fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target#9068
Conversation
✅ Deploy Preview for cerulean-figolla-1f9435 ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e23c272bf6
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
…Policy Signed-off-by: AlecDiraimondo <[email protected]>
…same target When two BackendTLSPolicies target the same backend — one with sectionName set, one without — the wildcard wins whenever it sorts earlier, since policies are iterated in creationTimestamp order with no specificity preference. The sectioned policy is silently dropped: never selected by the translator, no status written. Make getBackendTLSPolicy prefer policies with an explicit sectionName match before falling back to wildcard matches. Matches the specificity ordering SecurityPolicy already implements. Refs envoyproxy#9035 Signed-off-by: AlecDiraimondo <[email protected]>
1ff61c0 to
e5cfd08
Compare
|
Codex Review: Didn't find any major issues. Swish! ℹ️ About Codex in GitHubCodex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback". |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #9068 +/- ##
==========================================
- Coverage 74.80% 74.78% -0.03%
==========================================
Files 252 252
Lines 40592 40596 +4
==========================================
- Hits 30365 30359 -6
- Misses 8156 8164 +8
- Partials 2071 2073 +2 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
zirain
left a comment
There was a problem hiding this comment.
Can you add a release notes for this?
Signed-off-by: AlecDiraimondo <[email protected]>
Signed-off-by: Alec Diraimondo <[email protected]>
|
@zirain sorry had to rebase and dismiss review. Also how do I rerun the ci-checks? Was unable to find the button |
There was a problem hiding this comment.
| func backendTLSTargetMatched(policy *gwapiv1.BackendTLSPolicy, target gwapiv1.LocalPolicyTargetReferenceWithSectionName, backendNamespace string, shouldSectionNameMatch bool) bool { |
There was a problem hiding this comment.
Thanks ya thats what I was thinking to. Will commit the full changes and add you as coauthor
There was a problem hiding this comment.
Ok pushed these suggestions
… section specified Signed-off-by: AlecDiraimondo <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]>
|
/retest |
1 similar comment
|
/retest |
| 3eXE6nt0YkgtDxG22KqnhpAg9gUSs2hlhoxyvkzyF0mu6NhPlwAgnq7+/Q== | ||
| -----END CERTIFICATE----- | ||
|
|
||
| # Demonstrates a bug in backendtlspolicy.go::getBackendTLSPolicy: |
…same target (envoyproxy#9068) * add passing testcase showing wildcard overriding sectioned backendTLSPolicy Signed-off-by: AlecDiraimondo <[email protected]> * fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target When two BackendTLSPolicies target the same backend — one with sectionName set, one without — the wildcard wins whenever it sorts earlier, since policies are iterated in creationTimestamp order with no specificity preference. The sectioned policy is silently dropped: never selected by the translator, no status written. Make getBackendTLSPolicy prefer policies with an explicit sectionName match before falling back to wildcard matches. Matches the specificity ordering SecurityPolicy already implements. Refs envoyproxy#9035 Signed-off-by: AlecDiraimondo <[email protected]> * update release notes Signed-off-by: AlecDiraimondo <[email protected]> * fixes from review: dedup helper, return early if backendTarget has no section specified Signed-off-by: AlecDiraimondo <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]> --------- Signed-off-by: AlecDiraimondo <[email protected]> Signed-off-by: Alec Diraimondo <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: zirain <[email protected]>
