gatewayapi: render namespace before EnvoyProxyRef resolution #4756
Open
electricjesus wants to merge 1 commit into tigera:master from
When a GatewayAPI CR is created on a fresh install with envoyProxyRef set on a GatewayClass pointing at an EnvoyProxy in the operator-managed tigera-gateway namespace, reconcile would early-return on the missing EnvoyProxy before reaching the non-CRD render that creates the namespace. Users could not create the EnvoyProxy because the namespace did not exist, deadlocking the controller in Degraded state. Render the namespace alongside CRDs, before EnvoyProxyRef resolution, so the namespace is always present as part of the operator's contract for any GatewayAPI CR. The existing non-CRD pass continues to apply the namespace later (idempotent), keeping the GatewayAPI CR as owner so the namespace is still cleaned up on CR removal.
Description
Bug fix in the gatewayapi controller. Components affected: pkg/controller/gatewayapi, pkg/render/gatewayapi.

When a GatewayAPI CR is created on a fresh install with envoyProxyRef set on a GatewayClass pointing at an EnvoyProxy in the operator-managed tigera-gateway namespace, reconcile early-returns at pkg/controller/gatewayapi/gatewayapi_controller.go:350 on the missing EnvoyProxy before reaching the non-CRD render at gatewayapi_controller.go:419 that creates the namespace. Users can't create the EnvoyProxy because the namespace doesn't exist, so the controller deadlocks in Degraded state with:

This PR splits the namespace render out of the non-CRD component into a new GatewayAPINamespaceComponent and applies it early, alongside CRDs and before EnvoyProxyRef resolution. The tigera-gateway namespace is part of the operator's contract for any GatewayAPI CR, so it should always exist; otherwise users can't pre-create custom EnvoyProxy resources in it.

The new component is owned by the GatewayAPI CR (same as before), so the namespace is still cleaned up when the CR is removed. CreateOrUpdateOrDelete is idempotent on the existing namespace, so existing clusters are unaffected.

Testing
make ut UT_DIR=./pkg/controller/gatewayapi — 14/14 pass; added 1 regression test covering the bug case (EnvoyProxyRef configured but EnvoyProxy missing → namespace still rendered)
make ut UT_DIR=./pkg/render/gatewayapi
GatewayAPI with envoyProxyRef pointing at a not-yet-existent EnvoyProxy in tigera-gateway → tigera-gateway namespace created within seconds, tigerastatus gatewayapi Degraded with the expected Error reading EnvoyProxyRef; then apply the EnvoyProxy → reconcile completes, gatewayapi Available=True, envoy-gateway pod Running, GatewayClass tigera-gateway-class Accepted

Release Note
For PR author
make gen-files
make gen-versions

For PR reviewers
kind/bug if this is a bugfix.
kind/enhancement if this is a new feature.
enterprise if this PR applies to Calico Enterprise only.
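The ordering problem described in this PR, reduced to a toy model. This is an added example, not code from the pull request or the operator. The cluster type, the reconcile and converges functions, and the EnvoyProxy name custom-proxy are constructed for illustration.

```go
package main

import "fmt"

// Constructed toy model: a cluster is a set of namespaces plus the
// EnvoyProxy objects users created in them (key "namespace/name").
type cluster struct {
	namespaces map[string]bool
	proxies    map[string]bool
}

const gatewayNS = "tigera-gateway"

// userCreateProxy mimics an API server rejecting an object whose
// namespace does not exist yet.
func (c *cluster) userCreateProxy(ns, name string) error {
	if !c.namespaces[ns] {
		return fmt.Errorf("namespace %q not found", ns)
	}
	c.proxies[ns+"/"+name] = true
	return nil
}

// reconcile returns "Degraded" or "Available". nsFirst=false renders the
// namespace only after the EnvoyProxyRef lookup succeeds (the ordering the
// PR describes as buggy); nsFirst=true renders it before the lookup.
func reconcile(c *cluster, proxyRef string, nsFirst bool) string {
	if nsFirst {
		c.namespaces[gatewayNS] = true // early, idempotent render
	}
	if !c.proxies[proxyRef] {
		return "Degraded" // early return: referenced EnvoyProxy missing
	}
	c.namespaces[gatewayNS] = true // later non-CRD render, also idempotent
	return "Available"
}

// converges reconciles, lets the user try to create the EnvoyProxy,
// reconciles again, and reports the final status.
func converges(nsFirst bool) string {
	c := &cluster{namespaces: map[string]bool{}, proxies: map[string]bool{}}
	ref := gatewayNS + "/custom-proxy" // hypothetical EnvoyProxy name
	reconcile(c, ref, nsFirst)
	_ = c.userCreateProxy(gatewayNS, "custom-proxy") // fails if namespace absent
	return reconcile(c, ref, nsFirst)
}

func main() {
	fmt.Println("old:", converges(false), "new:", converges(true))
}
```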