Skip to content

fix: restore last transition time in merge status conditions#8962

Merged
rudrakhp merged 2 commits into
envoyproxy:mainfrom
rudrakhp:restore_ltt_merge
May 12, 2026
Merged

fix: restore last transition time in merge status conditions#8962
rudrakhp merged 2 commits into
envoyproxy:mainfrom
rudrakhp:restore_ltt_merge

Conversation

@rudrakhp

Copy link
Copy Markdown
Member

Restore #7451
Fixes #8953

@rudrakhp rudrakhp requested a review from a team as a code owner May 11, 2026 17:07
@netlify

netlify Bot commented May 11, 2026

Copy link
Copy Markdown

Deploy Preview for cerulean-figolla-1f9435 ready!

Name Link
🔨 Latest commit 600e467
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/6a02c83382c04d00083b1898
😎 Deploy Preview https://deploy-preview-8962--cerulean-figolla-1f9435.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@codecov

codecov Bot commented May 11, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.72%. Comparing base (cbb4337) to head (600e467).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8962      +/-   ##
==========================================
- Coverage   74.75%   74.72%   -0.04%     
==========================================
  Files         251      251              
  Lines       40394    40397       +3     
==========================================
- Hits        30197    30187      -10     
- Misses       8130     8142      +12     
- Partials     2067     2068       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@rudrakhp rudrakhp added this to the v1.8.0 Release milestone May 12, 2026
zirain
zirain previously approved these changes May 12, 2026

@zirain zirain left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Release note requried for backport.

zhaohuabing
zhaohuabing previously approved these changes May 12, 2026
Signed-off-by: Rudrakh Panigrahi <[email protected]>
@rudrakhp rudrakhp dismissed stale reviews from zhaohuabing and zirain via 600e467 May 12, 2026 06:26
@rudrakhp rudrakhp requested review from zhaohuabing and zirain May 12, 2026 06:28
@rudrakhp rudrakhp merged commit 9430ab9 into envoyproxy:main May 12, 2026
61 of 65 checks passed
jukie added a commit to jukie/gateway that referenced this pull request May 13, 2026
Resolved release-notes/current.yaml conflict:
- Dropped 4 bug fixes already migrated to release-notes/v1.8.0.yaml
- Kept envoyproxy#8962 fix (cherrypick targets v1.6.8/v1.7.4, not v1.8)
jukie added a commit to jukie/gateway that referenced this pull request May 13, 2026
Resolved release-notes/current.yaml conflict:
- Dropped 4 bug fixes already migrated to release-notes/v1.8.0.yaml
- Kept envoyproxy#8962 fix (cherrypick targets v1.6.8/v1.7.4, not v1.8)

Signed-off-by: jukie <[email protected]>
jukie added a commit that referenced this pull request May 13, 2026
* fix(api): increase RateLimitSelectCondition.headers MaxItems from 16 to 64 (#8906)

* fix(api): increase RateLimitSelectCondition.headers MaxItems from 16 to 64

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
Signed-off-by: wucm667 <[email protected]>
Signed-off-by: jukie <[email protected]>

* feat: policy field owner (#8538)

* feat: policy field owner

Signed-off-by: kkk777-7 <[email protected]>
Signed-off-by: jukie <[email protected]>

* skip invalid listener first in IR (#8577)

* skip invalid listener

Signed-off-by: zirain <[email protected]>

* fix specValid

Signed-off-by: zirain <[email protected]>

* nit

Signed-off-by: zirain <[email protected]>

* fix

Signed-off-by: zirain <[email protected]>

* MUST NOT pick one conflicting Listener as the winner

Signed-off-by: zirain <[email protected]>

* update

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>
Co-authored-by: Isaac Wilson <[email protected]>
Signed-off-by: jukie <[email protected]>

* fix: remove cross ns policy attachment status (#8901)

* Revert "add warning for partially accepted targets"

This reverts commit 5d88fbb.

