Skip to content

feat(securitypolicy): add MergeType support for policy merging#7918

Open
rajatvig wants to merge 28 commits intoenvoyproxy:mainfrom
rajatvig:feat/security-policy-merge
Open

feat(securitypolicy): add MergeType support for policy merging#7918
rajatvig wants to merge 28 commits intoenvoyproxy:mainfrom
rajatvig:feat/security-policy-merge

Conversation

@rajatvig
Copy link
Contributor

@rajatvig rajatvig commented Jan 12, 2026

Add MergeType field to SecurityPolicy to enable policy merging similar
to BackendTrafficPolicy. This allows route-level policies to merge with
parent Gateway/Listener policies rather than completely overriding them.

Fixes #6734

@netlify
Copy link

netlify bot commented Jan 12, 2026
edited
Loading

Deploy Preview for cerulean-figolla-1f9435 ready!

Name Link
🔨 Latest commit 215388d
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/699317c9dbfabd00077fe8cf
😎 Deploy Preview https://deploy-preview-7918--cerulean-figolla-1f9435.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@rajatvig @zhaohuabing
feat(securitypolicy): add MergeType support for policy merging
c8b4bdc 
  Add MergeType field to SecurityPolicy to enable policy merging similar
  to BackendTrafficPolicy. This allows route-level policies to merge with
  parent Gateway/Listener policies rather than completely overriding them.

  Fixes envoyproxy#6734

Signed-off-by: Rajat Vig <rvig@etsy.com>
@zhaohuabing zhaohuabing force-pushed the feat/security-policy-merge branch from 95821a7 to c8b4bdc Compare January 13, 2026 01:23
@rajatvig
chore: drop unusable annotations and add in generatedfiles
d1d61ae 
Signed-off-by: Rajat Vig <rvig@etsy.com>
@rajatvig
chore: add release notes
edff170 
Signed-off-by: Rajat Vig <rvig@etsy.com>
@codecov
Copy link

codecov bot commented Jan 13, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 80.58824% with 33 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.56%. Comparing base (38b0ad1) to head (215388d).

Files with missing lines Patch % Lines
internal/gatewayapi/securitypolicy.go 80.58% 29 Missing and 4 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #7918      +/-   ##
==========================================
+ Coverage   73.55%   73.56%   +0.01%     
==========================================
  Files         242      242              
  Lines       36949    37071     +122     
==========================================
+ Hits        27178    27272      +94     
- Misses       7851     7876      +25     
- Partials     1920     1923       +3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@rajatvig
test: add e2e test
8792f98 
Signed-off-by: Rajat Vig <rvig@etsy.com>
@rajatvig
chore: add more test coverage
5e5372d 
Signed-off-by: Rajat Vig <rvig@etsy.com>
@rajatvig
Merge remote-tracking branch 'upstream/main' into feat/security-polic…
1c62ff2 
…y-merge
@arkodg arkodg requested a review from kkk777-7 January 14, 2026 05:03
@rajatvig
chore: fix e2e test
09e0b17 
Signed-off-by: Rajat Vig <rvig@etsy.com>
@rajatvig
Merge remote-tracking branch 'upstream/main' into feat/security-polic…
5cacf84 
…y-merge

Signed-off-by: Rajat Vig <rvig@etsy.com>
@rajatvig
chore: add test data files for security policy
a190a39 
Signed-off-by: Rajat Vig <rvig@etsy.com>
@rajatvig
chore: add docs
6cd2177 
Signed-off-by: Rajat Vig <rvig@etsy.com>
@rajatvig rajatvig marked this pull request as ready for review January 18, 2026 23:30
@rajatvig rajatvig requested a review from a team as a code owner January 18, 2026 23:30
@rajatvig
Copy link
Contributor Author

rajatvig commented Jan 19, 2026

@arkodg @kkk777-7 The PR is ready. Please do review when you have bandwidth. The E2E tests for the feature are passing, CI seems to have a bit of flakiness.

@arkodg arkodg added this to the v1.7.0-rc.1 Release milestone Jan 19, 2026
kkk777-7
kkk777-7 reviewed Jan 20, 2026
View reviewed changes
kkk777-7
kkk777-7 reviewed Jan 20, 2026
View reviewed changes
@kkk777-7
Copy link
Member

kkk777-7 commented Jan 20, 2026

Hi @rajatvig , thanks for working on this!
I left some comments.

