fix: continue processing the remaining xDS with invalid EnvoyPatchPolicies#8153
Merged
arkodg merged 1 commit intoenvoyproxy:mainfrom Feb 4, 2026
Merged
fix: continue processing the remaining xDS with invalid EnvoyPatchPolicies#8153arkodg merged 1 commit intoenvoyproxy:mainfrom
arkodg merged 1 commit intoenvoyproxy:mainfrom
Conversation
✅ Deploy Preview for cerulean-figolla-1f9435 canceled.
|
zhaohuabing
commented
Feb 2, 2026
| - maxRetries: 1024 | ||
| commonLbConfig: | ||
| localityWeightedLbConfig: {} | ||
| commonLbConfig: {} |
Member
Author
There was a problem hiding this comment.
This and the other xds test out yaml files were added before and never updated afterward, since the invalid EnvoyPatchPolicies didn't produce any xDS output.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #8153 +/- ##
==========================================
+ Coverage 73.67% 73.69% +0.01%
==========================================
Files 241 241
Lines 36561 36561
==========================================
+ Hits 26937 26943 +6
+ Misses 7712 7709 -3
+ Partials 1912 1909 -3 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
zirain
previously approved these changes
Feb 3, 2026
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Member
Author
|
The diff looks good. Thanks! @zirain |
zirain
approved these changes
Feb 3, 2026
kkk777-7
approved these changes
Feb 3, 2026
Member
|
LGTM, thanks! |
cnvergence
pushed a commit
to cnvergence/gateway
that referenced
this pull request
Feb 5, 2026
…icies (envoyproxy#8153) continue processing the remaining xDS with invalid EnvoyPatchPolicies Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
cnvergence
pushed a commit
to cnvergence/gateway
that referenced
this pull request
Feb 5, 2026
…icies (envoyproxy#8153) continue processing the remaining xDS with invalid EnvoyPatchPolicies Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>
cnvergence
pushed a commit
to cnvergence/gateway
that referenced
this pull request
Feb 5, 2026
…icies (envoyproxy#8153) continue processing the remaining xDS with invalid EnvoyPatchPolicies Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>
cnvergence
added a commit
that referenced
this pull request
Feb 5, 2026
* chore(docs): Update Azure Entra link in OIDC guide (#8167) Update Azure Entra link in OIDC guide Signed-off-by: Guy Daich <guy.daich@sap.com> * fix: continue processing the remaining xDS with invalid EnvoyPatchPolicies (#8153) continue processing the remaining xDS with invalid EnvoyPatchPolicies Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * build(deps): bump the actions group across 1 directory with 2 updates (#8178) Bumps the actions group with 2 updates in the / directory: [docker/login-action](https://github.com/docker/login-action) and [github/codeql-action](https://github.com/github/codeql-action). Updates `docker/login-action` from 3.6.0 to 3.7.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@5e57cd1...c94ce9f) Updates `github/codeql-action` from 4.32.0 to 4.32.1 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@b20883b...6bc82e0) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: 3.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: github/codeql-action dependency-version: 4.32.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Isaac Wilson <10012479+jukie@users.noreply.github.com> Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: skip provision when IR Infra is invalid (#7754) * fix: do not trigger IR deletion when EnvoyProxy is invalid Signed-off-by: zirain <zirain2009@gmail.com> * add Invalid to ir.Infra Signed-off-by: zirain <zirain2009@gmail.com> * fix gen Signed-off-by: zirain <zirain2009@gmail.com> * add e2e Signed-off-by: zirain <zirain2009@gmail.com> * remove invalid Signed-off-by: zirain <zirain2009@gmail.com> * add comments Signed-off-by: zirain <zirain2009@gmail.com> * update Signed-off-by: zirain <zirain2009@gmail.com> * merge loop Signed-off-by: zirain <zirain2009@gmail.com> * move back Signed-off-by: zirain <zirain2009@gmail.com> --------- Signed-off-by: zirain <zirain2009@gmail.com> Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * docs: add HTTP header and method based authentication task (#7990) * docs: add HTTP header and method based authentication task Signed-off-by: Aditya Sanskar Srivastav <161202916+Aditya7880900936@users.noreply.github.com> * docs: replace api-key examples with user header Signed-off-by: Aditya Sanskar Srivastav <161202916+Aditya7880900936@users.noreply.github.com> * docs: format header and method authentication examples Signed-off-by: Aditya Sanskar Srivastav <161202916+Aditya7880900936@users.noreply.github.com> * docs: add header and method based authorization examples Signed-off-by: Aditya Sanskar Srivastav <161202916+Aditya7880900936@users.noreply.github.com> --------- Signed-off-by: Aditya Sanskar Srivastav <161202916+Aditya7880900936@users.noreply.github.com> Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: Validation of XListenerSet certificateRefs (#8168) Previously, validateTerminateModeAndGetTLSSecrets would always use the namespace of the listener's gateway when verifying a cross-namespace ref. This meant that if the listener were from an XListenerSet, whether or not the Secret associated with the certificateRef was in the same namespace as the XListenerSet, it would not be permitted. Additionally, and relatedly, this fixes an issue where an XListenerSet could reference a Secret in the gateway's namespace without a ReferenceGrant being present. With this change we add a new GetNamespace() method to gatewayapi.ListenerContext which returns the listener's gateway's namespace for a listener added directly to the gateway, or the XListenerSet's namespace otherwise. This is similar to some of the other methods that were added to ListenerContext in support of XListenerSets. The new method is used when creating the `crossNamespaceFrom` to determine if the certificateRef is permitted. If the Secret and XListenerSet are in the same namespace, it is permitted. If that is not the case a ReferenceGrant from the XListenerSet to the Secret will be properly searched for. Signed-off-by: krishicks <kris@krishicks.com> Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: Remove whitespace for nodeSelector in deployment YAML - helm chart change (#8185) Remove whitespace for nodeSelector in deployment YAML Signed-off-by: Jess Belliveau <jess.belliveau@gmail.com> Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * [release/v1.7.0] release notes (#8188) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> --------- Signed-off-by: Guy Daich <guy.daich@sap.com> Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: zirain <zirain2009@gmail.com> Signed-off-by: Aditya Sanskar Srivastav <161202916+Aditya7880900936@users.noreply.github.com> Signed-off-by: krishicks <kris@krishicks.com> Signed-off-by: Jess Belliveau <jess.belliveau@gmail.com> Co-authored-by: Guy Daich <guy.daich@sap.com> Co-authored-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Isaac Wilson <10012479+jukie@users.noreply.github.com> Co-authored-by: zirain <zirain2009@gmail.com> Co-authored-by: Aditya Sanskar Srivastav <161202916+Aditya7880900936@users.noreply.github.com> Co-authored-by: krishicks <kris@krishicks.com> Co-authored-by: Jess Belliveau <jess.belliveau@gmail.com>
zirain
pushed a commit
to zirain/gateway
that referenced
this pull request
Feb 9, 2026
…icies (envoyproxy#8153) continue processing the remaining xDS with invalid EnvoyPatchPolicies Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
zirain
added a commit
that referenced
this pull request
Feb 11, 2026
* fix(status): align BackendTLSPolicy ResolvedRefs reason with Gateway API (#7793) * fix(status): align BackendTLSPolicy ResolvedRefs reason with Gateway API Signed-off-by: Aditya7880900936 <adityasanskarsrivastav788@gmail.com> * fix(gatewayapi): use accurate error for missing CA bundle in BackendTLSPolicy Signed-off-by: Aditya7880900936 <adityasanskarsrivastav788@gmail.com> * gatewayapi: fix BackendTLSPolicy status reasons for invalid CA refs Signed-off-by: Aditya7880900936 <adityasanskarsrivastav788@gmail.com> * Update internal/gatewayapi/backendtlspolicy.go Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> Signed-off-by: Aditya Sanskar Srivastav <161202916+Aditya7880900936@users.noreply.github.com> * gatewayapi: align BackendTLSPolicy invalid CA status and formatting Signed-off-by: Aditya7880900936 <adityasanskarsrivastav788@gmail.com> * gatewayapi: align BackendTLSPolicy invalid CA error message with validation output Signed-off-by: Aditya7880900936 <adityasanskarsrivastav788@gmail.com> * testdata: regenerate BackendTLSPolicy invalid CA output Signed-off-by: Aditya7880900936 <adityasanskarsrivastav788@gmail.com> * fix(gatewayapi): keep Accepted reason as NoValidCACertificate for invalid CA ref kind Signed-off-by: Aditya7880900936 <adityasanskarsrivastav788@gmail.com> * chore(gatewayapi): fix import grouping