TLSRoute: Require hostnames and bump version to v1alpha3 by rostislavbobo · Pull Request #3872 · kubernetes-sigs/gateway-api

rostislavbobo · 2025-06-20T15:32:27Z

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR makes the hostnames field in TLSRoute non-optional. Hostnames is the only available match for TLSRoutes and, per the TLSRoute spec, at least one hostname match is required. If SNI hostname matching is not needed, TCPRoute should be used instead.

Which issue(s) this PR fixes:

Fixes #3871

Does this PR introduce a user-facing change?:

- Adds v1alpha3 experimental TLSRoute with the hostnames field being required.

k8s-ci-robot · 2025-06-20T15:32:36Z

Welcome @rostislavbobo!

It looks like this is your first PR to kubernetes-sigs/gateway-api 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/gateway-api has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

k8s-ci-robot · 2025-06-20T15:32:36Z

Hi @rostislavbobo. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

robscott · 2025-06-27T16:48:37Z

Thanks @rostislavbobo!

/ok-to-test

robscott

Thanks @rostislavbobo! Some small nits, but otherwise LGTM.

hack/invalid-examples/experimental/tlsroute/no-hostname.yaml

robscott · 2025-07-11T05:03:37Z

apis/v1alpha3/tlsroute_types.go

+}
+
+// TLSRouteSpec defines the desired state of a TLSRoute resource.
+type TLSRouteSpec struct {


Going back in time to one of the recent times we did something similar, we used aliases in the old API version that pointed to the new one. I'd recommend doing that here as well. So in this case v1alpha3 would be the source of truth, and v1alpha2 would point at that. Take a look at this for an example:

gateway-api/apis/v1beta1/gateway_types.go

Lines 48 to 55 in 093f653

// GatewaySpec defines the desired state of Gateway.

//

// Not all possible combinations of options specified in the Spec are

// valid. Some invalid configurations can be caught synchronously via a

// webhook, but there are many cases that will require asynchronous

// signaling via the GatewayStatus block.

// +k8s:deepcopy-gen=false

type GatewaySpec = v1.GatewaySpec

When promoting TLSRoutes to v1, we'll use aliases in v1alpha3 to reference the v1 version.

TLSRoute promotion from from v1alpha2 to v1alpha3 is different, let me summarize the conversation above:

@youngnick asked to keep old v1alpha2 TLSRoute while introducing new v1alpha3 TLSRoute. This is to avoid breaking existing implementations that use v1alpha2 in prod.

As a result, we can only aliases unchanged parts of TLSRoute – TLSRouteStatus and TLSRouteRule. TLSRouteSpec has changed and can't be aliased.

We can't reference v1alpha2 from v1alpha3.

v1alpha3 is already based on v1alpha2 (see v1alpha3/backendtlspolicy_types.go, v1alpha3/zz_generated.deepcopy.go).

Referencing v1alpha2 from v1alpha3 requires re-doing Update API and docs for GEP-2907 changes (BackendTLSPolicy) #2955

apis/v1alpha3/tlsroute_types.go

robscott · 2025-07-14T17:50:31Z

/retitle TLSRoute: Require hostnames and bump version to v1alpha3

robscott · 2025-07-14T17:51:26Z

Thanks @rostislavbobo!

/approve
/cc @mlavacca @shaneutt @youngnick

shaneutt

/lgtm

k8s-ci-robot · 2025-07-14T17:59:25Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: robscott, rostislavbobo, shaneutt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [robscott,shaneutt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

apis/v1alpha3/tlsroute_types.go

…sigs#3872) * TLSRoute: Require hostnames * TLSRoute: Move to v1alpha3 TLSRoute: Update config crd TLSRoute: Update pkg TLSRoute: Update hack example * TLSRoute: Bring TLSRoute back to v1alpha2 * TLSRoute: Update conformance helpers * TLSRoute: Remove storageversion from v1alpha3 * TLSRoute: Update invalid example * TLSRoute: v1alpha3 example * TLSRoute: Make v1alpha3 storage

zirain · 2026-02-05T00:26:46Z

apis/v1alpha3/tlsroute_types.go

+	//
+	// If both the Listener and TLSRoute have specified hostnames, any
+	// TLSRoute hostnames that do not match the Listener hostname MUST be
+	// ignored. For example, if a Listener specified `*.example.com`, and the


For what added in #4437

does *.example.com matched test.example.com? what I missed?