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* remove warning condition for cross-ns policy attachments without referenceGrants

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

---------

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: jukie <[email protected]>

* feat: add runner event metrics (#8802)

* add metrics for runner

Signed-off-by: zirain <[email protected]>

* rename

Signed-off-by: zirain <[email protected]>

* rename

Signed-off-by: zirain <[email protected]>

* reuse

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>
Signed-off-by: Arko Dasgupta <[email protected]>
Co-authored-by: Arko Dasgupta <[email protected]>
Signed-off-by: jukie <[email protected]>

* fix: respect backend endpoint hostname for health checks (#8929)

* fix: respect backend endpoint hostname for health checks

### Summary
- Keep BackendTrafficPolicy HTTP health check hostnames as explicit cluster-level hosts, and leave route-derived host fallback to xDS cluster translation.
- Preserve Backend endpoint hostnames as per-endpoint overrides via Endpoint.HealthCheckConfig.hostname, ahead of the route fallback.
- Update gatewayapi/xDS fixtures, release notes, and generated API docs/CRDs for the host selection order.

### Test plan
- go test ./internal/ir
- go test ./internal/xds/translator
- go test ./internal/gatewayapi -run TestTranslate/backendtrafficpolicy
- go test ./internal/gatewayapi -run TestTranslate/(clienttrafficpolicy-http-health-check|envoyextensionpolicy-with-extproc-with-retries|envoyextensionpolicy-with-extproc-with-traffic-features|envoyproxy-accesslog-with-traffic|envoyproxy-tracing-backend-uds|envoyproxy-tracing-backend|securitypolicy-with-jwt-backendcluster|securitypolicy-with-jwt-backendsettings)
- make generate
- make manifests
- git diff --check

Signed-off-by: Arko Dasgupta <[email protected]>
Co-authored-by: Codex <[email protected]>

* fix gen

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: Arko Dasgupta <[email protected]>
Signed-off-by: zirain <[email protected]>
Co-authored-by: Codex <[email protected]>
Co-authored-by: zirain <[email protected]>
Signed-off-by: jukie <[email protected]>

* fix(helm): propagate commonLabels to RBAC resources (#8818)

* feat(helm): propagate commonLabels to RBAC resources

Issue #8817 reported that 'helm template ... --set
commonLabels.custom-label=custom-value' left ClusterRole,
ClusterRoleBinding, Role, and RoleBinding resources unlabelled.
The other resources in the chart already include 'eg.labels' in
their metadata - which picks up 'commonLabels' via the helper
at _helpers.tpl:43 - but envoy-gateway-rbac.yaml didn't set any
labels block.

Add 'labels: {{- include "eg.labels" . | nindent 4 }}' on every
Role / RoleBinding / ClusterRole / ClusterRoleBinding declared in
envoy-gateway-rbac.yaml. Matches the existing labels pattern used
in certgen-rbac.yaml and envoy-gateway-deployment.yaml. Scopes are
'$' inside the watched-namespaces 'range' and '.' at the template
root, same rule the helper block inside the file already used.

Verified locally with:
  helm dependency update charts/gateway-helm
  envsubst < charts/gateway-helm/values.tmpl.yaml > \
    charts/gateway-helm/values.yaml
  helm template eg charts/gateway-helm \
    --set commonLabels.custom-label=custom-value | yq ...

All four RBAC resources now emit 'custom-label: custom-value' in
their metadata.labels, matching the issue's repro steps. Cert-gen
RBAC resources already carried it; this PR brings the core
envoy-gateway RBAC set into parity.

Fixes #8817

Signed-off-by: Matt Van Horn <[email protected]>

* chore: regenerate helm-template snapshots for RBAC labels

Run 'make helm-template.gateway-helm' to regenerate the snapshot fixtures
after the envoy-gateway-rbac.yaml labels change. Adds the 'labels:' block
to the RBAC resources in all 27 test cases.

Signed-off-by: Matt Van Horn <[email protected]>

* fix gen

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* add release note

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

---------

Signed-off-by: Matt Van Horn <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Matt Van Horn <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: jukie <[email protected]>

* fix(translator): set ListenerSet and listener Accepted:True for InvalidCertificateRef (#8871)

* fix(translator): set ListenerSet and listener Accepted:True for InvalidCertificateRef

When a ListenerSet listener has an unresolvable TLS certificate reference
(InvalidCertificateRef or RefNotPermitted), Accepted: False was incorrectly
set on both the listener and ListenerSet object. The Gateway API spec places
InvalidCertificateRef exclusively under ResolvedRefs, not Accepted — a missing
certificate is a reference resolution concern, not a structural one.

