gatewayapi: don't append gwcResource if there's invalid GatewayClass #6379

Merged
Xunzhuo merged 4 commits into envoyproxy:main from zirain:nit-log
Jul 2, 2025

zirain (Member) commented Jun 23, 2025

This fixes an error log when there is more than one unaccepted GatewayClass, like the following:

2025-06-23T04:32:40.628Z	INFO	provider	kubernetes/controller.go:361	secret	{"runner": "provider", "count": 2, "gwc": "eg"}
2025-06-23T04:32:40.629Z	INFO	provider	kubernetes/controller.go:361	secret	{"runner": "provider", "count": 2, "gwc": "eg"}
2025-06-23T04:33:08.944Z	INFO	provider	kubernetes/controller.go:361	secret	{"runner": "provider", "count": 2, "gwc": "eg"}
2025-06-23T04:34:07.884Z	INFO	provider	kubernetes/controller.go:361	secret	{"runner": "provider", "count": 2, "gwc": "envoy-gateway"}
2025-06-23T04:34:07.884Z	INFO	provider	kubernetes/controller.go:361	secret	{"runner": "provider", "count": 2, "gwc": "eg"}
2025-06-23T04:36:06.505Z	INFO	provider	kubernetes/controller.go:361	secret	{"runner": "provider", "count": 0, "gwc": "envoy-gateway"}
2025-06-23T04:36:06.505Z	INFO	provider	kubernetes/controller.go:361	secret	{"runner": "provider", "count": 2, "gwc": "eg"}
2025-06-23T04:36:06.506Z	ERROR	gateway-api	runner/runner.go:180	errors detected during translation	{"runner": "gateway-api", "error": "envoy TLS secret envoy-gateway-system/envoy not found"}

It's easy to reproduce with the following configuration:

kind: GatewayClass
apiVersion: gateway.networking.k8s.io/v1
metadata:
  name: envoy-gateway
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
  parametersRef:
    group: gateway.envoyproxy.io
    kind: EnvoyProxy
    name: proxy-config
    namespace: envoy-gateway-system
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: eg
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: eg
  namespace: ingress
spec:
  gatewayClassName: eg
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: All

@zirain zirain requested a review from a team as a code owner June 23, 2025 04:44
codecov bot commented Jun 23, 2025

Codecov Report

Attention: Patch coverage is 57.14286% with 9 lines in your changes missing coverage. Please review.

Project coverage is 70.89%. Comparing base (ec94c98) to head (e5668bf).
Report is 6 commits behind head on main.

Files with missing lines                      Patch %   Lines
internal/provider/kubernetes/controller.go    60.00%    1 Missing and 7 partials ⚠️
internal/gatewayapi/runner/runner.go          0.00%     1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #6379      +/-   ##
==========================================
- Coverage   70.93%   70.89%   -0.04%     
==========================================
  Files         220      220              
  Lines       37259    37263       +4     
==========================================
- Hits        26429    26419      -10     
- Misses       9287     9297      +10     
- Partials     1543     1547       +4     

cnvergence previously approved these changes Jun 23, 2025
arkodg (Contributor) commented Jun 23, 2025

I'm not sure how this is related

  1. if a GWC is not accepted because of an invalid EProxy, it is not added into the Provider message
    if managedGC.Spec.ParametersRef != nil && managedGC.DeletionTimestamp == nil {
  2. gateway-api runner should skip translation
    if update.Delete || val == nil {

zirain (Member, Author) commented Jun 23, 2025

I'm not sure how this is related

  1. if a GWC is not accepted because of an invalid EProxy, it is not added into the Provider message
    if managedGC.Spec.ParametersRef != nil && managedGC.DeletionTimestamp == nil {
  2. gateway-api runner should skip translation
    if update.Delete || val == nil {

I was surprised too; it took me more than 1h to identify the issue.

@zirain zirain changed the title gatewayapi: don't process gloabal resources when acceptedGateways is 0 gatewayapi: don't append gwcResource if there's invalid GatewayClass or Gateway Jun 24, 2025
@zirain zirain force-pushed the nit-log branch 2 times, most recently from 885ba8f to 6c56470 Compare June 25, 2025 01:39
@zirain zirain changed the title gatewayapi: don't append gwcResource if there's invalid GatewayClass or Gateway gatewayapi: don't append gwcResource if there's invalid GatewayClass Jun 25, 2025
zirain added 4 commits July 1, 2025 20:31
Signed-off-by: zirain <zirain2009@gmail.com>
Signed-off-by: zirain <zirain2009@gmail.com>
Signed-off-by: zirain <zirain2009@gmail.com>
zirain (Member, Author) commented Jul 1, 2025

/retest

@arkodg arkodg requested review from a team July 2, 2025 02:29
@zirain zirain requested a review from cnvergence July 2, 2025 03:31
@Xunzhuo Xunzhuo merged commit 5016dda into envoyproxy:main Jul 2, 2025
44 of 47 checks passed
shawnh2 pushed a commit to shawnh2/gateway that referenced this pull request Jul 2, 2025
…nvoyproxy#6379)

