Skip to content

fix: skip provision when IR Infra is invalid #7754

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
zirain merged 9 commits into from
Feb 4, 2026
Merged

fix: skip provision when IR Infra is invalid #7754

Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
57ec432
fix: do not trigger IR deletion when EnvoyProxy is invalid
zirain Dec 17, 2025
c839278
add Invalid to ir.Infra
zirain Jan 20, 2026
92c9522
fix gen
zirain Jan 20, 2026
48a3d9c
add e2e
zirain Jan 20, 2026
740ec80
remove invalid
zirain Jan 30, 2026
051d32d
add comments
zirain Feb 2, 2026
c74d004
update
zirain Feb 3, 2026
fb98dea
merge loop
zirain Feb 3, 2026
422b0d6
move back
zirain Feb 4, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 55 additions & 0 deletions internal/cmd/egctl/testdata/translate/out/invalid-envoyproxy.all.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,3 +41,58 @@ gatewayClass:
reason: InvalidParameters
status: "False"
type: Accepted
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: eg
namespace: default
spec:
gatewayClassName: eg
listeners:
- allowedRoutes:
namespaces:
from: Same
name: tcp
port: 1234
protocol: TCP
- allowedRoutes:
namespaces:
from: Same
name: udp
port: 1234
protocol: UDP
- allowedRoutes:
namespaces:
from: Same
hostname: foo.com
name: tls-passthrough
port: 8443
protocol: TLS
tls:
mode: Passthrough
- allowedRoutes:
kinds:
- group: gateway.networking.k8s.io
kind: HTTPRoute
namespaces:
from: Same
name: http
port: 80
protocol: HTTP
- allowedRoutes:
kinds:
- group: gateway.networking.k8s.io
kind: GRPCRoute
namespaces:
from: Same
name: grpc
port: 8080
protocol: HTTP
status:
conditions:

@arkodg arkodg Feb 4, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

follow up, should this be Accepted:True and ResolvedRefs:False ?
cc @zhaohuabing

@zirain zirain Feb 4, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we use RefNotPermitted here?

	// This condition indicates whether the controller was able to resolve all
	// the object references for the Gateway that are not part of a specific
	// Listener configuration, and also provides a positive-polarity summary of
	// Listener's "ResolvedRefs" condition. This condition does not directly
	// impact the Gateway's Accepted or Programmed conditions.
	//
	// Possible reasons for this condition to be True are:
	//
	// * "ResolvedRefs"
	//
	// Possible reasons for this condition to be False are:
	//
	// * "RefNotPermitted"
	// * "InvalidClientCertificateRef"
	// * "ListenersNotResolved"
	//
	// Controllers may raise this condition with other reasons, but should
	// prefer to use the reasons listed above to improve interoperability.
	//
	// Note: This condition is considered Experimental and may change in future
	// releases of the API.

@arkodg arkodg Feb 8, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

probably ListenersNotResolved, from https://github.com/kubernetes-sigs/gateway-api/blob/8ecfe98081f74aec9eb8c44ef265380e2edb9094/apis/v1/gateway_types.go#L1323
RefNotPermitted seems more scoped to ReferenceGrant issues