Fixes #8870

Signed-off-by: apkatsikas <[email protected]>

* chore: fix gofumpt formatting in validateListenerConditions

Signed-off-by: apkatsikas <[email protected]>

* fix(translator): separate RefNotPermitted from InvalidCertificateRef handling

Unlike InvalidCertificateRef, RefNotPermitted should not set Accepted:True.
Update unit test fixtures to match.

Signed-off-by: apkatsikas <[email protected]>

* fix gen

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: apkatsikas <[email protected]>
Signed-off-by: zirain <[email protected]>
Signed-off-by: jukie <[email protected]>

* fix: do not downgrade ALPN for only hostnames-overlapping listeners (#8934)

fix: do not downgrade ALPN for overlapping hostnames withoug SANs overlapping

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: jukie <[email protected]>

* feat: enableDeferredCreationStats by default (#8937)

* feat: enableDeferredCreationStats by default

Signed-off-by: zirain <[email protected]>
Signed-off-by: jukie <[email protected]>

* fix: restore last transition time in merge status conditions (#8962)

* fix: restore last transition time in merge status conditions

Signed-off-by: Rudrakh Panigrahi <[email protected]>

* add release note

Signed-off-by: Rudrakh Panigrahi <[email protected]>

---------

Signed-off-by: Rudrakh Panigrahi <[email protected]>
Signed-off-by: jukie <[email protected]>

* [release/v1.8] v1.8.0 release notes

Cherry-picked release-notes/v1.8.0.yaml and VERSION bump from #8942.

Signed-off-by: jukie <[email protected]>

---------

Signed-off-by: wucm667 <[email protected]>
Signed-off-by: jukie <[email protected]>
Signed-off-by: kkk777-7 <[email protected]>
Signed-off-by: zirain <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: Arko Dasgupta <[email protected]>
Signed-off-by: Arko Dasgupta <[email protected]>
Signed-off-by: Matt Van Horn <[email protected]>
Signed-off-by: apkatsikas <[email protected]>
Signed-off-by: Rudrakh Panigrahi <[email protected]>
Co-authored-by: wucm667 <[email protected]>
Co-authored-by: Claude Sonnet 4.6 <[email protected]>
Co-authored-by: Kota Kimura <[email protected]>
Co-authored-by: zirain <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Arko Dasgupta <[email protected]>
Co-authored-by: Codex <[email protected]>
Co-authored-by: Matt Van Horn <[email protected]>
Co-authored-by: Matt Van Horn <[email protected]>
Co-authored-by: Andrew Katsikas <[email protected]>
Co-authored-by: Rudrakh Panigrahi <[email protected]>
rudrakhp added a commit to rudrakhp/gateway that referenced this pull request May 13, 2026
…oxy#8962)

* fix: restore last transition time in merge status conditions

Signed-off-by: Rudrakh Panigrahi <[email protected]>

* add release note

Signed-off-by: Rudrakh Panigrahi <[email protected]>

---------

Signed-off-by: Rudrakh Panigrahi <[email protected]>
rudrakhp added a commit to rudrakhp/gateway that referenced this pull request May 13, 2026
…oxy#8962)

* fix: restore last transition time in merge status conditions

Signed-off-by: Rudrakh Panigrahi <[email protected]>

* add release note

Signed-off-by: Rudrakh Panigrahi <[email protected]>

---------

Signed-off-by: Rudrakh Panigrahi <[email protected]>
rudrakhp added a commit to rudrakhp/gateway that referenced this pull request May 13, 2026
…oxy#8962)

* fix: restore last transition time in merge status conditions

Signed-off-by: Rudrakh Panigrahi <[email protected]>

* add release note

Signed-off-by: Rudrakh Panigrahi <[email protected]>

---------

Signed-off-by: Rudrakh Panigrahi <[email protected]>
rudrakhp added a commit that referenced this pull request May 13, 2026
…tus conditions (#8962) (#8980)

fix: restore last transition time in merge status conditions (#8962)

* fix: restore last transition time in merge status conditions



* add release note



---------

Signed-off-by: Rudrakh Panigrahi <[email protected]>
nguyenptk pushed a commit to nguyenptk/gateway that referenced this pull request May 15, 2026
…oxy#8962)

