Kubernetes RuleSet provider does not seem to populate request captures

[Kakadus]

Preflight checklist

• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines."
• I could not find a solution in the existing issues, docs, nor discussions.

Describe the bug

When defining e.g. a cel authorizer with an expression using Request.URL.Captures and defining a rule in a kuberentes RuleSet object, the authorizer always fails with internal error: failed evaluating expression 1: no such key: param
The exact same configuration works in a local docker-compose setup where heimdall works in proxy mode.

As a workaround it is possible to access Request.URL.Path, but this is not as expressive as having access to Request.URL.Captures

How can the bug be reproduced

1. Start kubernetes cluster (e.g. minikube)
2. Install heimdall with configuration below
3. Install reverse proxy with decision api set to heimdall (e.g. kgateway)
4. Deploy sample upstream (e.g. jwilder/whoami)
5. Port-forward reverse proxy
6. visit http://localhost:8000/abc/abc or http://localhost:8000/my_param/abc

Relevant log output

2025-11-06T18:15:09Z INF Starting heimdall _cli="heimdall serve decision --envoy-grpc --insecure-skip-egress-tls-enforcement --insecure-skip-ingress-tls-enforcement" _version=v0.17.3
2025-11-06T18:15:09Z WRN Enforcement of secure settings disabled
2025-11-06T18:15:09Z INF OpenTelemetry tracing initialized.
2025-11-06T18:15:09Z INF OpenTelemetry metrics initialized.
2025-11-06T18:15:09Z INF Loading mechanism catalogue
2025-11-06T18:15:09Z DBG Loading definitions for authenticators
2025-11-06T18:15:09Z INF Creating authenticator _name=unauthorized _type=unauthorized
2025-11-06T18:15:09Z INF Creating authenticator _name=anonymous _type=anonymous
2025-11-06T18:15:09Z DBG Loading definitions for authorizers
2025-11-06T18:15:09Z INF Creating authorizer _name=param _type=cel
2025-11-06T18:15:09Z DBG Loading definitions for contextualizer
2025-11-06T18:15:09Z DBG Loading definitions for finalizers
2025-11-06T18:15:09Z DBG Loading definitions for error handler
2025-11-06T18:15:09Z DBG Creating rule factory
2025-11-06T18:15:09Z INF Loading default rule
2025-11-06T18:15:09Z INF Cache configured _type=in-memory
2025-11-06T18:15:09Z INF Rule provider configured. _provider_type=kubernetes
2025-11-06T18:15:09Z INF Metrics service disabled
2025-11-06T18:15:09Z INF Profiling service disabled
2025-11-06T18:15:09Z INF Starting rule provider _provider_type=kubernetes
2025-11-06T18:15:09Z INF Starting reconciliation loop _provider_type=kubernetes
2025-11-06T18:15:09Z INF Starting listening _address=[::]:4457 _service=Management
2025-11-06T18:15:09Z WRN TLS is disabled. _service=Management
2025-11-06T18:15:09Z INF Starting listening _address=[::]:4456 _service="Decision Envoy ExtAuth"
2025-11-06T18:15:09Z WRN TLS is disabled. _service="Decision Envoy ExtAuth"
2025-11-06T18:15:09Z INF New rule set received _provider_type=kubernetes _src=kubernetes:default:f63a734a-156f-46e1-ae53-5115c23a7338
2025-11-06T18:15:09Z INF New rule set received _provider_type=kubernetes _rule_set=broken _src=kubernetes:default:f63a734a-156f-46e1-ae53-5115c23a7338
2025-11-06T18:15:09Z INF Rule set loaded _provider_type=kubernetes _src=kubernetes:default:f63a734a-156f-46e1-ae53-5115c23a7338
2025-11-06T18:15:09Z DBG Updating RuleSet status _provider_type=kubernetes _src=kubernetes:default:f63a734a-156f-46e1-ae53-5115c23a7338
...
2025-11-06T18:18:12Z INF TX started _client_ip=10.244.0.10 _grpc_method=/envoy.service.auth.v3.Authorization/Check _span_id=7f18eb072d855d09 _trace_id=256b56e9de532906b2a36ba09241fee3 _tx_start=1762453092 _x_forwarded_for=10.244.0.10
2025-11-06T18:18:12Z DBG Analyzing request _method=GET _span_id=7f18eb072d855d09 _trace_id=256b56e9de532906b2a36ba09241fee3 _url=http://localhost:8000/abc/abc
2025-11-06T18:18:12Z DBG Matching rule _id=broken _source=kubernetes:default:f63a734a-156f-46e1-ae53-5115c23a7338 _span_id=7f18eb072d855d09 _trace_id=256b56e9de532906b2a36ba09241fee3 route=/:param/**
2025-11-06T18:18:12Z DBG Rule matched _id=broken _source=kubernetes:default:f63a734a-156f-46e1-ae53-5115c23a7338 _span_id=7f18eb072d855d09 _trace_id=256b56e9de532906b2a36ba09241fee3 route=/:param/**
2025-11-06T18:18:12Z INF Executing rule _id=broken _span_id=7f18eb072d855d09 _src=kubernetes:default:f63a734a-156f-46e1-ae53-5115c23a7338 _trace_id=256b56e9de532906b2a36ba09241fee3
2025-11-06T18:18:12Z DBG Executing authenticator _id=anonymous _name=anonymous _span_id=7f18eb072d855d09 _trace_id=256b56e9de532906b2a36ba09241fee3 _type=anonymous
2025-11-06T18:18:12Z DBG Checking execution condition _id=param _span_id=7f18eb072d855d09 _trace_id=256b56e9de532906b2a36ba09241fee3
2025-11-06T18:18:12Z DBG Executing authorizer _id=param _name=param _span_id=7f18eb072d855d09 _trace_id=256b56e9de532906b2a36ba09241fee3 _type=cel
2025-11-06T18:18:12Z INF Pipeline step execution failed error="internal error: failed evaluating expression 1: no such key: param" _span_id=7f18eb072d855d09 _trace_id=256b56e9de532906b2a36ba09241fee3
2025-11-06T18:18:12Z DBG Handling pipeline error _span_id=7f18eb072d855d09 _trace_id=256b56e9de532906b2a36ba09241fee3
2025-11-06T18:18:12Z DBG No applicable error handler found _span_id=7f18eb072d855d09 _trace_id=256b56e9de532906b2a36ba09241fee3
2025-11-06T18:18:12Z INF TX finished error="internal error: failed evaluating expression 1: no such key: param" _access_granted=false _client_ip=10.244.0.10 _grpc_method=/envoy.service.auth.v3.Authorization/Check _grpc_status_code=2 _span_id=7f18eb072d855d09 _subject=anonymous _trace_id=256b56e9de532906b2a36ba09241fee3 _tx_duration_ms=0 _tx_start=1762453092 _x_forwarded_for=10.244.0.10

