feat: support crls in client traffic policies #7199
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #7199 +/- ##
=======================================
Coverage 72.30% 72.31%
=======================================
Files 231 231
Lines 33939 33952 +13
=======================================
+ Hits 24539 24551 +12
Misses 7632 7632
- Partials 1768 1769 +1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
rudrakhp
force-pushed
the
feat_crl
branch
3 times, most recently
from
451c9ed to
353110f
Compare
rudrakhp
commented
Oct 13, 2025
internal/gatewayapi/testdata/clienttrafficpolicy-invalid-settings.out.yaml
Show resolved
Hide resolved
rudrakhp
commented
Oct 13, 2025
rudrakhp
force-pushed
the
feat_crl
branch
2 times, most recently
from
ea2e484 to
8311467
Compare
Contributor
|
/retest |
rudrakhp
force-pushed
the
feat_crl
branch
6 times, most recently
from
1a81709 to
eeca2fe
Compare
arkodg
reviewed
Oct 22, 2025
rudrakhp
force-pushed
the
feat_crl
branch
4 times, most recently
from
3f7a1ab to
8aec2b6
Compare
zhaohuabing
reviewed
Oct 30, 2025
| status: "True" | ||
| type: Accepted | ||
| - lastTransitionTime: null | ||
| message: service envoy-gateway/service-1 not found |
Member
There was a problem hiding this comment.
Let's add the service-1 to the .in.yaml file to avoid this translation failure.
zhaohuabing
reviewed
Oct 30, 2025
| conditions: | ||
| - lastTransitionTime: null | ||
| message: 'TLS: invalid crl in tls-secret-1: CRL is expired (next update was | ||
| due at 2005-02-06 12:00:00 +0000 UTC).' |
Member
There was a problem hiding this comment.
Can we attach an HTTPRoute to gateway-1 to verify that 500 response is set at route in case that crl is invalid?
zhaohuabing
reviewed
Oct 30, 2025
zhaohuabing
reviewed
Oct 30, 2025
rudrakhp
force-pushed
the
feat_crl
branch
4 times, most recently
from
a67443e to
ffd9251
Compare
rudrakhp
force-pushed
the
feat_crl
branch
3 times, most recently
from
043ce62 to
bdacaa8
Compare
Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
zhaohuabing
approved these changes
Oct 31, 2025
arkodg
reviewed
Oct 31, 2025
| return fmt.Errorf("failed to parse CRL: %w", err) | ||
| } | ||
| now := time.Now() | ||
| if now.After(crl.NextUpdate) { |
Contributor
There was a problem hiding this comment.
nextUpdate and thisUpdate are optional
can we guard with !crl.NextUpdate.IsZero()
zhaohuabing
added a commit
to zhaohuabing/gateway
that referenced
this pull request
Nov 1, 2025
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
zhaohuabing
added a commit
to zhaohuabing/gateway
that referenced
this pull request
Nov 1, 2025
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
arkodg
pushed a commit
that referenced
this pull request
Nov 1, 2025
fix test for #7199 Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
ekline-ai
pushed a commit
to ekline-ai/envoyproxy-gateway
that referenced
this pull request
Nov 2, 2025
Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Signed-off-by: EkLine AI <ekline-ai@ekline.io>
ekline-ai
pushed a commit
to ekline-ai/envoyproxy-gateway
that referenced
this pull request
Nov 2, 2025
fix test for envoyproxy#7199 Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: EkLine AI <ekline-ai@ekline.io>
ADITYATIWARI342005
pushed a commit
to ADITYATIWARI342005/envoyproxy_gateway
that referenced
this pull request
Nov 3, 2025
Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Signed-off-by: ADITYA TIWARI <142050150+ADITYATIWARI342005@users.noreply.github.com>
ADITYATIWARI342005
pushed a commit
to ADITYATIWARI342005/envoyproxy_gateway
that referenced
this pull request
Nov 3, 2025
fix test for envoyproxy#7199 Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: ADITYA TIWARI <142050150+ADITYATIWARI342005@users.noreply.github.com>
rudrakhp
pushed a commit
that referenced
this pull request
Nov 10, 2025
fix test for #7199 Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
arkodg
added a commit
that referenced
this pull request
Nov 10, 2025