* fix: encode TLS secrets with canonical PEM formatting (#8744) * exclude non-ready https Signed-off-by: Karol Szwaj <[email protected]> * prevent BoringSSL errors Signed-off-by: Karol Szwaj <[email protected]> * Add trailing newline to testdata PEMs Signed-off-by: Karol Szwaj <[email protected]> * add release notes Signed-off-by: Karol Szwaj <[email protected]> * use shallow copy instead of DeepCopy Signed-off-by: Karol Szwaj <[email protected]> * use maps.Clone for the data and split the PRs Signed-off-by: Karol Szwaj <[email protected]> --------- Signed-off-by: Karol Szwaj <[email protected]> Signed-off-by: zirain <[email protected]> * fix: restore last transition time in merge status conditions (#8962) * fix: restore last transition time in merge status conditions Signed-off-by: Rudrakh Panigrahi <[email protected]> * add release note Signed-off-by: Rudrakh Panigrahi <[email protected]> --------- Signed-off-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: zirain <[email protected]> * fix(xds): hot-reload xDS server cert in GatewayNamespaceMode (#8959) * fix(xds): hot-reload xDS server cert in GatewayNamespaceMode Signed-off-by: nguyenptk <[email protected]> * extract loadServerTLSConfig helper and add tests Signed-off-by: nguyenptk <[email protected]> --------- Signed-off-by: nguyenptk <[email protected]> Signed-off-by: Nguyên (Harry) <[email protected]> Signed-off-by: zirain <[email protected]> * fix(helm): correct typo in HPA maxReplicas required message (#9032) Signed-off-by: benjaminch <[email protected]> Signed-off-by: zirain <[email protected]> * fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target (#9068) * add passing testcase showing wildcard overriding sectioned backendTLSPolicy Signed-off-by: AlecDiraimondo <[email protected]> * fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target When two BackendTLSPolicies target the same backend — one with sectionName set, one without — the wildcard wins whenever it sorts earlier, since policies are iterated in creationTimestamp order with no specificity preference. The sectioned policy is silently dropped: never selected by the translator, no status written. Make getBackendTLSPolicy prefer policies with an explicit sectionName match before falling back to wildcard matches. Matches the specificity ordering SecurityPolicy already implements. Refs #9035 Signed-off-by: AlecDiraimondo <[email protected]> * update release notes Signed-off-by: AlecDiraimondo <[email protected]> * fixes from review: dedup helper, return early if backendTarget has no section specified Signed-off-by: AlecDiraimondo <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]> --------- Signed-off-by: AlecDiraimondo <[email protected]> Signed-off-by: Alec Diraimondo <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: zirain <[email protected]> * fix(egctl): skip missing CRDs in `x status` bulk modes (#9099) `egctl x status all` (and `xroute`/`xpolicy`) aborted with an error when a Gateway API CRD was not installed in the cluster (e.g. TCPRoute). Missing CRDs are now skipped, and reported on stderr when `-v` is set. Explicit single-resource invocations still error loudly so users get a clear signal when a kind they asked for is unavailable. Signed-off-by: Jeremiah Snapp <[email protected]> Signed-off-by: zirain <[email protected]> * fix(gatewayapi): reject unsupported BackendRef URLRewrite path rewrites (#9131) gatewayapi: reject BackendRef URLRewrite path modifiers Signed-off-by: Aditya7880900936 <[email protected]> Signed-off-by: zirain <[email protected]> * fix: force HTTP1 for Service/ServiceImport with websocket appProtocol (#9138) force HTTP1 for Service/ServiceImport with websocket appProtocol Signed-off-by: Huabing Zhao <[email protected]> Signed-off-by: zirain <[email protected]> * fix gen Signed-off-by: zirain <[email protected]> --------- Signed-off-by: Karol Szwaj <[email protected]> Signed-off-by: zirain <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: nguyenptk <[email protected]> Signed-off-by: Nguyên (Harry) <[email protected]> Signed-off-by: benjaminch <[email protected]> Signed-off-by: AlecDiraimondo <[email protected]> Signed-off-by: Alec Diraimondo <[email protected]> Signed-off-by: Jeremiah Snapp <[email protected]> Signed-off-by: Aditya7880900936 <[email protected]> Signed-off-by: Huabing Zhao <[email protected]> Co-authored-by: Karol Szwaj <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]> Co-authored-by: Nguyên (Harry) <[email protected]> Co-authored-by: BenjaminCh <[email protected]> Co-authored-by: Alec Diraimondo <[email protected]> Co-authored-by: Jeremiah Snapp <[email protected]> Co-authored-by: Aditya Sanskar Srivastav <[email protected]> Co-authored-by: Huabing (Robin) Zhao <[email protected]>
