Skip to content

Issue 3940: Move BackendTLSPolicy to standard #4074

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
k8s-ci-robot merged 1 commit into from
Sep 15, 2025
Merged

Issue 3940: Move BackendTLSPolicy to standard #4074

k8s-ci-robot merged 1 commit into from
Sep 15, 2025

Conversation

@candita
Copy link
Contributor

@candita candita commented Sep 8, 2025
edited
Loading

Copy:
apis/v1alpha2/policy_types.go -> apis/v1/policy_types.go
apis/v1alpha3/backendtlspolicy_types.go -> apis/v1/backendtlspolicy_types.go

Update:
apis/v1alpha2/policy_types.go
apis/v1alpha3/backendtlspolicy_types.go
config/crd/kustomization.yaml
conformance/tests/backendtlspolicy-conflict-resolution.go
conformance/tests/backendtlspolicy-invalid-ca-certificate-ref.go
conformance/tests/backendtlspolicy-invalid-kind.go
conformance/tests/backendtlspolicy-observed-generation-bump.go
conformance/tests/backendtlspolicy-san.go
conformance/tests/backendtlspolicy.go
conformance/tests/backendtlspolicy.yaml
conformance/utils/kubernetes/helpers.go
examples/standard/backendtlspolicy/backendtlspolicy-ca-certs.yaml
examples/standard/backendtlspolicy/backendtlspolicy-system-certs.yaml
pkg/features/backendtlspolicy.go
pkg/generator/main.go
pkg/test/cel/backendtlspolicy_test.go
site-src/guides/tls.md

Delete:
examples/experimental/v1alpha3/backendtlspolicy-ca-certs.yaml
examples/experimental/v1alpha3/backendtlspolicy-system-certs.yaml

Regenerate the remaining files:
rm -rf pkg/client
make generate
hack/../hack/verify-golint.sh (if needed)

What type of PR is this?
/kind feature

What this PR does / why we need it:
Move BackendTLSPolicy from v1alpha3 to v1, along with a required move of Policy types from v1alpha2 to v1.

Which issue(s) this PR fixes:

Fixes part of issue 3940

Does this PR introduce a user-facing change?:

BackendTLSPolicy moves from experimental to standard.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Sep 8, 2025
@candita candita force-pushed the issue3940-BackendTLSPolicy-to-standard branch from 85ac3a5 to 3a6af30 Compare September 8, 2025 23:40
snorwin
snorwin reviewed Sep 9, 2025
View reviewed changes
Copy link
Member

@snorwin snorwin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to include both v1alpha3 and v1 APIs, at least on the experimental channel, or was it always intended as a hard cut when graduating a new resource? Otherwise, the upgrade process might become quite challenging.

@snorwin
Copy link
Member

snorwin commented Sep 9, 2025

Is the documentation, e.g., https://github.com/candita/gateway-api/blob/3a6af30be82124d1506eaa415a80354044ce1510/site-src/api-types/backendtlspolicy.md, updated after the release is published?

@shaneutt shaneutt moved this to Review in Release v1.4.0 Sep 9, 2025
@shaneutt shaneutt added this to the v1.4.0 milestone Sep 9, 2025
@shaneutt shaneutt self-assigned this Sep 9, 2025
shaneutt
shaneutt reviewed Sep 9, 2025
View reviewed changes
Copy link
Member

@shaneutt shaneutt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We talked about this on the community call today, and there was agreement that we would like to leave the v1alpha3 version of the API in place for now since we've historically tried to do that.

So basically the ask from the group is: could we please copy the types back to v1alpha3 so we have both? Note that other APIs that exist in both versions often use the Go types from v1, so we should do that here, and there's some prior art for that sprinkled throughout.