- lastTransitionTime: null
message: 'Invalid parametersRef:: dynamic_resources cannot be modified'
reason: InvalidParameters
status: "False"
type: Accepted
40 changes: 38 additions & 2 deletions internal/gatewayapi/testdata/envoyproxy-accesslog-with-bad-sinks.out.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,41 @@ gatewayClass:
reason: InvalidParameters
status: "False"
type: Accepted
infraIR: {}
xdsIR: {}
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: gateway-1
namespace: envoy-gateway
spec:
gatewayClassName: envoy-gateway-class
listeners:
- allowedRoutes:
namespaces:
from: Same
name: http
port: 80
protocol: HTTP
status:
conditions:
- lastTransitionTime: null
message: 'Invalid parametersRef:: [unable to configure access log when using
File sink type but "file" field being empty, unable to configure access log
when using OpenTelemetry sink type but "openTelemetry" field being empty]'
reason: InvalidParameters
status: "False"
type: Accepted
infraIR:
envoy-gateway/gateway-1:
proxy:
metadata:
labels:
gateway.envoyproxy.io/owning-gateway-name: gateway-1
gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
ownerReference:
kind: GatewayClass
name: envoy-gateway-class
name: envoy-gateway/gateway-1
namespace: envoy-gateway-system
xdsIR:
envoy-gateway/gateway-1: {}
82 changes: 82 additions & 0 deletions internal/gatewayapi/testdata/envoyproxy-for-gatewayclass.in.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
gatewayClass:
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: envoy-gateway-class
spec:
controllerName: gateway.envoyproxy.io/gatewayclass-controller
parametersRef:
group: gateway.envoyproxy.io
kind: EnvoyProxy
name: invalid
namespace: envoy-gateway-system
envoyProxyForGatewayClass:
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
namespace: envoy-gateway
name: invalid
spec:
telemetry:
accessLog:
settings:
- format:
type: Text
text: |
[%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n
sinks:
- type: File
- type: ALS
- type: OpenTelemetry
envoyProxiesForGateways:
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
namespace: envoy-gateway
name: valid
spec:
telemetry:
accessLog:
settings:
- format:
type: Text
text: |
[%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n
sinks:
- type: File
file:
path: /dev/stdout
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
namespace: envoy-gateway
name: ep-from-gtw
spec:
gatewayClassName: envoy-gateway-class
listeners:
- name: http
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: Same
infrastructure:
parametersRef:
group: gateway.envoyproxy.io
kind: EnvoyProxy
name: valid
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
namespace: envoy-gateway
name: ep-from-gc
spec:
gatewayClassName: envoy-gateway-class
listeners:
- name: http
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: Same
190 changes: 190 additions & 0 deletions internal/gatewayapi/testdata/envoyproxy-for-gatewayclass.out.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,190 @@
gatewayClass:
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: envoy-gateway-class
spec:
controllerName: gateway.envoyproxy.io/gatewayclass-controller
parametersRef:
group: gateway.envoyproxy.io
kind: EnvoyProxy
name: invalid
namespace: envoy-gateway-system
status:
conditions:
- lastTransitionTime: null
message: 'Invalid parametersRef: [unable to configure access log when using
File sink type but "file" field being empty, unable to configure access log
when using OpenTelemetry sink type but "openTelemetry" field being empty]'
reason: InvalidParameters
status: "False"
type: Accepted
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: ep-from-gtw
namespace: envoy-gateway
spec:
gatewayClassName: envoy-gateway-class
infrastructure:
parametersRef:
group: gateway.envoyproxy.io
kind: EnvoyProxy
name: valid
listeners:
- allowedRoutes:
namespaces:
from: Same
name: http
port: 80
protocol: HTTP
status:
listeners:
- attachedRoutes: 0
conditions:
- lastTransitionTime: null
message: Sending translated listener configuration to the data plane
reason: Programmed
status: "True"
type: Programmed
- lastTransitionTime: null
message: Listener has been successfully translated
reason: Accepted
status: "True"
type: Accepted
- lastTransitionTime: null
message: Listener references have been resolved
reason: ResolvedRefs
status: "True"
type: ResolvedRefs
name: http
supportedKinds:
- group: gateway.networking.k8s.io
kind: HTTPRoute
- group: gateway.networking.k8s.io
kind: GRPCRoute
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: ep-from-gc
namespace: envoy-gateway
spec:
gatewayClassName: envoy-gateway-class
listeners:
- allowedRoutes:
namespaces:
from: Same
name: http
port: 80
protocol: HTTP
status:
conditions:
- lastTransitionTime: null
message: 'Invalid parametersRef:: [unable to configure access log when using
File sink type but "file" field being empty, unable to configure access log
when using OpenTelemetry sink type but "openTelemetry" field being empty]'
reason: InvalidParameters
status: "False"
type: Accepted
infraIR:
envoy-gateway/ep-from-gc:
proxy:
metadata:
labels:
gateway.envoyproxy.io/owning-gateway-name: ep-from-gc
gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
ownerReference:
kind: GatewayClass
name: envoy-gateway-class
name: envoy-gateway/ep-from-gc
namespace: envoy-gateway-system
envoy-gateway/ep-from-gtw:
proxy:
config:
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
name: valid
namespace: envoy-gateway
spec:
logging: {}
telemetry:
accessLog:
settings:
- format:
text: |
[%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n
type: Text
sinks:
- file:
path: /dev/stdout
type: File
status: {}
listeners:
- address: null
name: envoy-gateway/ep-from-gtw/http
ports:
- containerPort: 10080
name: http-80
protocol: HTTP
servicePort: 80
metadata:
labels:
gateway.envoyproxy.io/owning-gateway-name: ep-from-gtw
gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
ownerReference:
kind: GatewayClass
name: envoy-gateway-class
name: envoy-gateway/ep-from-gtw
namespace: envoy-gateway-system
xdsIR:
envoy-gateway/ep-from-gc: {}
envoy-gateway/ep-from-gtw:
accessLog:
text:
- format: |
[%START_TIME%] "%REQ(:METHOD)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n
path: /dev/stdout
globalResources:
proxyServiceCluster:
metadata:
kind: Service
name: envoy-envoy-gateway-ep-from-gtw-90cb3c57
namespace: envoy-gateway-system
sectionName: "8080"
name: envoy-gateway/ep-from-gtw
settings:
- addressType: IP
endpoints:
- host: 7.6.5.4
port: 8080
zone: zone1
metadata:
kind: Service
name: envoy-envoy-gateway-ep-from-gtw-90cb3c57
namespace: envoy-gateway-system
sectionName: "8080"
name: envoy-gateway/ep-from-gtw
protocol: TCP
http:
- address: 0.0.0.0
externalPort: 80
hostnames:
- '*'
isHTTP2: false
metadata:
kind: Gateway
name: ep-from-gtw
namespace: envoy-gateway
sectionName: http
name: envoy-gateway/ep-from-gtw/http
path:
escapedSlashesAction: UnescapeAndRedirect
mergeSlashes: true
port: 10080
readyListener:
address: 0.0.0.0
ipFamily: IPv4
path: /ready
port: 19003
16 changes: 14 additions & 2 deletions internal/gatewayapi/testdata/envoyproxy-gateway-accesslog-with-bad-sinks.out.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,5 +27,17 @@ gateways:
reason: InvalidParameters
status: "False"
type: Accepted
infraIR: {}
xdsIR: {}
infraIR:
envoy-gateway/gateway-1:
proxy:
metadata:
labels:
gateway.envoyproxy.io/owning-gateway-name: gateway-1
gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
ownerReference:
kind: GatewayClass
name: envoy-gateway-class
name: envoy-gateway/gateway-1
namespace: envoy-gateway-system
xdsIR:
envoy-gateway/gateway-1: {}
Loading