fix(translator): Fix panic with request mirror + grpcroute#6875
Merged
arkodg merged 13 commits intoenvoyproxy:mainfrom Sep 2, 2025
Merged
fix(translator): Fix panic with request mirror + grpcroute#6875arkodg merged 13 commits intoenvoyproxy:mainfrom
arkodg merged 13 commits intoenvoyproxy:mainfrom
Conversation
0261526 to
da5dfd6
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #6875 +/- ##
==========================================
- Coverage 71.10% 71.08% -0.03%
==========================================
Files 225 225
Lines 39859 39868 +9
==========================================
- Hits 28343 28340 -3
- Misses 9848 9857 +9
- Partials 1668 1671 +3 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
c2e5f76 to
fea450c
Compare
arkodg
reviewed
Aug 30, 2025
internal/gatewayapi/filters.go
Outdated
Contributor
There was a problem hiding this comment.
can we eliminate this ?
validateBackendRef already accepts a backend interface
gateway/internal/gatewayapi/validate.go
Line 29 in c181d47
Contributor
Author
There was a problem hiding this comment.
@arkodg I think we need some kind of split in the concrete type of the iface approximately here, because validateBackendRefFilters needs GRPCRoutes to have a GRPCRouteFilter-containing-backendref, and HTTPRoutes to have an HTTPRouteFilter-containing-backendref -- the panic was caused by the existing unification causing the downstream cast to fail.
Contributor
Author
There was a problem hiding this comment.
(I'm not a go expert or familiar with the types in play, but this was the smallest code diff way I found to avoid the unchecked cast panic)
Member
|
@AndyMoreland e.g. var mirrorBackendRef BackendRefContext
routeType := GetRouteType(filterContext.Route)
if routeType == resource.KindGRPCRoute {
mirrorBackendRef = gwapiv1.GRPCBackendRef{
BackendRef: gwapiv1.BackendRef{
BackendObjectReference: mirrorBackend,
Weight: &weight,
},
}
} else {
mirrorBackendRef = gwapiv1.HTTPBackendRef{
BackendRef: gwapiv1.BackendRef{
BackendObjectReference: mirrorBackend,
Weight: &weight,
},
}
}
// This sets the status on the HTTPRoute, should the usage be changed so that the status message reflects that the backendRef is from the filter?
filterNs := filterContext.Route.GetNamespace()
serviceNamespace := NamespaceDerefOr(mirrorBackend.Namespace, filterNs)
err = t.validateBackendRef(mirrorBackendRef, filterContext.Route,
resources, serviceNamespace, routeType) |
Contributor
|
+1 to #6875 (comment) |
Signed-off-by: Andrew Moreland <andy@andymoreland.com>
Signed-off-by: Andrew Moreland <andy@andymoreland.com>
Signed-off-by: Andrew Moreland <andy@andymoreland.com>
Signed-off-by: Andrew Moreland <andy@andymoreland.com>
Signed-off-by: Andrew Moreland <andy@andymoreland.com>
The validateBackendRefFilters function casts the Filters field to the specific filter type (HTTPRouteFilter vs GRPCRouteFilter) based on the routeKind. Using the wrong wrapper type causes a type assertion panic, so we must keep the typed wrappers despite the duplication. Signed-off-by: Andrew Moreland <andy@andymoreland.com>
Simplified the RequestMirror filter processing by: - Getting RouteType directly from filterContext - Creating appropriate BackendRef type (HTTP or gRPC) based on RouteType - Consolidating logic into single processRequestMirrorFilter function - Keeping processGRPCRequestMirrorFilter as a delegate for compatibility This approach follows the review feedback and maintains the fix for GRPCRoute panic while simplifying the code structure. Signed-off-by: Andrew Moreland <andy@andymoreland.com>
521204e to
4740589
Compare
Contributor
Author
|
I've applied the suggested change |
ProcessGRPCFilters now calls processRequestMirrorFilter directly since it already handles both HTTP and gRPC routes based on RouteType. Signed-off-by: Andrew Moreland <andy@andymoreland.com>
arkodg
reviewed
Sep 2, 2025
Contributor
|
thanks for addressing the comments @AndyMoreland, added one minor comment |
Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> Signed-off-by: Andrew Moreland <andy@andymo.org>
Contributor
Author
|
I've merged your suggestion |
zirain
approved these changes
Sep 2, 2025
shawnh2
pushed a commit
to shawnh2/gateway
that referenced
this pull request
Oct 15, 2025
…y#6875) Signed-off-by: Andrew Moreland <andy@andymoreland.com> Signed-off-by: shawnh2 <shawnhxh@outlook.com>
arkodg
added a commit
that referenced
this pull request
Oct 15, 2025