* fix: restore last transition time in merge status conditions

Signed-off-by: Rudrakh Panigrahi <[email protected]>

* add release note

Signed-off-by: Rudrakh Panigrahi <[email protected]>

---------

Signed-off-by: Rudrakh Panigrahi <[email protected]>
Signed-off-by: nguyenptk <[email protected]>
@arkodg

arkodg commented May 17, 2026

Copy link
Copy Markdown
Contributor

hey @rudrakhp, did we hit this issue because we dont reset the Status for the Gateway ?
im trying to understand how we reached a case, where the LastTransitionTime was set

@rudrakhp

Copy link
Copy Markdown
Member Author

@arkodg LastTransitionTime is always set in the K8s informer cache. So it always evaluates to condition changed when compared to the one generated by us with no LastTransitionTime. So this is definitely the right thing to do.
But on second thought, I don't think this actually fixes the issue. See #8987

zirain pushed a commit to zirain/gateway that referenced this pull request Jun 3, 2026
…oxy#8962)

* fix: restore last transition time in merge status conditions

Signed-off-by: Rudrakh Panigrahi <[email protected]>

* add release note

Signed-off-by: Rudrakh Panigrahi <[email protected]>

---------

Signed-off-by: Rudrakh Panigrahi <[email protected]>
Signed-off-by: zirain <[email protected]>
zirain added a commit that referenced this pull request Jun 3, 2026
* fix: encode TLS secrets with canonical PEM formatting (#8744)

* exclude non-ready https

Signed-off-by: Karol Szwaj <[email protected]>

* prevent BoringSSL errors

Signed-off-by: Karol Szwaj <[email protected]>

* Add trailing newline to testdata PEMs

Signed-off-by: Karol Szwaj <[email protected]>

* add release notes

Signed-off-by: Karol Szwaj <[email protected]>

* use shallow copy instead of DeepCopy

Signed-off-by: Karol Szwaj <[email protected]>

* use maps.Clone for the data and split the PRs

Signed-off-by: Karol Szwaj <[email protected]>

---------

Signed-off-by: Karol Szwaj <[email protected]>
Signed-off-by: zirain <[email protected]>

* fix: restore last transition time in merge status conditions (#8962)

* fix: restore last transition time in merge status conditions

Signed-off-by: Rudrakh Panigrahi <[email protected]>

* add release note

Signed-off-by: Rudrakh Panigrahi <[email protected]>

---------

Signed-off-by: Rudrakh Panigrahi <[email protected]>
Signed-off-by: zirain <[email protected]>

* fix(xds): hot-reload xDS server cert in GatewayNamespaceMode (#8959)

* fix(xds): hot-reload xDS server cert in GatewayNamespaceMode

Signed-off-by: nguyenptk <[email protected]>

* extract loadServerTLSConfig helper and add tests

Signed-off-by: nguyenptk <[email protected]>

---------

Signed-off-by: nguyenptk <[email protected]>
Signed-off-by: Nguyên (Harry) <[email protected]>
Signed-off-by: zirain <[email protected]>

* fix(helm): correct typo in HPA maxReplicas required message (#9032)

Signed-off-by: benjaminch <[email protected]>
Signed-off-by: zirain <[email protected]>

* fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target (#9068)

* add passing testcase showing wildcard overriding sectioned backendTLSPolicy

Signed-off-by: AlecDiraimondo <[email protected]>

* fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target

When two BackendTLSPolicies target the same backend — one with sectionName
set, one without — the wildcard wins whenever it sorts earlier, since
policies are iterated in creationTimestamp order with no specificity
preference. The sectioned policy is silently dropped: never selected by
the translator, no status written.

Make getBackendTLSPolicy prefer policies with an explicit sectionName
match before falling back to wildcard matches. Matches the specificity
ordering SecurityPolicy already implements.

Refs #9035

Signed-off-by: AlecDiraimondo <[email protected]>

* update release notes

Signed-off-by: AlecDiraimondo <[email protected]>

* fixes from review: dedup helper, return early if backendTarget has no section specified

Signed-off-by: AlecDiraimondo <[email protected]>
Co-authored-by: Rudrakh Panigrahi <[email protected]>

---------

Signed-off-by: AlecDiraimondo <[email protected]>
Signed-off-by: Alec Diraimondo <[email protected]>
Co-authored-by: Rudrakh Panigrahi <[email protected]>
Signed-off-by: zirain <[email protected]>

* fix(egctl): skip missing CRDs in `x status` bulk modes (#9099)

`egctl x status all` (and `xroute`/`xpolicy`) aborted with an error when a
Gateway API CRD was not installed in the cluster (e.g. TCPRoute). Missing
CRDs are now skipped, and reported on stderr when `-v` is set. Explicit
single-resource invocations still error loudly so users get a clear signal
when a kind they asked for is unavailable.

Signed-off-by: Jeremiah Snapp <[email protected]>
Signed-off-by: zirain <[email protected]>

* fix(gatewayapi): reject unsupported BackendRef URLRewrite path rewrites (#9131)

gatewayapi: reject BackendRef URLRewrite path modifiers

Signed-off-by: Aditya7880900936 <[email protected]>
Signed-off-by: zirain <[email protected]>

* fix: force HTTP1 for Service/ServiceImport with websocket appProtocol (#9138)

force HTTP1 for Service/ServiceImport with websocket appProtocol

Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: zirain <[email protected]>

* fix gen

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: Karol Szwaj <[email protected]>
Signed-off-by: zirain <[email protected]>
Signed-off-by: Rudrakh Panigrahi <[email protected]>
Signed-off-by: nguyenptk <[email protected]>
Signed-off-by: Nguyên (Harry) <[email protected]>
Signed-off-by: benjaminch <[email protected]>
Signed-off-by: AlecDiraimondo <[email protected]>
Signed-off-by: Alec Diraimondo <[email protected]>
Signed-off-by: Jeremiah Snapp <[email protected]>
Signed-off-by: Aditya7880900936 <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Co-authored-by: Karol Szwaj <[email protected]>
Co-authored-by: Rudrakh Panigrahi <[email protected]>
Co-authored-by: Nguyên (Harry) <[email protected]>
Co-authored-by: BenjaminCh <[email protected]>
Co-authored-by: Alec Diraimondo <[email protected]>
Co-authored-by: Jeremiah Snapp <[email protected]>
Co-authored-by: Aditya Sanskar Srivastav <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>
zirain pushed a commit to cnvergence/gateway that referenced this pull request Jun 3, 2026
…oxy#8962)

* fix: restore last transition time in merge status conditions

Signed-off-by: Rudrakh Panigrahi <[email protected]>

* add release note

Signed-off-by: Rudrakh Panigrahi <[email protected]>

---------

Signed-off-by: Rudrakh Panigrahi <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>
zirain added a commit that referenced this pull request Jun 4, 2026
* fix: encode TLS secrets with canonical PEM formatting (#8744)

* exclude non-ready https

Signed-off-by: Karol Szwaj <[email protected]>

* prevent BoringSSL errors

Signed-off-by: Karol Szwaj <[email protected]>

* Add trailing newline to testdata PEMs

Signed-off-by: Karol Szwaj <[email protected]>

* add release notes

Signed-off-by: Karol Szwaj <[email protected]>

* use shallow copy instead of DeepCopy

Signed-off-by: Karol Szwaj <[email protected]>

* use maps.Clone for the data and split the PRs

Signed-off-by: Karol Szwaj <[email protected]>

---------

Signed-off-by: Karol Szwaj <[email protected]>

* fix(xds): hot-reload xDS server cert in GatewayNamespaceMode (#8959)

* fix(xds): hot-reload xDS server cert in GatewayNamespaceMode

Signed-off-by: nguyenptk <[email protected]>

* extract loadServerTLSConfig helper and add tests

Signed-off-by: nguyenptk <[email protected]>

---------

Signed-off-by: nguyenptk <[email protected]>
Signed-off-by: Nguyên (Harry) <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>

* fix: restore last transition time in merge status conditions (#8962)

* fix: restore last transition time in merge status conditions

Signed-off-by: Rudrakh Panigrahi <[email protected]>

* add release note

Signed-off-by: Rudrakh Panigrahi <[email protected]>

---------

Signed-off-by: Rudrakh Panigrahi <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>

* fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target (#9068)

* add passing testcase showing wildcard overriding sectioned backendTLSPolicy

Signed-off-by: AlecDiraimondo <[email protected]>

* fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target

When two BackendTLSPolicies target the same backend — one with sectionName
set, one without — the wildcard wins whenever it sorts earlier, since
policies are iterated in creationTimestamp order with no specificity
preference. The sectioned policy is silently dropped: never selected by
the translator, no status written.

