Skip to content

fix: backend tls default namespace#7987

Merged
zhaohuabing merged 1 commit intoenvoyproxy:mainfrom
zhaohuabing:fix-backend-tls-ns
Jan 20, 2026
Merged

fix: backend tls default namespace#7987
zhaohuabing merged 1 commit intoenvoyproxy:mainfrom
zhaohuabing:fix-backend-tls-ns

Conversation

@zhaohuabing
Copy link
Copy Markdown
Member

@zhaohuabing zhaohuabing commented Jan 19, 2026
edited
Loading

Fixes: the default namespace for SecretObjectReference should be the owner namespace, not default.

The condition The Backend was not accepted: clientCertificateRef Secret is not located in the same namespace as Backend. Secret namespace: default does not match Backend namespace: httpbin-tls is wrong in the following example.

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: Backend
metadata:
  name: httpbin-mtls-httpbin-tls-be
  namespace: httpbin-tls
  resourceVersion: "1768671158131743002"
  uid: 1cb357df-44b9-4204-87b0-dbeb4cf86b7d
spec:
  endpoints:
  - fqdn:
      hostname: httpbin-tls.httpbin-tls.svc.cluster.local
      port: 8443
  tls:
    caCertificateRefs:
    - group: ""
      kind: Secret
      name: httpbin-mtls-ssl
    clientCertificateRef:
      group: ""
      kind: Secret
      name: httpbin-mtls-ssl
      namespace: httpbin-tls
    insecureSkipVerify: false
  type: Endpoints
status:
  conditions:
  - lastTransitionTime: "2026-01-17T17:32:38Z"
    message: 'The Backend was not accepted: clientCertificateRef Secret is not located
      in the same namespace as Backend. Secret namespace: default does not match Backend
      namespace: httpbin-tls'
    observedGeneration: 2
    reason: Accepted
    status: "False"
    type: Invalid
  - lastTransitionTime: "2026-01-17T17:32:38Z"
    message: The Backend was accepted
    observedGeneration: 3
    reason: Accepted
    status: "True"
    type: Accepted

@zhaohuabing zhaohuabing requested a review from a team as a code owner January 19, 2026 08:47
@netlify
Copy link
Copy Markdown

netlify bot commented Jan 19, 2026
edited
Loading

Deploy Preview for cerulean-figolla-1f9435 canceled.

Name Link
🔨 Latest commit a6fe35d
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/696dfc4501039d0008a8ed48

@codecov
Copy link
Copy Markdown

codecov bot commented Jan 19, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.90%. Comparing base (844be64) to head (a6fe35d).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #7987      +/-   ##
==========================================
+ Coverage   72.86%   72.90%   +0.03%     
==========================================
  Files         237      237              
  Lines       35536    35536              
==========================================
+ Hits        25894    25907      +13     
+ Misses       7799     7791       -8     
+ Partials     1843     1838       -5

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@zhaohuabing
fix: backend tls default namespace
a6fe35d 
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
kkk777-7
kkk777-7 approved these changes Jan 19, 2026
View reviewed changes
@kkk777-7
Copy link
Copy Markdown
Member

kkk777-7 commented Jan 19, 2026

LGTM, thanks!

@kkk777-7
Copy link
Copy Markdown
Member

kkk777-7 commented Jan 19, 2026

/retest

@zhaohuabing zhaohuabing merged commit a8952d0 into envoyproxy:main Jan 20, 2026
76 of 82 checks passed
@zhaohuabing zhaohuabing deleted the fix-backend-tls-ns branch January 20, 2026 00:23
rudrakhp pushed a commit to rudrakhp/gateway that referenced this pull request Jan 26, 2026
@zhaohuabing @rudrakhp
fix: backend tls default namespace (envoyproxy#7987)
f9a49ba 
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
rudrakhp added a commit that referenced this pull request Jan 26, 2026
@rudrakhp @zhaohuabing @zirain
[release/v1.6] cherry pick v1.6.3 (#8059)
b6033c2 
* fix: extproc is discarded with failOpen is enabled for wasm (#7956)

* fix: extproc is discarded with failOpen is enabled for wasm

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* add test

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

* polish code

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

* add test

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>

* fix: sanitize control plane config dump (#7901)