@rikatz
Copy link
Member

rikatz commented Sep 9, 2025

This is also probably missing to be moved/fixed: https://github.com/kubernetes-sigs/gateway-api/tree/main/examples/experimental/v1alpha3

I think all of our tests should be pointing to v1, even we keeping the old v1alpha3

@rikatz
Copy link
Member

rikatz commented Sep 9, 2025
edited
Loading

Some more other places missing an update:

  • pkg/test/cel/backendtlspolicy_test.go - you can probably remove all of the v1alpha2 references and use v1 directly (eg gatewayv1a2.Group
  • Still on backendtlspolicy_test.go - Probably the tags that run this test just on the experimental CRDs can be removed:
//go:build experimental
// +build experimental
  • config/crd/kustomization.yaml - Not mandatory, but maybe to keep the consistency should also add a line of - standard/gateway.networking.k8s.io_backendtlspolicies.yaml

@candita candita force-pushed the issue3940-BackendTLSPolicy-to-standard branch 2 times, most recently from 9a27ccc to d486f87 Compare September 9, 2025 23:40
@candita
Copy link
Contributor Author

candita commented Sep 9, 2025

@snorwin In response to #4074 (comment), I will work next on updating the docs.

@candita candita force-pushed the issue3940-BackendTLSPolicy-to-standard branch from d486f87 to 1e1c666 Compare September 9, 2025 23:58
@candita
Copy link
Contributor Author

candita commented Sep 10, 2025

@shaneutt @rikatz @snorwin -- I've made the requested changes. Please take a look and lgtm/approve or let me know if you need anything else.

shaneutt
shaneutt approved these changes Sep 10, 2025
View reviewed changes
Copy link
Member

@shaneutt shaneutt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

/cc @robscott @youngnick

for additional review and lgtm

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 10, 2025
rikatz
rikatz approved these changes Sep 10, 2025
View reviewed changes
Copy link
Member

@rikatz rikatz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/hold
Hold for Rob or Nick final review

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 10, 2025
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 10, 2025
robscott
robscott reviewed Sep 15, 2025
View reviewed changes
Copy link
Member

@robscott robscott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @candita!

@rikatz rikatz mentioned this pull request Sep 15, 2025
Closed
@shaneutt shaneutt linked an issue Sep 15, 2025 that may be closed by this pull request
Create the v1 API for BackendTLSPolicy #4063
Closed
@robscott
Copy link
Member

robscott commented Sep 15, 2025

@candita We need one more thing in this PR - all BackendTLSPolicy conformance tests should be bumped to use the v1 API.

@candita
Issue 3940: Move BackendTLSPolicy to standard
4566f54 
Copy:
 apis/v1alpha3/backendtlspolicy_types.go -> apis/v1/backendtlspolicy_types.go
 apis/v1alpha2/policy_types.go -> apis/v1/policy_types.go

Update:
 apis/v1alpha2/policy_types.go
 apis/v1alpha3/backendtlspolicy_types.go
 config/crd/kustomization.yaml
 conformance/tests/backendtlspolicy-conflict-resolution.go
 conformance/tests/backendtlspolicy-conflict-resolution.yaml
 conformance/tests/backendtlspolicy-invalid-ca-certificate-ref.go
 conformance/tests/backendtlspolicy-invalid-ca-certificate-ref.yaml
 conformance/tests/backendtlspolicy-invalid-kind.go
 conformance/tests/backendtlspolicy-invalid-kind.yaml
 conformance/tests/backendtlspolicy-observed-generation-bump.go
 conformance/tests/backendtlspolicy-observed-generation-bump.yaml
 conformance/tests/backendtlspolicy-san.go
 conformance/tests/backendtlspolicy-san.yaml
 conformance/tests/backendtlspolicy.go
 conformance/tests/backendtlspolicy.yaml
 conformance/utils/kubernetes/helpers.go
 examples/standard/backendtlspolicy/backendtlspolicy-ca-certs.yaml
 examples/standard/backendtlspolicy/backendtlspolicy-system-certs.yaml
 pkg/features/backendtlspolicy.go
 pkg/generator/main.go
 pkg/test/cel/backendtlspolicy_test.go
 site-src/guides/tls.md

Delete:
 examples/experimental/v1alpha3/backendtlspolicy-ca-certs.yaml
 examples/experimental/v1alpha3/backendtlspolicy-system-certs.yaml

Regenerate the remaining files:
 rm -rf pkg/client
 make generate
 hack/../hack/verify-golint.sh (if needed)
@candita candita force-pushed the issue3940-BackendTLSPolicy-to-standard branch from 1e1c666 to 4566f54 Compare September 15, 2025 23:15
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 15, 2025
robscott
robscott approved these changes Sep 15, 2025
View reviewed changes
Copy link
Member

@robscott robscott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @candita!

