fix(tranlator): SubjectAltNames were being dropped from BackendTLSPolicy.validation by ankushagarwal · Pull Request #6092 · envoyproxy/gateway

ankushagarwal · 2025-05-16T05:15:05Z

What this PR does / why we need it:

This PR adds support for configuring Subject Alternative Names (SANs) in the mTLS validation context for upstream connections, based on the BackendTLSPolicy.validation.subjectAltNames field as defined in the Gateway API (reference).

Previously, only the hostname field was used to populate the Envoy config for upstream TLS validation. This change ensures that entries from subjectAltNames are also translated and included in the generated Envoy configuration, allowing for more flexible and secure mTLS setups (e.g., with Istio-managed sidecars or other backends requiring SAN matching).

Release Notes: Yes

- Added support for configuring Subject Alternative Names (SANs) in upstream mTLS validation via `BackendTLSPolicy.validation.subjectAltNames`.

arkodg · 2025-05-16T16:54:56Z

internal/ir/xds.go

can we omit Type to save space, and convert Hostname and URI to pointers

the switch logic can be moved into the gateway api layer, so if we add any additional validation failure, it can be reported back in the status

codecov · 2025-05-16T16:55:10Z

Codecov Report

Attention: Patch coverage is 94.44444% with 2 lines in your changes missing coverage. Please review.

Project coverage is 70.49%. Comparing base (d776c6f) to head (0575f16).
Report is 5 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/gatewayapi/backendtlspolicy.go	84.61%	2 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #6092   +/-   ##
=======================================
  Coverage   70.49%   70.49%           
=======================================
  Files         217      217           
  Lines       36191    36226   +35     
=======================================
+ Hits        25512    25539   +27     
- Misses       9166     9172    +6     
- Partials     1513     1515    +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

arkodg · 2025-05-16T16:58:23Z

thanks @ankushagarwal ! the PR looks good, added a comment
can you also add a test case in

gateway-api layer https://github.com/envoyproxy/gateway/tree/main/internal/gatewayapi/testdata
xds-translator layer https://github.com/envoyproxy/gateway/tree/main/internal/xds/translator/testdata/in/xds-ir

make testdata is useful to generate testdata output

ankushagarwal · 2025-05-17T03:30:20Z

internal/gatewayapi/testdata/backendtlspolicy-subjectaltnames.in.yaml

test both types of subjectAltNames: URI and DNS

ankushagarwal · 2025-05-17T03:31:26Z

internal/xds/translator/testdata/in/xds-ir/http-route-with-tlsbundle.yaml

Extend the tldbundle test and add subjectAltNames with both uri and hostname types

ankushagarwal · 2025-05-17T03:32:19Z

Thank you for the feedback, @arkodg

Addressed your comment and added tests in both the places

arkodg

LGTM thanks !

Signed-off-by: Ankush Agarwal <ankushagarwal11@gmail.com>

ankushagarwal · 2025-05-19T17:16:57Z

(attempted to fix lint failure)

arkodg · 2025-05-19T17:45:00Z

still seeing them @ankushagarwal

./internal/xds/translator/testdata/in/xds-ir/http-route-with-tlsbundle.yaml
  Error: 30:17 [indentation] wrong indentation: expected 18 but found 16

./internal/gatewayapi/testdata/backendtlspolicy-subjectaltnames.in.yaml
  Error: 134:9 [indentation] wrong indentation: expected 10 but found 8

internal/gatewayapi/testdata/backendtlspolicy-subjectaltnames.in.yaml
  Error: 134:9 [indentation] wrong indentation: expected 10 but found 8

internal/xds/translator/testdata/in/xds-ir/http-route-with-tlsbundle.yaml
  Error: 30:17 [indentation] wrong indentation: expected 18 but found 16

arkodg · 2025-05-19T17:45:45Z

running make lint.fix-golint may fix it

arkodg · 2025-05-19T17:46:17Z

nvm it won't, because the error is from yamllint

Signed-off-by: Ankush Agarwal <ankushagarwal11@gmail.com>

ankushagarwal · 2025-05-19T17:59:20Z

Another attempt at fixing yamllint

ankushagarwal · 2025-05-20T18:27:39Z

@arkodg : Is the failing e2e-test a flake or a true test failure

arkodg · 2025-05-20T18:46:36Z

its a flake, just waiting on a 2nd approval to merge this one

guydc

LGTM, Thanks!