in BackendTLSPolicy Signed-off-by: Aditya7880900936 <adityasanskarsrivastav788@gmail.com> --------- Signed-off-by: Aditya7880900936 <adityasanskarsrivastav788@gmail.com> Signed-off-by: Aditya Sanskar Srivastav <161202916+Aditya7880900936@users.noreply.github.com> Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> * feat: Ignore ready and stats listener metrics in shutdown manager calculation (#7985) * feat: Ignore ready and stats listener metrics in shutdown manager calculation Signed-off-by: zirain <zirain2009@gmail.com> * fix Signed-off-by: zirain <zirain2009@gmail.com> * fix Signed-off-by: zirain <zirain2009@gmail.com> * refactor Signed-off-by: zirain <zirain2009@gmail.com> * remove USE_SERVER_CONNECTIONS Signed-off-by: zirain <zirain2009@gmail.com> * address review comment Signed-off-by: zirain <zirain2009@gmail.com> * display the real value Signed-off-by: zirain <zirain2009@gmail.com> * comment for worker thread Signed-off-by: zirain <zirain2009@gmail.com> --------- Signed-off-by: zirain <zirain2009@gmail.com> * fix: custom response should be put at the first of the filter chain (#8061) * fix: custom response should be put before oauth2 Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> * move the custom response filter to first Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> * add release note Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> --------- Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> * fix: route idle timeout (#8058) * fix: route idle timeout Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> * address comments Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> * add test Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> --------- Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> * fix: remove global logger in message package (#8131) * fix: remove global logger in message package Signed-off-by: zirain <zirain2009@gmail.com> * fix: TCPRoute mTLS didn't work (#8152) * fix: remove auto HTTP config on TCP cluster Signed-off-by: zirain <zirain2009@gmail.com> * fix lint Signed-off-by: zirain <zirain2009@gmail.com> * add e2e Signed-off-by: zirain <zirain2009@gmail.com> * fix e2e Signed-off-by: zirain <zirain2009@gmail.com> * fix comment Signed-off-by: zirain <zirain2009@gmail.com> * fix Signed-off-by: zirain <zirain2009@gmail.com> * fix resource name Signed-off-by: zirain <zirain2009@gmail.com> * address Arko's comment Signed-off-by: zirain <zirain2009@gmail.com> --------- Signed-off-by: zirain <zirain2009@gmail.com> * fix: continue processing the remaining xDS with invalid EnvoyPatchPolicies (#8153) continue processing the remaining xDS with invalid EnvoyPatchPolicies Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> * fix gen Signed-off-by: zirain <zirain2009@gmail.com> * fix gen Signed-off-by: zirain <zirain2009@gmail.com> * fix: controller cache-sync readiness check (#7430) Signed-off-by: zirain <zirain2009@gmail.com> * fix gen Signed-off-by: zirain <zirain2009@gmail.com> * release notes for v1.6.4 (#8221) * release notes for v1.6.4 Signed-off-by: zirain <zirain2009@gmail.com> * update Signed-off-by: zirain <zirain2009@gmail.com> --------- Signed-off-by: zirain <zirain2009@gmail.com> * update VERSION Signed-off-by: zirain <zirain2009@gmail.com> * update release notes Signed-off-by: zirain <zirain2009@gmail.com> * update Signed-off-by: zirain <zirain2009@gmail.com> --------- Signed-off-by: Aditya7880900936 <adityasanskarsrivastav788@gmail.com> Signed-off-by: Aditya Sanskar Srivastav <161202916+Aditya7880900936@users.noreply.github.com> Signed-off-by: zirain <zirain2009@gmail.com> Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Co-authored-by: Aditya Sanskar Srivastav <161202916+Aditya7880900936@users.noreply.github.com> Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> Co-authored-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Co-authored-by: Isaac Wilson <10012479+jukie@users.noreply.github.com>
Inode1
pushed a commit
to Inode1/gateway
that referenced
this pull request
Feb 23, 2026
…icies (envoyproxy#8153) continue processing the remaining xDS with invalid EnvoyPatchPolicies Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fix: #8151
This PR ignores the invalid
EnvoyPatchPolicyin the xDS translator and continue pushing the xDS for unrelated resources to the Envoy fleet.Errors from the invalid
EnvoyPatchPolicyare logged in the Envoy Gateway logs, and surfaced in theProgrammedcondition of theEnvoyPatchPolicy's status.