…same target (envoyproxy#9068) * add passing testcase showing wildcard overriding sectioned backendTLSPolicy Signed-off-by: AlecDiraimondo <[email protected]> * fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target When two BackendTLSPolicies target the same backend — one with sectionName set, one without — the wildcard wins whenever it sorts earlier, since policies are iterated in creationTimestamp order with no specificity preference. The sectioned policy is silently dropped: never selected by the translator, no status written. Make getBackendTLSPolicy prefer policies with an explicit sectionName match before falling back to wildcard matches. Matches the specificity ordering SecurityPolicy already implements. Refs envoyproxy#9035 Signed-off-by: AlecDiraimondo <[email protected]> * update release notes Signed-off-by: AlecDiraimondo <[email protected]> * fixes from review: dedup helper, return early if backendTarget has no section specified Signed-off-by: AlecDiraimondo <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]> --------- Signed-off-by: AlecDiraimondo <[email protected]> Signed-off-by: Alec Diraimondo <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: Karol Szwaj <[email protected]>
* fix: encode TLS secrets with canonical PEM formatting (#8744) * exclude non-ready https Signed-off-by: Karol Szwaj <[email protected]> * prevent BoringSSL errors Signed-off-by: Karol Szwaj <[email protected]> * Add trailing newline to testdata PEMs Signed-off-by: Karol Szwaj <[email protected]> * add release notes Signed-off-by: Karol Szwaj <[email protected]> * use shallow copy instead of DeepCopy Signed-off-by: Karol Szwaj <[email protected]> * use maps.Clone for the data and split the PRs Signed-off-by: Karol Szwaj <[email protected]> --------- Signed-off-by: Karol Szwaj <[email protected]> * fix(xds): hot-reload xDS server cert in GatewayNamespaceMode (#8959) * fix(xds): hot-reload xDS server cert in GatewayNamespaceMode Signed-off-by: nguyenptk <[email protected]> * extract loadServerTLSConfig helper and add tests Signed-off-by: nguyenptk <[email protected]> --------- Signed-off-by: nguyenptk <[email protected]> Signed-off-by: Nguyên (Harry) <[email protected]> Signed-off-by: Karol Szwaj <[email protected]> * fix: restore last transition time in merge status conditions (#8962) * fix: restore last transition time in merge status conditions Signed-off-by: Rudrakh Panigrahi <[email protected]> * add release note Signed-off-by: Rudrakh Panigrahi <[email protected]> --------- Signed-off-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: Karol Szwaj <[email protected]> * fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target (#9068) * add passing testcase showing wildcard overriding sectioned backendTLSPolicy Signed-off-by: AlecDiraimondo <[email protected]> * fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target When two BackendTLSPolicies target the same backend — one with sectionName set, one without — the wildcard wins whenever it sorts earlier, since policies are iterated in creationTimestamp order with no specificity preference. The sectioned policy is silently dropped: never selected by the translator, no status written. Make getBackendTLSPolicy prefer policies with an explicit sectionName match before falling back to wildcard matches. Matches the specificity ordering SecurityPolicy already implements. Refs #9035 Signed-off-by: AlecDiraimondo <[email protected]> * update release notes Signed-off-by: AlecDiraimondo <[email protected]> * fixes from review: dedup helper, return early if backendTarget has no section specified Signed-off-by: AlecDiraimondo <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]> --------- Signed-off-by: AlecDiraimondo <[email protected]> Signed-off-by: Alec Diraimondo <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: Karol Szwaj <[email protected]> * skip invalid listener first in IR (#8577) * skip invalid listener Signed-off-by: zirain <[email protected]> * fix specValid Signed-off-by: zirain <[email protected]> * nit Signed-off-by: zirain <[email protected]> * fix Signed-off-by: zirain <[email protected]> * MUST NOT pick one conflicting Listener as the winner Signed-off-by: zirain <[email protected]> * update Signed-off-by: zirain <[email protected]> --------- Signed-off-by: zirain <[email protected]> Co-authored-by: Isaac Wilson <[email protected]> Signed-off-by: Karol Szwaj <[email protected]> * fix testdata Signed-off-by: Karol Szwaj <[email