Misconfigured GatewayClass Impacts Creation of other resources in other GatewayClasses

[shamusx]

Description:
If a user is to misconfigure a gatewayclass - for example creates gatewayclass but invalid parametersRef it looks to cause envoy-gateway controller to not operate.

For example I am creating a new gatewayclass to use the mergedGateways feature but i misconfigure it the gatewayclass. At the same time another user is looking to deploy a new gateway. Looks because of my misconfiguration it is impacting the creation of other resources.

Repro steps:

Create EnvoyProxy in app namespace

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: sharedgw-proxy-config
  namespace: httpbin
spec:
  logging:
    level:
      default: warn
  mergeGateways: true

Create Gatewayclass without namespace

apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: shared-eg
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
  parametersRef:
    group: gateway.envoyproxy.io
    kind: EnvoyProxy
    name: sharedgw-proxy-config

Checking status does indicate something is wrong

status:
  conditions:
  - lastTransitionTime: "2025-03-26T16:53:45Z"
    message: 'Invalid parametersRef: unsupported parametersRef for gatewayclass shared-eg'
    observedGeneration: 1
    reason: InvalidParameters
    status: "False"
    type: Accepted

Another Gateway is then to be created (could be another user):

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: eg-app-gateway
  namespace: httpbin
spec:
  gatewayClassName: eg
  listeners:
  - allowedRoutes:
      namespaces:
        from: Same
    name: http
    port: 80
    protocol: HTTP

Checking envoy-gateway-system shows no gateways being created
Checking the status of the 2nd gateway gives the user idea something is wrong with controller

kubectl describe gateway eg-app-gateway -n httpbin
Status:
  Conditions:
    Last Transition Time:  1970-01-01T00:00:00Z
    Message:               Waiting for controller
    Reason:                Pending
    Status:                Unknown
    Type:                  Accepted
    Last Transition Time:  1970-01-01T00:00:00Z
    Message:               Waiting for controller
    Reason:                Pending
    Status:                Unknown
    Type:                  Programmed
Events:                    <none>

Now once i fix the gatewayclass for shared-eg all the gateways come online

envoy-httpbin-eg-app-gateway-37422f9d-6c8878446b-5szzs   2/2     Running   0          3m26s
envoy-shared-eg-b8e47214-c85555fc5-mz692                  2/2     Running   0          13s

Note: If there are privacy concerns, sanitize the data prior to
sharing.

Environment:

Include the environment like gateway version, envoy version and so on.

Logs:
Pin pointed it in the end as envoy-gateway controller logs had namespace:"" which lead me to realize namespace is required:

2025-03-26T16:53:45.115Z        ERROR   provider        kubernetes/controller.go:218    failed to process parametersRef for gatewayclass        {"runner": "provider", "name": "shared-eg", "error": "unsupported parametersRef for gatewayclass shared-eg"}
2025-03-26T16:53:45.115Z        ERROR   provider        controller/controller.go:341    Reconciler error        {"runner": "provider", "controller": "gatewayapi-1743007591", "object": {"name":"gateway.envoyproxy.io/gatewayclass-controller"}, "namespace": "", "name": "gateway.envoyproxy.io/gatewayclass-controller", "reconcileID": "e4eca4c7-72a9-4a65-8707-c37ba33bd889", "error": "unsupported parametersRef for gatewayclass shared-eg"}

[arkodg]

this should be fixed with #5524 and available in v1.3.2, closing this one for now, please let me know if it doesnt resolve it

[shamusx]

@arkodg Just tested and same issue appears with v1.3.2

All the same status errors, only difference i saw was the envoy-gateway controller no longer has a log entry.

[arkodg]

@shamusx since the error is at the GatewayClass level (since the EnvoyProxy is linked to the GatewayClass), this would unfortunately affect any new Gateway or xRoute configuration that is linked to the GatewayClass, and should not allow any new configuration to be pushed to the data plane.

However any previous configuration should continue to work, if that is not happening, we should resolve this part

[shamusx]

@arkodg I do get it would affect any Gateway or Route linked to the GatewayClass. But should it also be affecting other GatewayClass that have their own Gateway or Routes?

Basically i have:
GatewayClass - shared-eg - misconfigured
GatewayClass - httpbin
GatewayClass - bookinfo

Because shared-eg is misconfigured it is affecting the others. At least if users are configuring against same GatewayClass it will be easier to come to a conclusion. But as a user if I'm working on my httpbin Gateway with a valid status for GatewayClass will make it hard for user to come to a conclusion on whats wrong when its a GatewayClass unrelated to whats being configured, and now there is less errors on the envoy-gateway controller to come to conclusion on understanding the error my Gateway object will produce.

Status:
  Conditions:
    Last Transition Time:  1970-01-01T00:00:00Z
    Message:               Waiting for controller
    Reason:                Pending
    Status:                Unknown
    Type:                  Accepted
    Last Transition Time:  1970-01-01T00:00:00Z
    Message:               Waiting for controller
    Reason:                Pending
    Status:                Unknown
    Type:                  Programmed

[arkodg]

thanks for flagging this one @shamusx , the issue is to return early if we hit any errors, so we skip parsing other GatewayClasses , we need to continue instead of return

gateway/internal/provider/kubernetes/controller.go

Line 218 in 953ccc1

return reconcile.Result{}, nil

in most of the code in this function