kubewharf · xuqingyun · Aug 7, 2025 · Dec 25, 2024 · Mar 4, 2025 · Apr 8, 2025
diff --git a/Makefile.expansion b/Makefile.expansion
@@ -39,7 +39,7 @@ ifeq (, $(shell which controller-gen))
 	CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
 	cd $$CONTROLLER_GEN_TMP_DIR ;\
 	go mod init tmp ;\
-	go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.2.5 ;\
+	go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.9.2 ;\
 	rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
 	}
 CONTROLLER_GEN=$(GOBIN)/controller-gen

diff --git a/hack/crd/proxy.kubegateway.io_upstreamclusters.yaml b/hack/crd/proxy.kubegateway.io_upstreamclusters.yaml
@@ -82,6 +82,12 @@ spec:
                       like 0.01 (qps:1, qpsDivisor:100)
                     format: int32
                     type: integer
+                  serverName:
+                    description: ServerName is passed to the server for SNI and is
+                      used in the client to check server ceritificates against. If
+                      ServerName is empty, the upstreamcluster name used to contact
+                      the server is used.
+                    type: string
                 type: object
               dispatchPolicies:
                 description: DispatchPolicies describes how to dispatch requests to
@@ -325,6 +331,12 @@ spec:
                       string
                     format: byte
                     type: string
+                  serverNames:
+                    description: ServerNames are used to route requests with different
+                      hostnames for the same upstream cluster.
+                    items:
+                      type: string
+                    type: array
                 type: object
               servers:
                 description: Servers contains a group of upstream api servers

diff --git a/pkg/apis/generated/openapi/openapi_generated.go b/pkg/apis/generated/openapi/openapi_generated.go
diff --git a/pkg/apis/generated/openapi/violations.report b/pkg/apis/generated/openapi/violations.report
@@ -23,6 +23,7 @@ API rule violation: list_type_missing,github.com/kubewharf/kubegateway/pkg/apis/
 API rule violation: list_type_missing,github.com/kubewharf/kubegateway/pkg/apis/proxy/v1alpha1,SecureServing,CertData
 API rule violation: list_type_missing,github.com/kubewharf/kubegateway/pkg/apis/proxy/v1alpha1,SecureServing,ClientCAData
 API rule violation: list_type_missing,github.com/kubewharf/kubegateway/pkg/apis/proxy/v1alpha1,SecureServing,KeyData
+API rule violation: list_type_missing,github.com/kubewharf/kubegateway/pkg/apis/proxy/v1alpha1,SecureServing,ServerNames
 API rule violation: list_type_missing,github.com/kubewharf/kubegateway/pkg/apis/proxy/v1alpha1,UpstreamClusterList,Items
 API rule violation: list_type_missing,github.com/kubewharf/kubegateway/pkg/apis/proxy/v1alpha1,UpstreamClusterSpec,DispatchPolicies
 API rule violation: list_type_missing,github.com/kubewharf/kubegateway/pkg/apis/proxy/v1alpha1,UpstreamClusterSpec,Servers

diff --git a/pkg/apis/proxy/v1alpha1/generated.pb.go b/pkg/apis/proxy/v1alpha1/generated.pb.go
diff --git a/pkg/apis/proxy/v1alpha1/generated.proto b/pkg/apis/proxy/v1alpha1/generated.proto
diff --git a/pkg/apis/proxy/v1alpha1/upstreamcluster_types.go b/pkg/apis/proxy/v1alpha1/upstreamcluster_types.go
@@ -84,6 +84,8 @@ type SecureServing struct {
 	// ClientCAData contains PEM-encoded data from a ca file for TLS.
 	// The serialized form of data is a base64 encoded string
 	ClientCAData []byte `json:"clientCAData,omitempty" protobuf:"bytes,3,opt,name=clientCAData"`
+	// ServerNames are used to route requests with different hostnames for the same upstream cluster.
+	ServerNames []string `json:"serverNames,omitempty" protobuf:"bytes,4,opt,name=serverNames"`
 }
 
 type ClientConfig struct {
@@ -114,6 +116,11 @@ type ClientConfig struct {
 	// It allows you to set a more precise qps, like 0.01 (qps:1, qpsDivisor:100)
 	// +optional
 	QPSDivisor int32 `json:"qpsDivisor,omitempty" protobuf:"varint,8,opt,name=qpsDivisor"`
+
+	// ServerName is passed to the server for SNI and is used in the client to check server
+	// ceritificates against. If ServerName is empty, the upstreamcluster name used to contact the
+	// server is used.
+	ServerName string `json:"serverName,omitempty" protobuf:"varint,9,opt,name=serverName"`
 }
 
 type FlowControl struct {

diff --git a/pkg/clusters/clusterinfo.go b/pkg/clusters/clusterinfo.go
@@ -118,6 +118,9 @@ type ClusterInfo struct {
 	// server Cluster
 	Cluster string
 