* chore(examples): fix extensionserver build (#7398) Signed-off-by: Maxime Brunet <max@brnt.mx> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * chore: add missing endpoints in the crl test (#7402) fix test for #7199 Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * chore(make): exit on failure (#7387) Signed-off-by: Maxime Brunet <max@brnt.mx> Co-authored-by: zirain <zirain2009@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix: port typo (#7397) Signed-off-by: cong <q1875486458@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * build(deps): bump busybox from `2f590fc` to `e3652a0` in /tools/docker/envoy-gateway (#7409) build(deps): bump busybox in /tools/docker/envoy-gateway Bumps busybox from `2f590fc` to `e3652a0`. --- updated-dependencies: - dependency-name: busybox dependency-version: e3652a00a2fabd16ce889f0aa32c38eec347b997e73bd09e69c962ec7f8732ee dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix: validate EnvoyGateway configuration before reload (#7412) Signed-off-by: zirain <zirain2009@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * build(deps): bump the actions group across 1 directory with 2 updates (#7410) Bumps the actions group with 2 updates in the / directory: [github/codeql-action](https://github.com/github/codeql-action) and [google/osv-scanner-action](https://github.com/google/osv-scanner-action). Updates `github/codeql-action` from 4.31.0 to 4.31.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@4e94bd1...0499de3) Updates `google/osv-scanner-action` from 2.2.3 to 2.2.4 - [Release notes](https://github.com/google/osv-scanner-action/releases) - [Commits](google/osv-scanner-action@e92b5d0...9bb6957) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.31.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: google/osv-scanner-action dependency-version: 2.2.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix: missing onInvalidMessage for ClientTrafficPolicy (#7417) Signed-off-by: i.makarychev <makarichev.ivan@gmail.com> Signed-off-by: i.makarychev <i.makarychev@tbank.ru> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * chore: add missing filters in the filter order configuration (#7404) * add missing filters in the filter order configuration Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * fix wrong filter name Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * test: tcp security policy e2e (#7226) * feat(securitypolicy): Added e2e tests for tcp security policies Signed-off-by: davem-git <demathieu@gmail.com> * removed commented out line Signed-off-by: davem-git <demathieu@gmail.com> --------- Signed-off-by: davem-git <demathieu@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * Docs: tcp security policy (#7247) * updated release notes Signed-off-by: davem-git <demathieu@gmail.com> * updated docs Signed-off-by: davem-git <demathieu@gmail.com> * fixed merge conflict Signed-off-by: davem-git <demathieu@gmail.com> --------- Signed-off-by: davem-git <demathieu@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * feat: support both local and global ratelimit simultaneously (#7334) * update rate limit type Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> * feat: support both type rate limit Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * feat: support separated path match in ratelimit path (#7413) * update: path match ratelimit e2e Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix: handle optional next update for CRL (#7422) fix: handle optional next update for crl Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix: missing jwt provider when jwt is configured on multiple listeners sharing the same port (#7337) * fix jwt provider missing when jwt is configured at multiple ir listeners Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix: only insert proxy service once it exists (#7424) * maybe this is the fix? Signed-off-by: jukie <10012479+jukie@users.noreply.github.com> * fixes Signed-off-by: jukie <10012479+jukie@users.noreply.github.com> * cleanup Signed-off-by: jukie <10012479+jukie@users.noreply.github.com> * consolidate Signed-off-by: jukie <10012479+jukie@users.noreply.github.com> * fix Signed-off-by: jukie <10012479+jukie@users.noreply.github.com> --------- Signed-off-by: jukie <10012479+jukie@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix error when updating invalid gateway status (#7415) * fix error when