Updated release notes and comments as requested in the review.
Signed-off-by: Lior Okman <[email protected]>
liorokman committed Jan 8, 2025
1 parent 459b13a commit 0ffd03c
Showing 3 changed files with 16 additions and 1 deletion.
1 change: 1 addition & 0 deletions internal/xds/translator/extensionserver_test.go
Expand Up @@ -203,6 +203,7 @@ func (t *testingExtensionServer) PostHTTPListenerModify(_ context.Context, req *
// PostTranslateModifyHook inserts and overrides some clusters/secrets
func (t *testingExtensionServer) PostTranslateModify(_ context.Context, req *pb.PostTranslateModifyRequest) (*pb.PostTranslateModifyResponse, error) {
for _, cluster := range req.Clusters {
// This simulates an extension server that returns an error. It allows verifying that fail-close is working.
if edsConfig := cluster.GetEdsClusterConfig(); edsConfig != nil {
if strings.Contains(edsConfig.ServiceName, "fail-close-error") {
return &pb.PostTranslateModifyResponse{
14 changes: 14 additions & 0 deletions internal/xds/translator/translator.go
Expand Up @@ -122,6 +122,8 @@ func (t *Translator) Translate(xdsIR *ir.Xds) (*types.ResourceVersionTable, erro
// If no extension exists (or it doesn't subscribe to this hook) then this is a quick no-op
if err := processExtensionPostTranslationHook(tCtx, t.ExtensionManager); err != nil {
errs = errors.Join(errs, err)
// Setting the configuration to fail open will mean that Envoy Gateway ignores the error and keeps the resources
// as they were before the extension server was called.
if t.ExtensionManager != nil && !(*t.ExtensionManager).FailOpen() {
for _, listener := range tCtx.XdsResources[resourcev3.ListenerType] {
errs = errors.Join(errs, clearListenerRoutes(listener.(*listenerv3.Listener)))
Expand Down Expand Up @@ -186,6 +188,10 @@ func (t *Translator) notifyExtensionServerAboutListeners(
}
if err := processExtensionPostListenerHook(tCtx, listener, policies, t.ExtensionManager); err != nil {
errs = errors.Join(errs, err)
// If the extension server returns an error, and the extension server is not configured to fail open,
// then replace all of the routes in the virtual host with a single route that returns an InternalServerError result.
// Setting the configuration to fail open will mean that Envoy Gateway ignores the error and keeps the routes
// as they were before the extension server was called.
if !(*t.ExtensionManager).FailOpen() {
errs = errors.Join(errs, clearListenerRoutes(listener))
}
Expand Down Expand Up @@ -516,6 +522,10 @@ func (t *Translator) addRouteToRouteConfig(
// If no extension exists (or it doesn't subscribe to this hook) then this is a quick no-op.
if err = processExtensionPostRouteHook(xdsRoute, vHost, httpRoute, t.ExtensionManager); err != nil {
errs = errors.Join(errs, err)
// If the extension server returns an error, and the extension server is not configured to fail open,
// then replace the route with one that returns an InternalServerError result.
// Setting the configuration to fail open will mean that Envoy Gateway ignores the error and keeps the route
// as it was before the extension server was called.
if t.ExtensionManager != nil && !(*t.ExtensionManager).FailOpen() {
xdsRoute.Action = &routev3.Route_DirectResponse{DirectResponse: buildXdsDirectResponseAction(&ir.CustomResponse{
StatusCode: ptr.To(uint32(http.StatusInternalServerError)),
Expand Down Expand Up @@ -572,6 +582,10 @@ func (t *Translator) addRouteToRouteConfig(
// If no extension exists (or it doesn't subscribe to this hook) then this is a quick no-op.
if err = processExtensionPostVHostHook(vHost, t.ExtensionManager); err != nil {
errs = errors.Join(errs, err)
// If the extension server returns an error, and the extension server is not configured to fail open,
// then replace all of the virtual hosts such that accessing them returns an InternalServerError result.
// Setting the configuration to fail open will mean that Envoy Gateway ignores the error and keeps the routes
// as they were before the extension server was called.
if t.ExtensionManager != nil && !(*t.ExtensionManager).FailOpen() {
vHost.Routes = []*routev3.Route{
{
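Review bot: The fail-closed branch `if !(*t.ExtensionManager).FailOpen()` in the notifyExtensionServerAboutListeners hunk dereferences t.ExtensionManager without the `t.ExtensionManager != nil &&` guard that the sibling branches in Translate, the PostRoute hook and the PostVHost hook all carry; notifyExtensionServerAboutListeners starts outside the hunk, so it may already return early on a nil manager, but if it does not, the error path would dereference a nil pointer exactly when the translator is trying to fail closed. For consistency the line would read `if t.ExtensionManager != nil && !(*t.ExtensionManager).FailOpen() {`. The new comment above that branch says the routes "in the virtual host" are replaced, while the call is `clearListenerRoutes(listener)`, which operates on the listener; wording it as "replace all of the routes attached to the listener with a single route that returns an InternalServerError result" would match the code. In the Translate hunk the new comment describes only the fail-open case; adding one sentence stating that fail-closed clears the routes of every listener so requests receive an InternalServerError, as the other three comments do, would make the four consistent.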
2 changes: 1 addition & 1 deletion release-notes/current.yaml
Expand Up @@ -7,7 +7,7 @@ breaking changes: |
An empty TLS ALPNProtocols list is now treated as user-defined disablement of the TLS ALPN extension.
Outlier detection (passive health check) is now disabled by default.
refer to https://gateway.envoyproxy.io/docs/api/extension_types/#backendtrafficpolicy for working with passive health checks.
Envoy Gateway treats errors in calls to an extension service as fail-closed by default. The previous behavior can be enabled by setting the `failOpen` field to `true` in the extension service configuration.
Envoy Gateway treats errors in calls to an extension service as fail-closed by default. Any error returned from the extension server will replace the affected resource with an "Internal Server Error" immediate response. The previous behavior can be enabled by setting the `failOpen` field to `true` in the extension service configuration.

# Updates addressing vulnerabilities, security flaws, or compliance requirements.
security updates: |