envoyproxy needs restart before securitypolicy takes action #2521
Comments
@zetaab, can you post the configuration of envoy's listener and route when it does not take effect?
@tmsnan It took a few attempts to reproduce. Routes: https://gist.github.com/zetaab/63a22a8d4db2a2a9c0edaf995d4abee8. In the listeners, the interesting information is perhaps the error state.
It looks like the cluster exists nowadays, but I am wondering whether the config modification order is wrong or something? The cluster needs to be applied first, and after that the oauth2 config itself. If the order is wrong (race condition?), could it end up in an error state? For me this is happening in something like 10-20% of cases. I am running this process in a loop (manually):
This is also visible in Prometheus metrics.
cc @zhaohuabing
This issue is quite easy to reproduce with a small Go program https://gist.github.com/zetaab/814fe46949c8739007f314463b5d8607 and manifests: route.yaml https://gist.github.com/zetaab/75d87db3afd666619f496a8d20e25dcc
Output from execution:
I tried to modify https://github.com/envoyproxy/gateway/blob/main/internal/xds/translator/translator.go#L304 to be executed before https://github.com/envoyproxy/gateway/blob/main/internal/xds/translator/translator.go#L162, but it does not help either. I am wondering whether this can be a race condition bug in envoygateway itself? If I check the logs from the envoy proxy itself, we can clearly see that the order of the calls is incorrect. Clusters should be updated before listeners.
Thanks for sharing the logs @zetaab! This really helps.
@arkodg I tried to look into this a little bit more. Now I am somewhere in https://github.com/envoyproxy/go-control-plane/blob/main/pkg/cache/v3/simple.go#L301-L304; the issue is that
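The ordering problem the thread describes, as an added example that is not part of the issue or of the Envoy Gateway code base: a small checker that replays xDS pushes and flags any listener delivered before a cluster its filters reference, plus the clusters-first reorder that avoids it. The `PushEvent` type, the resource names and the sample sequence are constructed for this example, not go-control-plane types or values.

```go
package main

// PushEvent is one xDS push in the order Envoy receives it (a constructed stand-in, not a go-control-plane type).
type PushEvent struct {
	Kind string   // "cluster" or "listener"
	Name string
	Refs []string // clusters this listener's filters reference, e.g. the OAuth2 token endpoint
}
// Violation records a listener pushed before a cluster it depends on.
type Violation struct{ Listener, Cluster string }
// SampleBadOrder is a constructed sequence mirroring the issue: the listener
// carrying the OAuth2 filter is pushed before the cluster it points at.
var SampleBadOrder = []PushEvent{
	{Kind: "listener", Name: "https", Refs: []string{"oidc-token-endpoint"}},
	{Kind: "cluster", Name: "oidc-token-endpoint"},
}

// CheckPushOrder replays the pushes and reports each listener that arrived before
// a cluster it references: Envoy rejects such a listener and keeps serving the old
// (unauthenticated) config until a restart replays the full state clusters-first.
func CheckPushOrder(events []PushEvent) []Violation {
	known := map[string]bool{}
	var out []Violation
	for _, e := range events {
		if e.Kind == "cluster" {
			known[e.Name] = true
			continue
		}
		for _, ref := range e.Refs {
			if !known[ref] {
				out = append(out, Violation{Listener: e.Name, Cluster: ref})
			}
		}
	}
	return out
}

// ClustersFirst is the mitigation: deliver every cluster before any listener,
// keeping the relative order within each kind.
func ClustersFirst(events []PushEvent) []PushEvent {
	var clusters, others []PushEvent
	for _, e := range events {
		if e.Kind == "cluster" {
			clusters = append(clusters, e)
		} else {
			others = append(others, e)
		}
	}
	return append(clusters, others...)
}
```

Running `CheckPushOrder(SampleBadOrder)` reports the `https` listener missing `oidc-token-endpoint`, while `CheckPushOrder(ClustersFirst(SampleBadOrder))` reports nothing.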
Description:
I am trying to add OIDC + JWT authentication to a single HTTPRoute. However, after the configuration is in place, it does not take effect until the envoyproxy is restarted.
Repro steps:
First create the HTTPRoute:
Works like it should. Then apply the SecurityPolicy:
The target is still working without authentication?
Restarting envoy and trying again:
Works like it should. Why is the restart needed?
Environment:
kube 1.29.1
Logs: