envoy: Delta SDS incorrectly sends an error response for an empty response
Title: Delta SDS incorrectly sends an error response for an empty response
Description:
Control plane sends resources:[], removed:[some resource]. Envoy rejects with:
2024-03-11T23:35:13.641010Z warning envoy config external/envoy/source/extensions/config_subscription/grpc/grpc_subscription_impl.cc:138 gRPC config for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret rejected: Missing SDS resources for kubernetes://sds-credential in onConfigUpdate() thread=25
This comes from https://github.com/envoyproxy/envoy/blob/708fa7b4d8269372fdac39b11caf2a3bf7b18d53/source/common/secret/sds_api.cc#L157 which only considers SotW.
Repro steps: I don’t have a trivial Envoy SDS setup for this in pure Envoy, but it’s pretty simple in Istio. Just create something like:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: echo
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      credentialName: sds-credential
      mode: SIMPLE
With istio latest (which uses delta xds now)
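The rejection described above, as a simplified C++ model added here for illustration (it is not Envoy's source and not part of the original issue): a check that only counts added resources rejects the resources:[], removed:[...] response, while a delta-aware check ignores a removal-only response, in line with the "Ignore Delta Removals" commit title. The `DeltaUpdate`, `Outcome` and `Result` types and both function names are hypothetical.

```cpp
// Added illustration: a simplified model of the validation, not Envoy source.
#include <iostream>
#include <string>
#include <vector>

// Hypothetical stand-in for one delta xDS response on an SDS subscription.
struct DeltaUpdate {
  std::vector<std::string> resources; // added or updated secret names
  std::vector<std::string> removed;   // removed secret names
};

enum class Outcome { Apply, Ignore, Reject };

struct Result {
  Outcome outcome;
  std::string error; // empty unless outcome == Reject
};

// Secret name taken from the log line in the report.
const std::string kName = "kubernetes://sds-credential";

// SotW-style check: only the count of added resources is examined, so a
// removal-only delta response looks like an empty (invalid) update.
Result validateSotwOnly(const std::string& name, const DeltaUpdate& u) {
  if (u.resources.empty())
    return {Outcome::Reject, "Missing SDS resources for " + name + " in onConfigUpdate()"};
  if (u.resources.size() != 1)
    return {Outcome::Reject, "expected exactly one SDS resource for " + name};
  return {Outcome::Apply, ""};
}

// Delta-aware check: a response carrying only removals is ignored rather than
// rejected. In this model "Ignore" means the loaded secret is left in place.
Result validateDeltaAware(const std::string& name, const DeltaUpdate& u) {
  if (u.resources.empty() && !u.removed.empty())
    return {Outcome::Ignore, ""};
  return validateSotwOnly(name, u);
}

int main() {
  // Constructed input matching the report: resources:[], removed:[name].
  const DeltaUpdate removalOnly{{}, {kName}};
  const Result before = validateSotwOnly(kName, removalOnly);
  const Result after = validateDeltaAware(kName, removalOnly);
  std::cout << "SotW-only:   " << (before.outcome == Outcome::Reject ? "reject: " + before.error : "ok") << "\n";
  std::cout << "delta-aware: " << (after.outcome == Outcome::Ignore ? "ignored" : "other") << "\n";
  return 0;
}
```

A response with neither additions nor removals is still rejected by both checks, so the delta-aware path does not mask a genuinely empty update.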
About this issue
- State: closed
- Created 4 months ago
- Comments: 18 (16 by maintainers)
Commits related to this issue
- sds: Ignore Delta Removals (#32961) Fixes #24373 and #32832 Risk Level: Low Testing: Manual testing with the Istio scenario described in #32832. Investigating how to add a unit test Release Note... — committed to envoyproxy/envoy by keithmattix 3 months ago
- sds: Ignore Delta Removals (#32961) Fixes #24373 and #32832 Risk Level: Low Testing: Manual testing with the Istio scenario described in #32832. Investigating how to add a unit test Release Note... — committed to alyssawilk/envoy by keithmattix 3 months ago
@keithmattix I’ll close this as dupe and assign you https://github.com/envoyproxy/envoy/issues/24373