Skip to content

fix: backend tls default namespace #7987

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
zhaohuabing wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: backend tls default namespace #7987

zhaohuabing wants to merge 1 commit into from
+15 −19

Conversation

@zhaohuabing
Copy link
Member

@zhaohuabing zhaohuabing commented Jan 19, 2026
edited
Loading

Fixes: the default namespace for SecretObjectReference should be the owner namespace, not default.

The condition The Backend was not accepted: clientCertificateRef Secret is not located in the same namespace as Backend. Secret namespace: default does not match Backend namespace: httpbin-tls is wrong in the following example.

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: Backend
metadata:
  name: httpbin-mtls-httpbin-tls-be
  namespace: httpbin-tls
  resourceVersion: "1768671158131743002"
  uid: 1cb357df-44b9-4204-87b0-dbeb4cf86b7d
spec:
  endpoints:
  - fqdn:
      hostname: httpbin-tls.httpbin-tls.svc.cluster.local
      port: 8443
  tls:
    caCertificateRefs:
    - group: ""
      kind: Secret
      name: httpbin-mtls-ssl
    clientCertificateRef:
      group: ""
      kind: Secret
      name: httpbin-mtls-ssl
      namespace: httpbin-tls
    insecureSkipVerify: false
  type: Endpoints
status:
  conditions:
  - lastTransitionTime: "2026-01-17T17:32:38Z"
    message: 'The Backend was not accepted: clientCertificateRef Secret is not located
      in the same namespace as Backend. Secret namespace: default does not match Backend
      namespace: httpbin-tls'
    observedGeneration: 2
    reason: Accepted
    status: "False"
    type: Invalid
  - lastTransitionTime: "2026-01-17T17:32:38Z"
    message: The Backend was accepted
    observedGeneration: 3
    reason: Accepted
    status: "True"
    type: Accepted

@zhaohuabing zhaohuabing requested a review from a team as a code owner January 19, 2026 08:47
@netlify
Copy link

netlify bot commented Jan 19, 2026
edited
Loading

Deploy Preview for cerulean-figolla-1f9435 canceled.

Name Link
🔨 Latest commit a6fe35d
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/696dfc4501039d0008a8ed48

@codecov
Copy link

codecov bot commented Jan 19, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.90%. Comparing base (844be64) to head (a6fe35d).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #7987      +/-   ##
==========================================
+ Coverage   72.86%   72.90%   +0.03%     
==========================================
  Files         237      237              
  Lines       35536    35536              
==========================================
+ Hits        25894    25907      +13     
+ Misses       7799     7791       -8     
+ Partials     1843     1838       -5

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@zhaohuabing
fix: backend tls default namespace
a6fe35d 
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
kkk777-7
kkk777-7 approved these changes Jan 19, 2026
View reviewed changes
internal/gatewayapi/backend.go

if backend.Spec.TLS.BackendTLSConfig != nil && backend.Spec.TLS.ClientCertificateRef != nil {
ns := string(ptr.Deref(backend.Spec.TLS.ClientCertificateRef.Namespace, "default"))
ns := NamespaceDerefOr(backend.Spec.TLS.ClientCertificateRef.Namespace, backend.Namespace)
Copy link
Member

@kkk777-7 kkk777-7 Jan 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a question (not blocking):
Is there an EG coding rule about whether we should use ptr.Deref directly vs using a helper?

@kkk777-7
Copy link
Member

kkk777-7 commented Jan 19, 2026

LGTM, thanks!

@kkk777-7
Copy link
Member

kkk777-7 commented Jan 19, 2026

/retest

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cnvergence cnvergence cnvergence approved these changes

@kkk777-7 kkk777-7 kkk777-7 approved these changes

Assignees

No one assigned

Labels

cherrypick/release-v1.5.8 cherrypick/release-v1.6.3

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@zhaohuabing @kkk777-7 @cnvergence