…icy.validation (envoyproxy#6092) * Add support for SubjectAltNames from BackendTLSPolicy.validation Signed-off-by: Ankush Agarwal <ankushagarwal11@gmail.com> (cherry picked from commit 35420d5) Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* feat: set OverlappingTLSConfig condition for merged Gateways (#5862) * set OverlappingTLSConfig condition for merged Gateways Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> * fix lint Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> * minor change Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> --------- Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> (cherry picked from commit be51e5b) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * e2e: fix backend tls test (#6029) * fix backend tls test Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> * enable backend tls test Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> * remove gateway TLS to simplify the test Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> * rename secret to avoid conflicts Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> --------- Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> (cherry picked from commit a685667) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * validate gateway namespace mode and merged gateways (#6041) * validate gateway namespace mode and merged gateways in translator Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix lint Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * skip merge gateways test Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * validate on gatewayclass and set the status Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * skip e2e test Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * add valid testcases Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * Update internal/provider/kubernetes/controller.go Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix lint Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * skip merge gateways test Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * rebase Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> --------- Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> Co-authored-by: zirain <zirain2009@gmail.com> Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> (cherry picked from commit c5f6831) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * Fix shared=true when no clientSelector, (#6072) * Fix shared=true when no clientSelector, cleanup filter logic, fix rl descriptor logic Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> * testdata update Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> * Linting, remove unused funcs Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> * fix e2e Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> (cherry picked from commit bb3c8da) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix(tranlator): SubjectAltNames were being dropped from BackendTLSPolicy.validation (#6092) * Add support for SubjectAltNames from BackendTLSPolicy.validation Signed-off-by: Ankush Agarwal <ankushagarwal11@gmail.com> (cherry picked from commit 35420d5) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * feat: add ownerreference to infra resources when gateway namespace mode (#6100) * feat: add ownerreference to infra resources when gateway namespace mode Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> (cherry picked from commit fc462a8) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix: add FullDuplexStreamed to enum (#6103) * fix: add FullDuplexStreamed to enum Signed-off-by: Guy Daich <guy.daich@sap.com> (cherry picked from commit 020d60a) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix: Use quoted values zone annotation in topology injector (#6133) * Quoted string for zone values Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> * release note Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> * regen Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> (cherry picked from commit ea9cb05) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix: return early from buildwasms (#6169) return early from buildwasms Signed-off-by: Guy Daich <guy.daich@sap.com> (cherry picked from commit 64624fe) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * chore: bump go and purego (#6174) * chore: bump go and purego Signed-off-by: zirain <zirain2009@gmail.com> * fix gen Signed-off-by: zirain <zirain2009@gmail.com> --------- Signed-off-by: zirain <zirain2009@gmail.com> (cherry picked from commit 40ae9e3) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix: translate xds udp listener (#6183) * fix: translate udp listener Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> * add: tcp/udp no routes testdata in xds translator Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> * add: release note Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> (cherry picked from commit 8f538e7) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * Change static uid to for global ratelimit dashboard (#6193) Signed-off-by: Emin Aktas <eminaktas34@gmail.com> (cherry picked from commit f721925) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * Fix broken btp ratelimit merge (#6214) * Fix broken btp ratelimit merge Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> * lint Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> --------- Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> (cherry picked from commit 0f6f363) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * Keep ALPN configuration for listeners with overlapping certificates when ALPN is explicitly set via ClientTrafficPolicy (#6217) Keep ALPN configuration for listeners with overlapping certificates when ALPN is explicitly set in ClientTrafficPolicy Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> (cherry picked from commit de816a6) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix testdata Signed-off-by: Arko Dasgupta <arko@tetrate.io> * Allow for headless envoy services (#6250) * Allow for headless envoy services Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> * Allow headless service, cleanup Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> * clean Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> * Add test and comment Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> * Fix tests Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> (cherry picked from commit 2e168a8) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * remove infra ENVOY_GATEWAY_NAMESPACE and introduce ENVOY_POD_NAMESPACE envVar for accesslog (#6221) * remove infra ENVOY_GATEWAY_NAMESPACE and introduce ENVOY_POD_NAMESPACE envVar for accesslog Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix e2e test Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> --------- Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> (cherry picked from commit b7ed197) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix lint Signed-off-by: Arko Dasgupta <arko@tetrate.io> --------- Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Signed-off-by: Arko Dasgupta <arko@tetrate.io> Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> Signed-off-by: Ankush Agarwal <ankushagarwal11@gmail.com> Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> Signed-off-by: Guy Daich <guy.daich@sap.com> Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> Signed-off-by: zirain <zirain2009@gmail.com> Signed-off-by: Emin Aktas <eminaktas34@gmail.com> Co-authored-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Co-authored-by: Karol Szwaj <karol.szwaj@gmail.com> Co-authored-by: zirain <zirain2009@gmail.com> Co-authored-by: Ryan Hristovski <61257223+ryanhristovski@users.noreply.github.com> Co-authored-by: Ankush Agarwal <ankushagarwal11@gmail.com> Co-authored-by: Kota Kimura <86363983+kkk777-7@users.noreply.github.com> Co-authored-by: Guy Daich <guy.daich@sap.com> Co-authored-by: Isaac <10012479+jukie@users.noreply.github.com> Co-authored-by: Emin AKTAS <eminaktas34@gmail.com>

