ahead of the route fallback. - Update gatewayapi/xDS fixtures, release notes, and generated API docs/CRDs for the host selection order. ### Test plan - go test ./internal/ir - go test ./internal/xds/translator - go test ./internal/gatewayapi -run TestTranslate/backendtrafficpolicy - go test ./internal/gatewayapi -run TestTranslate/(clienttrafficpolicy-http-health-check|envoyextensionpolicy-with-extproc-with-retries|envoyextensionpolicy-with-extproc-with-traffic-features|envoyproxy-accesslog-with-traffic|envoyproxy-tracing-backend-uds|envoyproxy-tracing-backend|securitypolicy-with-jwt-backendcluster|securitypolicy-with-jwt-backendsettings) - make generate - make manifests - git diff --check Signed-off-by: Arko Dasgupta <[email protected]> Co-authored-by: Codex <[email protected]> * fix gen Signed-off-by: zirain <[email protected]> --------- Signed-off-by: Arko Dasgupta <[email protected]> Signed-off-by: zirain <[email protected]> Co-authored-by: Codex <[email protected]> Co-authored-by: zirain <[email protected]> Signed-off-by: jukie <[email protected]> * fix(helm): propagate commonLabels to RBAC resources (#8818) * feat(helm): propagate commonLabels to RBAC resources Issue #8817 reported that 'helm template ... --set commonLabels.custom-label=custom-value' left ClusterRole, ClusterRoleBinding, Role, and RoleBinding resources unlabelled. The other resources in the chart already include 'eg.labels' in their metadata - which picks up 'commonLabels' via the helper at _helpers.tpl:43 - but envoy-gateway-rbac.yaml didn't set any labels block. Add 'labels: {{- include "eg.labels" . | nindent 4 }}' on every Role / RoleBinding / ClusterRole / ClusterRoleBinding declared in envoy-gateway-rbac.yaml. Matches the existing labels pattern used in certgen-rbac.yaml and envoy-gateway-deployment.yaml. Scopes are '$' inside the watched-namespaces 'range' and '.' at the template root, same rule the helper block inside the file already used. Verified locally with: helm dependency update charts/gateway-helm envsubst < charts/gateway-helm/values.tmpl.yaml > \ charts/gateway-helm/values.yaml helm template eg charts/gateway-helm \ --set commonLabels.custom-label=custom-value | yq ... All four RBAC resources now emit 'custom-label: custom-value' in their metadata.labels, matching the issue's repro steps. Cert-gen RBAC resources already carried it; this PR brings the core envoy-gateway RBAC set into parity. Fixes #8817 Signed-off-by: Matt Van Horn <[email protected]> * chore: regenerate helm-template snapshots for RBAC labels Run 'make helm-template.gateway-helm' to regenerate the snapshot fixtures after the envoy-gateway-rbac.yaml labels change. Adds the 'labels:' block to the RBAC resources in all 27 test cases. Signed-off-by: Matt Van Horn <[email protected]> * fix gen Signed-off-by: Huabing (Robin) Zhao <[email protected]> * add release note Signed-off-by: Huabing (Robin) Zhao <[email protected]> --------- Signed-off-by: Matt Van Horn <[email protected]> Signed-off-by: Huabing (Robin) Zhao <[email protected]> Co-authored-by: Matt Van Horn <[email protected]> Co-authored-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: jukie <[email protected]> * fix(translator): set ListenerSet and listener Accepted:True for InvalidCertificateRef (#8871) * fix(translator): set ListenerSet and listener Accepted:True for InvalidCertificateRef When a ListenerSet listener has an unresolvable TLS certificate reference (InvalidCertificateRef or RefNotPermitted), Accepted: False was incorrectly set on both the listener and ListenerSet object. The Gateway API spec places InvalidCertificateRef exclusively under ResolvedRefs, not Accepted — a missing certificate is a reference resolution concern, not a structural one. Fixes #8870 Signed-off-by: apkatsikas <[email protected]> * chore: fix gofumpt formatting in validateListenerConditions Signed-off-by: apkatsikas <[email protected]> * fix(translator): separate RefNotPermitted from InvalidCertificateRef handling Unlike InvalidCertificateRef, RefNotPermitted should not set Accepted:True. Update unit test fixtures to match. Signed-off-by: apkatsikas <[email protected]> * fix gen Signed-off-by: zirain <[email protected]> --------- Signed-off-by: apkatsikas <[email protected]> Signed-off-by: zirain <[email protected]> Signed-off-by: jukie <[email protected]> * fix: do not downgrade ALPN for only hostnames-overlapping listeners (#8934) fix: do not downgrade ALPN for overlapping hostnames withoug SANs overlapping Signed-off-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: jukie <[email protected]> * feat: enableDeferredCreationStats by default (#8937) * feat: enableDeferredCreationStats by default Signed-off-by: zirain <[email protected]> Signed-off-by: jukie <[email protected]> * fix: restore last transition time in merge status conditions (#8962) * fix: restore last transition time in merge status conditions Signed-off-by: Rudrakh Panigrahi <[email protected]> * add release note Signed-off-by: Rudrakh Panigrahi <[email protected]> --------- Signed-off-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: jukie <[email protected]> * [release/v1.8] v1.8.0 release notes Cherry-picked release-notes/v1.8.0.yaml and VERSION bump from #8942. Signed-off-by: jukie <[email protected]> --------- Signed-off-by: wucm667 <[email protected]> Signed-off-by: jukie <[email protected]> Signed-off-by: kkk777-7 <[email protected]> Signed-off-by: zirain <[email protected]> Signed-off-by: Huabing (Robin) Zhao <[email protected]> Signed-off-by: Arko Dasgupta <[email protected]> Signed-off-by: Arko Dasgupta <[email protected]> Signed-off-by: Matt Van Horn <[email protected]> Signed-off-by: apkatsikas <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> Co-authored-by: wucm667 <[email protected]> Co-authored-by: Claude Sonnet 4.6 <[email protected]> Co-authored-by: Kota Kimura <[email protected]> Co-authored-by: zirain <[email protected]> Co-authored-by: Huabing (Robin) Zhao <[email protected]> Co-authored-by: Arko Dasgupta <[email protected]> Co-authored-by: Codex <[email protected]> Co-authored-by: Matt Van Horn <[email protected]> Co-authored-by: Matt Van Horn <[email protected]> Co-authored-by: Andrew Katsikas <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]>
Uh oh!
There was an error while loading. Please reload this page.