+	// serverNames are used to route requests with different hostnames
+	serverNames sync.Map
+
 	// global rate limiter type
 	globalRateLimiter string
 
@@ -234,6 +237,18 @@ func (c *ClusterInfo) LoadVerifyOptions() (x509.VerifyOptions, bool) {
 	return *cfg.verifyOptions, true
 }
 
+func (c *ClusterInfo) LoadServerNames() []string {
+	var serverNames = []string{c.Cluster}
+	cfg, ok := c.loadSecureServingConfig()
+	if ok {
+		for _, serverName := range cfg.secureServing.ServerNames {
+			serverNames = append(serverNames, strings.ToLower(serverName))
+		}
+	}
+
+	return serverNames
+}
+
 func (c *ClusterInfo) loadSecureServingConfig() (secureServingConfig, bool) {
 	empty := secureServingConfig{
 		secureServing: &proxyv1alpha1.SecureServing{},

diff --git a/pkg/clusters/manager.go b/pkg/clusters/manager.go
@@ -30,8 +30,10 @@ type EndpointHealthCheck func(*EndpointInfo) (done bool)
 
 type Manager interface {
 	Add(*ClusterInfo)
+	AddWithKey(string, *ClusterInfo)
 	Get(name string) (*ClusterInfo, bool)
 	Delete(name string)
+	DeleteWithStop(name string)
 	DeleteAll()
 
 	ClientProvider
@@ -59,24 +61,39 @@ func (m *manager) Get(name string) (*ClusterInfo, bool) {
 }
 
 func (m *manager) Add(cluster *ClusterInfo) {
+	m.AddWithKey(cluster.Cluster, cluster)
+}
+
+func (m *manager) AddWithKey(key string, cluster *ClusterInfo) {
 	if cluster == nil {
 		return
 	}
-	cluster.Cluster = strings.ToLower(cluster.Cluster)
-	klog.V(1).Infof("[cluster manager] new cluster info is added, cluster=%q", cluster.Cluster)
-	m.clusters.Store(cluster.Cluster, cluster)
+	key = strings.ToLower(key)
+	klog.V(1).Infof("[cluster manager] new cluster info is added, cluster=%q [%q]", cluster.Cluster, key)
+	m.clusters.Store(key, cluster)
 }
 
 func (m *manager) Delete(name string) {
+	m.doDelete(name, false)
+}
+
+func (m *manager) DeleteWithStop(name string) {
+	m.doDelete(name, true)
+}
+
+func (m *manager) doDelete(name string, stop bool) {
 	name = strings.ToLower(name)
 	v, ok := m.clusters.LoadAndDelete(name)
 	if !ok {
 		return
 	}
 	// close all requests to this cluster
 	cluster := v.(*ClusterInfo)
-	cluster.Stop()
-	klog.V(1).Infof("[cluster manager] cluster info is deleted, cluster=%q", cluster.Cluster)
+	if stop {
+		cluster.Stop()
+	}
+
+	klog.V(1).Infof("[cluster manager] cluster info is deleted, cluster=%q [%q]", cluster.Cluster, name)
 }
 
 func (m *manager) DeleteAll() {

diff --git a/pkg/clusters/util.go b/pkg/clusters/util.go
@@ -47,9 +47,14 @@ func buildClusterRESTConfig(cluster *proxyv1alpha1.UpstreamCluster) (*rest.Confi
 		cfg.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(qps, int(cluster.Spec.ClientConfig.Burst))
 	}
 
+	serverName := cluster.Name
+	if len(cluster.Spec.ClientConfig.ServerName) > 0 {
+		serverName = cluster.Spec.ClientConfig.ServerName
+	}
+
 	if httpScheme == "https" {
 		tlsCfg := rest.TLSClientConfig{
-			ServerName: cluster.Name,
+			ServerName: serverName,
 			KeyData:    cluster.Spec.ClientConfig.KeyData,
 			CertData:   cluster.Spec.ClientConfig.CertData,
 			CAData:     cluster.Spec.ClientConfig.CAData,