Skip to content

fix: SecurityPolicy, BTP and EEP silently dropped/missing status for routes with ListenerSet parentRef#9410

Draft
EmileGoto wants to merge 12 commits into
envoyproxy:mainfrom
EmileGoto:fix/listenerset-strategicmerge-policy-9409
Draft

fix: SecurityPolicy, BTP and EEP silently dropped/missing status for routes with ListenerSet parentRef#9410
EmileGoto wants to merge 12 commits into
envoyproxy:mainfrom
EmileGoto:fix/listenerset-strategicmerge-policy-9409

Conversation

@EmileGoto

@EmileGoto EmileGoto commented Jul 2, 2026

Copy link
Copy Markdown

What type of PR is this?

Bug fix.

What this PR does / why we need it

When an HTTPRoute used parentRefs that pointed to a ListenerSet, processSecurityPolicyForRoute, processBackendTrafficPolicyForRoute, and processEnvoyExtensionPolicyForRoute skipped those parents while iterating over parentRefs. They only handled cases where Kind == nil or Kind == Gateway, so parentRefCtxs and ancestorRefs remained empty.

For policies using mergeType: StrategicMerge, this caused the merge loop to iterate over an empty parentRefCtxs slice, silently dropping the policy without setting any status on the route.

For EnvoyExtensionPolicy, which does not use StrategicMerge, the policy was still applied, but all related status conditions were lost, including Accepted, error reporting, and overridden cross-notification.

This PR adds an else if isRefToListenerSet(p) branch to all three functions that:

fetches the RouteParentContext for the ListenerSet parentRef,
appends it to parentRefCtxs so the merge logic can run,
populates gatewayRouteMap using the backing Gateway NamespacedName, since gatewayPolicyMap is keyed by Gateway rather than ListenerSet,
adds one ancestor ref per backing Gateway for status and error reporting.

Which issue(s) this PR fixes

Fixes #9409

PR Checklist

  • Authorship & ownership: Coding agents / AI assistants are welcome, but I have reviewed every change, understand how and why it works, can explain and maintain it, and take full responsibility for this PR. I have not submitted generated output I do not understand.
  • DCO: All commits are signed off (git commit -s). See DCO: Sign your work.
  • API agreed first: If this PR contains API changes (changes under /api), the API was discussed and agreed before the implementation. N/A if this PR does not contain API changes.
  • Required checks pass: make generate gen-check, make lint, and the unit-test/coverage build pass.
  • Tests added/updated: New/changed code is covered by appropriate tests. N/A if this PR does not contain code changes.
  • Docs: User-facing changes update the docs, either in this PR or a follow-up PR. N/A if this PR does not contain user-facing changes.
  • Release notes: For any non-trivial change, added a release-note fragment under release-notes/current/<section>/<pr-number>-<slug>.md. N/A if this PR does not contain non-trivial changes.
  • Generated files committed: Ran make gen-check and committed the result if API/helm charts/modules changed.
  • Scope & compatibility: The PR is reasonably scoped (no unrelated changes) and preserves backward compatibility, or any breaking change is called out above and documented in release-notes/current/breaking_changes/.
  • Codex review: Requested a Codex review and addressed all of its comments.
  • Copilot review: Requested a Copilot review and addressed all of its comments.

@netlify

netlify Bot commented Jul 2, 2026

Copy link
Copy Markdown

Deploy Preview for cerulean-figolla-1f9435 ready!

Name Link
🔨 Latest commit 4b2e656
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/6a47e89fc6820400080a40ed
😎 Deploy Preview https://deploy-preview-9410--cerulean-figolla-1f9435.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@EmileGoto EmileGoto changed the title gatewayapi: handle ListenerSet parentRefs in SecurityPolicy/BackendTrafficPolicy merge for routes fix: SecurityPolicy and BackendTrafficPolicy StrategicMerge silently dropped for routes with ListenerSet parentRef Jul 2, 2026
When an HTTPRoute uses parentRefs pointing to a ListenerSet, both
processSecurityPolicyForRoute and processBackendTrafficPolicyForRoute
skipped ListenerSet-kind parents entirely, leaving parentRefCtxs and
ancestorRefs empty.

