Skip to content

fix: move validation admission policy outside of crds directory#9024

Merged
zirain merged 22 commits into
envoyproxy:mainfrom
zhaohuabing:fix-9015
Jun 3, 2026
Merged

fix: move validation admission policy outside of crds directory#9024
zirain merged 22 commits into
envoyproxy:mainfrom
zhaohuabing:fix-9015

Conversation

@zhaohuabing

@zhaohuabing zhaohuabing commented May 18, 2026

Copy link
Copy Markdown
Member

This PR moves validationAdmissionPolicy out of the crds directory and into the templates directory.

This fixes Flux installation as it treats all resources in the crds directory as CRDs.

Fixes #9015

Release Notes: Yes

@zhaohuabing zhaohuabing requested a review from a team as a code owner May 18, 2026 11:28
@netlify

netlify Bot commented May 18, 2026

Copy link
Copy Markdown

Deploy Preview for cerulean-figolla-1f9435 ready!

Name Link
🔨 Latest commit 1dd9595
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/6a1fd0fb8fc9ff00084c9f67
😎 Deploy Preview https://deploy-preview-9024--cerulean-figolla-1f9435.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a0caaf38c2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@zhaohuabing zhaohuabing marked this pull request as draft May 18, 2026 11:37
@codecov

codecov Bot commented May 18, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.77%. Comparing base (8d3cfb4) to head (1dd9595).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #9024   +/-   ##
=======================================
  Coverage   74.77%   74.77%           
=======================================
  Files         252      252           
  Lines       40675    40707   +32     
=======================================
+ Hits        30415    30440   +25     
- Misses       8179     8187    +8     
+ Partials     2081     2080    -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@zhaohuabing

Copy link
Copy Markdown
Member Author

@codex review

@zhaohuabing zhaohuabing marked this pull request as ready for review May 22, 2026 03:15

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c499193462

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@zhaohuabing zhaohuabing force-pushed the fix-9015 branch 2 times, most recently from 2e05bcc to d3ade13 Compare May 22, 2026 03:33
@zhaohuabing

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d3ade13519

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@zhaohuabing

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a12ec94e88

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@zhaohuabing

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 31c07399ba

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@zhaohuabing

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4376333a5d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
@zhaohuabing

Copy link
Copy Markdown
Member Author

@jukie @arkodg the release note has been updated to explain the required upgrade steps according to the discussion at today's meeting.

zirain
zirain previously approved these changes May 29, 2026
jukie
jukie previously approved these changes May 30, 2026
@@ -0,0 +1,3 @@
gatewayAPI:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@zhaohuabing zhaohuabing Jun 1, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it’s technically possible, but I think crds.gatewayAPI.supportingResources.enabled reads more clearly: the full path makes it explicit that these supporting resources are associated with the Gateway API CRDs. It also fits Helm’s existing value-scoping model better and stays consistent with crds.gatewayAPI.enabled / crds.gatewayAPI.channel.

If we prefer a top-level gatewayAPI.supportingResources.enabled value, I can move the VAP template into the main gateway-helm chart so it can read that value directly. My slight preference is to keep it in the crds subchart and expose it as crds.gatewayAPI.supportingResources.enabled, since these supporting resources are used for the Gateway API CRDs

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

its not a CRD so living under a crds.* field feels off

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

chatting with @zhaohuabing in DM, its fine to for it to live under crds since its related to CRDs, prefer a better enable/disable field

 gatewayAPI:
    safeUpgradePolicy:
      enabled: true

@zhaohuabing zhaohuabing requested a review from arkodg June 1, 2026 03:33
@zhaohuabing zhaohuabing dismissed stale reviews from jukie and zirain via 9338aef June 3, 2026 06:54
arkodg
arkodg previously approved these changes Jun 3, 2026
@arkodg arkodg requested a review from jukie June 3, 2026 06:55
Signed-off-by: Huabing Zhao <[email protected]>
@zirain zirain merged commit 35ad8f2 into envoyproxy:main Jun 3, 2026
66 of 68 checks passed
@zhaohuabing zhaohuabing deleted the fix-9015 branch June 3, 2026 08:59
jukie added a commit that referenced this pull request Jun 5, 2026
* fix: restore last transition time in merge status conditions (#8962)

