Skip to content

[release-1.7] cherry pick for v1.7.4#9152

Merged
zirain merged 9 commits into
envoyproxy:release/v1.7from
zirain:cherry-pick/v1.7.4
Jun 3, 2026
Merged

[release-1.7] cherry pick for v1.7.4#9152
zirain merged 9 commits into
envoyproxy:release/v1.7from
zirain:cherry-pick/v1.7.4

Conversation

@zirain

@zirain zirain commented Jun 3, 2026

Copy link
Copy Markdown
Member

@zirain zirain requested a review from a team as a code owner June 3, 2026 10:31
cnvergence and others added 9 commits June 3, 2026 18:31
* exclude non-ready https

Signed-off-by: Karol Szwaj <[email protected]>

* prevent BoringSSL errors

Signed-off-by: Karol Szwaj <[email protected]>

* Add trailing newline to testdata PEMs

Signed-off-by: Karol Szwaj <[email protected]>

* add release notes

Signed-off-by: Karol Szwaj <[email protected]>

* use shallow copy instead of DeepCopy

Signed-off-by: Karol Szwaj <[email protected]>

* use maps.Clone for the data and split the PRs

Signed-off-by: Karol Szwaj <[email protected]>

---------

Signed-off-by: Karol Szwaj <[email protected]>
Signed-off-by: zirain <[email protected]>
…oxy#8962)

* fix: restore last transition time in merge status conditions

Signed-off-by: Rudrakh Panigrahi <[email protected]>

* add release note

Signed-off-by: Rudrakh Panigrahi <[email protected]>

---------

Signed-off-by: Rudrakh Panigrahi <[email protected]>
Signed-off-by: zirain <[email protected]>
…oxy#8959)

* fix(xds): hot-reload xDS server cert in GatewayNamespaceMode

Signed-off-by: nguyenptk <[email protected]>

* extract loadServerTLSConfig helper and add tests

Signed-off-by: nguyenptk <[email protected]>

---------

Signed-off-by: nguyenptk <[email protected]>
Signed-off-by: Nguyên (Harry) <[email protected]>
Signed-off-by: zirain <[email protected]>
…same target (envoyproxy#9068)

* add passing testcase showing wildcard overriding sectioned backendTLSPolicy

Signed-off-by: AlecDiraimondo <[email protected]>

* fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target

When two BackendTLSPolicies target the same backend — one with sectionName
set, one without — the wildcard wins whenever it sorts earlier, since
policies are iterated in creationTimestamp order with no specificity
preference. The sectioned policy is silently dropped: never selected by
the translator, no status written.

Make getBackendTLSPolicy prefer policies with an explicit sectionName
match before falling back to wildcard matches. Matches the specificity
ordering SecurityPolicy already implements.

Refs envoyproxy#9035

Signed-off-by: AlecDiraimondo <[email protected]>

* update release notes

Signed-off-by: AlecDiraimondo <[email protected]>

* fixes from review: dedup helper, return early if backendTarget has no section specified

Signed-off-by: AlecDiraimondo <[email protected]>
Co-authored-by: Rudrakh Panigrahi <[email protected]>

---------

Signed-off-by: AlecDiraimondo <[email protected]>
Signed-off-by: Alec Diraimondo <[email protected]>
Co-authored-by: Rudrakh Panigrahi <[email protected]>
Signed-off-by: zirain <[email protected]>
`egctl x status all` (and `xroute`/`xpolicy`) aborted with an error when a
Gateway API CRD was not installed in the cluster (e.g. TCPRoute). Missing
CRDs are now skipped, and reported on stderr when `-v` is set. Explicit
single-resource invocations still error loudly so users get a clear signal
when a kind they asked for is unavailable.

Signed-off-by: Jeremiah Snapp <[email protected]>
Signed-off-by: zirain <[email protected]>
…es (envoyproxy#9131)

gatewayapi: reject BackendRef URLRewrite path modifiers

Signed-off-by: Aditya7880900936 <[email protected]>
Signed-off-by: zirain <[email protected]>
…envoyproxy#9138)

force HTTP1 for Service/ServiceImport with websocket appProtocol

Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: zirain <[email protected]>
Signed-off-by: zirain <[email protected]>
@zirain zirain force-pushed the cherry-pick/v1.7.4 branch from f95140f to 8428d57 Compare June 3, 2026 10:32

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f95140f764

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment on lines +2548 to +2549
case ap == "kubernetes.io/ws" || ap == "kubernetes.io/wss":
return ir.HTTP

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Preserve HTTPS for WSS service ports on TLSRoutes

When a Service or ServiceImport port is marked appProtocol: kubernetes.io/wss and is used by a TLSRoute, processDestination starts with inspectAppProtocolByRouteKind returning ir.HTTPS, but this new mapping unconditionally downgrades it to ir.HTTP. That makes WSS backends behind TLSRoutes get a cleartext HTTP/1.1 upstream cluster instead of the HTTPS protocol they had before, so those backends will fail the TLS handshake; the WebSocket override needs to avoid changing an HTTPS default for WSS.

Useful? React with 👍 / 👎.

@zhaohuabing zhaohuabing Jun 3, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ds.Protocol only influences HTTP protocol options, like HTTP/2 enablement and the explicit HTTP/1 upstream setting path. For TLSRout, the route is translated as an ir.TCPRoute, and upstream TLS is governed by ds.TLS, not by Protocol: HTTPS.

So this is not a data-plane bug, but we could improve it to remain semantically accurate in a follow-up PR.

@codecov

codecov Bot commented Jun 3, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 83.51648% with 15 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.98%. Comparing base (20d7d74) to head (8428d57).

Files with missing lines Patch % Lines
internal/cmd/egctl/status.go 0.00% 12 Missing ⚠️
internal/xds/runner/runner.go 76.92% 3 Missing ⚠️
Additional details and impacted files
@@               Coverage Diff                @@
##           release/v1.7    #9152      +/-   ##
================================================
+ Coverage         73.95%   73.98%   +0.03%     
================================================
  Files               241      241              
  Lines             36959    37026      +67     
================================================
+ Hits              27334    27395      +61     
- Misses             7717     7723       +6     
  Partials           1908     1908              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@zhaohuabing

Copy link
Copy Markdown
Member

/retest

@zirain zirain merged commit 523b97f into envoyproxy:release/v1.7 Jun 3, 2026
81 of 95 checks passed
@zirain zirain deleted the cherry-pick/v1.7.4 branch June 3, 2026 21:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

10 participants