* feat: set OverlappingTLSConfig condition for merged Gateways (envoyproxy#5862) * set OverlappingTLSConfig condition for merged Gateways Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> * fix lint Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> * minor change Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> --------- Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> (cherry picked from commit be51e5b) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * e2e: fix backend tls test (envoyproxy#6029) * fix backend tls test Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> * enable backend tls test Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> * remove gateway TLS to simplify the test Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> * rename secret to avoid conflicts Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> --------- Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> (cherry picked from commit a685667) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * validate gateway namespace mode and merged gateways (envoyproxy#6041) * validate gateway namespace mode and merged gateways in translator Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix lint Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * skip merge gateways test Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * validate on gatewayclass and set the status Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * skip e2e test Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * add valid testcases Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * Update internal/provider/kubernetes/controller.go Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix lint Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * skip merge gateways test Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * rebase Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> --------- Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> Co-authored-by: zirain <zirain2009@gmail.com> Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> (cherry picked from commit c5f6831) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * Fix shared=true when no clientSelector, (envoyproxy#6072) * Fix shared=true when no clientSelector, cleanup filter logic, fix rl descriptor logic Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> * testdata update Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> * Linting, remove unused funcs Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> * fix e2e Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> (cherry picked from commit bb3c8da) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix(tranlator): SubjectAltNames were being dropped from BackendTLSPolicy.validation (envoyproxy#6092) * Add support for SubjectAltNames from BackendTLSPolicy.validation Signed-off-by: Ankush Agarwal <ankushagarwal11@gmail.com> (cherry picked from commit 35420d5) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * feat: add ownerreference to infra resources when gateway namespace mode (envoyproxy#6100) * feat: add ownerreference to infra resources when gateway namespace mode Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> (cherry picked from commit fc462a8) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix: add FullDuplexStreamed to enum (envoyproxy#6103) * fix: add FullDuplexStreamed to enum Signed-off-by: Guy Daich <guy.daich@sap.com> (cherry picked from commit 020d60a) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix: Use quoted values zone annotation in topology injector (envoyproxy#6133) * Quoted string for zone values Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> * release note Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> * regen Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> (cherry picked from commit ea9cb05) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix: return early from buildwasms (envoyproxy#6169) return early from buildwasms Signed-off-by: Guy Daich <guy.daich@sap.com> (cherry picked from commit 64624fe) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * chore: bump go and purego (envoyproxy#6174) * chore: bump go and purego Signed-off-by: zirain <zirain2009@gmail.com> * fix gen Signed-off-by: zirain <zirain2009@gmail.com> --------- Signed-off-by: zirain <zirain2009@gmail.com> (cherry picked from commit 40ae9e3) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix: translate xds udp listener (envoyproxy#6183) * fix: translate udp listener Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> * add: tcp/udp no routes testdata in xds translator Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> * add: release note Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> (cherry picked from commit 8f538e7) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * Change static uid to for global ratelimit dashboard (envoyproxy#6193) Signed-off-by: Emin Aktas <eminaktas34@gmail.com> (cherry picked from commit f721925) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * Fix broken btp ratelimit merge (envoyproxy#6214) * Fix broken btp ratelimit merge Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> * lint Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> --------- Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> (cherry picked from commit 0f6f363) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * Keep ALPN configuration for listeners with overlapping certificates when ALPN is explicitly set via ClientTrafficPolicy (envoyproxy#6217) Keep ALPN configuration for listeners with overlapping certificates when ALPN is explicitly set in ClientTrafficPolicy Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> (cherry picked from commit de816a6) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix testdata Signed-off-by: Arko Dasgupta <arko@tetrate.io> * Allow for headless envoy services (envoyproxy#6250) * Allow for headless envoy services Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> * Allow headless service, cleanup Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> * clean Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> * Add test and comment Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> * Fix tests Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> (cherry picked from commit 2e168a8) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * remove infra ENVOY_GATEWAY_NAMESPACE and introduce ENVOY_POD_NAMESPACE envVar for accesslog (envoyproxy#6221) * remove infra ENVOY_GATEWAY_NAMESPACE and introduce ENVOY_POD_NAMESPACE envVar for accesslog Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix e2e test Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> --------- Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> (cherry picked from commit b7ed197) Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix lint Signed-off-by: Arko Dasgupta <arko@tetrate.io> --------- Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Signed-off-by: Arko Dasgupta <arko@tetrate.io> Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> Signed-off-by: Ryan Hristovski <ryan.hristovski@docker.com> Signed-off-by: Ankush Agarwal <ankushagarwal11@gmail.com> Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> Signed-off-by: Guy Daich <guy.daich@sap.com> Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> Signed-off-by: zirain <zirain2009@gmail.com> Signed-off-by: Emin Aktas <eminaktas34@gmail.com> Co-authored-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Co-authored-by: Karol Szwaj <karol.szwaj@gmail.com> Co-authored-by: zirain <zirain2009@gmail.com> Co-authored-by: Ryan Hristovski <61257223+ryanhristovski@users.noreply.github.com> Co-authored-by: Ankush Agarwal <ankushagarwal11@gmail.com> Co-authored-by: Kota Kimura <86363983+kkk777-7@users.noreply.github.com> Co-authored-by: Guy Daich <guy.daich@sap.com> Co-authored-by: Isaac <10012479+jukie@users.noreply.github.com> Co-authored-by: Emin AKTAS <eminaktas34@gmail.com> Signed-off-by: shawnh2 <shawnhxh@outlook.com>

