Skip to content

fix: isHTTPRouteFilterReferencingSecret always returns true#9340

Open
emilien-puget wants to merge 1 commit into
envoyproxy:mainfrom
emilien-puget:fix/httproutefilter-secret-predicate
Open

fix: isHTTPRouteFilterReferencingSecret always returns true#9340
emilien-puget wants to merge 1 commit into
envoyproxy:mainfrom
emilien-puget:fix/httproutefilter-secret-predicate

Conversation

@emilien-puget

Copy link
Copy Markdown

The isHTTPRouteFilterReferencingSecret function in predicates.go had 'return true' where 'return false' was intended when no HTTPRouteFilter references the given Secret. This caused validateSecretForReconcile to always return true when hrfCRDExists=true, triggering unnecessary reconciliations on every Secret change.

Added unit tests covering:

  • Secret not referenced by any HTTPRouteFilter (expect false)
  • Secret referenced by HTTPRouteFilter CredentialInjection (expect true)

Fixes https://github.com/envoyproxy/gateway/issues/9339`

@emilien-puget emilien-puget requested a review from a team as a code owner June 24, 2026 17:57
@netlify

netlify Bot commented Jun 24, 2026

Copy link
Copy Markdown

Deploy Preview for cerulean-figolla-1f9435 ready!

Name Link
🔨 Latest commit 38c877f
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/6a3c1cd3a5ef330008ab573d
😎 Deploy Preview https://deploy-preview-9340--cerulean-figolla-1f9435.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 13a9c25b03

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

}

return true
return false

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Honor credential ValueRef namespaces before skipping reconcile

When an HTTPRouteFilter credentialInjection valueRef.namespace points at a Secret in another namespace, this new false path skips reconciliation for that Secret because secretRouteFilterIndexFunc indexes HTTPRouteFilters under filter.Namespace instead of ValueRef.Namespace. The generated CRD explicitly allows cross-namespace valueRef.namespace with a ReferenceGrant, and the translator calls validateSecretRef(true, ...), so rotating that cross-namespace credential will no longer enqueue a reconcile and Envoy can keep using stale credentials until some unrelated event occurs.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the modification in internal/provider/kubernetes/indexers.go should take care of that cross namespace stuff, is it enough ?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@codex review

@emilien-puget emilien-puget force-pushed the fix/httproutefilter-secret-predicate branch 2 times, most recently from 5759e1a to b1f2401 Compare June 24, 2026 18:05
…-namespace index

Two bugs in the HTTPRouteFilter secret predicate path:

1. predicates.go: isHTTPRouteFilterReferencingSecret had 'return true' where
   'return false' was intended when no HTTPRouteFilter references the given
   Secret. This caused validateSecretForReconcile to always return true when
   hrfCRDExists=true, triggering unnecessary reconciliations on every Secret
   change.

2. indexers.go: secretRouteFilterIndexFunc indexed the Secret reference under
   filter.Namespace instead of the Secret's actual namespace. When
   ValueRef.Namespace points to a different namespace (allowed by the CRD
   with a ReferenceGrant), the index key was wrong and cross-namespace
   credential rotation would not trigger reconciliation. Fixed by using
   gatewayapi.NamespaceDerefOr to resolve the correct namespace, matching
   the pattern used by secretSecurityPolicyIndexFunc and
   secretEnvoyExtensionPolicyIndexFunc.

Added unit tests covering:
- Secret not referenced by any HTTPRouteFilter (expect false)
- Secret referenced by HTTPRouteFilter CredentialInjection, same namespace (expect true)
- Secret in another namespace referenced via ValueRef.Namespace (expect true)

Signed-off-by: Emilien Puget <emilien.puget@numspot.com>
@emilien-puget emilien-puget force-pushed the fix/httproutefilter-secret-predicate branch from b1f2401 to 38c877f Compare June 24, 2026 18:07

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 38c877fb3e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

secretReferences = append(secretReferences,
types.NamespacedName{
Namespace: filter.Namespace,
Namespace: gatewayapi.NamespaceDerefOr(filter.Spec.CredentialInjection.Credential.ValueRef.Namespace, filter.Namespace),

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Load the referenced namespace for HRF secrets

When CredentialInjection.Credential.ValueRef.Namespace is set, this index now makes the remote Secret pass validateSecretForReconcile, but the reconcile path still fetches the credential from the HTTPRouteFilter namespace in internal/provider/kubernetes/filters.go:112 and only inserts that namespace into the resource tree. As a result, a cross-namespace credential Secret change is enqueued but the translator still cannot see the remote Secret, so the configuration remains stale or invalid despite the new cross-namespace test expectation.

Useful? React with 👍 / 👎.

@codecov

codecov Bot commented Jun 25, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.22%. Comparing base (3619397) to head (38c877f).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #9340      +/-   ##
==========================================
+ Coverage   75.17%   75.22%   +0.04%     
==========================================
  Files         252      252              
  Lines       41049    41049              
==========================================
+ Hits        30858    30878      +20     
+ Misses       8094     8075      -19     
+ Partials     2097     2096       -1     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

is isHTTPRouteFilterReferencingSecret too eager ?

1 participant