updating invalid gateway status Signed-off-by: zirain <zirain2009@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix: avoid calling the issuer's well-known endpoint for every routes (#7394) * fix: avoid calling the issuer's well-known endpoint for every routes with Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix: memory leak (#7429) Fix memory leak. Two watchable.Maps were never closed when shutting down the provider: - GatewayClassStatuses.Close() - missing in GatewayAPIStatuses.Close() - BackendTrafficPolicyStatuses.Close() - missing in PolicyStatuses.Close() Each unclosed map leaked 3 goroutines: 1. Internal watchable.Map.coalesce goroutine 2. HandleSubscription goroutine blocked on channel read 3. Error handler goroutine blocked on channel read Signed-off-by: Gonzalo Serrano <boikot@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * perf: move snapshot update above status update in xds layer (#7423) Signed-off-by: Arko Dasgupta <arko@tetrate.io> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * chore: cleanup logging when inserting proxy service cluster (#7431) cleanup Signed-off-by: jukie <10012479+jukie@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * upgrade gofumpt (#7420) Signed-off-by: fabian4 <fabian.v.bao@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * feat(translator): relax backend restrictions for localhost when running standalone with Host infrastructure (#7427) Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * chore: improve api docs for http10.useDefaultHost (#7435) * imporove api docs for useDefaultHost Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * ci: disable lint.dependabot (#7445) Signed-off-by: zirain <zirain2009@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * chore: bump github.com/containerd/containerd (#7448) Signed-off-by: zirain <zirain2009@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * perf: do not set last transition time for status in watcher layer (#7268) Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * docs: fix gwapi docs (#7408) * docs: fix gwapi docs Signed-off-by: zirain <zirain2009@gmail.com> * fix Signed-off-by: zirain <zirain2009@gmail.com> * update Signed-off-by: zirain <zirain2009@gmail.com> --------- Signed-off-by: zirain <zirain2009@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * chore: renable lint.dependabot (#7454) Signed-off-by: zirain <zirain2009@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * chore: remove last transition time comparison as no longer set (#7451) chore: remove last transition time comparision as no longer set Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Co-authored-by: zirain <zirain2009@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix: merged policy status (#7376) Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix: header modifier doesn't permit multiple values with commas (#7436) * revert: separate headers with commas Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> * add e2e Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix auto http config with proxy protocol (#7439) * don't set TypedExtensionProtocolOptions when ProxyProtocol enabled Signed-off-by: zirain <zirain2009@gmail.com> * update test Signed-off-by: zirain <zirain2009@gmail.com> * enable auto ALPN for proxy protocol Signed-off-by: zirain <zirain2009@gmail.com> * add e2e Signed-off-by: zirain <zirain2009@gmail.com> * update Signed-off-by: zirain <zirain2009@gmail.com> --------- Signed-off-by: zirain <zirain2009@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * build(deps): bump sigs.k8s.io/controller-runtime from 0.22.3 to 0.22.4 in /examples/extension-server (#7470) build(deps): bump sigs.k8s.io/controller-runtime Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.22.3 to 0.22.4. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](kubernetes-sigs/controller-runtime@v0.22.3...v0.22.4) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-version: 0.22.