@zhaohuabing zhaohuabing mentioned this pull request Jan 28, 2026
Open
@kkk777-7
Copy link
Member

kkk777-7 commented Jan 28, 2026

/retest

@zhaohuabing
Merge branch 'main' into feat/security-policy-merge
7c56302 
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
zhaohuabing
zhaohuabing previously approved these changes Jan 28, 2026
View reviewed changes
Copy link
Member

@zhaohuabing zhaohuabing left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

#7918 (comment) is tracked in #8088 and can be addressed later.

@kkk777-7 kkk777-7 mentioned this pull request Jan 28, 2026
Open
@kkk777-7
Copy link
Member

kkk777-7 commented Jan 28, 2026

/retest

kkk777-7
kkk777-7 reviewed Jan 28, 2026
View reviewed changes
@kkk777-7
Copy link
Member

kkk777-7 commented Jan 28, 2026

@rajatvig
Sorry, there’s one point I missed in the last review. I left a comment, so could you please take a look?

@arkodg arkodg modified the milestones: v1.7.0-rc.1 Release, Backlog Jan 29, 2026
@zhaohuabing zhaohuabing mentioned this pull request Jan 29, 2026
Open
@rajatvig
address feedback for multiple IR sends and write a test case to asser…
7d0261d 
…t fix

Signed-off-by: Rajat Vig <rvig@etsy.com>
@rajatvig
Merge remote-tracking branch 'upstream/main' into feat/security-polic…
925ade7 
…y-merge

Signed-off-by: Rajat Vig <rvig@etsy.com>
@rajatvig
Copy link
Contributor Author

rajatvig commented Jan 31, 2026

@rajatvig Sorry, there’s one point I missed in the last review. I left a comment, so could you please take a look?

Just fixed the last bit I think.

@rajatvig
Copy link
Contributor Author

rajatvig commented Feb 7, 2026

@kkk777-7 @zhaohuabing Does this look good now? Any other points I need to address?

@arkodg arkodg modified the milestones: Backlog, v1.8.0-rc.1 Release Feb 8, 2026
@rajatvig
Merge remote-tracking branch 'upstream/main' into feat/security-polic…
dbc78fa 
…y-merge

Signed-off-by: Rajat Vig <rvig@etsy.com>
@rajatvig
Merge remote-tracking branch 'upstream/main' into feat/security-polic…
e3ea6aa 
…y-merge

Signed-off-by: Rajat Vig <rvig@etsy.com>
@rajatvig
chore: add generted code
4cf5271 
Signed-off-by: Rajat Vig <rvig@etsy.com>
rudrakhp
rudrakhp reviewed Feb 12, 2026
View reviewed changes
Copy link
Member

@rudrakhp rudrakhp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that you might need to handle refs from parent policy after merge, see #8210 that fixes ref resolution for merged BTPs.

@rajatvig
Merge remote-tracking branch 'upstream/main' into feat/security-polic…
215388d 
…y-merge

Signed-off-by: Rajat Vig <rvig@etsy.com>
@rajatvig
Copy link
Contributor Author

rajatvig commented Feb 16, 2026

Note that you might need to handle refs from parent policy after merge, see #8210 that fixes ref resolution for merged BTPs.

@rudrakhp From what I could gather looking at the code, it would mostly affect secrets when the parent policy refers to a secret that the merged policy tries looking up in the route's namespace.

There is an issue #8094 tracking that. Would it be ok to resolve this as part of that issue?

@rudrakhp
Copy link
Member

rudrakhp commented Feb 16, 2026

@rajatvig it will affect not only secrets but any LocalObjectReference, I would recommend waiting on #8210 attempting to provide a generic way to handle local object references in merge scenarios.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rudrakhp rudrakhp rudrakhp left review comments

@kkk777-7 kkk777-7 kkk777-7 left review comments

@zhaohuabing zhaohuabing zhaohuabing left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

v1.8.0-rc.1 Release

Development

Successfully merging this pull request may close these issues.

Support MergeType in SecurityPolicy

5 participants

@rajatvig @kkk777-7 @rudrakhp @zhaohuabing @arkodg