* fix: restore last transition time in merge status conditions

Signed-off-by: Rudrakh Panigrahi <[email protected]>

* add release note

Signed-off-by: Rudrakh Panigrahi <[email protected]>

---------

Signed-off-by: Rudrakh Panigrahi <[email protected]>
(cherry picked from commit 9430ab9)
Signed-off-by: jukie <[email protected]>

* fix: applyBackendTLSSetting panic (#8998)

* fix: applyBackendTLSSetting panic

Signed-off-by: zirain <[email protected]>
(cherry picked from commit b754b68)
Signed-off-by: jukie <[email protected]>

* fix(xds): hot-reload xDS server cert in GatewayNamespaceMode (#8959)

* fix(xds): hot-reload xDS server cert in GatewayNamespaceMode

Signed-off-by: nguyenptk <[email protected]>

* extract loadServerTLSConfig helper and add tests

Signed-off-by: nguyenptk <[email protected]>

---------

Signed-off-by: nguyenptk <[email protected]>
Signed-off-by: Nguyên (Harry) <[email protected]>
(cherry picked from commit 35c5a12)
Signed-off-by: jukie <[email protected]>

* fix(helm): correct typo in HPA maxReplicas required message (#9032)

Signed-off-by: benjaminch <[email protected]>
(cherry picked from commit 8da6dc7)
Signed-off-by: jukie <[email protected]>

* fix: allow IANA cipher names (#9073)

allow IANA cipher names

Signed-off-by: Huabing Zhao <[email protected]>
(cherry picked from commit ea41d6f)
Signed-off-by: jukie <[email protected]>

* fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target (#9068)

* add passing testcase showing wildcard overriding sectioned backendTLSPolicy

Signed-off-by: AlecDiraimondo <[email protected]>

* fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target

When two BackendTLSPolicies target the same backend — one with sectionName
set, one without — the wildcard wins whenever it sorts earlier, since
policies are iterated in creationTimestamp order with no specificity
preference. The sectioned policy is silently dropped: never selected by
the translator, no status written.

Make getBackendTLSPolicy prefer policies with an explicit sectionName
match before falling back to wildcard matches. Matches the specificity
ordering SecurityPolicy already implements.

Refs #9035

Signed-off-by: AlecDiraimondo <[email protected]>

* update release notes

Signed-off-by: AlecDiraimondo <[email protected]>

* fixes from review: dedup helper, return early if backendTarget has no section specified

Signed-off-by: AlecDiraimondo <[email protected]>
Co-authored-by: Rudrakh Panigrahi <[email protected]>

---------

Signed-off-by: AlecDiraimondo <[email protected]>
Signed-off-by: Alec Diraimondo <[email protected]>
Co-authored-by: Rudrakh Panigrahi <[email protected]>
(cherry picked from commit 07ec95c)
Signed-off-by: jukie <[email protected]>

* fix: encode TLS secrets with canonical PEM formatting (#8744)

* exclude non-ready https

Signed-off-by: Karol Szwaj <[email protected]>

* prevent BoringSSL errors

Signed-off-by: Karol Szwaj <[email protected]>

* Add trailing newline to testdata PEMs

Signed-off-by: Karol Szwaj <[email protected]>

* add release notes

Signed-off-by: Karol Szwaj <[email protected]>

* use shallow copy instead of DeepCopy

Signed-off-by: Karol Szwaj <[email protected]>

* use maps.Clone for the data and split the PRs

Signed-off-by: Karol Szwaj <[email protected]>

---------

Signed-off-by: Karol Szwaj <[email protected]>
(cherry picked from commit 560a262)
Signed-off-by: jukie <[email protected]>