* gatewayapi: don't process gloabal resources when acceptedGateways is 0

Signed-off-by: zirain <zirain2009@gmail.com>

* update

Signed-off-by: zirain <zirain2009@gmail.com>

* fix test

Signed-off-by: zirain <zirain2009@gmail.com>

* don't skip gateways

Signed-off-by: zirain <zirain2009@gmail.com>

---------

Signed-off-by: zirain <zirain2009@gmail.com>
Signed-off-by: shawnh2 <shawnhxh@outlook.com>
zhaohuabing added a commit that referenced this pull request Jul 4, 2025
* fix(translator): ext-proc full duplex streamed trailers and validation (#6323)
* fix ext proc validation and trailer management for full duplex streamed mode

Signed-off-by: Guy Daich <guy.daich@sap.com>
Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* feat: disable automountServiceAccountToken for proxy and ratelimit (#6364)

Signed-off-by: Jeff Davis <mr.jefedavis@gmail.com>

* bugfix: make EnvoyPatchPolicy able to replace telemetry cluster (#6367)

Signed-off-by: zirain <zirain2009@gmail.com>
Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* feat: add validation of section name for Gateway listener (#6343)

* add validation of section name

Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>

* update error status reason

Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>

* refactor: define as function of validate section name for gateway listener

Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>
Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* fix: add configMap indexers for EEP reconciler (#6369)

Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>

* fix: use buildEndpointType for access and tracing (#6370)

Signed-off-by: zirain <zirain2009@gmail.com>

* fix: default accesslog not working (#6441)
* fix default accesslog

Signed-off-by: zirain <zirain2009@gmail.com>

* release notes

Signed-off-by: zirain <zirain2009@gmail.com>

---------

Signed-off-by: zirain <zirain2009@gmail.com>
Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* chore: fix cve (#6446)

* fix cve

Signed-off-by: zirain <zirain2009@gmail.com>

* lint

Signed-off-by: zirain <zirain2009@gmail.com>

---------

Signed-off-by: zirain <zirain2009@gmail.com>

* fix: Do not set backendRequestTimeout when Retries are set (#6421)

* fix: Do not set backendRequestTimeout when Retries are set

Signed-off-by: sudipto baral <sudiptobaral.me@gmail.com>

* fix: update comment

Signed-off-by: sudipto baral <sudiptobaral.me@gmail.com>

---------

Signed-off-by: sudipto baral <sudiptobaral.me@gmail.com>

* gatewayapi: don't append gwcResource if there's invalid GatewayClass (#6379)

* gatewayapi: don't process gloabal resources when acceptedGateways is 0

Signed-off-by: zirain <zirain2009@gmail.com>

* update

Signed-off-by: zirain <zirain2009@gmail.com>

* fix test

Signed-off-by: zirain <zirain2009@gmail.com>

* don't skip gateways

Signed-off-by: zirain <zirain2009@gmail.com>

---------

Signed-off-by: zirain <zirain2009@gmail.com>
Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* fix testdata

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* fix k8s provider controller

Signed-off-by: shawnh2 <shawnhxh@outlook.com>

* fix: retry reconcile on transient errors during reconcile  (#6299)

* fix: add isTransientError helper to classify retryable errors

Introduces isTransientError to detect transient Kubernetes errors and
enable proper reconciliation retries.

Signed-off-by: Patryk Rostkowski <patrostkowski@gmail.com>

handle errors from processing BackendRefs

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

handle errors from processing ConfigMap

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

* skip invalid GatewayClass

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

* address comment

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

* handle all transient errors

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

* don't skip failed GCs

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: Patryk Rostkowski <patrostkowski@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Co-authored-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
(cherry picked from commit 71ce56f)
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

* fix: fix bug in hostname overlap detection (#6332)

fix bug in hostname overlap detection

Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
(cherry picked from commit e78e268)
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

* fix telemetry with host port not working (#6460)

Signed-off-by: zirain <zirain2009@gmail.com>
(cherry picked from commit c0a2ce7)
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

* bugfix: BackendTlsPolicy should not reference across namespace (#6309)

* bugfix: BackendTlsPolicy should not reference across namespace

Signed-off-by: zirain <zirain2009@gmail.com>
(cherry picked from commit 9925189)
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: Guy Daich <guy.daich@sap.com>
Signed-off-by: shawnh2 <shawnhxh@outlook.com>
Signed-off-by: Jeff Davis <mr.jefedavis@gmail.com>
Signed-off-by: zirain <zirain2009@gmail.com>
Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com>
Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
Signed-off-by: sudipto baral <sudiptobaral.me@gmail.com>
Signed-off-by: Patryk Rostkowski <patrostkowski@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Co-authored-by: Guy Daich <guy.daich@sap.com>
Co-authored-by: Jeff Davis <mr.jefedavis@gmail.com>
Co-authored-by: zirain <zirain2009@gmail.com>
Co-authored-by: Kota Kimura <86363983+kkk777-7@users.noreply.github.com>
Co-authored-by: Rudrakh Panigrahi <rudrakh97@gmail.com>
Co-authored-by: Sudipto Baral <sudiptobaral.me@gmail.com>
Co-authored-by: Patryk Rostkowski <48490105+patrostkowski@users.noreply.github.com>
Co-authored-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
@zirain zirain deleted the nit-log branch August 4, 2025 03:01
shawnh2 added a commit to shawnh2/gateway that referenced this pull request Sep 15, 2025