Skip to content

gateway-api: Fixes for TLSRoute conformance#44397

Merged
julianwiedmann merged 2 commits intocilium:mainfrom
youngnick:tlsroute-conformance-fixes
Feb 20, 2026
Merged

gateway-api: Fixes for TLSRoute conformance#44397
julianwiedmann merged 2 commits intocilium:mainfrom
youngnick:tlsroute-conformance-fixes

Conversation

@youngnick
Copy link
Copy Markdown
Contributor

@youngnick youngnick commented Feb 17, 2026
edited
Loading

This PR fixes some issues that will be a problem when we perform the upgrade to Gateway API v1.5, which includes new conformance tests for TLSRoute behavior.

The new conformance tests are testing behavior that we should always have been doing, so this should be backportable back to v1.18, where we upgraded to Gateway API v1.4.0.

There are two separate changes, each in their own commit. Please review by commits.

gateway-api: Fixed some issues with TLSRoute attachment that will be covered by new conformance tests soon.

@youngnick youngnick requested a review from a team as a code owner February 17, 2026 07:32
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 17, 2026
@youngnick youngnick force-pushed the tlsroute-conformance-fixes branch from 19d75b5 to 673a6be Compare February 17, 2026 07:42
@youngnick
Copy link
Copy Markdown
Contributor Author

youngnick commented Feb 17, 2026

/test

mhofstetter
mhofstetter approved these changes Feb 17, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@mhofstetter mhofstetter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, only commented on some nits. I expect the conformance tests catch potential issues 😇

also adding @xtineskim - maybe she wants to take a second look too.

@mhofstetter mhofstetter added kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. area/servicemesh GH issues or PRs regarding servicemesh feature/k8s-gateway-api labels Feb 17, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Feb 17, 2026
@youngnick
gateway-api: Add TLSRoute hostname intersection test
1a7f0a5 
This commit adds the new TLSRoute hostname intersection test
added to Gateway API in v1.5, which tests behavior that Cilium
has had subtly incorrect for some time.

This adds a custom sorter for hostnames, which enables the
hostname intersection calculation to be correct.

This also required changing some details in how the model
lists backends, in `model.TLSBackends()`.

Signed-off-by: Nick Young <nick@isovalent.com>
@youngnick youngnick force-pushed the tlsroute-conformance-fixes branch from 673a6be to 8d5b244 Compare February 18, 2026 03:41
@youngnick
Copy link
Copy Markdown
Contributor Author

youngnick commented Feb 18, 2026

/test

xtineskim
xtineskim approved these changes Feb 18, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@xtineskim xtineskim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔥 lgtm

@youngnick youngnick force-pushed the tlsroute-conformance-fixes branch from 8d5b244 to 6cffa2f Compare February 20, 2026 02:14
@youngnick
Copy link
Copy Markdown
Contributor Author

youngnick commented Feb 20, 2026

/test

@youngnick
gateway-api: Fix incorrect protocol mismatch handling
577d2af 
This commit fixes a bug with Gateway API reconciliation, where
TLSRoutes were allowed to attach to HTTPS listeners. By the
Gateway API spec, they are only allowed to attach to TLS listeners.

Similarly, this updates HTTPRoute and GRPCRoute processing to not
be able to attach to TLS listeners - also not allowed by the spec.

Signed-off-by: Nick Young <nick@isovalent.com>
@youngnick youngnick force-pushed the tlsroute-conformance-fixes branch from 6cffa2f to 577d2af Compare February 20, 2026 03:24
@youngnick
Copy link
Copy Markdown
Contributor Author

youngnick commented Feb 20, 2026

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 20, 2026
@julianwiedmann
Copy link
Copy Markdown
Member

julianwiedmann commented Feb 20, 2026

The new conformance tests are testing behavior that we should always have been doing, so this should be backportable back to v1.18, where we upgraded to Gateway API v1.4.0.

I'll go ahead and set the matching labels then, please double-check if that was the intention.

@julianwiedmann julianwiedmann added this pull request to the merge queue Feb 20, 2026
@julianwiedmann julianwiedmann added affects/v1.18 This issue affects v1.18 branch needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch labels Feb 20, 2026
Merged via the queue into cilium:main with commit 4aed766 Feb 20, 2026
77 checks passed
@youngnick youngnick added the needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch label Feb 22, 2026
@youngnick youngnick mentioned this pull request Feb 23, 2026
Open
3 tasks
@YutaroHayakawa YutaroHayakawa mentioned this pull request Feb 24, 2026
Merged
21 tasks
@YutaroHayakawa YutaroHayakawa added backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. backport/author The backport will be carried out by the author of the PR. and removed needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch labels Feb 24, 2026
@YutaroHayakawa
Copy link
Copy Markdown
Member

YutaroHayakawa commented Feb 25, 2026

@youngnick I marked this as backport/author because it introduced too many conflicts during the backport. I don't have much context around this big PR, so I'm not certain that I could resolve the conflict correctly.

@youngnick
Copy link
Copy Markdown
Contributor Author

youngnick commented Feb 25, 2026

I'm not surprised, so I'll do it manually. Thanks!

@github-actions github-actions bot added backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. and removed backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. labels Mar 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mhofstetter mhofstetter mhofstetter approved these changes

+1 more reviewer

@xtineskim xtineskim xtineskim approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

affects/v1.18 This issue affects v1.18 branch area/servicemesh GH issues or PRs regarding servicemesh backport/author The backport will be carried out by the author of the PR. backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. feature/k8s-gateway-api kind/bug This is a bug in the Cilium logic. needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@youngnick @julianwiedmann @YutaroHayakawa @mhofstetter @xtineskim @msune