With mergeType: StrategicMerge the merge loop iterates parentRefCtxs,
so an empty slice silently drops the policy with no status entry.

Fix: add an else-if branch for isRefToListenerSet(p) that:
- fetches the RouteParentContext (which already holds the underlying
  Gateway listeners, populated during route attachment)
- appends it to parentRefCtxs so the merge loop executes
- populates gatewayRouteMap using the backing Gateway NN (derived from
  listener.gateway), since gatewayPolicyMap is keyed by Gateway NN
- adds one ancestor ref per backing Gateway for error status reporting

Fixes envoyproxy#9409

Signed-off-by: Emile <emile.boutin@goto.com>
@EmileGoto EmileGoto force-pushed the fix/listenerset-strategicmerge-policy-9409 branch from ce712f8 to 8ec1954 Compare July 2, 2026 16:01
EmileGoto added 2 commits July 2, 2026 12:27
…tenerSet route

Add two golden file test pairs that cover the case where an HTTPRoute
has a parentRef pointing to a ListenerSet (not a Gateway directly) and
is subject to a StrategicMerge policy:

- securitypolicy-with-merge-listenerset-route: gateway-level BasicAuth
  merged with a route-level CORS SecurityPolicy
- backendtrafficpolicy-strategic-merge-listenerset-route: gateway-level
  timeout merged with a route-level timeout override and bufferLimit

Both mirror their existing non-ListenerSet counterparts and fail without
the accompanying fix.

Signed-off-by: Emile <emile.boutin@goto.com>
@EmileGoto EmileGoto changed the title fix: SecurityPolicy and BackendTrafficPolicy StrategicMerge silently dropped for routes with ListenerSet parentRef fix: SecurityPolicy, BackendTrafficPolicy and EnvoyExtensionPolicy silently dropped/missing status for routes with ListenerSet parentRef Jul 2, 2026
EmileGoto added 2 commits July 2, 2026 12:56
Same ListenerSet-kind parentRef was skipped in processEnvoyExtensionPolicyForRoute,
causing all status conditions (Accepted, Overridden, error reporting) to be silently
lost for routes attached via a ListenerSet.

Add the same isRefToListenerSet branch to populate gatewayRouteMap and ancestorRefs
from the backing Gateway listeners.

Add testdata coverage: envoyextensionpolicy-listenerset-route.

Signed-off-by: Emile <emile.boutin@goto.com>
Move GetGateway() call before parentRefCtxs append in all three policy
functions (SecurityPolicy, BackendTrafficPolicy, EnvoyExtensionPolicy).
Skip the ListenerSet parentRef early if the backing Gateway context is
nil, avoiding the inner conditional for the ancestorRef append.

Signed-off-by: Emile <emile.boutin@goto.com>
@EmileGoto EmileGoto marked this pull request as ready for review July 3, 2026 00:24
@EmileGoto EmileGoto requested a review from a team as a code owner July 3, 2026 00:24

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 34c327deb1

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread internal/gatewayapi/backendtrafficpolicy.go Outdated
@EmileGoto EmileGoto marked this pull request as draft July 3, 2026 01:33
@EmileGoto EmileGoto force-pushed the fix/listenerset-strategicmerge-policy-9409 branch from b7f6a94 to 09e54a7 Compare July 3, 2026 13:36
@EmileGoto EmileGoto changed the title fix: SecurityPolicy, BackendTrafficPolicy and EnvoyExtensionPolicy silently dropped/missing status for routes with ListenerSet parentRef fix: SecurityPolicy, BTP and EEP silently dropped/missing status for routes with ListenerSet parentRef Jul 3, 2026
EmileGoto added 2 commits July 3, 2026 09:41
…nerSet parentRef

When a policy (BackendTrafficPolicy, SecurityPolicy, EnvoyExtensionPolicy)
targets an HTTPRoute that uses a ListenerSet parentRef, the policy status
ancestors were silently dropped because the translation path had no handling
for ListenerSet parentRefs.