* fix: MaxStreamDuration should worked for non-route cluster (#9028)

* fix: MaxStreamDuration should worked on commonHttpProtocolOptions

Signed-off-by: zirain <[email protected]>

* should only worked for non-route cluster

Signed-off-by: zirain <[email protected]>

* fix

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>
(cherry picked from commit 0edf51a)
Signed-off-by: jukie <[email protected]>

* fix(egctl): skip missing CRDs in `x status` bulk modes (#9099)

`egctl x status all` (and `xroute`/`xpolicy`) aborted with an error when a
Gateway API CRD was not installed in the cluster (e.g. TCPRoute). Missing
CRDs are now skipped, and reported on stderr when `-v` is set. Explicit
single-resource invocations still error loudly so users get a clear signal
when a kind they asked for is unavailable.

Signed-off-by: Jeremiah Snapp <[email protected]>
(cherry picked from commit 3ab110e)
Signed-off-by: jukie <[email protected]>

* fix(gatewayapi): reject unsupported BackendRef URLRewrite path rewrites (#9131)

gatewayapi: reject BackendRef URLRewrite path modifiers

Signed-off-by: Aditya7880900936 <[email protected]>
(cherry picked from commit acaf4cd)
Signed-off-by: jukie <[email protected]>

* fix: force HTTP1 for Service/ServiceImport with websocket appProtocol (#9138)

force HTTP1 for Service/ServiceImport with websocket appProtocol

Signed-off-by: Huabing Zhao <[email protected]>
(cherry picked from commit b1aa5d9)
Signed-off-by: jukie <[email protected]>

* fix: move validation admission policy outside of crds directory (#9024)

* move validation admission policy outside of crds directory

Signed-off-by: Huabing Zhao <[email protected]>

* fix upgrade

Signed-off-by: Huabing Zhao <[email protected]>

* add release note

Signed-off-by: Huabing Zhao <[email protected]>

* fix

Signed-off-by: Huabing Zhao <[email protected]>

* update docs

Signed-off-by: Huabing Zhao <[email protected]>

* address comment

Signed-off-by: Huabing Zhao <[email protected]>

* address comment

Signed-off-by: Huabing Zhao <[email protected]>

* address comments

Signed-off-by: Huabing Zhao <[email protected]>

* update relese note

Signed-off-by: Huabing Zhao <[email protected]>

* address comments

Signed-off-by: Huabing Zhao <[email protected]>

* fix gen

Signed-off-by: Huabing Zhao <[email protected]>

* use a more general name for this option

Signed-off-by: Huabing Zhao <[email protected]>

* update docs

Signed-off-by: Huabing Zhao <[email protected]>

* rename

Signed-off-by: Huabing Zhao <[email protected]>

* update test

Signed-off-by: Huabing Zhao <[email protected]>

* update release note

Signed-off-by: Huabing Zhao <[email protected]>

* fix gen

Signed-off-by: Huabing Zhao <[email protected]>

* rename supportingResources to safeUpgradePolicy

Signed-off-by: Huabing Zhao <[email protected]>

* update

Signed-off-by: Huabing Zhao <[email protected]>

---------

Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: zirain <[email protected]>
(cherry picked from commit 35ad8f2)
Signed-off-by: jukie <[email protected]>

* fix: alway include the controller namespace in the watched namespaces (#9100)

* always include the controller namespace in the k8s provider

Signed-off-by: Huabing Zhao <[email protected]>

* update docs

Signed-off-by: Huabing Zhao <[email protected]>
(cherry picked from commit 84be503d855e968b7b6999d476a6897e98d4e330)

* address comment

Signed-off-by: Huabing Zhao <[email protected]>

* address comments

Signed-off-by: Huabing Zhao <[email protected]>

* address comments

Signed-off-by: Huabing Zhao <[email protected]>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* minor changes

