[release-1.7] cherry pick for v1.7.4#9152
Conversation
zirain
commented
Jun 3, 2026
- #8744 with SHA: 560a262
- #8962 with SHA: 9430ab9
- #8986 with SHA: f1f9829
- #8959 with SHA: 35c5a12
- #9032 with SHA: 8da6dc7
- #9068 with SHA: 07ec95c
- #9099 with SHA: 3ab110e
- #9131 with SHA: acaf4cd
- #9138 with SHA: b1aa5d9
* exclude non-ready https Signed-off-by: Karol Szwaj <[email protected]> * prevent BoringSSL errors Signed-off-by: Karol Szwaj <[email protected]> * Add trailing newline to testdata PEMs Signed-off-by: Karol Szwaj <[email protected]> * add release notes Signed-off-by: Karol Szwaj <[email protected]> * use shallow copy instead of DeepCopy Signed-off-by: Karol Szwaj <[email protected]> * use maps.Clone for the data and split the PRs Signed-off-by: Karol Szwaj <[email protected]> --------- Signed-off-by: Karol Szwaj <[email protected]> Signed-off-by: zirain <[email protected]>
…oxy#8962) * fix: restore last transition time in merge status conditions Signed-off-by: Rudrakh Panigrahi <[email protected]> * add release note Signed-off-by: Rudrakh Panigrahi <[email protected]> --------- Signed-off-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: zirain <[email protected]>
…oxy#8959) * fix(xds): hot-reload xDS server cert in GatewayNamespaceMode Signed-off-by: nguyenptk <[email protected]> * extract loadServerTLSConfig helper and add tests Signed-off-by: nguyenptk <[email protected]> --------- Signed-off-by: nguyenptk <[email protected]> Signed-off-by: Nguyên (Harry) <[email protected]> Signed-off-by: zirain <[email protected]>
…xy#9032) Signed-off-by: benjaminch <[email protected]> Signed-off-by: zirain <[email protected]>
…same target (envoyproxy#9068) * add passing testcase showing wildcard overriding sectioned backendTLSPolicy Signed-off-by: AlecDiraimondo <[email protected]> * fix(gatewayapi): prefer sectioned BackendTLSPolicy over wildcard for same target When two BackendTLSPolicies target the same backend — one with sectionName set, one without — the wildcard wins whenever it sorts earlier, since policies are iterated in creationTimestamp order with no specificity preference. The sectioned policy is silently dropped: never selected by the translator, no status written. Make getBackendTLSPolicy prefer policies with an explicit sectionName match before falling back to wildcard matches. Matches the specificity ordering SecurityPolicy already implements. Refs envoyproxy#9035 Signed-off-by: AlecDiraimondo <[email protected]> * update release notes Signed-off-by: AlecDiraimondo <[email protected]> * fixes from review: dedup helper, return early if backendTarget has no section specified Signed-off-by: AlecDiraimondo <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]> --------- Signed-off-by: AlecDiraimondo <[email protected]> Signed-off-by: Alec Diraimondo <[email protected]> Co-authored-by: Rudrakh Panigrahi <[email protected]> Signed-off-by: zirain <[email protected]>
`egctl x status all` (and `xroute`/`xpolicy`) aborted with an error when a Gateway API CRD was not installed in the cluster (e.g. TCPRoute). Missing CRDs are now skipped, and reported on stderr when `-v` is set. Explicit single-resource invocations still error loudly so users get a clear signal when a kind they asked for is unavailable. Signed-off-by: Jeremiah Snapp <[email protected]> Signed-off-by: zirain <[email protected]>
…es (envoyproxy#9131) gatewayapi: reject BackendRef URLRewrite path modifiers Signed-off-by: Aditya7880900936 <[email protected]> Signed-off-by: zirain <[email protected]>
…envoyproxy#9138) force HTTP1 for Service/ServiceImport with websocket appProtocol Signed-off-by: Huabing Zhao <[email protected]> Signed-off-by: zirain <[email protected]>
Signed-off-by: zirain <[email protected]>
f95140f to
8428d57
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f95140f764
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| case ap == "kubernetes.io/ws" || ap == "kubernetes.io/wss": | ||
| return ir.HTTP |
There was a problem hiding this comment.
Preserve HTTPS for WSS service ports on TLSRoutes
When a Service or ServiceImport port is marked appProtocol: kubernetes.io/wss and is used by a TLSRoute, processDestination starts with inspectAppProtocolByRouteKind returning ir.HTTPS, but this new mapping unconditionally downgrades it to ir.HTTP. That makes WSS backends behind TLSRoutes get a cleartext HTTP/1.1 upstream cluster instead of the HTTPS protocol they had before, so those backends will fail the TLS handshake; the WebSocket override needs to avoid changing an HTTPS default for WSS.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
ds.Protocol only influences HTTP protocol options, like HTTP/2 enablement and the explicit HTTP/1 upstream setting path. For TLSRout, the route is translated as an ir.TCPRoute, and upstream TLS is governed by ds.TLS, not by Protocol: HTTPS.
So this is not a data-plane bug, but we could improve it to remain semantically accurate in a follow-up PR.
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## release/v1.7 #9152 +/- ##
================================================
+ Coverage 73.95% 73.98% +0.03%
================================================
Files 241 241
Lines 36959 37026 +67
================================================
+ Hits 27334 27395 +61
- Misses 7717 7723 +6
Partials 1908 1908 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
/retest |