protected]> * Add v1.7.4 release notes Signed-off-by: Karol Szwaj <[email protected]> * update release notes Signed-off-by: Karol Szwaj <[email protected]> Signed-off-by: zirain <[email protected]> --------- Signed-off-by: Karol Szwaj <[email protected]> Signed-off-by: nguyenptk <[email protected]> Signed-off-by: Nguyên (Harry) <[email protected]> Signed-off-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: AlecDiraimondo <[email protected]> Signed-off-by: Alec Diraimondo <[email protected]> Signed-off-by: zirain <[email protected]> Co-authored-by: Nguyên (Harry) <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]> Co-authored-by: Alec Diraimondo <[email protected]> Co-authored-by: zirain <[email protected]> Co-authored-by: Isaac Wilson <[email protected]>
* fix: restore last transition time in merge status conditions (#8962) * fix: restore last transition time in merge status conditions Signed-off-by: Rudrakh Panigrahi <[email protected]> * add release note Signed-off-by: Rudrakh Panigrahi <[email protected]> --------- Signed-off-by: Rudrakh Panigrahi <[email protected]> (cherry picked from commit 9430ab9) Signed-off-by: jukie <[email protected]> * fix: applyBackendTLSSetting panic (#8998) * fix: applyBackendTLSSetting panic Signed-off-by: zirain <[email protected]> (cherry picked from commit b754b68) Signed-off-by: jukie <[email protected]> * fix(xds): hot-reload xDS server cert in GatewayNamespaceMode (#8959) * fix(xds): hot-reload xDS server cert in GatewayNamespaceMode Signed-off-by: nguyenptk <[email protected]> * extract loadServerTLSConfig helper and add tests Signed-off-by: nguyenptk <[email protected]> --------- Signed-off-by: nguyenptk <[email protected]> Signed-off-by: Nguyên (Harry) <[email protected]> (cherry picked from commit 35c5a12) Signed-off-by: jukie <[email protected]> * fix(helm): correct typo in HPA maxReplicas required message (#9032) Signed-off-by: benjaminch <[email protected]> (cherry picked from commit 8da6dc7) Signed-off-by: jukie <[email protected]> * fix: allow IANA cipher names (#9073) allow IANA cipher names Signed-off-by: Huabing Zhao <[email protected]> (cherry picked from commit ea41d6f) Signed-off-by: jukie <[email protected]> * fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target (#9068) * add passing testcase showing wildcard overriding sectioned backendTLSPolicy Signed-off-by: AlecDiraimondo <[email protected]> * fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target When two BackendTLSPolicies target the same backend — one with sectionName set, one without — the wildcard wins whenever it sorts earlier, since policies are iterated in creationTimestamp order with no specificity preference. The sectioned policy is silently dropped: never selected by the translator, no status written. Make getBackendTLSPolicy prefer policies with an explicit sectionName match before falling back to wildcard matches. Matches the specificity ordering SecurityPolicy already implements. Refs #9035 Signed-off-by: AlecDiraimondo <[email protected]> * update release notes Signed-off-by: AlecDiraimondo <[email protected]> * fixes from review: dedup helper, return early if backendTarget has no section specified Signed-off-by: AlecDiraimondo <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]> --------- Signed-off-by: AlecDiraimondo <[email protected]> Signed-off-by: Alec Diraimondo <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]> (cherry picked from commit 07ec95c) Signed-off-by: jukie <[email protected]> * fix: encode TLS secrets with canonical PEM formatting (#8744) * exclude non-ready https Signed-off-by: Karol Szwaj <[email protected]> * prevent BoringSSL errors Signed-off-by: Karol Szwaj <[email protected]> * Add trailing newline to testdata PEMs Signed-off-by: Karol Szwaj <[email protected]> * add release notes Signed-off-by: Karol Szwaj <[email protected]> * use shallow copy instead of DeepCopy Signed-off-by: Karol Szwaj <[email protected]> * use maps.Clone for the data and split the PRs Signed-off-by: Karol Szwaj <[email protected]> --------- Signed-off-by: Karol Szwaj <[email protected]> (cherry picked from commit 560a262) Signed-off-by: jukie <[email protected]> * fix: MaxStreamDuration should worked for non-route cluster (#9028) * fix: MaxStreamDuration should worked on commonHttpProtocolOptions Signed-off-by: zirain <[email protected]> * should only worked for non-route cluster Signed-off-by: zirain <[email protected]> * fix Signed-off-by: zirain <[email protected]> --------- Signed-off-by: zirain <[email protected]> (cherry picked from commit 0edf51a) Signed-off-by: jukie <[email protected]> * fix(egctl): skip missing CRDs in `x status` bulk modes (#9099) `egctl x status all` (and `xroute`/`xpolicy`) aborted with an error when a Gateway API CRD was not installed in the cluster (e.g. TCPRoute). Missing CRDs are now skipped, and reported on stderr when `-v` is set. Explicit single-resource invocations still error loudly so users get a clear signal when a kind they asked for is unavailable. Signed-off-by: Jeremiah Snapp <[email protected]> (cherry picked from commit 3ab110e) Signed-off-by: jukie <[email protected]> * fix(gatewayapi): reject unsupported BackendRef URLRewrite path rewrites (#9131) gatewayapi: reject BackendRef URLRewrite path modifiers Signed-off-by: Aditya7880900936 <[email protected]> (cherry picked from commit acaf4cd) Signed-off-by: jukie <[email protected]> * fix: force HTTP1 for Service/ServiceImport with websocket appProtocol (#9138) force HTTP1 for Service/ServiceImport with websocket appProtocol Signed-off-by: Huabing Zhao <[email protected]> (cherry picked from commit b1aa5d9) Signed-off-by: jukie <[email protected]> * fix: move validation admission policy outside of crds directory (#9024) * move validation admission policy outside of crds directory Signed-off-by: Huabing Zhao <[email protected]> * fix upgrade Signed-off-by: Huabing Zhao <[email protected]> * add release note Signed-off-by: Huabing Zhao <[email protected]> * fix Signed-off-by: Huabing Zhao <[email protected]> * update docs Signed-off-by: Huabing Zhao <[email protected]> * address comment Signed-off-by: Huabing Zhao <[email protected]> * address comment Signed-off-by: Huabing Zhao <[email protected]> * address comments Signed-off-by: Huabing Zhao <[email protected]> * update relese note Signed-off-by: Huabing Zhao <[email protected]> * address comments Signed-off-by: Huabing Zhao <[email protected]> * fix gen Signed-off-by: Huabing Zhao <[email protected]> * use a more general name for this option Signed-off-by: Huabing Zhao <[email protected]> * update docs Signed-off-by: Huabing Zhao <[email protected]> * rename Signed-off-by: Huabing Zhao <[email protected]> * update test Signed-off-by: Huabing Zhao <[email protected]> * update release note Signed-off-by: Huabing Zhao <[email protected]> * fix gen Signed-off-by: Huabing Zhao <[email protected]> * rename supportingResources to safeUpgradePolicy Signed-off-by: Huabing Zhao <[email protected]> * update Signed-off-by: Huabing Zhao <[email protected]> --------- Signed-off-by: Huabing Zhao <[email protected]> Signed-off-by: Huabing (Robin) Zhao <[email protected]> Co-authored-by: zirain <[email protected]> (cherry picked from commit 35ad8f2) Signed-off-by: jukie <[email protected]> * fix: alway include the controller namespace in the watched namespaces (#9100) * always include the controller namespace in the k8s provider Signed-off-by: Huabing Zhao <[email protected]> * update docs Signed-off-by: Huabing Zhao <[email protected]> (cherry picked from commit 84be503d855e968b7b6999d476a6897e98d4e330) * address comment Signed-off-by: Huabing Zhao <[email protected]> * address comments Signed-off-by: Huabing Zhao <[email protected]> * address comments Signed-off-by: Huabing Zhao <[email protected]> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <[email protected]> Signed-off-by: Huabing (Robin) Zhao <[email protected]> * minor changes Signed-off-by: Huabing Zhao <[email protected]> * fix test Signed-off-by: Huabing Zhao <[email protected]> * fix lint Signed-off-by: Huabing Zhao <[email protected]> * fix test Signed-off-by: Huabing Zhao <[email protected]> * fix test Signed-off-by: Huabing Zhao <[email protected]> * fix test Signed-off-by: Huabing Zhao <[email protected]> --------- Signed-off-by: Huabing Zhao <[email protected]> Signed-off-by: Huabing (Robin) Zhao <[email protected]> Co-authored-by: Copilot Autofix powered by AI <[email protected]> (cherry picked from commit 5266322) Signed-off-by: jukie <[email protected]> * test(helm): regenerate safe-upgrade-policy-disabled golden for release/v1.8 The safe-upgrade-policy-disabled