- Add else-if branch for isRefToListenerSet in BTP, SP and EEP route processing
- Return backing GatewayContext from GetReferencedListeners for status use
- Add GetBackingGateway() on RouteParentContext for policy ancestor reporting
- Store backingGateway on RouteParentContext when no listeners match/are allowed
- Report Accepted=False/TargetNotFound with Gateway ancestor when no listeners
  in the ListenerSet match the parentRef sectionName

Fixes: envoyproxy#9409
Signed-off-by: Emile <emile.boutin@goto.com>
…testdata to targetRefs

Update existing test fixture to use the current targetRefs field
instead of the deprecated targetRef singular field.

Signed-off-by: Emile <emile.boutin@goto.com>
@EmileGoto EmileGoto force-pushed the fix/listenerset-strategicmerge-policy-9409 branch from b0f886d to 7a405dc Compare July 3, 2026 13:41
@EmileGoto EmileGoto marked this pull request as ready for review July 3, 2026 15:40

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 255ed87ea4

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread internal/gatewayapi/securitypolicy.go Outdated
if parentRefCtx := targetedRoute.GetRouteParentContext(p); parentRefCtx != nil {
parentRefCtxs = append(parentRefCtxs, parentRefCtx)
}
} else if isRefToListenerSet(p) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Make ListenerSet status branch reachable

For SecurityPolicy routes whose parentRef is a ListenerSet, this new branch is never reached because the immediately preceding else if *p.Kind == resource.KindListenerSet matches every ListenerSet parentRef first. In the no-matching-listener case, the earlier branch appends a ListenerSet ancestor and a parent context with no listeners, so the merge loop is skipped and the final accepted-status helper marks the policy accepted instead of using the new Gateway TargetNotFound status added here; the new securitypolicy-with-merge-listenerset-route-no-matching-listener expected status therefore is not produced by this code path.

Useful? React with 👍 / 👎.

Signed-off-by: Emile <emile.boutin@goto.com>
@EmileGoto EmileGoto force-pushed the fix/listenerset-strategicmerge-policy-9409 branch from a7f4300 to 40d2960 Compare July 3, 2026 16:34
Signed-off-by: Emile <emile.boutin@goto.com>
@EmileGoto EmileGoto force-pushed the fix/listenerset-strategicmerge-policy-9409 branch from dd7dbf3 to 6f48cc8 Compare July 3, 2026 16:36
@EmileGoto EmileGoto marked this pull request as draft July 3, 2026 16:38
EmileGoto added 2 commits July 3, 2026 12:46
…dant test

The *p.Kind == resource.KindListenerSet block in processSecurityPolicyForRoute
now uses the same early-continue guard pattern as processBackendTrafficPolicyForRoute
and processEnvoyExtensionPolicyForRoute:
  - check parentRefCtx == nil → continue
  - check GetGateway() == nil → TargetNotFound + continue
  - append to parentRefCtxs

The securitypolicy-with-merge-listenerset-route test fixtures are removed:
PR envoyproxy#9270 already covers StrategicMerge with ListenerSet-attached routes via the
securitypolicy-listenerset-merge test (7 policy scenarios).

Signed-off-by: Emile <emile.boutin@goto.com>
…P, EEP

The nil-parentRefCtx case (wrong GatewayClass, silent skip) is
structurally distinct from the nil-gateway case (our GatewayClass but
no listeners matched, must report TargetNotFound). Use the nested
  if parentRefCtx := ...; parentRefCtx != nil {
      if parentRefCtx.GetGateway() == nil { ... } else { ... }
  }
pattern in all three policy translators so the silent-skip branch falls
off naturally without an explicit continue.

Signed-off-by: Emile <emile.boutin@goto.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

HTTPRoute/SecurityPolicy/ListenerSet - StategicMerge setup does not resolve to parent policy

1 participant