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 15, 2025
robscott
robscott approved these changes Sep 15, 2025
View reviewed changes
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Sep 15, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: candita, rikatz, robscott, shaneutt, snorwin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@robscott
Copy link
Member

robscott commented Sep 15, 2025

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 15, 2025
@k8s-ci-robot k8s-ci-robot merged commit 5cad7cc into kubernetes-sigs:main Sep 15, 2025
19 checks passed
@github-project-automation github-project-automation bot moved this from Review to Done in Release v1.4.0 Sep 15, 2025
@4n86rakam1 4n86rakam1 mentioned this pull request Sep 16, 2025
Closed
shaneutt pushed a commit that referenced this pull request Sep 17, 2025
@candita @shaneutt
Issue 3940: Move BackendTLSPolicy to standard (#4074)
f98df98 
Copy:
 apis/v1alpha3/backendtlspolicy_types.go -> apis/v1/backendtlspolicy_types.go
 apis/v1alpha2/policy_types.go -> apis/v1/policy_types.go

Update:
 apis/v1alpha2/policy_types.go
 apis/v1alpha3/backendtlspolicy_types.go
 config/crd/kustomization.yaml
 conformance/tests/backendtlspolicy-conflict-resolution.go
 conformance/tests/backendtlspolicy-conflict-resolution.yaml
 conformance/tests/backendtlspolicy-invalid-ca-certificate-ref.go
 conformance/tests/backendtlspolicy-invalid-ca-certificate-ref.yaml
 conformance/tests/backendtlspolicy-invalid-kind.go
 conformance/tests/backendtlspolicy-invalid-kind.yaml
 conformance/tests/backendtlspolicy-observed-generation-bump.go
 conformance/tests/backendtlspolicy-observed-generation-bump.yaml
 conformance/tests/backendtlspolicy-san.go
 conformance/tests/backendtlspolicy-san.yaml
 conformance/tests/backendtlspolicy.go
 conformance/tests/backendtlspolicy.yaml
 conformance/utils/kubernetes/helpers.go
 examples/standard/backendtlspolicy/backendtlspolicy-ca-certs.yaml
 examples/standard/backendtlspolicy/backendtlspolicy-system-certs.yaml
 pkg/features/backendtlspolicy.go
 pkg/generator/main.go
 pkg/test/cel/backendtlspolicy_test.go
 site-src/guides/tls.md

Delete:
 examples/experimental/v1alpha3/backendtlspolicy-ca-certs.yaml
 examples/experimental/v1alpha3/backendtlspolicy-system-certs.yaml

Regenerate the remaining files:
 rm -rf pkg/client
 make generate
 hack/../hack/verify-golint.sh (if needed)
@candita candita mentioned this pull request Sep 17, 2025
Closed
@robscott
Copy link
Member

robscott commented Sep 25, 2025

/cherry-pick release-1.4

@k8s-infra-cherrypick-robot
Copy link
Contributor

k8s-infra-cherrypick-robot commented Sep 25, 2025

@robscott: #4074 failed to apply on top of branch "release-1.4":