test case added in #9024 shipped a golden rendered against main's chart templates, which include features not present on release/v1.8 (automountServiceAccountToken, expanded HPA RBAC verbs, serviceaccount securityContext, ArgoCD/Flux hook comment). Regenerate the golden against the release branch templates and restore the release-pinned ratelimit image tag (ff287602). Signed-off-by: jukie <[email protected]> * regen Signed-off-by: jukie <[email protected]> * chore: bump golang to 1.26.4 (#9147) Signed-off-by: zirain <[email protected]> Signed-off-by: jukie <[email protected]> --------- Signed-off-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: jukie <[email protected]> Signed-off-by: zirain <[email protected]> Signed-off-by: nguyenptk <[email protected]> Signed-off-by: Nguyên (Harry) <[email protected]> Signed-off-by: benjaminch <[email protected]> Signed-off-by: Huabing Zhao <[email protected]> Signed-off-by: AlecDiraimondo <[email protected]> Signed-off-by: Alec Diraimondo <[email protected]> Signed-off-by: Karol Szwaj <[email protected]> Signed-off-by: Jeremiah Snapp <[email protected]> Signed-off-by: Aditya7880900936 <[email protected]> Signed-off-by: Huabing (Robin) Zhao <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]> Co-authored-by: zirain <[email protected]> Co-authored-by: Nguyên (Harry) <[email protected]> Co-authored-by: BenjaminCh <[email protected]> Co-authored-by: Huabing (Robin) Zhao <[email protected]> Co-authored-by: Alec Diraimondo <[email protected]> Co-authored-by: Karol Szwaj <[email protected]> Co-authored-by: Jeremiah Snapp <[email protected]> Co-authored-by: Aditya Sanskar Srivastav <[email protected]> Co-authored-by: Copilot Autofix powered by AI <[email protected]>
…same target (envoyproxy#9068) * add passing testcase showing wildcard overriding sectioned backendTLSPolicy Signed-off-by: AlecDiraimondo <[email protected]> * fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target When two BackendTLSPolicies target the same backend — one with sectionName set, one without — the wildcard wins whenever it sorts earlier, since policies are iterated in creationTimestamp order with no specificity preference. The sectioned policy is silently dropped: never selected by the translator, no status written. Make getBackendTLSPolicy prefer policies with an explicit sectionName match before falling back to wildcard matches. Matches the specificity ordering SecurityPolicy already implements. Refs envoyproxy#9035 Signed-off-by: AlecDiraimondo <[email protected]> * update release notes Signed-off-by: AlecDiraimondo <[email protected]> * fixes from review: dedup helper, return early if backendTarget has no section specified Signed-off-by: AlecDiraimondo <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]> --------- Signed-off-by: AlecDiraimondo <[email protected]> Signed-off-by: Alec Diraimondo <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]>
What this PR does / why we need it
This PR makes
getBackendTLSPolicyprefer policies with an explicitsectionNamematch before falling back to wildcard matches. The pattern mirrors the specificity orderingSecurityPolicyimplements, for example.Currently, when two
BackendTLSPoliciestarget the same backend — one withsectionNameset, one without — the wildcard policy wins whenever it sorts earlier, since policies are iterated increationTimestamporder with no specificity preference. The sectioned policy is silently dropped: never selected by the translator, no status written.The Gateway API BackendTLSPolicy spec states precedence checks should happen at matching sectionName and target. This is slightly up for interpretation, but honoring the more specific match seems to be the more idiomatic approach.
The existing conformity test for gatewayAPI passes https://github.com/kubernetes-sigs/gateway-api/blob/3e4ef89ce6d9a21202275739566d7c649211620c/conformance/tests/backendtlspolicy-conflict-resolution.go#L117-L152 due to the sectioned backendTLSPolicy being created first
The included testdata case (
backendtlspolicy-wildcard-older-than-sectioned) demonstrates this case, and the golden config shows the corrected behavior:policy-sectioned.status.ancestorsnow populates withAccepted: True(wasnull).sniflips fromwildcard.example.com→sectioned.example.com.Which issue(s) this PR fixes
Fixes #9035