fix(telemetry): support BackendTLSPolicy for telemetry backends by codefromthecrypt · Pull Request #8545 · envoyproxy/gateway

codefromthecrypt · 2026-03-18T03:50:42Z

What type of PR is this?
fix(telemetry): support BackendTLSPolicy for telemetry backends

What this PR does / why we need it:
processBackendRefs does not look up BackendTLSPolicy for telemetry backends (access logs, tracing, metrics), so TLS can only be configured via Backend.spec.tls.

Replace inline processServerValidationTLSSettings with applyBackendTLSSetting so telemetry backends get the full Backend + BackendTLSPolicy + EnvoyProxy TLS merge.

Which issue(s) this PR fixes:
Workaround: envoyproxy/ai-gateway#1964

Release Notes: Yes

Tested with examples/otel-headers against Elastic Cloud using BackendTLSPolicy (no Backend.spec.tls):

--- a/examples/otel-headers/resources/gateway.yaml
+++ b/examples/otel-headers/resources/gateway.yaml
@@ -5,15 +5,21 @@
 spec:
   endpoints:
     - fqdn:
-        hostname: localhost
-        port: 4317
-# Use below for cloud OTLP endpoints
-#   endpoints:
-#     - fqdn:
-#         hostname: otel.example.com
-#         port: 443
-#   tls:
-#     wellKnownCACertificates: System
+        hostname: adrian-o11y-b7e5ce.ingest.us-central1.gcp.elastic.cloud
+        port: 443
+---
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: BackendTLSPolicy
+metadata:
+  name: otel-tls
+spec:
+  targetRefs:
+    - group: gateway.envoyproxy.io
+      kind: Backend
+      name: otel-collector
+  validation:
+    wellKnownCACertificates: System
+    hostname: adrian-o11y-b7e5ce.ingest.us-central1.gcp.elastic.cloud
 ---
@@ -35,7 +41,7 @@
             headers:
               - name: Authorization
-                value: Bearer fake
+                value: ApiKey <redacted>

netlify · 2026-03-18T03:50:48Z

✅ Deploy Preview for cerulean-figolla-1f9435 canceled.

Name	Link
🔨 Latest commit	`f9e5061`
🔍 Latest deploy log	https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/69cc5ae05084f60008f508cc

codecov · 2026-03-18T04:00:44Z

Codecov Report

❌ Patch coverage is 90.47619% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.36%. Comparing base (fdc3128) to head (f9e5061).
⚠️ Report is 12 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/gatewayapi/listener.go	90.47%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8545      +/-   ##
==========================================
- Coverage   74.40%   74.36%   -0.04%     
==========================================
  Files         243      243              
  Lines       38262    38267       +5     
==========================================
- Hits        28467    28457      -10     
- Misses       7805     7816      +11     
- Partials     1990     1994       +4

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

processBackendRefs does not look up BackendTLSPolicy for telemetry backends (access logs, tracing, metrics), so TLS can only be configured via Backend.spec.tls. Replace inline processServerValidationTLSSettings with applyBackendTLSSetting so telemetry backends get the full Backend + BackendTLSPolicy + EnvoyProxy TLS merge. Workaround: envoyproxy/ai-gateway#1964 Signed-off-by: Adrian Cole <adrian@tetrate.io>

Signed-off-by: Adrian Cole <adrian@tetrate.io>

zhaohuabing

LGTM. Thanks!

zirain · 2026-04-01T03:21:04Z

/retest

…yproxy#8545) * fix(telemetry): support BackendTLSPolicy for telemetry backends processBackendRefs does not look up BackendTLSPolicy for telemetry backends (access logs, tracing, metrics), so TLS can only be configured via Backend.spec.tls. Replace inline processServerValidationTLSSettings with applyBackendTLSSetting so telemetry backends get the full Backend + BackendTLSPolicy + EnvoyProxy TLS merge. Workaround: envoyproxy/ai-gateway#1964 Signed-off-by: Adrian Cole <adrian@tetrate.io> (cherry picked from commit ac18feb)

