fix: use spec.tls for telemetry backends instead of BackendTLSPolicy#1964
Merged
nacx merged 1 commit intoenvoyproxy:mainfrom Mar 17, 2026
Merged
fix: use spec.tls for telemetry backends instead of BackendTLSPolicy#1964nacx merged 1 commit intoenvoyproxy:mainfrom
nacx merged 1 commit intoenvoyproxy:mainfrom
Conversation
EG processBackendRefs does not look up BackendTLSPolicy for telemetry backends (e.g. OTLP collectors), so TLS never gets configured. Use Backend spec.tls with wellKnownCACertificates instead, which processBackendRefs does support. Route backends continue to use BackendTLSPolicy as before. Signed-off-by: Adrian Cole <adrian@tetrate.io>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1964 +/- ##
=======================================
Coverage 84.22% 84.22%
=======================================
Files 128 128
Lines 17828 17829 +1
=======================================
+ Hits 15016 15017 +1
Misses 1868 1868
Partials 944 944 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
dosubot
bot
added
the
size:M
Contributor
Author
|
FYI, I will chase up a root fix in EG later, but this will help avoid folks wanting to try remote otel clusters and failing with |
Member
|
/retest |
nacx
approved these changes
Mar 17, 2026
|
Documentation Updates 1 document(s) were updated by changes in this PR: tracingView Changes@@ -197,6 +197,29 @@
--unset extProc.extraEnvVars`}
</CodeBlock>
+## TLS Configuration for OTLP Endpoints
+
+When using HTTPS endpoints for your OTLP collector (e.g., `https://production-collector:4317`),
+the AI Gateway automatically configures TLS using the system's trusted CA certificates
+(`wellKnownCACertificates: System`). This differs from route backends, which use
+`BackendTLSPolicy` for TLS configuration.
+
+To use a secure OTLP collector, simply specify an `https://` URL in your
+`OTEL_EXPORTER_OTLP_ENDPOINT` environment variable. The system handles TLS
+configuration automatically—no additional BackendTLSPolicy is required.
+
+For example:
+
+```yaml
+extProc:
+ extraEnvVars:
+ - name: OTEL_EXPORTER_OTLP_ENDPOINT
+ value: "https://secure-collector.example.com:4317"
+```
+
+The examples in this guide use HTTP endpoints for simplicity, but production
+deployments should use HTTPS for secure trace transmission.
+
## Per-Gateway Configuration
For deployments with multiple Gateways that need different tracing configurations,
@@ -218,7 +241,7 @@
extProc:
env:
- name: OTEL_EXPORTER_OTLP_ENDPOINT
- value: "http://production-collector:4317"
+ value: "https://production-collector:4317"
- name: OTEL_SERVICE_NAME
value: "ai-gateway-production"
---How did I do? Any feedback? |
codefromthecrypt
added a commit
to codefromthecrypt/gateway
that referenced
this pull request
Mar 18, 2026
processBackendRefs does not look up BackendTLSPolicy for telemetry backends (access logs, tracing, metrics), so TLS can only be configured via Backend.spec.tls. Replace inline processServerValidationTLSSettings with applyBackendTLSSetting so telemetry backends get the full Backend + BackendTLSPolicy + EnvoyProxy TLS merge. Workaround: envoyproxy/ai-gateway#1964 Signed-off-by: Adrian Cole <adrian@tetrate.io>
Contributor
Author
|
envoyproxy/gateway#8545 for the tech debt in EG |
herewasmike
pushed a commit
to herewasmike/ai-gateway
that referenced
this pull request
Mar 18, 2026
…nvoyproxy#1964) **Description** EG processBackendRefs does not look up BackendTLSPolicy for telemetry backends (e.g. OTLP collectors), so TLS never gets configured. Use Backend spec.tls with wellKnownCACertificates instead, which processBackendRefs does support. Route backends continue to use BackendTLSPolicy as before. Signed-off-by: Adrian Cole <adrian@tetrate.io> Signed-off-by: Mikhail Toldov <matoldov@gmail.com>
codefromthecrypt
added a commit
to codefromthecrypt/gateway
that referenced
this pull request
Mar 18, 2026
processBackendRefs does not look up BackendTLSPolicy for telemetry backends (access logs, tracing, metrics), so TLS can only be configured via Backend.spec.tls. Replace inline processServerValidationTLSSettings with applyBackendTLSSetting so telemetry backends get the full Backend + BackendTLSPolicy + EnvoyProxy TLS merge. Workaround: envoyproxy/ai-gateway#1964 Signed-off-by: Adrian Cole <adrian@tetrate.io>
codefromthecrypt
added a commit
to codefromthecrypt/gateway
that referenced
this pull request
Mar 21, 2026
processBackendRefs does not look up BackendTLSPolicy for telemetry backends (access logs, tracing, metrics), so TLS can only be configured via Backend.spec.tls. Replace inline processServerValidationTLSSettings with applyBackendTLSSetting so telemetry backends get the full Backend + BackendTLSPolicy + EnvoyProxy TLS merge. Workaround: envoyproxy/ai-gateway#1964 Signed-off-by: Adrian Cole <adrian@tetrate.io>
codefromthecrypt
added a commit
to codefromthecrypt/gateway
that referenced
this pull request
Mar 26, 2026