* mask secrets

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* address comments

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>

* fix: server run race (#7964)

* add test

Signed-off-by: zirain <zirain2009@gmail.com>

* fix race

Signed-off-by: zirain <zirain2009@gmail.com>

* fix lint

Signed-off-by: zirain <zirain2009@gmail.com>

* fix

Signed-off-by: zirain <zirain2009@gmail.com>

* fix

Signed-off-by: zirain <zirain2009@gmail.com>

* fix lint

Signed-off-by: zirain <zirain2009@gmail.com>

* use Semaphore instead of WaitGroup

Signed-off-by: zirain <zirain2009@gmail.com>

* comments

Signed-off-by: zirain <zirain2009@gmail.com>

* lint

Signed-off-by: zirain <zirain2009@gmail.com>

* fix

Signed-off-by: zirain <zirain2009@gmail.com>

* fix lint

Signed-off-by: zirain <zirain2009@gmail.com>

* callback

Signed-off-by: zirain <zirain2009@gmail.com>

* fix lint

Signed-off-by: zirain <zirain2009@gmail.com>

* run hook sequentially

Signed-off-by: zirain <zirain2009@gmail.com>

* fix lint

Signed-off-by: zirain <zirain2009@gmail.com>

* rename to cfgMux

Signed-off-by: zirain <zirain2009@gmail.com>

---------

Signed-off-by: zirain <zirain2009@gmail.com>
Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>

* fix: wrong cluster type with mixed FQDN backend and service backend refs (#7994)

* fix: wrong cluster type with mixed FQDN backend and service backend refs

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

* fix mirror cluster endpoint type

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

* simplify the test

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

* update comment

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>

* fix: fail fast when unrecoverable discovery errors happens on checking optional CRDs (#7872)

* fail fast when unrecoverable discovery errors happens

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* only retry transient errors

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* fix potenial dead lock

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* address comments

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* minor wording

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* create discovery client once

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* fix lint

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* address comments

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* remove redundant logging

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* add e2e test

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* fix test

Signed-off-by: Huabing(Robin) Zhao <zhaohuabing@gmail.com>

* fix test

Signed-off-by: Huabing(Robin) Zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>

* fix: merge route match rule with match all route (#8011)

Signed-off-by: zirain <zirain2009@gmail.com>
Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>

* fix: do not set autoHTTPConfig when used mixed(HTTP + HTTPS) backends (#7950)

* fix: do not set autoHTTPConfig when used mixed backend

Signed-off-by: zirain <zirain2009@gmail.com>

* release notes

Signed-off-by: zirain <zirain2009@gmail.com>

* fix

Signed-off-by: zirain <zirain2009@gmail.com>

* add e2e

Signed-off-by: zirain <zirain2009@gmail.com>

---------

Signed-off-by: zirain <zirain2009@gmail.com>
Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>

* fix: backend tls default namespace (#7987)

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>

* fix: race in gatewaapi runner (#8037)

* add testcase

Signed-off-by: zirain <zirain2009@gmail.com>

* fix

Signed-off-by: zirain <zirain2009@gmail.com>

* simply

Signed-off-by: zirain <zirain2009@gmail.com>

---------

Signed-off-by: zirain <zirain2009@gmail.com>
Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>

* [release/v1.6] v1.6.3 release notes (#8054)

Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>

* v1.6.3 version

Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>

* fix gen-check

Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>

* fix lint

Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>

---------

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
Signed-off-by: zirain <zirain2009@gmail.com>
Co-authored-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Co-authored-by: zirain <zirain2009@gmail.com>
SadmiB pushed a commit to SadmiB/gateway that referenced this pull request Jan 30, 2026
@zhaohuabing @SadmiB
fix: backend tls default namespace (envoyproxy#7987)
dcee8d0 
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Sadmi Bouhafs <sadmibouhafs@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kkk777-7 kkk777-7 kkk777-7 approved these changes

@arkodg arkodg arkodg approved these changes

@cnvergence cnvergence cnvergence approved these changes

Assignees

No one assigned

Labels

cherrypick/release-v1.6.3

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@zhaohuabing @kkk777-7 @arkodg @cnvergence @zirain