Race conditions between controller and gateway service

[adrielp]

Description:

When deploying for the first time, the Envoy Gateway controller appears to experience a race condition when trying to reference the Envoy service before it's fully created. One has to restart the controller pod for it to resolve.

Repro steps:

v1.5.0 of the install.yaml with minor annotation changes

envoy-proxy.yaml

---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: public-proxy-config
  namespace: envoy-gateway-system
spec:
  # Bootstrap configuration to fix admin interface IPv6 binding
  bootstrap:
    type: JSONPatch
    jsonPatches:
    - {"op": "replace", "path": "/admin/address/socket_address/port_value", "value": 19003}
    - {"op": "replace", "path": "/admin/address/socket_address/address", "value": "::"}

  ipFamily: IPv6
  logging:
    level:
      default: debug
  provider:
    type: Kubernetes
    kubernetes:
      envoyService:
        annotations:
          # EKS Auto Mode compatible annotations
          service.beta.kubernetes.io/aws-load-balancer-type: external
          service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
          service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
          service.beta.kubernetes.io/aws-load-balancer-ip-address-type: dualstack
          service.beta.kubernetes.io/aws-load-balancer-subnets: "example-1, example-2"
          service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: TCP
        type: LoadBalancer
        loadBalancerClass: eks.amazonaws.com/nlb
        externalTrafficPolicy: Cluster

gateway-class.yaml

---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: some-public
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
  parametersRef:
    group: gateway.envoyproxy.io
    kind: EnvoyProxy
    name: public-proxy-config
    namespace: envoy-gateway-system

gateway.yaml

---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: some-public
  namespace: envoy-gateway-system
  labels:
    gateway: public
spec:
  gatewayClassName: some-public
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    allowedRoutes:
      namespaces:
        from: All
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: <some secret>
  # HTTP listener for redirects
  - name: http
    protocol: HTTP
    port: 80
    allowedRoutes:
      namespaces:
        from: All

Environment:

Envoy installed through Helm chart at v1.5.0.
ArgoCD > 3.0 applies manifests.
AWS EKS 1.33 Kubernetes w/ EKS Automode (karpenter enabled).

Logs:

Failure when envoy gateway is being deployed. Doesn't automatically resolve once service is online.

2025-08-16T02:27:27.124Z ERROR provider kubernetes/controller.go:618 failed to get Service {"runner": "provider", "namespace": "envoy-gateway-system", "name": "envoy-envoy-gateway-system-public-gateway-b3b5c242", "error": "Service \"envoy-envoy-gateway-system-public-gateway-b3b5c242\" not found"}

[arkodg]

this is expected / eventual consistent state, relates to the new zone aware routing feature which relies on proxy fleet endpoint data
#6597
we need to find a way to make this less alarming
cc @jukie

[jukie]

Yeah it shows up as an error if the service hasn't been created yet but it should resolve itself afterwards, albeit silently, without a restart.

If it's not an interesting error at normal runtime perhaps we should move this line to debug level.

[adrielp]

Eventual consistency makes sense, unfortunately, it seemed to only resolve once the pod was restarted. I left it running for an entire night, the service was online, but errors were still propagating. I can try and replicate it on the next cluster I build.

[arkodg]

+1 to moving this to debug since its not a error, this can also show up if a invalid/non existant backendRef is linked to a HTTPRoute

[Kazaen]

I have a very similar setup as @adrielp, except that in the EnvoyProxy, the service name is overwritten:

      envoyService:
        externalTrafficPolicy: Local
        name: envoy-envoy-gateway-system-eg
        type: ClusterIP

in order to be used by a TargetGroupBinding (aws-load-balancer-controller), it was easier to hardcode the name. However, since the upgrade to 1.5.0:

2025-09-02T12:46:26.773Z ERROR provider kubernetes/controller.go:618 failed to get Service {"runner": "provider", "namespace": "envoy-gateway-system", "name": "envoy-envoy-gateway-system-eg-5391c79d", "error": "Service \"envoy-envoy-gateway-system-eg-5391c79d\" not found"}

Which means that the controller is expecting this name instead of the one that I override. Did i miss something ?

[arkodg]

@Kazaen was the envoyproxy attached to the gateway class ? if so its fixed with #6838

[Kazaen]

@Kazaen was the envoyproxy attached to the gateway class ? if so its fixed with #6838

Indeed, it was !

Thanks for confirming.