Make getBackendTLSPolicy prefer policies with an explicit sectionName
match before falling back to wildcard matches. Matches the specificity
ordering SecurityPolicy already implements.

Refs #9035

Signed-off-by: AlecDiraimondo <[email protected]>

* update release notes

Signed-off-by: AlecDiraimondo <[email protected]>

* fixes from review: dedup helper, return early if backendTarget has no section specified

Signed-off-by: AlecDiraimondo <[email protected]>
Co-authored-by: Rudrakh Panigrahi <[email protected]>

---------

Signed-off-by: AlecDiraimondo <[email protected]>
Signed-off-by: Alec Diraimondo <[email protected]>
Co-authored-by: Rudrakh Panigrahi <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>

* skip invalid listener first in IR (#8577)

* skip invalid listener

Signed-off-by: zirain <[email protected]>

* fix specValid

Signed-off-by: zirain <[email protected]>

* nit

Signed-off-by: zirain <[email protected]>

* fix

Signed-off-by: zirain <[email protected]>

* MUST NOT pick one conflicting Listener as the winner

Signed-off-by: zirain <[email protected]>

* update

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>
Co-authored-by: Isaac Wilson <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>

* fix testdata

Signed-off-by: Karol Szwaj <[email protected]>

* Add v1.7.4 release notes

Signed-off-by: Karol Szwaj <[email protected]>

* update release notes

Signed-off-by: Karol Szwaj <[email protected]>
Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: Karol Szwaj <[email protected]>
Signed-off-by: nguyenptk <[email protected]>
Signed-off-by: Nguyên (Harry) <[email protected]>
Signed-off-by: Rudrakh Panigrahi <[email protected]>
Signed-off-by: AlecDiraimondo <[email protected]>
Signed-off-by: Alec Diraimondo <[email protected]>
Signed-off-by: zirain <[email protected]>
Co-authored-by: Nguyên (Harry) <[email protected]>
Co-authored-by: Rudrakh Panigrahi <[email protected]>
Co-authored-by: Alec Diraimondo <[email protected]>
Co-authored-by: zirain <[email protected]>
Co-authored-by: Isaac Wilson <[email protected]>
jukie added a commit that referenced this pull request Jun 5, 2026
* fix: restore last transition time in merge status conditions (#8962)

* fix: restore last transition time in merge status conditions

Signed-off-by: Rudrakh Panigrahi <[email protected]>

* add release note

Signed-off-by: Rudrakh Panigrahi <[email protected]>

---------

Signed-off-by: Rudrakh Panigrahi <[email protected]>
(cherry picked from commit 9430ab9)
Signed-off-by: jukie <[email protected]>

* fix: applyBackendTLSSetting panic (#8998)

* fix: applyBackendTLSSetting panic

Signed-off-by: zirain <[email protected]>
(cherry picked from commit b754b68)
Signed-off-by: jukie <[email protected]>

* fix(xds): hot-reload xDS server cert in GatewayNamespaceMode (#8959)

* fix(xds): hot-reload xDS server cert in GatewayNamespaceMode

Signed-off-by: nguyenptk <[email protected]>

* extract loadServerTLSConfig helper and add tests

Signed-off-by: nguyenptk <[email protected]>

---------

Signed-off-by: nguyenptk <[email protected]>
Signed-off-by: Nguyên (Harry) <[email protected]>
(cherry picked from commit 35c5a12)
Signed-off-by: jukie <[email protected]>

* fix(helm): correct typo in HPA maxReplicas required message (#9032)

Signed-off-by: benjaminch <[email protected]>
(cherry picked from commit 8da6dc7)
Signed-off-by: jukie <[email protected]>

* fix: allow IANA cipher names (#9073)

allow IANA cipher names

Signed-off-by: Huabing Zhao <[email protected]>
(cherry picked from commit ea41d6f)
Signed-off-by: jukie <[email protected]>

* fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target (#9068)

* add passing testcase showing wildcard overriding sectioned backendTLSPolicy

Signed-off-by: AlecDiraimondo <[email protected]>

* fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target

When two BackendTLSPolicies target the same backend — one with sectionName
set, one without — the wildcard wins whenever it sorts earlier, since
policies are iterated in creationTimestamp order with no specificity
preference. The sectioned policy is silently dropped: never selected by
the translator, no status written.