Relevant configuration

# heimdall.chart.yaml
providers:
  kubernetes:
    auth_class: default

deployment:
  resources:
    limits:
      cpu: 100m
      memory: 256Mi
    requests:
      cpu: 100m
      memory: 256Mi

# heimdall.config.yaml
log:
  level: debug
serve:
  respond:
    verbose: true
  trusted_proxies:
    - 10.0.0.0/8

extraArgs:
  - --insecure-skip-egress-tls-enforcement
  - --insecure-skip-ingress-tls-enforcement
  - --envoy-grpc

mechanisms:
  authenticators:
    - id: unauthorized
      type: unauthorized
    - id: anonymous
      type: anonymous
      config:
        subject: anonymous
  authorizers:
    - id: param
      type: cel
      config:
        expressions:
          - expression: |
              Request.URL.Captures.param == "my_param"
            message: "Not visited my_param."

default_rule:
  execute:
    - authenticator: unauthorized

# ruleset.yaml
apiVersion: heimdall.dadrus.github.com/v1alpha4
kind: RuleSet
metadata:
  name: broken
spec:
  rules:
    - id: broken
      match:
        routes:
          - path: /:param/**
      execute:
        - authenticator: anonymous
        - authorizer: param

Version

0.17.3

On which operating system are you observing this issue?

None

In which environment are you deploying?

Kubernetes with Helm

Additional Context

It works locally in reverse proxy mode

[dadrus]

Thank you @Kakadus for the finding. It is actually pretty strange - the source of the rulesets (where the rulesets are loaded from) have no influence on the runtime behavior. Ok..., I should rather have written "... should have no influence ...". I'll take a look asap.

[Kakadus]

Maybe it has something to with decision vs proxy mode? Also note that the --envoy-grpc option is passed

[dadrus]

That should actually have no effect either. I'm intrigued :)

[dadrus]

This issue affects only the Envoy integration and is unrelated to the configured provider. Each time the Request object is accessed in the pipeline, a new URL object is created, which causes previously captured path values to be lost.

Seems this bug has been quietly lurking there since the early days.