Skip to content

Add OverlappingTLSConfig condition #3709

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Aug 8, 2025
Merged

Add OverlappingTLSConfig condition #3709

merged 2 commits into from
Aug 8, 2025

Conversation

ciarams87
Copy link
Contributor

Proposed changes

Problem: Currently, our controller does not set the OverlappingTLSConfig condition on Listeners when overlapping TLS configuration is detected (e.g., overlapping hostnames or certificates on the same port). This means users are not warned about potentially conflicting TLS configurations, which can lead to confusing runtime behavior, especially with HTTP connection coalescing.

Solution: Implement logic to detect overlapping TLS hostnames between Listeners on the same port, and set the OverlappingTLSConfig condition with the reason OverlappingHostnames on all affected Listeners, as required by the Gateway API spec. OverlappingCertificates is not being implemented as it is optional, and is far too complicated (we would have to inspect the Certificate itself)

Testing: Manually tested creating Gateways with various overlapping conditions

Closes #3696

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

Implemented logic to detect overlapping TLS hostnames between Listeners on the same port, and set the OverlappingTLSConfig condition with the reason OverlappingHostnames on all affected Listeners

@ciarams87 ciarams87 requested a review from a team as a code owner August 8, 2025 12:35
@github-actions github-actions bot added the enhancement New feature or request label Aug 8, 2025
@codecov Codecov
Copy link

codecov bot commented Aug 8, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 46.00000% with 27 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.90%. Comparing base (e8083f7) to head (1215a9a).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
internal/controller/state/conditions/conditions.go 0.00% 22 Missing ⚠️
...nternal/controller/state/graph/gateway_listener.go 80.76% 3 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3709      +/-   ##
==========================================
- Coverage   87.03%   86.90%   -0.13%     
==========================================
  Files         128      128              
  Lines       15919    15962      +43     
  Branches       62       62              
==========================================
+ Hits        13855    13872      +17     
- Misses       1899     1922      +23     
- Partials      165      168       +3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

sjberman
sjberman reviewed Aug 8, 2025
View reviewed changes
bjee19
bjee19 approved these changes Aug 8, 2025
View reviewed changes
Copy link
Contributor

@bjee19 bjee19 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice

@ciarams87 ciarams87 force-pushed the feat/add-OverlappingTLSConfig-cond branch from 010563b to 1215a9a Compare August 8, 2025 17:42
@ciarams87 ciarams87 enabled auto-merge (squash) August 8, 2025 17:42
@ciarams87 ciarams87 merged commit 924252b into main Aug 8, 2025
84 of 88 checks passed
@ciarams87 ciarams87 deleted the feat/add-OverlappingTLSConfig-cond branch August 8, 2025 18:40
@github-project-automation github-project-automation bot moved this from 🆕 New to ✅ Done in NGINX Gateway Fabric Aug 8, 2025
@sjberman
Copy link
Collaborator

sjberman commented Aug 8, 2025

Didn't realize this until after merge, but let's make sure the squashed commit message matches the Problem/solution context in the PR description.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sjberman sjberman sjberman approved these changes

@bjee19 bjee19 bjee19 approved these changes

Assignees
No one assigned
Labels
enhancement New feature or request release-notes
Projects
NGINX Gateway Fabric
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Set OverlappingTLSConfig condition on Listeners
3 participants
@ciarams87 @sjberman @bjee19