processBackendRefs does not look up BackendTLSPolicy for telemetry backends (access logs, tracing, metrics), so TLS can only be configured via Backend.spec.tls. Replace inline processServerValidationTLSSettings with applyBackendTLSSetting so telemetry backends get the full Backend + BackendTLSPolicy + EnvoyProxy TLS merge. Workaround: envoyproxy/ai-gateway#1964 Signed-off-by: Adrian Cole <adrian@tetrate.io>
codefromthecrypt
added a commit
to codefromthecrypt/gateway
that referenced
this pull request
Mar 30, 2026
processBackendRefs does not look up BackendTLSPolicy for telemetry backends (access logs, tracing, metrics), so TLS can only be configured via Backend.spec.tls. Replace inline processServerValidationTLSSettings with applyBackendTLSSetting so telemetry backends get the full Backend + BackendTLSPolicy + EnvoyProxy TLS merge. Workaround: envoyproxy/ai-gateway#1964 Signed-off-by: Adrian Cole <adrian@tetrate.io>
codefromthecrypt
added a commit
to codefromthecrypt/gateway
that referenced
this pull request
Mar 31, 2026
processBackendRefs does not look up BackendTLSPolicy for telemetry backends (access logs, tracing, metrics), so TLS can only be configured via Backend.spec.tls. Replace inline processServerValidationTLSSettings with applyBackendTLSSetting so telemetry backends get the full Backend + BackendTLSPolicy + EnvoyProxy TLS merge. Workaround: envoyproxy/ai-gateway#1964 Signed-off-by: Adrian Cole <adrian@tetrate.io>
zirain
pushed a commit
to codefromthecrypt/gateway
that referenced
this pull request
Mar 31, 2026
processBackendRefs does not look up BackendTLSPolicy for telemetry backends (access logs, tracing, metrics), so TLS can only be configured via Backend.spec.tls. Replace inline processServerValidationTLSSettings with applyBackendTLSSetting so telemetry backends get the full Backend + BackendTLSPolicy + EnvoyProxy TLS merge. Workaround: envoyproxy/ai-gateway#1964 Signed-off-by: Adrian Cole <adrian@tetrate.io>
arkodg
pushed a commit
to envoyproxy/gateway
that referenced
this pull request
Apr 2, 2026
* fix(telemetry): support BackendTLSPolicy for telemetry backends processBackendRefs does not look up BackendTLSPolicy for telemetry backends (access logs, tracing, metrics), so TLS can only be configured via Backend.spec.tls. Replace inline processServerValidationTLSSettings with applyBackendTLSSetting so telemetry backends get the full Backend + BackendTLSPolicy + EnvoyProxy TLS merge. Workaround: envoyproxy/ai-gateway#1964 Signed-off-by: Adrian Cole <adrian@tetrate.io>
cnvergence
pushed a commit
to cnvergence/gateway
that referenced
this pull request
Apr 16, 2026
…yproxy#8545) * fix(telemetry): support BackendTLSPolicy for telemetry backends processBackendRefs does not look up BackendTLSPolicy for telemetry backends (access logs, tracing, metrics), so TLS can only be configured via Backend.spec.tls. Replace inline processServerValidationTLSSettings with applyBackendTLSSetting so telemetry backends get the full Backend + BackendTLSPolicy + EnvoyProxy TLS merge. Workaround: envoyproxy/ai-gateway#1964 Signed-off-by: Adrian Cole <adrian@tetrate.io> (cherry picked from commit ac18feb)
cnvergence
pushed a commit
to cnvergence/gateway
that referenced
this pull request
Apr 16, 2026
…yproxy#8545) * fix(telemetry): support BackendTLSPolicy for telemetry backends processBackendRefs does not look up BackendTLSPolicy for telemetry backends (access logs, tracing, metrics), so TLS can only be configured via Backend.spec.tls. Replace inline processServerValidationTLSSettings with applyBackendTLSSetting so telemetry backends get the full Backend + BackendTLSPolicy + EnvoyProxy TLS merge. Workaround: envoyproxy/ai-gateway#1964 Signed-off-by: Adrian Cole <adrian@tetrate.io> (cherry picked from commit ac18feb) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>
cnvergence
added a commit
to envoyproxy/gateway
that referenced
this pull request
Apr 16, 2026
* fix: handle network errors in rate limit e2e tests (#8446) Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> (cherry picked from commit b0638d5) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * refactor/perf: use LuaPerRoute instead of FilterConfig (#8355) perf: use LuaPerRoute instead of FilterConfig Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> (cherry picked from commit f31ac4e) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: per-endpoint hostname override blocked by auto-generated wildcad host (#8565) * fix: per-endpoint hostname override blocked by auto-generated wildcard host Signed-off-by: zirain <zirain2009@gmail.com> * add UT Signed-off-by: zirain <zirain2009@gmail.com> --------- Signed-off-by: zirain <zirain2009@gmail.com> (cherry picked from commit 595010a) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix bug with grpcroute mirror filter (#8541) * fix bug with grpcroute mirror filter Signed-off-by: Adam Buran <aburan@roblox.com> * add indexers test Signed-off-by: Adam Buran <aburan@roblox.com> * add release note Signed-off-by: Adam Buran <aburan@roblox.com> --------- Signed-off-by: Adam Buran <aburan@roblox.com> Signed-off-by: Arko Dasgupta <arkodg@users.noreply.github.com> Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> (cherry picked from commit