…yproxy#8545) * fix(telemetry): support BackendTLSPolicy for telemetry backends processBackendRefs does not look up BackendTLSPolicy for telemetry backends (access logs, tracing, metrics), so TLS can only be configured via Backend.spec.tls. Replace inline processServerValidationTLSSettings with applyBackendTLSSetting so telemetry backends get the full Backend + BackendTLSPolicy + EnvoyProxy TLS merge. Workaround: envoyproxy/ai-gateway#1964 Signed-off-by: Adrian Cole <adrian@tetrate.io> (cherry picked from commit ac18feb) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* fix: handle network errors in rate limit e2e tests (#8446) Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> (cherry picked from commit b0638d5) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * refactor/perf: use LuaPerRoute instead of FilterConfig (#8355) perf: use LuaPerRoute instead of FilterConfig Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> (cherry picked from commit f31ac4e) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: per-endpoint hostname override blocked by auto-generated wildcad host (#8565) * fix: per-endpoint hostname override blocked by auto-generated wildcard host Signed-off-by: zirain <zirain2009@gmail.com> * add UT Signed-off-by: zirain <zirain2009@gmail.com> --------- Signed-off-by: zirain <zirain2009@gmail.com> (cherry picked from commit 595010a) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix bug with grpcroute mirror filter (#8541) * fix bug with grpcroute mirror filter Signed-off-by: Adam Buran <aburan@roblox.com> * add indexers test Signed-off-by: Adam Buran <aburan@roblox.com> * add release note Signed-off-by: Adam Buran <aburan@roblox.com> --------- Signed-off-by: Adam Buran <aburan@roblox.com> Signed-off-by: Arko Dasgupta <arkodg@users.noreply.github.com> Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> (cherry picked from commit e633c08) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: normalize CRLF line endings in htpasswd basic auth secrets (#8557) Fixes #8554 Signed-off-by: stekole <stefan@sandnetworks.com> Signed-off-by: stekole <30674956+stekole@users.noreply.github.com> (cherry picked from commit 9cac348) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: avoid metric increments on no-op delete reconcile paths (#8480) * fix: avoid metric increments on no-op delete reconcile paths Signed-off-by: Felipe Sabadini Facina <fsabadini@hotmail.com> * Update internal/infrastructure/kubernetes/infra_resource_test.go Signed-off-by: Isaac Wilson <isaac.wilson514@gmail.com> * Update internal/infrastructure/kubernetes/infra_resource_test.go Signed-off-by: Isaac Wilson <isaac.wilson514@gmail.com> --------- Signed-off-by: Felipe Sabadini Facina <fsabadini@hotmail.com> Signed-off-by: Isaac Wilson <isaac.wilson514@gmail.com> Co-authored-by: Isaac Wilson <isaac.wilson514@gmail.com> (cherry picked from commit 7a2a4ec) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix(telemetry): support BackendTLSPolicy for telemetry backends (#8545) * fix(telemetry): support BackendTLSPolicy for telemetry backends processBackendRefs does not look up BackendTLSPolicy for telemetry backends (access logs, tracing, metrics), so TLS can only be configured via Backend.spec.tls. Replace inline processServerValidationTLSSettings with applyBackendTLSSetting so telemetry backends get the full Backend + BackendTLSPolicy + EnvoyProxy TLS merge. Workaround: envoyproxy/ai-gateway#1964 Signed-off-by: Adrian Cole <adrian@tetrate.io> (cherry picked from commit ac18feb) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: restore failure-path metric recording for delete and HPA reconcile (#8656) Fixes #8651 Signed-off-by: Felipe Sabadini Facina <fsabadini@hotmail.com> (cherry picked from commit 2a5bfd0) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: status for mirror backend (#8675) Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> (cherry picked from commit fa81778) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: client certificate secret never delivered when it is exclusively referenced by a SecurityPolicy extAuth Backend (#8654) * fix: client certificate secret never delivered when it is exclusively referenced by a SecurityPolicy extAuth Backend Signed-off-by: zirain <zirain2009@gmail.com> * fix lint Signed-off-by: zirain <zirain2009@gmail.com> --------- Signed-off-by: zirain <zirain2009@gmail.com> (cherry picked from commit c7e21fa) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: client certificate secret never delivered when it is exclusively referenced by a SecurityPolicy jwt/oidc Backend (#8711) Signed-off-by: zirain <zirain2009@gmail.com> (cherry picked from commit 95c3a79) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: helm secrets rbac for gateway namespace with watch list of namespaces (#8706) * fix: helm secrets rbac for gateway namespace with watch list of namespaces Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * add release notes Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * review update Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> --------- Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> Co-authored-by: Rudrakh Panigrahi <rudrakh97@gmail.com> (cherry picked from commit c48a346) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * add release notes Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix lint Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix lint Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> --------- Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> Signed-off-by: zirain <zirain2009@gmail.com> Signed-off-by: Adam Buran <aburan@roblox.com> Signed-off-by: Arko Dasgupta <arkodg@users.noreply.github.com> Signed-off-by: stekole <stefan@sandnetworks.com> Signed-off-by: stekole <30674956+stekole@users.noreply.github.com> Signed-off-by: Felipe Sabadini Facina <fsabadini@hotmail.com> Signed-off-by: Isaac Wilson <isaac.wilson514@gmail.com> Signed-off-by: Adrian Cole <adrian@tetrate.io> Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> Co-authored-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Co-authored-by: zirain <zirain2009@gmail.com> Co-authored-by: aburanrbx <aburan@roblox.com> Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> Co-authored-by: stekole <30674956+stekole@users.noreply.github.com> Co-authored-by: Felipe Sabadini <fsabadini@hotmail.com> Co-authored-by: Isaac Wilson <isaac.wilson514@gmail.com> Co-authored-by: Adrian Cole <64215+codefromthecrypt@users.noreply.github.com> Co-authored-by: Kota Kimura <86363983+kkk777-7@users.noreply.github.com>

