fix: continue processing the remaining xDS with invalid EnvoyPatchPolicies#8153

Merged
arkodg merged 1 commit into envoyproxy:main from zhaohuabing:fix-8151
Feb 4, 2026
@zhaohuabing
Member

@zhaohuabing zhaohuabing commented Feb 2, 2026

fix: #8151

This PR ignores the invalid EnvoyPatchPolicy in the xDS translator and continues pushing the xDS for unrelated resources to the Envoy fleet.

Errors from the invalid EnvoyPatchPolicy are logged in the Envoy Gateway logs, and surfaced in the Programmed condition of the EnvoyPatchPolicy's status.
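
A simplified model of the behaviour change described above, as an added example that is not code from this PR or from Envoy Gateway. The `Patch` and `XDS` types and both `Translate*` functions are hypothetical, and the returned status map stands in for the policy's Programmed condition.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified model; not Envoy Gateway's real translator types.
type Patch struct{ Policy, Target, Key, Value string }
type XDS map[string]map[string]string // resource name -> fields

var ErrTargetNotFound = errors.New("patch target not found")

// applyOne patches one resource in place and fails if the target is absent.
func applyOne(xds XDS, p Patch) error {
	res, ok := xds[p.Target]
	if !ok {
		return fmt.Errorf("policy %s: %w: %s", p.Policy, ErrTargetNotFound, p.Target)
	}
	res[p.Key] = p.Value
	return nil
}

// TranslateFailFast: the first bad patch aborts translation, so nothing is pushed.
func TranslateFailFast(xds XDS, patches []Patch) (XDS, error) {
	for _, p := range patches {
		if err := applyOne(xds, p); err != nil {
			return nil, err
		}
	}
	return xds, nil
}

// TranslateIsolated: a bad patch is recorded against its own policy and
// skipped; unrelated resources are still returned for pushing.
func TranslateIsolated(xds XDS, patches []Patch) (XDS, map[string]error) {
	status := map[string]error{}
	for _, p := range patches {
		if status[p.Policy] == nil { // keep the first error per policy
			status[p.Policy] = applyOne(xds, p)
		}
	}
	return xds, status
}

func main() {
	xds := XDS{"cluster-b": {}} // constructed sample input
	ps := []Patch{{"ns/bad", "missing", "k", "v"}, {"ns/ok", "cluster-b", "k", "v"}}
	_, st := TranslateIsolated(xds, ps)
	fmt.Println(st["ns/bad"], xds["cluster-b"])
}
```

This model patches in place, so a policy whose later patch fails keeps its earlier patches applied; patching a copy per policy avoids that.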

@zhaohuabing zhaohuabing requested a review from a team as a code owner February 2, 2026 05:18
@netlify

netlify bot commented Feb 2, 2026

Deploy Preview for cerulean-figolla-1f9435 canceled.

Name Link
🔨 Latest commit 342718d
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/6981858efb0afe00088693d2

@zhaohuabing zhaohuabing marked this pull request as draft February 2, 2026 05:19
- maxRetries: 1024
commonLbConfig:
localityWeightedLbConfig: {}
commonLbConfig: {}
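Review bot: `commonLbConfig` appears in this expected-output YAML both with a nested `localityWeightedLbConfig: {}` and as a bare `{}`, a load-balancer detail that has nothing to do with how invalid EnvoyPatchPolicies are handled. If this comes from regenerating stale golden files, say so in the commit message so the change is not later read as part of the fix.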
Member Author

This and the other xds test out yaml files were added before and never updated afterward, since the invalid EnvoyPatchPolicies didn't produce any xDS output.

@zhaohuabing zhaohuabing marked this pull request as ready for review February 2, 2026 05:34
@codecov

codecov bot commented Feb 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.69%. Comparing base (79af9fe) to head (342718d).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8153      +/-   ##
==========================================
+ Coverage   73.67%   73.69%   +0.01%     
==========================================
  Files         241      241              
  Lines       36561    36561              
==========================================
+ Hits        26937    26943       +6     
+ Misses       7712     7709       -3     
+ Partials     1912     1909       -3     

arkodg
arkodg previously approved these changes Feb 3, 2026
Contributor

@arkodg arkodg left a comment

LGTM thanks

zirain
zirain previously approved these changes Feb 3, 2026
@zirain zirain dismissed stale reviews from arkodg and themself via 342718d February 3, 2026 05:20
@zhaohuabing
Member Author

The diff looks good. Thanks! @zirain

@kkk777-7
Member

kkk777-7 commented Feb 3, 2026

LGTM, thanks!

@arkodg arkodg merged commit 6cf677d into envoyproxy:main Feb 4, 2026
56 of 59 checks passed
cnvergence pushed a commit to cnvergence/gateway that referenced this pull request Feb 5, 2026
…icies (envoyproxy#8153)

continue processing the remaining xDS with invalid EnvoyPatchPolicies

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
cnvergence pushed a commit to cnvergence/gateway that referenced this pull request Feb 5, 2026
…icies (envoyproxy#8153)

continue processing the remaining xDS with invalid EnvoyPatchPolicies

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>
cnvergence added a commit that referenced this pull request Feb 5, 2026
* chore(docs): Update Azure Entra link in OIDC guide (#8167)

Update Azure Entra link in OIDC guide

Signed-off-by: Guy Daich <[email protected]>

* fix: continue processing the remaining xDS with invalid EnvoyPatchPolicies (#8153)

continue processing the remaining xDS with invalid EnvoyPatchPolicies

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>

* build(deps): bump the actions group across 1 directory with 2 updates (#8178)

Bumps the actions group with 2 updates in the / directory: [docker/login-action](https://github.com/docker/login-action) and [github/codeql-action](https://github.com/github/codeql-action).

Updates `docker/login-action` from 3.6.0 to 3.7.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@5e57cd1...c94ce9f)

Updates `github/codeql-action` from 4.32.0 to 4.32.1
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@b20883b...6bc82e0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 3.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: github/codeql-action
  dependency-version: 4.32.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Isaac Wilson <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>

* fix: skip provision when IR Infra is invalid (#7754)

* fix: do not trigger IR deletion when EnvoyProxy is invalid

Signed-off-by: zirain <[email protected]>

* add Invalid to ir.Infra

Signed-off-by: zirain <[email protected]>

* fix gen

Signed-off-by: zirain <[email protected]>

* add e2e

Signed-off-by: zirain <[email protected]>

* remove invalid

Signed-off-by: zirain <[email protected]>

* add comments

Signed-off-by: zirain <[email protected]>

* update

Signed-off-by: zirain <[email protected]>

* merge loop

Signed-off-by: zirain <[email protected]>

* move back

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>

* docs: add HTTP header and method based authentication task (#7990)

* docs: add HTTP header and method based authentication task

Signed-off-by: Aditya Sanskar Srivastav <[email protected]>

* docs: replace api-key examples with user header

Signed-off-by: Aditya Sanskar Srivastav <[email protected]>

* docs: format header and method authentication examples

Signed-off-by: Aditya Sanskar Srivastav <[email protected]>

* docs: add header and method based authorization examples

Signed-off-by: Aditya Sanskar Srivastav <[email protected]>

---------

Signed-off-by: Aditya Sanskar Srivastav <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>

* fix: Validation of XListenerSet certificateRefs (#8168)

Previously, validateTerminateModeAndGetTLSSecrets would always use the
namespace of the listener's gateway when verifying a cross-namespace
ref.

This meant that if the listener were from an XListenerSet, whether or
not the Secret associated with the certificateRef was in the same
namespace as the XListenerSet, it would not be permitted.

Additionally, and relatedly, this fixes an issue where an XListenerSet
could reference a Secret in the gateway's namespace without a
ReferenceGrant being present.

With this change we add a new GetNamespace() method to
gatewayapi.ListenerContext which returns the listener's gateway's
namespace for a listener added directly to the gateway, or the
XListenerSet's namespace otherwise. This is similar to some of the other
methods that were added to ListenerContext in support of XListenerSets.

The new method is used when creating the `crossNamespaceFrom` to
determine if the certificateRef is permitted. If the Secret and
XListenerSet are in the same namespace, it is permitted. If that is not
the case a ReferenceGrant from the XListenerSet to the Secret will be
properly searched for.

Signed-off-by: krishicks <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>

* fix: Remove whitespace for nodeSelector in deployment YAML - helm chart change (#8185)

Remove whitespace for nodeSelector in deployment YAML

Signed-off-by: Jess Belliveau <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>

* [release/v1.7.0] release notes (#8188)

Signed-off-by: Karol Szwaj <[email protected]>

---------

Signed-off-by: Guy Daich <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: Karol Szwaj <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: zirain <[email protected]>
Signed-off-by: Aditya Sanskar Srivastav <[email protected]>
Signed-off-by: krishicks <[email protected]>
Signed-off-by: Jess Belliveau <[email protected]>
Co-authored-by: Guy Daich <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Isaac Wilson <[email protected]>
Co-authored-by: zirain <[email protected]>
Co-authored-by: Aditya Sanskar Srivastav <[email protected]>
Co-authored-by: krishicks <[email protected]>
Co-authored-by: Jess Belliveau <[email protected]>
zirain pushed a commit to zirain/gateway that referenced this pull request Feb 9, 2026
…icies (envoyproxy#8153)

continue processing the remaining xDS with invalid EnvoyPatchPolicies

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
@zhaohuabing zhaohuabing deleted the fix-8151 branch February 11, 2026 01:34
zirain added a commit that referenced this pull request Feb 11, 2026
* fix(status): align BackendTLSPolicy ResolvedRefs reason with Gateway API (#7793)

* fix(status): align BackendTLSPolicy ResolvedRefs reason with Gateway API

Signed-off-by: Aditya7880900936 <[email protected]>

* fix(gatewayapi): use accurate error for missing CA bundle in BackendTLSPolicy

Signed-off-by: Aditya7880900936 <[email protected]>

* gatewayapi: fix BackendTLSPolicy status reasons for invalid CA refs

Signed-off-by: Aditya7880900936 <[email protected]>

* Update internal/gatewayapi/backendtlspolicy.go

Co-authored-by: Arko Dasgupta <[email protected]>
Signed-off-by: Aditya Sanskar Srivastav <[email protected]>

* gatewayapi: align BackendTLSPolicy invalid CA status and formatting

Signed-off-by: Aditya7880900936 <[email protected]>

* gatewayapi: align BackendTLSPolicy invalid CA error message with validation output

Signed-off-by: Aditya7880900936 <[email protected]>

* testdata: regenerate BackendTLSPolicy invalid CA output

Signed-off-by: Aditya7880900936 <[email protected]>

* fix(gatewayapi): keep Accepted reason as NoValidCACertificate for invalid CA ref kind

Signed-off-by: Aditya7880900936 <[email protected]>

* chore(gatewayapi): fix import grouping in BackendTLSPolicy

Signed-off-by: Aditya7880900936 <[email protected]>

---------

Signed-off-by: Aditya7880900936 <[email protected]>
Signed-off-by: Aditya Sanskar Srivastav <[email protected]>
Co-authored-by: Arko Dasgupta <[email protected]>

* feat: Ignore ready and stats listener metrics in shutdown manager calculation (#7985)

* feat: Ignore ready and stats listener metrics in shutdown manager calculation

Signed-off-by: zirain <[email protected]>

* fix

Signed-off-by: zirain <[email protected]>

* fix

Signed-off-by: zirain <[email protected]>

* refactor

Signed-off-by: zirain <[email protected]>

* remove USE_SERVER_CONNECTIONS

Signed-off-by: zirain <[email protected]>

* address review comment

Signed-off-by: zirain <[email protected]>

* display the real value

Signed-off-by: zirain <[email protected]>

* comment for worker thread

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>

* fix: custom response should be put at the first of the filter chain (#8061)

* fix: custom response should be put before oauth2

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* move the custom response filter to first

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* add release note

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

---------

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* fix: route idle timeout (#8058)

* fix: route idle timeout

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* address comments

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* add test

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

---------

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* fix: remove global logger in message package (#8131)

* fix: remove global logger in message package

Signed-off-by: zirain <[email protected]>

* fix: TCPRoute mTLS didn't work (#8152)

* fix: remove auto HTTP config on TCP cluster

Signed-off-by: zirain <[email protected]>

* fix lint

Signed-off-by: zirain <[email protected]>

* add e2e

Signed-off-by: zirain <[email protected]>

* fix e2e

Signed-off-by: zirain <[email protected]>

* fix comment

Signed-off-by: zirain <[email protected]>

* fix

Signed-off-by: zirain <[email protected]>

* fix resource name

Signed-off-by: zirain <[email protected]>

* address Arko's comment

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>

* fix: continue processing the remaining xDS with invalid EnvoyPatchPolicies (#8153)

continue processing the remaining xDS with invalid EnvoyPatchPolicies

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* fix gen

Signed-off-by: zirain <[email protected]>

* fix gen

Signed-off-by: zirain <[email protected]>

* fix: controller cache-sync readiness check (#7430)

Signed-off-by: zirain <[email protected]>

* fix gen

Signed-off-by: zirain <[email protected]>

* release notes for v1.6.4 (#8221)

* release notes for v1.6.4

Signed-off-by: zirain <[email protected]>

* update

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>

* update VERSION

Signed-off-by: zirain <[email protected]>

* update release notes

Signed-off-by: zirain <[email protected]>

* update

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: Aditya7880900936 <[email protected]>
Signed-off-by: Aditya Sanskar Srivastav <[email protected]>
Signed-off-by: zirain <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Aditya Sanskar Srivastav <[email protected]>
Co-authored-by: Arko Dasgupta <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Isaac Wilson <[email protected]>
Inode1 pushed a commit to Inode1/gateway that referenced this pull request Feb 23, 2026
…icies (envoyproxy#8153)

continue processing the remaining xDS with invalid EnvoyPatchPolicies

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Development

Successfully merging this pull request may close these issues.

EnvoyPatchPolicy with JSONPatch blocks xDS updates when target objects don’t exist (control plane stuck)

4 participants