Make getBackendTLSPolicy prefer policies with an explicit sectionName
match before falling back to wildcard matches. Matches the specificity
ordering SecurityPolicy already implements.

Refs #9035

Signed-off-by: AlecDiraimondo <[email protected]>

* update release notes

Signed-off-by: AlecDiraimondo <[email protected]>

* fixes from review: dedup helper, return early if backendTarget has no section specified

Signed-off-by: AlecDiraimondo <[email protected]>
Co-authored-by: Rudrakh Panigrahi <[email protected]>

---------

Signed-off-by: AlecDiraimondo <[email protected]>
Signed-off-by: Alec Diraimondo <[email protected]>
Co-authored-by: Rudrakh Panigrahi <[email protected]>
(cherry picked from commit 07ec95c)
Signed-off-by: jukie <[email protected]>

* fix: encode TLS secrets with canonical PEM formatting (#8744)

* exclude non-ready https

Signed-off-by: Karol Szwaj <[email protected]>

* prevent BoringSSL errors

Signed-off-by: Karol Szwaj <[email protected]>

* Add trailing newline to testdata PEMs

Signed-off-by: Karol Szwaj <[email protected]>

* add release notes

Signed-off-by: Karol Szwaj <[email protected]>

* use shallow copy instead of DeepCopy

Signed-off-by: Karol Szwaj <[email protected]>

* use maps.Clone for the data and split the PRs

Signed-off-by: Karol Szwaj <[email protected]>

---------

Signed-off-by: Karol Szwaj <[email protected]>
(cherry picked from commit 560a262)
Signed-off-by: jukie <[email protected]>

* fix: MaxStreamDuration should worked for non-route cluster (#9028)

* fix: MaxStreamDuration should worked on commonHttpProtocolOptions

Signed-off-by: zirain <[email protected]>

* should only worked for non-route cluster

Signed-off-by: zirain <[email protected]>

* fix

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>
(cherry picked from commit 0edf51a)
Signed-off-by: jukie <[email protected]>

* fix(egctl): skip missing CRDs in `x status` bulk modes (#9099)

`egctl x status all` (and `xroute`/`xpolicy`) aborted with an error when a
Gateway API CRD was not installed in the cluster (e.g. TCPRoute). Missing
CRDs are now skipped, and reported on stderr when `-v` is set. Explicit
single-resource invocations still error loudly so users get a clear signal
when a kind they asked for is unavailable.

Signed-off-by: Jeremiah Snapp <[email protected]>
(cherry picked from commit 3ab110e)
Signed-off-by: jukie <[email protected]>

* fix(gatewayapi): reject unsupported BackendRef URLRewrite path rewrites (#9131)

gatewayapi: reject BackendRef URLRewrite path modifiers

Signed-off-by: Aditya7880900936 <[email protected]>
(cherry picked from commit acaf4cd)
Signed-off-by: jukie <[email protected]>

* fix: force HTTP1 for Service/ServiceImport with websocket appProtocol (#9138)

force HTTP1 for Service/ServiceImport with websocket appProtocol

Signed-off-by: Huabing Zhao <[email protected]>
(cherry picked from commit b1aa5d9)
Signed-off-by: jukie <[email protected]>

* fix: move validation admission policy outside of crds directory (#9024)