codefromthecrypt requested a review from a team as a code owner March 18, 2026 03:50

codefromthecrypt mentioned this pull request Mar 18, 2026

fix: use spec.tls for telemetry backends instead of BackendTLSPolicy envoyproxy/ai-gateway#1964

Merged

zirain previously approved these changes Mar 18, 2026

View reviewed changes

zirain added the cherrypick/release-v1.7.2 label Mar 18, 2026

codefromthecrypt dismissed zirain’s stale review via 2278826 March 18, 2026 23:37

codefromthecrypt force-pushed the fix/telemetry-backendtlspolicy branch from fda7b39 to 2278826 Compare March 18, 2026 23:37

codefromthecrypt requested a review from zirain March 19, 2026 00:52

zirain previously approved these changes Mar 19, 2026

View reviewed changes

codefromthecrypt force-pushed the fix/telemetry-backendtlspolicy branch from 0c36522 to d698a37 Compare March 21, 2026 16:30

arkodg requested review from a team March 23, 2026 03:54

zirain dismissed their stale review via 9642cca March 23, 2026 03:56

zirain previously approved these changes Mar 23, 2026

View reviewed changes

codefromthecrypt dismissed zirain’s stale review via ef89f02 March 26, 2026 00:04

codefromthecrypt force-pushed the fix/telemetry-backendtlspolicy branch 2 times, most recently from ef89f02 to 7077639 Compare March 30, 2026 12:56

zhaohuabing reviewed Mar 31, 2026

View reviewed changes

Comment thread internal/gatewayapi/listener.go

zhaohuabing previously approved these changes Mar 31, 2026

View reviewed changes

zirain previously approved these changes Mar 31, 2026

View reviewed changes

codefromthecrypt dismissed stale reviews from zirain and zhaohuabing via cb7727e March 31, 2026 12:52

codefromthecrypt force-pushed the fix/telemetry-backendtlspolicy branch from 7077639 to cb7727e Compare March 31, 2026 12:52

codefromthecrypt added 3 commits April 1, 2026 07:38

missing-test

8f5a645

Signed-off-by: Adrian Cole <adrian@tetrate.io>

rename processBackendRefs to processBackendRefsForTelemetry

f9e5061

Signed-off-by: Adrian Cole <adrian@tetrate.io>

zirain force-pushed the fix/telemetry-backendtlspolicy branch from cb7727e to f9e5061 Compare March 31, 2026 23:38

zirain approved these changes Mar 31, 2026

View reviewed changes

zhaohuabing approved these changes Apr 1, 2026

View reviewed changes

arkodg merged commit ac18feb into envoyproxy:main Apr 2, 2026
55 of 59 checks passed

codefromthecrypt deleted the fix/telemetry-backendtlspolicy branch April 2, 2026 12:47

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(telemetry): support BackendTLSPolicy for telemetry backends#8545

fix(telemetry): support BackendTLSPolicy for telemetry backends#8545
arkodg merged 3 commits intoenvoyproxy:mainfrom
codefromthecrypt:fix/telemetry-backendtlspolicy

codefromthecrypt commented Mar 18, 2026

Uh oh!

netlify bot commented Mar 18, 2026 •

edited

Loading

Uh oh!

codecov bot commented Mar 18, 2026 •

edited

Loading

Uh oh!

Uh oh!

zhaohuabing left a comment

Uh oh!

zirain commented Apr 1, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

codefromthecrypt commented Mar 18, 2026

Uh oh!

netlify bot commented Mar 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Deploy Preview for cerulean-figolla-1f9435 canceled.

Uh oh!

codecov bot commented Mar 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Uh oh!

zhaohuabing left a comment

Choose a reason for hiding this comment

Uh oh!

zirain commented Apr 1, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

netlify bot commented Mar 18, 2026 •

edited

Loading

codecov bot commented Mar 18, 2026 •

edited

Loading