Skip to content

feat: process Gateway spec.tls.backend.clientCertificateRef for backend mTLS #8206

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
HueCodes wants to merge 5 commits into
base: main
Choose a base branch
from
Open

feat: process Gateway spec.tls.backend.clientCertificateRef for backend mTLS #8206

HueCodes wants to merge 5 commits into from

Conversation

@HueCodes
Copy link

@HueCodes HueCodes commented Feb 7, 2026
edited
Loading

Process the clientCertificateRef field from Gateway spec.tls.backend so it participates in the client TLS config merge chain for backend mTLS (GEP-3155).

@HueCodes HueCodes requested a review from a team as a code owner February 7, 2026 07:53
@netlify
Copy link

netlify bot commented Feb 7, 2026
edited
Loading

Deploy Preview for cerulean-figolla-1f9435 failed.

Name Link
🔨 Latest commit 4e9d7a0
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/698c36bbb599cb00087fb0ef

@HueCodes HueCodes force-pushed the feat/gateway-backend-tls-client-cert branch 2 times, most recently from 235a5e3 to 2eae3a1 Compare February 7, 2026 08:40
@codecov
Copy link

codecov bot commented Feb 7, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 74.54545% with 14 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.85%. Comparing base (ff5e4b4) to head (907d2b0).

Files with missing lines Patch % Lines
internal/gatewayapi/backendtlspolicy.go 72.54% 8 Missing and 6 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #8206      +/-   ##
==========================================
+ Coverage   73.76%   73.85%   +0.08%     
==========================================
  Files         241      241              
  Lines       36579    36609      +30     
==========================================
+ Hits        26983    27037      +54     
+ Misses       7688     7666      -22     
+ Partials     1908     1906       -2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@zirain zirain force-pushed the feat/gateway-backend-tls-client-cert branch from 2eae3a1 to 907d2b0 Compare February 7, 2026 13:22
@arkodg
Copy link
Contributor

arkodg commented Feb 8, 2026

hey @HueCodes thanks for picking this up, if this is an experimental field, lets make it opt in

gateway/api/v1alpha1/envoygateway_types.go

Line 140 in 6442347

const (

@arkodg
Copy link
Contributor

arkodg commented Feb 8, 2026

can you also sign your commit and force push

HueCodes and others added 5 commits February 10, 2026 23:58
@HueCodes
feat: process Gateway spec.tls.backend.clientCertificateRef for backe…
3841d84 
…nd mTLS

Process the clientCertificateRef field from Gateway spec.tls.backend
so it participates in the client TLS merge chain for backend mTLS.

Precedence (highest to lowest):
1. Backend resource spec.tls.clientCertificateRef
2. Gateway spec.tls.backend.clientCertificateRef (new)
3. EnvoyProxy spec.backendTLS.clientCertificateRef

Signed-off-by: HueCodes <[email protected]>
Signed-off-by: Hugh <[email protected]>
@HueCodes
fix: correct typo in mergeServerValidationTLSConfigs comment
16552cf 
Fix "TL." to "TLS." in the function comment.

Signed-off-by: Hugh <[email protected]>
@HueCodes
fix(translator): support cross-namespace ReferenceGrant for Gateway c…
80a0345 
…lientCertificateRef

The SecretObjectReference type used by GatewayBackendTLS.ClientCertificateRef
allows cross-namespace secret references when authorized by a ReferenceGrant.
Replace the hard same-namespace check in processGatewayBackendTLS with the
existing validateSecretRef helper, which handles Group/Kind validation,
ReferenceGrant checking, and secret existence in one call.

Signed-off-by: Hugh <[email protected]>
@HueCodes
test(gatewayapi): add coverage for Gateway backend TLS merge logic
d31ca9c 
Add test cases to achieve 100% coverage for processGatewayBackendTLS
and mergeClientTLSConfigs functions.

Coverage improvements:
- processGatewayBackendTLS: 87.5% to 100.0%
- mergeClientTLSConfigs: 73.1% to 100.0%

Test scenarios added:
- Empty clientCertificateRef handling
- TLS version override (min/max)
- Cipher suite override
- ECDH curves override
- Signature algorithms override
- ALPN protocols override
- Comprehensive three-way merge validation

Signed-off-by: HueCodes <[email protected]>
Signed-off-by: Hugh <[email protected]>
@HueCodes
feat: make Gateway backend client cert experimental and opt-in
4e9d7a0 
Make Gateway spec.tls.backend.clientCertificateRef an experimental
feature that must be explicitly enabled via EnvoyGateway config.

Add XGatewayBackendClientCert to GatewayAPI experimental features.
Users must enable this feature by setting:

  envoyGateway:
    gatewayAPI:
      enabled:
      - XGatewayBackendClientCert

Signed-off-by: Hugh <[email protected]>
@HueCodes HueCodes force-pushed the feat/gateway-backend-tls-client-cert branch from 6397461 to 4e9d7a0 Compare February 11, 2026 07:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@HueCodes @arkodg