fix: truncate status condition messages to 32768 (#7159)

arkodg · web-flow · commit 74083dfd4a81 · 2025-10-08T16:07:33.000-07:00
* fix: truncate status condition messages to 32768 Fixes: #7146 Signed-off-by: Arko Dasgupta <arko@tetrate.io>
diff --git a/internal/gatewayapi/status/conditions.go b/internal/gatewayapi/status/conditions.go
@@ -22,21 +22,27 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+const (
+	conditionMessageMaxLength        = 32768
+	conditionMessageTruncationSuffix = " (message truncated)."
+)
+
 // MergeConditions adds or updates matching conditions, and updates the transition
 // time if details of a condition have changed. Returns the updated condition array.
 func MergeConditions(conditions []metav1.Condition, updates ...metav1.Condition) []metav1.Condition {
 	var additions []metav1.Condition
-	for i, update := range updates {
+	for i := range updates {
+		updates[i].Message = truncateConditionMessage(updates[i].Message)
 		add := true
-		for j, cond := range conditions {
-			if cond.Type == update.Type {
+		for j := range conditions {
+			if conditions[j].Type == updates[i].Type {
 				add = false
-				if conditionChanged(&cond, &update) {
-					conditions[j].Status = update.Status
-					conditions[j].Reason = update.Reason
-					conditions[j].Message = update.Message
-					conditions[j].ObservedGeneration = update.ObservedGeneration
-					conditions[j].LastTransitionTime = update.LastTransitionTime
+				if conditionChanged(&conditions[j], &updates[i]) {
+					conditions[j].Status = updates[i].Status
+					conditions[j].Reason = updates[i].Reason
+					conditions[j].Message = updates[i].Message
+					conditions[j].ObservedGeneration = updates[i].ObservedGeneration
+					conditions[j].LastTransitionTime = updates[i].LastTransitionTime
 					break
 				}
 			}
@@ -54,7 +60,7 @@ func newCondition(t string, status metav1.ConditionStatus, reason, msg string, l
 		Type:               t,
 		Status:             status,
 		Reason:             reason,
-		Message:            msg,
+		Message:            truncateConditionMessage(msg),
 		LastTransitionTime: metav1.NewTime(lt),
 		ObservedGeneration: og,
 	}
@@ -95,3 +101,11 @@ func Error2ConditionMsg(err error) string {
 	// Convert the rune slice back to a string
 	return string(runes)
 }
+
+func truncateConditionMessage(msg string) string {
+	if len(msg) <= conditionMessageMaxLength {
+		return msg
+	}
+	suffixLen := len(conditionMessageTruncationSuffix)
+	return msg[:conditionMessageMaxLength-suffixLen] + conditionMessageTruncationSuffix
+}
diff --git a/internal/gatewayapi/status/conditions_test.go b/internal/gatewayapi/status/conditions_test.go
@@ -15,6 +15,7 @@ package status
 
 import (
 	"errors"
+	"strings"
 	"testing"
 	"time"
 
@@ -185,6 +186,20 @@ func TestMergeConditions(t *testing.T) {
 	}
 }
 
+func TestMergeConditionsTruncatesMessages(t *testing.T) {
+	longMsg := strings.Repeat("x", conditionMessageMaxLength+5)
+	cond := newCondition("available", metav1.ConditionTrue, "Reason", longMsg, time.Now(), 1)
+	conditions := MergeConditions(nil, cond)
+
+	if assert.Len(t, conditions, 1) {
+		assert.Len(t, conditions[0].Message, conditionMessageMaxLength)
+		prefixLen := conditionMessageMaxLength - len(conditionMessageTruncationSuffix)
+		expectedPrefix := strings.Repeat("x", prefixLen)
+		assert.True(t, strings.HasSuffix(conditions[0].Message, conditionMessageTruncationSuffix))
+		assert.Equal(t, expectedPrefix, conditions[0].Message[:prefixLen])
+	}
+}
+
 func TestError2ConditionMsg(t *testing.T) {
 	testCases := []struct {
 		name   string
diff --git a/internal/gatewayapi/status/policy.go b/internal/gatewayapi/status/policy.go
@@ -86,6 +86,8 @@ func SetConditionForPolicyAncestor(policyStatus *gwapiv1a2.PolicyStatus, ancesto
 		policyStatus.Ancestors = []gwapiv1a2.PolicyAncestorStatus{}
 	}
 
