EnvoyPatchPolicy with JSONPatch blocks xDS updates when target objects don’t exist (control plane stuck) #8151

@zhaohuabing

Description:
Creating an EnvoyPatchPolicy that targets a SecurityPolicy-backed OAuth2 filter works once the SecurityPolicy exists, but if the EnvoyPatchPolicy is created first (while the SecurityPolicy does not exist), the control plane gets stuck: other resources (HTTPRoutes) stop producing new xDS, and the Envoy configuration never updates.

Expected behavior: the control plane should log the error but remain healthy and continue generating xDS for unrelated resources.

Repro steps:

  1. Create the following EnvoyPatchPolicy (no SecurityPolicy yet):
  ```yaml
  apiVersion: gateway.envoyproxy.io/v1alpha1
  kind: EnvoyPatchPolicy
  metadata:
    name: foo
  spec:
    jsonPatches:
    - name: default/ingress/https
      operation:
        jsonPath: $..http_filters[?match(@.name, "non-existing-filter/.*")].typed_config.config.credentials
        op: replace
        path: /cookie_names
        value:
          bearer_token: baz
      type: type.googleapis.com/envoy.config.listener.v3.Listener
    targetRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: ingress
    type: JSONPatch
  ```

The status shows the programmed condition is "false" with an error, which is expected, but the other resources such as HTTPRoutes also stop producing new xDS.

    - lastTransitionTime: "2026-02-02T02:27:21Z"
      message: 'No jsonPointers were found while evaluating the jsonPath: ''$..http_filters[?match(@.name,
        "non-existing-filter/.*")].typed_config.config.credentials''. Ensure the elements
        you are trying to select with the jsonPath exist in the document. If you need
        to add a non-existing property, use the ''path'' attribute.
  2. Do not create the referenced SecurityPolicy.
  3. Create or update unrelated HTTPRoutes.

Environment:
Envoy Gateway version: v1.6.3

Logs:
Envoy Gateway log:

2026-02-02T02:27:21.393Z	ERROR	xds	runner/runner.go:323	failed to translate xds ir	{"runner": "xds", "trace_id": "16f51cfa80dcacffcc2cf19eb45db6ae", "span_id": "37569daa11b959d0", "error": "no jsonPointers were found while evaluating the jsonPath: '$..http_filters[?match(@.name, \"non-existing-filter/.*\")].typed_config.config.credentials'. Ensure the elements you are trying to select with the jsonPath exist in the document. If you need to add a non-existing property, use the 'path' attribute"}
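The expected behavior described in this issue, sketched as an added example that is not Envoy Gateway's code and not part of the original report: a patch that selects nothing is recorded against its own policy while the remaining resources are still emitted. The `Filter`, `Listener`, `Patch` and `Translate` names are hypothetical, a regular expression over filter names stands in for the JSONPath selector, and the sample listeners are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Filter and Listener are simplified stand-ins for xDS resources (assumption).
type Filter struct {
	Name        string
	CookieNames map[string]string
}
type Listener struct {
	Name    string
	Filters []Filter
}

// Patch is a hypothetical reduced jsonPatches entry (replace cookie_names).
type Patch struct {
	Policy, Listener string
	Match            *regexp.Regexp
	CookieNames      map[string]string
}

// Translate isolates patch failures: recorded per policy, never aborting.
func Translate(ls []Listener, patches []Patch) ([]Listener, map[string]error) {
	status := map[string]error{}
	for _, p := range patches {
		matched := 0
		for i := range ls {
			for j := range ls[i].Filters {
				if f := &ls[i].Filters[j]; ls[i].Name == p.Listener && p.Match.MatchString(f.Name) {
					f.CookieNames = p.CookieNames
					matched++
				}
			}
		}
		if matched == 0 { // the "no jsonPointers were found" case from the issue
			status[p.Policy] = fmt.Errorf("no filter matched %q on %q", p.Match, p.Listener)
		}
	}
	return ls, status
}

func main() {
	ls := []Listener{{Name: "default/ingress/https", Filters: []Filter{{Name: "envoy.filters.http.router"}}}}
	bad := Patch{Policy: "foo", Listener: ls[0].Name, Match: regexp.MustCompile(`^non-existing-filter/.*$`)}
	out, status := Translate(ls, []Patch{bad})
	fmt.Println(len(out), status["foo"])
}
```

The returned map corresponds to what a policy status condition would report; the listener slice is what would still be pushed as xDS.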

Labels: kind/bug (Something isn't working), kind/decision (A record of a decision made by the community.)