Add BackendTLSPolicy support to Gateway API#43045
Merged
Force-pushed from 30d6de2 to 6fb1b22
Contributor: xref #20960 (should it be fixed by this PR?)
Contributor (Author): Part of it will be fixed, yes. But this one has proven way more difficult than I thought, still working on it.
Force-pushed from 3a65e83 to dde950e
Force-pushed from 8f75822 to 1be6c8c
Force-pushed from ca17f44 to 99247bb
Force-pushed from e9880d9 to 64f1ee2
Force-pushed from f0c9b1e to 6d0005a
Contributor (Author): /test
mhofstetter requested changes (Jan 21, 2026)
Force-pushed from 0e40786 to f905e25
Contributor (Author): /test
This commit adds BackendTLSPolicy reconciliation (only) to the Gateway API reconciler.

This commit adds:
* watch BackendTLSPolicy objects
* watch ConfigMap objects used in BackendTLSPolicy objects
* Calculate their correct status and update it.

In order to get the BackendTLSPolicy status calculations correct, it turns out we need to pre-process all the BackendTLSPolicy objects, and build maps keyed via their targetRefs (the Services that they target). This is because of the upstream conflict resolution requirements for Policy objects, where conflicts need to be _resolved_ based on what Service (and port name) the Policy targets, and _reported_ based on the Gateway that they are used in.

The calculation for this is added in `operator/pkg/gateway-api/helpers/backendtlspolicies.go`, and has both tests and documentation. The actual status updating is performed in `operator/pkg/gateway-api/gateway_reconcile.go`, in the `setBackendTLSPolicyStatuses` method.

This commit also changes the Gateway reconciliation test framework slightly so that all Gateways are reconciled for each test before Routes and other objects are checked. This allows multiparent status checks to work.

This also removes the filtering of Routes, so all Routes in the input for the reconciler test must be present in the output to be checked. This change forces us to ensure that things that should have _no_ status updates don't get changed.

As part of making this change, I also found some tests (httproute-hostname-intersection, httproute-listener-hostname-matching, and httproute-listener-port-matching) that were not checking the correct Gateway status, that we all missed. I fixed those as well.

Further commits will add support for the ingestion and translation steps.

Signed-off-by: Nick Young <nick@isovalent.com>
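The two-stage status calculation the commit message describes (pre-process every policy into a map keyed by its targetRef, resolve conflicts per Service and port name, then report per Gateway) as an added Go example. This is not code from the PR or from Cilium's `backendtlspolicies.go`: the `TargetKey`, `Policy` and `Status` types stand in for the Gateway API objects, the convention that an empty port name means the policy covers the whole Service is an assumption made here, and the sample policies and Gateways are constructed. The conflict rule applied is the upstream Gateway API policy-attachment rule: the policy with the earlier creationTimestamp wins, and ties are broken alphabetically by namespace, then name. The point for a reviewer is that a losing policy is reported as Conflicted rather than silently dropped, because it decides which CA and hostname the proxy will verify on the backend connection.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// TargetKey is what a BackendTLSPolicy targetRef resolves to: a Service plus,
// optionally, the port name given as sectionName. An empty Port is taken to
// mean the policy covers the whole Service (assumption for this example).
type TargetKey struct {
	Namespace, Service, Port string
}

// Policy is a constructed stand-in for a BackendTLSPolicy; only the fields the
// conflict rule and the TLS verification settings need are kept.
type Policy struct {
	Namespace string
	Name      string
	Created   time.Time // metadata.creationTimestamp
	Target    TargetKey
	Hostname  string // validation.hostname verified on the backend certificate
}

// Status is the outcome the reconciler writes back for one policy.
type Status struct {
	Accepted bool
	Reason   string // "Accepted" or "Conflicted"
}

func policyKey(p Policy) string { return p.Namespace + "/" + p.Name }

// winsOver applies the upstream policy-attachment conflict rule: earlier
// creationTimestamp wins; on a tie, the first by namespace, then by name.
func winsOver(a, b Policy) bool {
	if !a.Created.Equal(b.Created) {
		return a.Created.Before(b.Created)
	}
	if a.Namespace != b.Namespace {
		return a.Namespace < b.Namespace
	}
	return a.Name < b.Name
}

// ResolveConflicts builds the map keyed by targetRef and keeps one winner per
// target, so TLS settings never come from a policy that lost. Every losing
// policy gets an explicit Conflicted status instead of disappearing.
func ResolveConflicts(policies []Policy) (map[TargetKey]Policy, map[string]Status) {
	winners := make(map[TargetKey]Policy)
	for _, p := range policies {
		if cur, ok := winners[p.Target]; !ok || winsOver(p, cur) {
			winners[p.Target] = p
		}
	}
	statuses := make(map[string]Status, len(policies))
	for _, p := range policies {
		if policyKey(winners[p.Target]) == policyKey(p) {
			statuses[policyKey(p)] = Status{Accepted: true, Reason: "Accepted"}
		} else {
			statuses[policyKey(p)] = Status{Accepted: false, Reason: "Conflicted"}
		}
	}
	return winners, statuses
}

// GatewaysUsing lists (sorted) the Gateways whose Routes reference the target.
// Conflicts are resolved per Service/port, but status is reported per Gateway
// ancestor, so a policy gets one status entry per Gateway returned here.
// backendRefsByGateway is keyed "namespace/gateway" (constructed input).
func GatewaysUsing(target TargetKey, backendRefsByGateway map[string][]TargetKey) []string {
	var gws []string
	for gw, refs := range backendRefsByGateway {
		for _, r := range refs {
			sameSvc := r.Namespace == target.Namespace && r.Service == target.Service
			if sameSvc && (target.Port == "" || r.Port == target.Port) {
				gws = append(gws, gw)
				break
			}
		}
	}
	sort.Strings(gws)
	return gws
}

func main() {
	base := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
	https := TargetKey{"default", "backend", "https"}
	policies := []Policy{ // constructed: two policies contend for the same Service port
		{Namespace: "default", Name: "newer", Created: base.Add(time.Hour), Target: https, Hostname: "other.example.internal"},
		{Namespace: "default", Name: "older", Created: base, Target: https, Hostname: "backend.example.internal"},
	}
	winners, statuses := ResolveConflicts(policies)
	refs := map[string][]TargetKey{"default/gw-public": {https}, "default/gw-internal": {{"default", "backend", "grpc"}}}
	for _, p := range policies {
		fmt.Printf("%s: %s, reported on %v\n", policyKey(p), statuses[policyKey(p)].Reason, GatewaysUsing(p.Target, refs))
	}
	fmt.Printf("effective hostname for %v: %s\n", https, winners[https].Hostname)
}
```

Keying the map by the full (namespace, service, port) triple is what makes the two stages separable: the winner for a backend is fixed before any Gateway is considered, and the same winner is then reported on every Gateway whose Routes reach that backend, which is the multiparent case the reworked test framework exercises.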
This commit adds ingestion support for BackendTLSPolicy objects. The Gateway API model now stores TLS config for relevant backends when there is a valid BackendTLSPolicy present. Signed-off-by: Nick Young <nick@isovalent.com>
This commit gives the secret-sync Cell the ability to synchronize ConfigMaps into Secrets in the configured secrets namespace. This is then used by the Gateway API reconciler to synchronize relevant ConfigMaps from BackendTLSPolicy objects into Secrets in the configured Secrets namespace. Includes a small refactor to move the names of indexes into the `indexers` module (they probably should always have been there anyway). Signed-off-by: Nick Young <nick@isovalent.com>
This commit completes the implementation of translation for BackendTLSPolicy support.

Cilium passes the conformance tests for BackendTLSPolicy support, although we do not currently implement the additional BackendTLSPolicySANValidation feature. That is left for future work, as it is a much smaller change.

It needed a few additional changes along the way:
* one of the conformance tests found a bug with the ingestion implementation to do with handling, so in fixing that I also wired logging down into the Gateway ingestion (GAMMA already had it).
* In order for our conformance report to reflect BackendTLSPolicy support correctly, I needed to update the Gateway API version to v1.4.1 (which was released to correct that specific error, along with some other minor fixes).

Signed-off-by: Nick Young <nick@isovalent.com>
Signed-off-by: Nick Young <nick@isovalent.com>
Force-pushed from f905e25 to e56810c
Contributor (Author): /test
sayboras added three commits to cilium/proxy that referenced this pull request (Feb 2, 2026), each with the message:
Relates: cilium/cilium#43045 Signed-off-by: Tam Mach <tam.mach@cilium.io>
Thanks for your work on this, @youngnick!