ankushagarwal requested a review from a team as a code owner May 16, 2025 05:15

ankushagarwal force-pushed the support-san branch 2 times, most recently from 634c33d to 50038d4 Compare May 16, 2025 05:18

arkodg mentioned this pull request May 16, 2025

[Gateway API v1.2] Implement GEP-3155 / BackendTLS #4381

Open

arkodg reviewed May 16, 2025

View reviewed changes

ankushagarwal force-pushed the support-san branch 2 times, most recently from 3ebd3dd to 0376285 Compare May 17, 2025 03:29

ankushagarwal commented May 17, 2025

View reviewed changes

arkodg previously approved these changes May 19, 2025

View reviewed changes

arkodg requested review from a team May 19, 2025 16:23

arkodg added this to the v1.5.0-rc.1 Release milestone May 19, 2025

Add support for SubjectAltNames from BackendTLSPolicy.validation

ef5be49

Signed-off-by: Ankush Agarwal <ankushagarwal11@gmail.com>

ankushagarwal dismissed arkodg’s stale review via ef5be49 May 19, 2025 17:13

ankushagarwal force-pushed the support-san branch from 0376285 to ef5be49 Compare May 19, 2025 17:13

Fix yaml lint issues

88a551f

Signed-off-by: Ankush Agarwal <ankushagarwal11@gmail.com>

ankushagarwal force-pushed the support-san branch from becf0a5 to 88a551f Compare May 19, 2025 17:58

arkodg approved these changes May 19, 2025

View reviewed changes

arkodg requested review from a team May 20, 2025 01:33

guydc approved these changes May 20, 2025

View reviewed changes

Merge branch 'main' into support-san

0575f16

arkodg merged commit 35420d5 into envoyproxy:main May 20, 2025
10 checks passed

arkodg added the cherrypick/release-v1.4.1 label May 21, 2025

BrewTestBot mentioned this pull request Aug 8, 2025

egctl 1.5.0 Homebrew/homebrew-core#232799

Merged

Conversation

ankushagarwal commented May 16, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

arkodg May 16, 2025

Choose a reason for hiding this comment

Uh oh!

ankushagarwal May 17, 2025

Choose a reason for hiding this comment

Uh oh!

codecov bot commented May 16, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

arkodg commented May 16, 2025

Uh oh!

ankushagarwal May 17, 2025

Choose a reason for hiding this comment

Uh oh!

ankushagarwal May 17, 2025

Choose a reason for hiding this comment

Uh oh!

ankushagarwal commented May 17, 2025

Uh oh!

arkodg left a comment

Choose a reason for hiding this comment

Uh oh!

ankushagarwal commented May 19, 2025

Uh oh!

arkodg commented May 19, 2025

Uh oh!

arkodg commented May 19, 2025

Uh oh!

arkodg commented May 19, 2025

Uh oh!

ankushagarwal commented May 19, 2025

Uh oh!

ankushagarwal commented May 20, 2025

Uh oh!

arkodg commented May 20, 2025

Uh oh!

guydc left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

ankushagarwal commented May 16, 2025 •

edited

Loading

codecov bot commented May 16, 2025 •

edited

Loading