* fix(xds-server): clear snapshot on stream close (#6618) * fix(xds-server): clear snapshot on stream close Signed-off-by: Zachary Vacura <zvacura@digitalocean.com> * check if there are other active connections before clearning the snapshot Signed-off-by: Zachary Vacura <zvacura@digitalocean.com> Signed-off-by: shawnh2 <shawnhxh@outlook.com> * bug: disable x-envoy-ratelimited by default (#7110) * bug: disable x-envoy-ratelimited by default * can be enabled with `enableEnvoyHeaders` in CTP Relates to #7034 Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix tests and release note Signed-off-by: Arko Dasgupta <arko@tetrate.io> * fix testdata Signed-off-by: Arko Dasgupta <arko@tetrate.io> --------- Signed-off-by: Arko Dasgupta <arko@tetrate.io> Signed-off-by: shawnh2 <shawnhxh@outlook.com> * fix(translator): Fix panic with request mirror + grpcroute (#6875) Signed-off-by: Andrew Moreland <andy@andymoreland.com> Signed-off-by: shawnh2 <shawnhxh@outlook.com> * fix: bug in overlap detection of cert SANs (#7234) Signed-off-by: shawnh2 <shawnhxh@outlook.com> * bump golang for crypto/x509 reggression (#7236) Signed-off-by: zirain <zirain2009@gmail.com> Signed-off-by: shawnh2 <shawnhxh@outlook.com> * fix gen-check Signed-off-by: shawnh2 <shawnhxh@outlook.com> --------- Signed-off-by: Zachary Vacura <zvacura@digitalocean.com> Signed-off-by: shawnh2 <shawnhxh@outlook.com> Signed-off-by: Arko Dasgupta <arko@tetrate.io> Signed-off-by: Andrew Moreland <andy@andymoreland.com> Signed-off-by: zirain <zirain2009@gmail.com> Co-authored-by: Zach Vacura <zach@hackzzila.com> Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> Co-authored-by: Andrew Moreland <andy@andymo.org> Co-authored-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Co-authored-by: zirain <zirain2009@gmail.com>
zirain
pushed a commit
to zirain/gateway
that referenced
this pull request
Nov 14, 2025
…y#6875) Signed-off-by: Andrew Moreland <andy@andymoreland.com> Signed-off-by: zirain <zirain2009@gmail.com>
zirain
added a commit
that referenced
this pull request
Nov 14, 2025
* fix: bug in overlap detection of cert SANs (#7234) Signed-off-by: zirain <zirain2009@gmail.com> * fix(translator): Fix panic with request mirror + grpcroute (#6875) Signed-off-by: Andrew Moreland <andy@andymoreland.com> Signed-off-by: zirain <zirain2009@gmail.com> * fix: watch change for the ca cert in the Backend (#7294) * watch change for the ca cert in the Backend Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: zirain <zirain2009@gmail.com> * fix ipFamily not set in UDPListener (#7313) fix: set ipfamily in udpistener (#7312) Signed-off-by: cong <q1875486458@gmail.com> Signed-off-by: zirain <zirain2009@gmail.com> * coalesce updates to reduce intermediate updates (#7328) * coalesce updates to reduce redundant processing in subscription handler Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * retain order Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * keep intermediate delete updates Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * minor wording Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * treat delete as normal operations Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * retain the original order of the last updates for each key Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * address comments Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * fix test Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> --------- Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: zirain <zirain2009@gmail.com> * fix: port typo (#7397) Signed-off-by: cong <q1875486458@gmail.com> Signed-off-by: zirain <zirain2009@gmail.com> * fix: validate EnvoyGateway configuration before reload (#7412) Signed-off-by: zirain <zirain2009@gmail.com> * fix: missing jwt provider when jwt is configured on multiple listeners sharing the same port (#7337) * fix jwt provider missing when jwt is configured at multiple ir listeners Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: zirain <zirain2009@gmail.com> * fix: memory leak (#7429) Fix memory leak. Two watchable.Maps were never closed when shutting down the provider: - GatewayClassStatuses.Close() - missing in GatewayAPIStatuses.Close() - BackendTrafficPolicyStatuses.Close() - missing in PolicyStatuses.Close() Each unclosed map leaked 3 goroutines: 1. Internal watchable.Map.coalesce goroutine 2. HandleSubscription goroutine blocked on channel read 3. Error handler goroutine blocked on channel read Signed-off-by: Gonzalo Serrano <boikot@gmail.com> Signed-off-by: zirain <zirain2009@gmail.com> * fix gen after cherry-pick Signed-off-by: zirain <zirain2009@gmail.com> * fix watchutil test Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> --------- Signed-off-by: zirain <zirain2009@gmail.com> Signed-off-by: Andrew Moreland <andy@andymoreland.com> Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: cong <q1875486458@gmail.com> Signed-off-by: Gonzalo Serrano <boikot@gmail.com> Co-authored-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Co-authored-by: Andrew Moreland <andy@andymo.org> Co-authored-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Co-authored-by: 聪 <q1875486458@gmail.com> Co-authored-by: Gonzalo Serrano <boikot@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
This fixes an unconditional panic when the RequestMirror filter is used with GRPCRoutes
Which issue(s) this PR fixes:
Fixes #6874
Release Notes: No