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * build(deps): bump softprops/action-gh-release from 2.4.1 to 2.4.2 in the actions group across 1 directory (#7461) build(deps): bump softprops/action-gh-release Bumps the actions group with 1 update in the / directory: [softprops/action-gh-release](https://github.com/softprops/action-gh-release). Updates `softprops/action-gh-release` from 2.4.1 to 2.4.2 - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](softprops/action-gh-release@6da8fa9...5be0e66) --- updated-dependencies: - dependency-name: softprops/action-gh-release dependency-version: 2.4.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * build(deps): bump github.com/envoyproxy/go-control-plane/envoy from 1.35.0 to 1.36.0 in /examples/grpc-ext-proc (#7471) build(deps): bump github.com/envoyproxy/go-control-plane/envoy Bumps [github.com/envoyproxy/go-control-plane/envoy](https://github.com/envoyproxy/go-control-plane) from 1.35.0 to 1.36.0. - [Release notes](https://github.com/envoyproxy/go-control-plane/releases) - [Changelog](https://github.com/envoyproxy/go-control-plane/blob/main/CHANGELOG.md) - [Commits](envoyproxy/go-control-plane@envoy/v1.35.0...envoy/v1.36.0) --- updated-dependencies: - dependency-name: github.com/envoyproxy/go-control-plane/envoy dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * build(deps): bump github.com/envoyproxy/go-control-plane/envoy from 1.35.0 to 1.36.0 in /examples/envoy-ext-auth (#7467) build(deps): bump github.com/envoyproxy/go-control-plane/envoy Bumps [github.com/envoyproxy/go-control-plane/envoy](https://github.com/envoyproxy/go-control-plane) from 1.35.0 to 1.36.0. - [Release notes](https://github.com/envoyproxy/go-control-plane/releases) - [Changelog](https://github.com/envoyproxy/go-control-plane/blob/main/CHANGELOG.md) - [Commits](envoyproxy/go-control-plane@envoy/v1.35.0...envoy/v1.36.0) --- updated-dependencies: - dependency-name: github.com/envoyproxy/go-control-plane/envoy dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * build(deps): bump github.com/envoyproxy/go-control-plane/envoy from 1.35.1-0.20251029084203-42a4a9261f66 to 1.36.0 in /examples/extension-server (#7468) build(deps): bump github.com/envoyproxy/go-control-plane/envoy Bumps [github.com/envoyproxy/go-control-plane/envoy](https://github.com/envoyproxy/go-control-plane) from 1.35.1-0.20251029084203-42a4a9261f66 to 1.36.0. - [Release notes](https://github.com/envoyproxy/go-control-plane/releases) - [Changelog](https://github.com/envoyproxy/go-control-plane/blob/main/CHANGELOG.md) - [Commits](https://github.com/envoyproxy/go-control-plane/commits/envoy/v1.36.0) --- updated-dependencies: - dependency-name: github.com/envoyproxy/go-control-plane/envoy dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * [release/v1.6] v1.6.0 release docs (#7475) Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> --------- Signed-off-by: Maxime Brunet <max@brnt.mx> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: cong <q1875486458@gmail.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: zirain <zirain2009@gmail.com> Signed-off-by: i.makarychev <makarichev.ivan@gmail.com> Signed-off-by: i.makarychev <i.makarychev@tbank.ru> Signed-off-by: davem-git <demathieu@gmail.com> Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> Signed-off-by: jukie <10012479+jukie@users.noreply.github.com> Signed-off-by: Gonzalo Serrano <boikot@gmail.com> Signed-off-by: Arko Dasgupta <arko@tetrate.io> Signed-off-by: fabian4 <fabian.v.bao@gmail.com> Co-authored-by: Maxime Brunet <max@brnt.mx> Co-authored-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Co-authored-by: zirain <zirain2009@gmail.com> Co-authored-by: 聪 <q1875486458@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Inode1 <makarichevivan@gmail.com> Co-authored-by: davem-git <demathieu@gmail.com> Co-authored-by: Kota Kimura <86363983+kkk777-7@users.noreply.github.com> Co-authored-by: Isaac <10012479+jukie@users.noreply.github.com> Co-authored-by: Gonzalo Serrano <boikot@gmail.com> Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> Co-authored-by: Fabian Bao <fabian.v.bao@gmail.com> Co-authored-by: Ignasi Barrera <nacx@apache.org>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
feat: support crls in client traffic policies
What this PR does / why we need it:
Implement #6955
Which issue(s) this PR fixes:
Fixes #3021
Release Notes: Yes