Applying: Issue 3940: Move BackendTLSPolicy to standard
Using index info to reconstruct a base tree...
M	apis/v1/zz_generated.deepcopy.go
M	apis/v1/zz_generated.register.go
M	apis/v1alpha2/policy_types.go
M	apis/v1alpha2/zz_generated.deepcopy.go
M	apis/v1alpha3/backendtlspolicy_types.go
M	apis/v1alpha3/zz_generated.deepcopy.go
M	apisx/v1alpha1/shared_types.go
M	apisx/v1alpha1/zz_generated.deepcopy.go
M	applyconfiguration/apis/v1alpha2/policystatus.go
M	applyconfiguration/apis/v1alpha3/backendtlspolicy.go
M	applyconfiguration/apis/v1alpha3/backendtlspolicyvalidation.go
M	applyconfiguration/apis/v1alpha3/subjectaltname.go
M	applyconfiguration/apisx/v1alpha1/backendtrafficpolicyspec.go
M	applyconfiguration/apisx/v1alpha1/xbackendtrafficpolicy.go
M	applyconfiguration/internal/internal.go
M	applyconfiguration/utils.go
M	config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml
M	config/crd/kustomization.yaml
M	conformance/tests/backendtlspolicy-conflict-resolution.go
M	conformance/tests/backendtlspolicy-conflict-resolution.yaml
M	conformance/tests/backendtlspolicy-invalid-ca-certificate-ref.go
M	conformance/tests/backendtlspolicy-invalid-ca-certificate-ref.yaml
M	conformance/tests/backendtlspolicy-invalid-kind.go
M	conformance/tests/backendtlspolicy-invalid-kind.yaml
M	conformance/tests/backendtlspolicy-observed-generation-bump.go
M	conformance/tests/backendtlspolicy-observed-generation-bump.yaml
M	conformance/tests/backendtlspolicy-san.go
M	conformance/tests/backendtlspolicy-san.yaml
M	conformance/tests/backendtlspolicy.go
M	conformance/tests/backendtlspolicy.yaml
M	conformance/utils/kubernetes/helpers.go
A	examples/experimental/v1alpha3/backendtlspolicy-ca-certs.yaml
A	examples/experimental/v1alpha3/backendtlspolicy-system-certs.yaml
M	pkg/client/clientset/versioned/typed/apis/v1/apis_client.go
M	pkg/client/clientset/versioned/typed/apis/v1/fake/fake_apis_client.go
M	pkg/client/clientset/versioned/typed/apis/v1/generated_expansion.go
M	pkg/client/informers/externalversions/apis/v1/interface.go
M	pkg/client/informers/externalversions/generic.go
M	pkg/client/listers/apis/v1/expansion_generated.go
M	pkg/features/backendtlspolicy.go
M	pkg/generated/openapi/zz_generated.openapi.go
M	pkg/generator/main.go
M	pkg/test/cel/backendtlspolicy_test.go
M	site-src/guides/tls.md
Falling back to patching base and 3-way merge...
Auto-merging site-src/guides/tls.md
CONFLICT (content): Merge conflict in site-src/guides/tls.md
Auto-merging pkg/generated/openapi/zz_generated.openapi.go
Auto-merging examples/standard/backendtlspolicy/backendtlspolicy-system-certs.yaml
Auto-merging examples/standard/backendtlspolicy/backendtlspolicy-ca-certs.yaml
Auto-merging conformance/tests/backendtlspolicy-observed-generation-bump.yaml
CONFLICT (add/add): Merge conflict in config/crd/standard/gateway.networking.k8s.io_backendtlspolicies.yaml
Auto-merging config/crd/standard/gateway.networking.k8s.io_backendtlspolicies.yaml
Auto-merging config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0001 Issue 3940: Move BackendTLSPolicy to standard

In response to this:

/cherry-pick release-1.4

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

shaneutt pushed a commit that referenced this pull request Sep 26, 2025
@candita @shaneutt
Issue 3940: Move BackendTLSPolicy to standard (#4074)
c66a7fb 
Copy:
 apis/v1alpha3/backendtlspolicy_types.go -> apis/v1/backendtlspolicy_types.go
 apis/v1alpha2/policy_types.go -> apis/v1/policy_types.go

