gateway-api: remove backends with missing or invalid TLS policies#44743
Merged
julianwiedmann merged 1 commit intocilium:mainfrom Mar 16, 2026
Merged
Conversation
827a96d to
8ea6cba
Compare
Contributor
|
/test |
|
Commit b93aa23 does not match "(?m)^Signed-off-by:". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
This change introduces a small change to how the Cilium Operator's Gateway API reconciler handles a BackendTLSPolicy that has a missing or invalid TLS certificate. In these cases, the backends are immediately removed from the Cilium Envoy Configuration. Previously, if a backend required HTTPS but the policy wasn't in the cache yet (due to a resource creation race condition), the reconciler would generate a plain-text cluster. Envoy would then hold live traffic in a "warming" state waiting for an SDS secret for 30 seconds (`initial_fetch_timeout`), routing plain-text to the secure backend and causing unexpected HTTP 400 errors. Signed-off-by: Liam Connery <lconnery@google.com>
b93aa23 to
36ebfd5
Compare
Contributor
|
/test |
Member
|
Thank you! Please consider whether this also needs backports. |
Contributor
Author
@youngnick it looked like some of the Gateway reconciler logic is new as of the last couple of months. Do you know if this needs to be back ported to v1.19? Thanks again for all the help! |
Contributor
|
BackendTLSPolicy support didn't make it to v1.19, so we're all good. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This change introduces a small change to how the Cilium Operator's Gateway API reconciler handles a BackendTLSPolicy that has a missing or invalid TLS certificate. In these cases, the backends are immediately removed from the Cilium Envoy Configuration.
Previously, if a backend required HTTPS but the policy wasn't in the cache yet (due to a resource creation race condition), the reconciler would generate a plain-text cluster. Envoy would then hold live traffic in a "warming" state waiting for an SDS secret for 30 seconds (
initial_fetch_timeout), routing plain-text to the secure backend and causing unexpected HTTP 400 errors.I have run
TestConformance/BackendTLSPolicyInvalidCACertificateRefseveral hundred times locally to confirm this does address the flakiness seen in that test.Fixes: #44043