Signed-off-by: Huabing Zhao <[email protected]>

* fix test

Signed-off-by: Huabing Zhao <[email protected]>

* fix lint

Signed-off-by: Huabing Zhao <[email protected]>

* fix test

Signed-off-by: Huabing Zhao <[email protected]>

* fix test

Signed-off-by: Huabing Zhao <[email protected]>

* fix test

Signed-off-by: Huabing Zhao <[email protected]>

---------

Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
(cherry picked from commit 5266322)
Signed-off-by: jukie <[email protected]>

* test(helm): regenerate safe-upgrade-policy-disabled golden for release/v1.8

The safe-upgrade-policy-disabled test case added in #9024 shipped a golden
rendered against main's chart templates, which include features not present
on release/v1.8 (automountServiceAccountToken, expanded HPA RBAC verbs,
serviceaccount securityContext, ArgoCD/Flux hook comment). Regenerate the
golden against the release branch templates and restore the release-pinned
ratelimit image tag (ff287602).

Signed-off-by: jukie <[email protected]>

* regen

Signed-off-by: jukie <[email protected]>

* chore: bump golang to 1.26.4 (#9147)

Signed-off-by: zirain <[email protected]>
Signed-off-by: jukie <[email protected]>

---------

Signed-off-by: Rudrakh Panigrahi <[email protected]>
Signed-off-by: jukie <[email protected]>
Signed-off-by: zirain <[email protected]>
Signed-off-by: nguyenptk <[email protected]>
Signed-off-by: Nguyên (Harry) <[email protected]>
Signed-off-by: benjaminch <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: AlecDiraimondo <[email protected]>
Signed-off-by: Alec Diraimondo <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>
Signed-off-by: Jeremiah Snapp <[email protected]>
Signed-off-by: Aditya7880900936 <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Rudrakh Panigrahi <[email protected]>
Co-authored-by: zirain <[email protected]>
Co-authored-by: Nguyên (Harry) <[email protected]>
Co-authored-by: BenjaminCh <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Alec Diraimondo <[email protected]>
Co-authored-by: Karol Szwaj <[email protected]>
Co-authored-by: Jeremiah Snapp <[email protected]>
Co-authored-by: Aditya Sanskar Srivastav <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
cleman95 pushed a commit to cleman95/gateway that referenced this pull request Jun 25, 2026
…yproxy#9024)

* move validation admission policy outside of crds directory

Signed-off-by: Huabing Zhao <[email protected]>

* fix upgrade

Signed-off-by: Huabing Zhao <[email protected]>

* add release note

Signed-off-by: Huabing Zhao <[email protected]>

* fix

Signed-off-by: Huabing Zhao <[email protected]>

* update docs

Signed-off-by: Huabing Zhao <[email protected]>

* address comment

Signed-off-by: Huabing Zhao <[email protected]>

* address comment

Signed-off-by: Huabing Zhao <[email protected]>

* address comments

Signed-off-by: Huabing Zhao <[email protected]>

* update relese note

Signed-off-by: Huabing Zhao <[email protected]>

* address comments

Signed-off-by: Huabing Zhao <[email protected]>

* fix gen

Signed-off-by: Huabing Zhao <[email protected]>

* use a more general name for this option

Signed-off-by: Huabing Zhao <[email protected]>

* update docs

Signed-off-by: Huabing Zhao <[email protected]>

* rename

Signed-off-by: Huabing Zhao <[email protected]>

* update test

Signed-off-by: Huabing Zhao <[email protected]>

* update release note

Signed-off-by: Huabing Zhao <[email protected]>

* fix gen

Signed-off-by: Huabing Zhao <[email protected]>

* rename supportingResources to safeUpgradePolicy

Signed-off-by: Huabing Zhao <[email protected]>

* update

Signed-off-by: Huabing Zhao <[email protected]>

---------

Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: zirain <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ValidatingAdmissionPolicy in charts/crds/crds/ (Helm CRD dir) breaks external CRD management tools

6 participants