I'd recommend going through #4437 (comment) thread for more details

k8s-ci-robot requested review from mlavacca and robscott June 20, 2025 15:32

k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jun 20, 2025

rostislavbobo force-pushed the tlsroute-hostnames-required branch from 8a842f0 to 5630d40 Compare June 27, 2025 12:43

k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jun 27, 2025

rostislavbobo force-pushed the tlsroute-hostnames-required branch from 75ab19e to 563794e Compare June 27, 2025 13:01

k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jun 27, 2025

rostislavbobo force-pushed the tlsroute-hostnames-required branch 4 times, most recently from 2cc1661 to bf124db Compare June 27, 2025 14:04

k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jun 27, 2025

rostislavbobo force-pushed the tlsroute-hostnames-required branch from bf124db to 1c19f20 Compare June 27, 2025 14:53

k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jun 27, 2025

rostislavbobo marked this pull request as ready for review June 27, 2025 16:47

k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 27, 2025

k8s-ci-robot requested review from sunjayBhatia and youngnick June 27, 2025 16:47

TLSRoute: Update invalid example

2ba0374

rostislavbobo force-pushed the tlsroute-hostnames-required branch from 9dc3faf to 2ba0374 Compare July 10, 2025 22:07

robscott reviewed Jul 11, 2025

View reviewed changes

apis/v1alpha3/tlsroute_types.go Show resolved Hide resolved

TLSRoute: v1alpha3 example

236339c

rostislavbobo force-pushed the tlsroute-hostnames-required branch 2 times, most recently from 7b67116 to 892a84d Compare July 13, 2025 16:15

TLSRoute: Make v1alpha3 storage

cf5c16d

rostislavbobo force-pushed the tlsroute-hostnames-required branch from 892a84d to cf5c16d Compare July 13, 2025 16:36

k8s-ci-robot changed the title ~~TLSRoute: Require hostnames~~ TLSRoute: Require hostnames and bump version to v1alpha3 Jul 14, 2025

k8s-ci-robot requested a review from shaneutt July 14, 2025 17:51

k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 14, 2025

shaneutt approved these changes Jul 14, 2025

View reviewed changes

k8s-ci-robot assigned shaneutt Jul 14, 2025

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 14, 2025

k8s-ci-robot merged commit 6d76ec6 into kubernetes-sigs:main Jul 14, 2025
13 checks passed

rikatz reviewed Jul 14, 2025

View reviewed changes

apis/v1alpha3/tlsroute_types.go Show resolved Hide resolved

rostislavbobo deleted the tlsroute-hostnames-required branch July 15, 2025 11:28

rostislavbobo mentioned this pull request Jul 15, 2025

TLSRoute: Require hostnames via +required #3918

Merged

shaneutt added this to Release v1.4.0 Jul 15, 2025

shaneutt moved this to Done in Release v1.4.0 Jul 15, 2025

shaneutt added this to the v1.4.0 milestone Jul 15, 2025

rostislavbobo mentioned this pull request Aug 18, 2025

REQUEST: New membership for @rostislavbobo kubernetes/org#5778

Closed

11 tasks

rikatz mentioned this pull request Sep 12, 2025

Need to manually delete generated files before running make generate #4077

Closed

zirain reviewed Feb 5, 2026

View reviewed changes

rostislavbobo mentioned this pull request Feb 20, 2026

Add Hostname concept and explanation document #4516

Merged

	// GatewaySpec defines the desired state of Gateway.
	//
	// Not all possible combinations of options specified in the Spec are
	// valid. Some invalid configurations can be caught synchronously via a
	// webhook, but there are many cases that will require asynchronous
	// signaling via the GatewayStatus block.
	// +k8s:deepcopy-gen=false
	type GatewaySpec = v1.GatewaySpec

Conversation

rostislavbobo commented Jun 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

k8s-ci-robot commented Jun 20, 2025

Uh oh!

k8s-ci-robot commented Jun 20, 2025

Uh oh!

robscott commented Jun 27, 2025

Uh oh!

robscott left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

robscott Jul 11, 2025

Choose a reason for hiding this comment

Uh oh!

rostislavbobo Jul 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

robscott commented Jul 14, 2025

Uh oh!

robscott commented Jul 14, 2025

Uh oh!

shaneutt left a comment

Choose a reason for hiding this comment

Uh oh!

k8s-ci-robot commented Jul 14, 2025

Uh oh!

Uh oh!

Uh oh!

zirain Feb 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

rostislavbobo Feb 5, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

rostislavbobo commented Jun 20, 2025 •

edited

Loading

rostislavbobo Jul 11, 2025 •

edited

Loading

zirain Feb 5, 2026 •

edited

Loading