
fix: oidc authentication endpoint was overwritten by discovered value #7460

Merged
zhaohuabing merged 4 commits into envoyproxy:main from zhaohuabing:fix-7459
Nov 28, 2025

Conversation

@zhaohuabing
Member

fixes: #7459
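The defect named in the PR title and in the linked issue (an explicitly configured `authorizationEndpoint` becoming ineffective when `tokenEndpoint` is left unset and the provider's discovery document is consulted) comes down to the order of precedence between configured and discovered endpoint values. The Go below is an added illustration of that precedence, not code from Envoy Gateway's `internal/gatewayapi/securitypolicy.go`: the struct and function names are hypothetical, the discovery document is a constructed sample rather than a fetched one, and the "overwrite" variant is a model of the reported behaviour, not the project's actual implementation.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ProviderConfig models the user-supplied fields of a SecurityPolicy
// oidc.provider block (hypothetical type for this example).
type ProviderConfig struct {
	Issuer                string
	AuthorizationEndpoint string // optional; discovered when empty
	TokenEndpoint         string // optional; discovered when empty
}

// discoveryDocument holds the two fields of an OpenID Provider metadata
// document that matter here.
type discoveryDocument struct {
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
}

// Endpoints is the resolved pair handed on to the OAuth2 filter config.
type Endpoints struct {
	Authorization string
	Token         string
}

// sampleDiscovery is a constructed document standing in for the one a
// real resolver fetches from <issuer>/.well-known/openid-configuration.
const sampleDiscovery = `{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/token"
}`

func parseDiscovery(raw string) (discoveryDocument, error) {
	var d discoveryDocument
	if err := json.Unmarshal([]byte(raw), &d); err != nil {
		return discoveryDocument{}, fmt.Errorf("parse discovery document: %w", err)
	}
	return d, nil
}

// resolveOverwrite models the reported behaviour: discovery is skipped only
// when both endpoints are configured, and once it runs its values replace
// the configured ones unconditionally, so a lone authorizationEndpoint is lost.
func resolveOverwrite(cfg ProviderConfig, raw string) (Endpoints, error) {
	if cfg.AuthorizationEndpoint != "" && cfg.TokenEndpoint != "" {
		return Endpoints{cfg.AuthorizationEndpoint, cfg.TokenEndpoint}, nil
	}
	d, err := parseDiscovery(raw)
	if err != nil {
		return Endpoints{}, err
	}
	return Endpoints{d.AuthorizationEndpoint, d.TokenEndpoint}, nil
}

// resolveFillMissing keeps every endpoint the policy set explicitly and uses
// the discovery document only for the fields that were left empty.
func resolveFillMissing(cfg ProviderConfig, raw string) (Endpoints, error) {
	out := Endpoints{cfg.AuthorizationEndpoint, cfg.TokenEndpoint}
	if out.Authorization != "" && out.Token != "" {
		return out, nil // nothing to discover
	}
	d, err := parseDiscovery(raw)
	if err != nil {
		return Endpoints{}, err
	}
	if out.Authorization == "" {
		out.Authorization = d.AuthorizationEndpoint
	}
	if out.Token == "" {
		out.Token = d.TokenEndpoint
	}
	// Refuse to emit a half-resolved config rather than let the filter
	// start with an empty endpoint.
	if out.Authorization == "" || out.Token == "" {
		return Endpoints{}, errors.New("authorization and token endpoints could not be resolved")
	}
	return out, nil
}

func main() {
	cfg := ProviderConfig{
		Issuer:                "https://idp.example.com",
		AuthorizationEndpoint: "https://idp.example.com/custom/authorize",
	}
	old, _ := resolveOverwrite(cfg, sampleDiscovery)
	fixed, _ := resolveFillMissing(cfg, sampleDiscovery)
	fmt.Printf("overwrite:    %+v\n", old)
	fmt.Printf("fill-missing: %+v\n", fixed)
}
```

With only `authorizationEndpoint` set, the overwrite variant returns the discovered `/oauth2/authorize`, while the fill-missing variant keeps `/custom/authorize` and discovers only the token endpoint; a unit test over exactly this input is the regression check worth keeping beside such a change.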

@zhaohuabing zhaohuabing requested a review from a team as a code owner November 10, 2025 03:42
@codecov

codecov bot commented Nov 10, 2025

Codecov Report

❌ Patch coverage is 64.70588% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 72.33%. Comparing base (ba8e0e2) to head (39f7094).
⚠️ Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
internal/gatewayapi/securitypolicy.go 64.70% 2 Missing and 4 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7460      +/-   ##
==========================================
+ Coverage   72.30%   72.33%   +0.02%     
==========================================
  Files         232      232              
  Lines       34117    34130      +13     
==========================================
+ Hits        24669    24687      +18     
+ Misses       7674     7669       -5     
  Partials     1774     1774              


@zhaohuabing zhaohuabing changed the title fix: oid authentication endpoint was overwritten by discovered value fix: oidc authentication endpoint was overwritten by discovered value Nov 10, 2025
Contributor

@arkodg arkodg left a comment


LGTM thanks

@arkodg arkodg requested review from a team November 26, 2025 22:33
@zhaohuabing zhaohuabing merged commit 50dcb15 into envoyproxy:main Nov 28, 2025
53 of 55 checks passed
@zhaohuabing zhaohuabing deleted the fix-7459 branch November 28, 2025 04:11
zhaohuabing added a commit to zhaohuabing/gateway that referenced this pull request Dec 5, 2025
…envoyproxy#7460)

fix: oid authentication endpoint was overridden by discovered value

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
(cherry picked from commit 50dcb15)
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
jukie pushed a commit to jukie/gateway that referenced this pull request Dec 5, 2025
…envoyproxy#7460)

fix: oid authentication endpoint was overridden by discovered value

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: jukie <10012479+jukie@users.noreply.github.com>
jukie added a commit that referenced this pull request Dec 5, 2025
* fix(xds-server): clear snapshot on stream close (#6618)

* fix(xds-server): clear snapshot on stream close

Signed-off-by: Zachary Vacura <zvacura@digitalocean.com>

* check if there are other active connections before clearing the snapshot

Signed-off-by: Zachary Vacura <zvacura@digitalocean.com>
Signed-off-by: jukie <10012479+jukie@users.noreply.github.com>

* fix: oidc authentication endpoint was overwritten by discovered value (#7460)

fix: oid authentication endpoint was overridden by discovered value

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: jukie <10012479+jukie@users.noreply.github.com>

* ci: add script to free disk space (#7534)

* feat: free disk space

Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>

* lint

Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>

* cleanup

Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>

* make target and tools/hack

Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>

* lint

Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>

* modular action

Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>

---------

Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>
Signed-off-by: jukie <10012479+jukie@users.noreply.github.com>

* treat too many addresses as programmed (#7542)

Signed-off-by: cong <q1875486458@gmail.com>
Signed-off-by: jukie <10012479+jukie@users.noreply.github.com>

* feat: reclaim space in release pipeline (#7587)

Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>
Signed-off-by: jukie <10012479+jukie@users.noreply.github.com>

* chore: bump golang.org/x/crypto (#7588)

* chore: bump golang.org/x/crypto

Signed-off-by: zirain <zirain2009@gmail.com>

* fix gen

Signed-off-by: zirain <zirain2009@gmail.com>

---------

Signed-off-by: zirain <zirain2009@gmail.com>
Signed-off-by: jukie <10012479+jukie@users.noreply.github.com>

* findOwningGateway should return controller based on linked GatewayClass (#7611)

* fix: filter Gateway by controller in findOwningGateway

Prevent cross-controller Gateway mutations by validating GatewayClass

Signed-off-by: Sudipto Baral <sudiptobaral.me@gmail.com>
Signed-off-by: jukie <10012479+jukie@users.noreply.github.com>

* fix: use default when namespace is unset (#7612)

* fix: use default when namespace is unset

Signed-off-by: zirain <zirain2009@gmail.com>

* fix

Signed-off-by: zirain <zirain2009@gmail.com>

* fix test

Signed-off-by: zirain <zirain2009@gmail.com>

---------

Signed-off-by: zirain <zirain2009@gmail.com>
Signed-off-by: jukie <10012479+jukie@users.noreply.github.com>

* fix: prevent skeleton route status entries for unmanaged GatewayClasses (#7536)

* fix: prevent skeleton route status entries for unmanaged GatewayClasses

When processing policies (EnvoyExtensionPolicy, SecurityPolicy), the translator
was calling GetRouteParentContext for ALL parentRefs in a route, even those
referencing gateways with different GatewayClasses not managed by this translator.

GetRouteParentContext creates a skeleton RouteParentStatus entry with just the
controllerName when called on a parentRef that hasn't been processed yet. Since
all GatewayClass instances share the same controller name, these skeleton entries
persisted in status without conditions.

The fix checks if a parentRef context already exists before attempting to apply
policy configuration to it. If the context doesn't exist, it means this parentRef
wasn't processed by this translator and should be skipped.

Signed-off-by: Raj Singh <raj@tailscale.com>

* fix: also prevent skeleton entries in BackendTrafficPolicy processing

The same issue exists in BackendTrafficPolicy route processing - calling
GetRouteParentContext for all parentRefs creates skeleton status entries.

Apply the same fix: check if parentRef context exists before adding to list.

Signed-off-by: Raj Singh <raj@tailscale.com>

---------

Signed-off-by: Raj Singh <raj@tailscale.com>
Signed-off-by: jukie <10012479+jukie@users.noreply.github.com>

* lint

Signed-off-by: jukie <10012479+jukie@users.noreply.github.com>

---------

Signed-off-by: Zachary Vacura <zvacura@digitalocean.com>
Signed-off-by: jukie <10012479+jukie@users.noreply.github.com>
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>
Signed-off-by: cong <q1875486458@gmail.com>
Signed-off-by: zirain <zirain2009@gmail.com>
Signed-off-by: Sudipto Baral <sudiptobaral.me@gmail.com>
Signed-off-by: Raj Singh <raj@tailscale.com>
Co-authored-by: Zach Vacura <zach@hackzzila.com>
Co-authored-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Co-authored-by: shreealt <shreemaanabhishek@apache.org>
Co-authored-by: 聪 <q1875486458@gmail.com>
Co-authored-by: zirain <zirain2009@gmail.com>
Co-authored-by: Sudipto Baral <sudiptobaral.me@gmail.com>
Co-authored-by: Raj Singh <raj@tailscale.com>
zhaohuabing added a commit that referenced this pull request Dec 5, 2025
* fix: oidc authentication endpoint was overwritten by discovered value (#7460)

fix: oid authentication endpoint was overridden by discovered value

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
(cherry picked from commit 50dcb15)
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* fix: do not return 500 for all requests when part of BackendRefs are invalid (#7488)

* do not return 500 for all requests when part of BackendRefs are invalid

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
(cherry picked from commit 2899416)
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* fix: prevent skeleton route status entries for unmanaged GatewayClasses (#7536)

* fix: prevent skeleton route status entries for unmanaged GatewayClasses

When processing policies (EnvoyExtensionPolicy, SecurityPolicy), the translator
was calling GetRouteParentContext for ALL parentRefs in a route, even those
referencing gateways with different GatewayClasses not managed by this translator.

GetRouteParentContext creates a skeleton RouteParentStatus entry with just the
controllerName when called on a parentRef that hasn't been processed yet. Since
all GatewayClass instances share the same controller name, these skeleton entries
persisted in status without conditions.

The fix checks if a parentRef context already exists before attempting to apply
policy configuration to it. If the context doesn't exist, it means this parentRef
wasn't processed by this translator and should be skipped.

Signed-off-by: Raj Singh <raj@tailscale.com>

* fix: also prevent skeleton entries in BackendTrafficPolicy processing

The same issue exists in BackendTrafficPolicy route processing - calling
GetRouteParentContext for all parentRefs creates skeleton status entries.

Apply the same fix: check if parentRef context exists before adding to list.

Signed-off-by: Raj Singh <raj@tailscale.com>

---------

Signed-off-by: Raj Singh <raj@tailscale.com>
(cherry picked from commit ff13742)
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* treat too many addresses as programmed (#7542)

Signed-off-by: cong <q1875486458@gmail.com>
(cherry picked from commit 7cb5f72)
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* benchmark: fix cpu sampling (#7581)

use fixed duration for cpu rate

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
(cherry picked from commit 536486f)
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* chore: bump golang.org/x/crypto (#7588)

* chore: bump golang.org/x/crypto

Signed-off-by: zirain <zirain2009@gmail.com>

* fix gen

Signed-off-by: zirain <zirain2009@gmail.com>

---------

Signed-off-by: zirain <zirain2009@gmail.com>
(cherry picked from commit 70fa59a)
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* findOwningGateway should return controller based on linked GatewayClass (#7611)

* fix: filter Gateway by controller in findOwningGateway

Prevent cross-controller Gateway mutations by validating GatewayClass

Signed-off-by: Sudipto Baral <sudiptobaral.me@gmail.com>
(cherry picked from commit ba8e0e2)
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* fix: use default when namespace is unset (#7612)

* fix: use default when namespace is unset

Signed-off-by: zirain <zirain2009@gmail.com>

* fix

Signed-off-by: zirain <zirain2009@gmail.com>

* fix test

Signed-off-by: zirain <zirain2009@gmail.com>

---------

Signed-off-by: zirain <zirain2009@gmail.com>
(cherry picked from commit be2cc73)
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* bump Gateway API v1.4.1 (#7653)

Signed-off-by: zirain <zirain2009@gmail.com>
(cherry picked from commit 0fa26d7)
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* update release note

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* fix gen check

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

* ci: add script to free disk space (#7534)

* feat: free disk space

Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>

* lint

Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>

* cleanup

Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>

* make target and tools/hack

Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>

* lint

Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>

* modular action

Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>

---------

Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>
(cherry picked from commit 4312f38)
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Raj Singh <raj@tailscale.com>
Signed-off-by: cong <q1875486458@gmail.com>
Signed-off-by: zirain <zirain2009@gmail.com>
Signed-off-by: Sudipto Baral <sudiptobaral.me@gmail.com>
Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>
Co-authored-by: Raj Singh <raj@tailscale.com>
Co-authored-by: 聪 <q1875486458@gmail.com>
Co-authored-by: zirain <zirain2009@gmail.com>
Co-authored-by: Sudipto Baral <sudiptobaral.me@gmail.com>
Co-authored-by: shreealt <shreemaanabhishek@apache.org>
Development

Successfully merging this pull request may close these issues.

SecurityPolicy oidc.provider.authorizationEndpoint ineffective without tokenEndpoint

3 participants