e633c08) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: normalize CRLF line endings in htpasswd basic auth secrets (#8557) Fixes #8554 Signed-off-by: stekole <stefan@sandnetworks.com> Signed-off-by: stekole <30674956+stekole@users.noreply.github.com> (cherry picked from commit 9cac348) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: avoid metric increments on no-op delete reconcile paths (#8480) * fix: avoid metric increments on no-op delete reconcile paths Signed-off-by: Felipe Sabadini Facina <fsabadini@hotmail.com> * Update internal/infrastructure/kubernetes/infra_resource_test.go Signed-off-by: Isaac Wilson <isaac.wilson514@gmail.com> * Update internal/infrastructure/kubernetes/infra_resource_test.go Signed-off-by: Isaac Wilson <isaac.wilson514@gmail.com> --------- Signed-off-by: Felipe Sabadini Facina <fsabadini@hotmail.com> Signed-off-by: Isaac Wilson <isaac.wilson514@gmail.com> Co-authored-by: Isaac Wilson <isaac.wilson514@gmail.com> (cherry picked from commit 7a2a4ec) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix(telemetry): support BackendTLSPolicy for telemetry backends (#8545) * fix(telemetry): support BackendTLSPolicy for telemetry backends processBackendRefs does not look up BackendTLSPolicy for telemetry backends (access logs, tracing, metrics), so TLS can only be configured via Backend.spec.tls. Replace inline processServerValidationTLSSettings with applyBackendTLSSetting so telemetry backends get the full Backend + BackendTLSPolicy + EnvoyProxy TLS merge. Workaround: envoyproxy/ai-gateway#1964 Signed-off-by: Adrian Cole <adrian@tetrate.io> (cherry picked from commit ac18feb) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: restore failure-path metric recording for delete and HPA reconcile (#8656) Fixes #8651 Signed-off-by: Felipe Sabadini Facina <fsabadini@hotmail.com> (cherry picked from commit 2a5bfd0) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: status for mirror backend (#8675) Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> (cherry picked from commit fa81778) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: client certificate secret never delivered when it is exclusively referenced by a SecurityPolicy extAuth Backend (#8654) * fix: client certificate secret never delivered when it is exclusively referenced by a SecurityPolicy extAuth Backend Signed-off-by: zirain <zirain2009@gmail.com> * fix lint Signed-off-by: zirain <zirain2009@gmail.com> --------- Signed-off-by: zirain <zirain2009@gmail.com> (cherry picked from commit c7e21fa) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: client certificate secret never delivered when it is exclusively referenced by a SecurityPolicy jwt/oidc Backend (#8711) Signed-off-by: zirain <zirain2009@gmail.com> (cherry picked from commit 95c3a79) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: helm secrets rbac for gateway namespace with watch list of namespaces (#8706) * fix: helm secrets rbac for gateway namespace with watch list of namespaces Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * add release notes Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * review update Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> --------- Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> Co-authored-by: Rudrakh Panigrahi <rudrakh97@gmail.com> (cherry picked from commit c48a346) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * add release notes Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix lint Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix lint Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> --------- Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> Signed-off-by: zirain <zirain2009@gmail.com> Signed-off-by: Adam Buran <aburan@roblox.com> Signed-off-by: Arko Dasgupta <arkodg@users.noreply.github.com> Signed-off-by: stekole <stefan@sandnetworks.com> Signed-off-by: stekole <30674956+stekole@users.noreply.github.com> Signed-off-by: Felipe Sabadini Facina <fsabadini@hotmail.com> Signed-off-by: Isaac Wilson <isaac.wilson514@gmail.com> Signed-off-by: Adrian Cole <adrian@tetrate.io> Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> Co-authored-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Co-authored-by: zirain <zirain2009@gmail.com> Co-authored-by: aburanrbx <aburan@roblox.com> Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> Co-authored-by: stekole <30674956+stekole@users.noreply.github.com> Co-authored-by: Felipe Sabadini <fsabadini@hotmail.com> Co-authored-by: Isaac Wilson <isaac.wilson514@gmail.com> Co-authored-by: Adrian Cole <64215+codefromthecrypt@users.noreply.github.com> Co-authored-by: Kota Kimura <86363983+kkk777-7@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
EG processBackendRefs does not look up BackendTLSPolicy for telemetry backends (e.g. OTLP collectors), so TLS never gets configured. Use Backend spec.tls with wellKnownCACertificates instead, which processBackendRefs does support. Route backends continue to use BackendTLSPolicy as before.
Here's a screenshot from elastic on this working now