Update:
 apis/v1alpha2/policy_types.go
 apis/v1alpha3/backendtlspolicy_types.go
 config/crd/kustomization.yaml
 conformance/tests/backendtlspolicy-conflict-resolution.go
 conformance/tests/backendtlspolicy-conflict-resolution.yaml
 conformance/tests/backendtlspolicy-invalid-ca-certificate-ref.go
 conformance/tests/backendtlspolicy-invalid-ca-certificate-ref.yaml
 conformance/tests/backendtlspolicy-invalid-kind.go
 conformance/tests/backendtlspolicy-invalid-kind.yaml
 conformance/tests/backendtlspolicy-observed-generation-bump.go
 conformance/tests/backendtlspolicy-observed-generation-bump.yaml
 conformance/tests/backendtlspolicy-san.go
 conformance/tests/backendtlspolicy-san.yaml
 conformance/tests/backendtlspolicy.go
 conformance/tests/backendtlspolicy.yaml
 conformance/utils/kubernetes/helpers.go
 examples/standard/backendtlspolicy/backendtlspolicy-ca-certs.yaml
 examples/standard/backendtlspolicy/backendtlspolicy-system-certs.yaml
 pkg/features/backendtlspolicy.go
 pkg/generator/main.go
 pkg/test/cel/backendtlspolicy_test.go
 site-src/guides/tls.md

Delete:
 examples/experimental/v1alpha3/backendtlspolicy-ca-certs.yaml
 examples/experimental/v1alpha3/backendtlspolicy-system-certs.yaml

Regenerate the remaining files:
 rm -rf pkg/client
 make generate
 hack/../hack/verify-golint.sh (if needed)
@shaneutt
Copy link
Member

shaneutt commented Sep 26, 2025

manually cherry-picked to deal with conflict.

@RainbowMango RainbowMango mentioned this pull request Nov 17, 2025
Merged
tylerauerbeck pushed a commit to tylerauerbeck/gateway-api that referenced this pull request Nov 27, 2025
@candita @tylerauerbeck
Issue 3940: Move BackendTLSPolicy to standard (kubernetes-sigs#4074)
124488b 
Copy:
 apis/v1alpha3/backendtlspolicy_types.go -> apis/v1/backendtlspolicy_types.go
 apis/v1alpha2/policy_types.go -> apis/v1/policy_types.go

Update:
 apis/v1alpha2/policy_types.go
 apis/v1alpha3/backendtlspolicy_types.go
 config/crd/kustomization.yaml
 conformance/tests/backendtlspolicy-conflict-resolution.go
 conformance/tests/backendtlspolicy-conflict-resolution.yaml
 conformance/tests/backendtlspolicy-invalid-ca-certificate-ref.go
 conformance/tests/backendtlspolicy-invalid-ca-certificate-ref.yaml
 conformance/tests/backendtlspolicy-invalid-kind.go
 conformance/tests/backendtlspolicy-invalid-kind.yaml
 conformance/tests/backendtlspolicy-observed-generation-bump.go
 conformance/tests/backendtlspolicy-observed-generation-bump.yaml
 conformance/tests/backendtlspolicy-san.go
 conformance/tests/backendtlspolicy-san.yaml
 conformance/tests/backendtlspolicy.go
 conformance/tests/backendtlspolicy.yaml
 conformance/utils/kubernetes/helpers.go
 examples/standard/backendtlspolicy/backendtlspolicy-ca-certs.yaml
 examples/standard/backendtlspolicy/backendtlspolicy-system-certs.yaml
 pkg/features/backendtlspolicy.go
 pkg/generator/main.go
 pkg/test/cel/backendtlspolicy_test.go
 site-src/guides/tls.md

Delete:
 examples/experimental/v1alpha3/backendtlspolicy-ca-certs.yaml
 examples/experimental/v1alpha3/backendtlspolicy-system-certs.yaml

Regenerate the remaining files:
 rm -rf pkg/client
 make generate
 hack/../hack/verify-golint.sh (if needed)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@robscott robscott robscott approved these changes

@shaneutt shaneutt shaneutt approved these changes

@LiorLieberman LiorLieberman Awaiting requested review from LiorLieberman

@mlavacca mlavacca Awaiting requested review from mlavacca

@youngnick youngnick Awaiting requested review from youngnick

+2 more reviewers

@snorwin snorwin snorwin approved these changes

@rikatz rikatz rikatz approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@robscott robscott

@shaneutt shaneutt

@rikatz rikatz

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

Release v1.4.0
Status: Done

Milestone

v1.4.0

Development

Successfully merging this pull request may close these issues.

Create the v1 API for BackendTLSPolicy

7 participants

@candita @snorwin @rikatz @robscott @k8s-ci-robot @k8s-infra-cherrypick-robot @shaneutt