+	sanitizedMessage := truncateConditionMessage(message)
+
 	// Find existing ancestor first
 	for i, ancestor := range policyStatus.Ancestors {
 		if string(ancestor.ControllerName) == controllerName && ancestorRefsEqual(&ancestor.AncestorRef, ancestorRef) {
@@ -94,21 +96,21 @@ func SetConditionForPolicyAncestor(policyStatus *gwapiv1a2.PolicyStatus, ancesto
 				if existingCond.Type == string(conditionType) &&
 					existingCond.Status == status &&
 					existingCond.Reason == string(reason) &&
-					existingCond.Message == message &&
+					existingCond.Message == sanitizedMessage &&
 					existingCond.ObservedGeneration == generation {
 					return
 				}
 			}
 
 			// Only create condition and merge if needed
-			cond := newCondition(string(conditionType), status, string(reason), message, time.Now(), generation)
+			cond := newCondition(string(conditionType), status, string(reason), sanitizedMessage, time.Now(), generation)
 			policyStatus.Ancestors[i].Conditions = MergeConditions(policyStatus.Ancestors[i].Conditions, cond)
 			return
 		}
 	}
 
 	// Add condition for new PolicyAncestorStatus
-	cond := newCondition(string(conditionType), status, string(reason), message, time.Now(), generation)
+	cond := newCondition(string(conditionType), status, string(reason), sanitizedMessage, time.Now(), generation)
 	policyStatus.Ancestors = append(policyStatus.Ancestors, gwapiv1a2.PolicyAncestorStatus{
 		AncestorRef:    *ancestorRef,
 		ControllerName: gwapiv1a2.GatewayController(controllerName),
diff --git a/internal/gatewayapi/status/policy_test.go b/internal/gatewayapi/status/policy_test.go
@@ -0,0 +1,36 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package status
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+)
+
+func TestSetConditionForPolicyAncestorsTruncatesMessages(t *testing.T) {
+	longMsg := strings.Repeat("x", conditionMessageMaxLength+5)
+	policyStatus := &gwapiv1a2.PolicyStatus{}
+	ancestorRef := &gwapiv1a2.ParentReference{Name: gwapiv1a2.ObjectName("example")}
+
+	SetConditionForPolicyAncestors(policyStatus, []*gwapiv1a2.ParentReference{ancestorRef}, "example.com/controller",
+		gwapiv1a2.PolicyConditionAccepted, metav1.ConditionTrue, gwapiv1a2.PolicyReasonAccepted, longMsg, 1)
+
+	if assert.Len(t, policyStatus.Ancestors, 1) {
+		ancestor := policyStatus.Ancestors[0]
+		if assert.Len(t, ancestor.Conditions, 1) {
+			gotMsg := ancestor.Conditions[0].Message
+			assert.Len(t, gotMsg, conditionMessageMaxLength)
+			prefixLen := conditionMessageMaxLength - len(conditionMessageTruncationSuffix)
+			expectedPrefix := strings.Repeat("x", prefixLen)
+			assert.True(t, strings.HasSuffix(gotMsg, conditionMessageTruncationSuffix))
+			assert.Equal(t, expectedPrefix, gotMsg[:prefixLen])
+		}
+	}
+}
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
@@ -32,6 +32,7 @@ bug fixes: |
   Fixed service account token handling in GatewayNamespaceMode to use SDS for properly refreshing expired token.
   Fixed handling of regex meta characters in prefix match replace for URL rewrite.
   Disabled the default emission of `x-envoy-ratelimited` headers from the rate limit filter; re-enable with the `enableEnvoyHeaders` setting in ClientTrafficPolicy.
+  Truncated Gateway API status condition messages to stay within Kubernetes limits and prevent update failures.
 
 # Enhancements that improve performance.
 performance improvements: |