* move validation admission policy outside of crds directory

Signed-off-by: Huabing Zhao <[email protected]>

* fix upgrade

Signed-off-by: Huabing Zhao <[email protected]>

* add release note

Signed-off-by: Huabing Zhao <[email protected]>

* fix

Signed-off-by: Huabing Zhao <[email protected]>

* update docs

Signed-off-by: Huabing Zhao <[email protected]>

* address comment

Signed-off-by: Huabing Zhao <[email protected]>

* address comment

Signed-off-by: Huabing Zhao <[email protected]>

* address comments

Signed-off-by: Huabing Zhao <[email protected]>

* update relese note

Signed-off-by: Huabing Zhao <[email protected]>

* address comments

Signed-off-by: Huabing Zhao <[email protected]>

* fix gen

Signed-off-by: Huabing Zhao <[email protected]>

* use a more general name for this option

Signed-off-by: Huabing Zhao <[email protected]>

* update docs

Signed-off-by: Huabing Zhao <[email protected]>

* rename

Signed-off-by: Huabing Zhao <[email protected]>

* update test

Signed-off-by: Huabing Zhao <[email protected]>

* update release note

Signed-off-by: Huabing Zhao <[email protected]>

* fix gen

Signed-off-by: Huabing Zhao <[email protected]>

* rename supportingResources to safeUpgradePolicy

Signed-off-by: Huabing Zhao <[email protected]>

* update

Signed-off-by: Huabing Zhao <[email protected]>

---------

Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: zirain <[email protected]>
(cherry picked from commit 35ad8f2)
Signed-off-by: jukie <[email protected]>

* fix: alway include the controller namespace in the watched namespaces (#9100)

* always include the controller namespace in the k8s provider

Signed-off-by: Huabing Zhao <[email protected]>

* update docs

Signed-off-by: Huabing Zhao <[email protected]>
(cherry picked from commit 84be503d855e968b7b6999d476a6897e98d4e330)

* address comment

Signed-off-by: Huabing Zhao <[email protected]>

* address comments

Signed-off-by: Huabing Zhao <[email protected]>

* address comments

Signed-off-by: Huabing Zhao <[email protected]>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* minor changes

Signed-off-by: Huabing Zhao <[email protected]>

* fix test

Signed-off-by: Huabing Zhao <[email protected]>

* fix lint

Signed-off-by: Huabing Zhao <[email protected]>

* fix test

Signed-off-by: Huabing Zhao <[email protected]>

* fix test

Signed-off-by: Huabing Zhao <[email protected]>

* fix test

Signed-off-by: Huabing Zhao <[email protected]>

---------

Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
(cherry picked from commit 5266322)
Signed-off-by: jukie <[email protected]>

* test(helm): regenerate safe-upgrade-policy-disabled golden for release/v1.8

The safe-upgrade-policy-disabled test case added in #9024 shipped a golden
rendered against main's chart templates, which include features not present
on release/v1.8 (automountServiceAccountToken, expanded HPA RBAC verbs,
serviceaccount securityContext, ArgoCD/Flux hook comment). Regenerate the
golden against the release branch templates and restore the release-pinned
ratelimit image tag (ff287602).

Signed-off-by: jukie <[email protected]>

* regen

Signed-off-by: jukie <[email protected]>

* chore: bump golang to 1.26.4 (#9147)

Signed-off-by: zirain <[email protected]>
Signed-off-by: jukie <[email protected]>

---------

Signed-off-by: Rudrakh Panigrahi <[email protected]>
Signed-off-by: jukie <[email protected]>
Signed-off-by: zirain <[email protected]>
Signed-off-by: nguyenptk <[email protected]>
Signed-off-by: Nguyên (Harry) <[email protected]>
Signed-off-by: benjaminch <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: AlecDiraimondo <[email protected]>
Signed-off-by: Alec Diraimondo <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>
Signed-off-by: Jeremiah Snapp <[email protected]>
Signed-off-by: Aditya7880900936 <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Rudrakh Panigrahi <[email protected]>
Co-authored-by: zirain <[email protected]>
Co-authored-by: Nguyên (Harry) <[email protected]>
Co-authored-by: BenjaminCh <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Alec Diraimondo <[email protected]>
Co-authored-by: Karol Szwaj <[email protected]>
Co-authored-by: Jeremiah Snapp <[email protected]>
Co-authored-by: Aditya Sanskar Srivastav <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
cleman95 pushed a commit to cleman95/gateway that referenced this pull request Jun 25, 2026
…oxy#8962)

* fix: restore last transition time in merge status conditions

Signed-off-by: Rudrakh Panigrahi <[email protected]>

* add release note

Signed-off-by: Rudrakh Panigrahi <[email protected]>

---------

Signed-off-by: Rudrakh Panigrahi <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Bug: Gateway remains stuck in Programmed=False after backing LoadBalancer IP is restored

4 participants