fix: prevent skeleton route status entries for unmanaged GatewayClasses (envoyproxy#7536)

rajsinghtech · jukie · commit a2783a05c674 · 2025-12-04T20:55:30.000-07:00
* fix: prevent skeleton route status entries for unmanaged GatewayClasses

When processing policies (EnvoyExtensionPolicy, SecurityPolicy), the translator
was calling GetRouteParentContext for ALL parentRefs in a route, even those
referencing gateways with different GatewayClasses not managed by this translator.

GetRouteParentContext creates a skeleton RouteParentStatus entry with just the
controllerName when called on a parentRef that hasn't been processed yet. Since
all GatewayClass instances share the same controller name, these skeleton entries
persisted in status without conditions.

The fix checks if a parentRef context already exists before attempting to apply
policy configuration to it. If the context doesn't exist, it means this parentRef
wasn't processed by this translator and should be skipped.

Signed-off-by: Raj Singh &lt;raj@tailscale.com&gt;

* fix: also prevent skeleton entries in BackendTrafficPolicy processing

The same issue exists in BackendTrafficPolicy route processing - calling
GetRouteParentContext for all parentRefs creates skeleton status entries.

Apply the same fix: check if parentRef context exists before adding to list.

Signed-off-by: Raj Singh &lt;raj@tailscale.com&gt;

---------

Signed-off-by: Raj Singh &lt;raj@tailscale.com&gt;
Signed-off-by: jukie &lt;10012479+jukie@users.noreply.github.com&gt;
diff --git a/internal/gatewayapi/envoyextensionpolicy.go b/internal/gatewayapi/envoyextensionpolicy.go
@@ -314,7 +314,12 @@ func (t *Translator) translateEnvoyExtensionPolicyForRoute(
 	prefix := irRoutePrefix(route)
 	parentRefs := GetParentReferences(route)
 	for _, p := range parentRefs {
-		parentRefCtx := GetRouteParentContext(route, p, t.GatewayControllerName)
+		// Skip if this parentRef was not processed by this translator
+		// (e.g., references a Gateway with a different GatewayClass)
+		parentRefCtx := route.GetRouteParentContext(p)
+		if parentRefCtx == nil {
+			continue
+		}
 		gtwCtx := parentRefCtx.GetGateway()
 		if gtwCtx == nil {
 			continue
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
@@ -659,7 +659,12 @@ func (t *Translator) translateSecurityPolicyForRoute(
 	prefix := irRoutePrefix(route)
 	parentRefs := GetParentReferences(route)
 	for _, p := range parentRefs {
-		parentRefCtx := GetRouteParentContext(route, p, t.GatewayControllerName)
+		// Skip if this parentRef was not processed by this translator
+		// (e.g., references a Gateway with a different GatewayClass)
+		parentRefCtx := route.GetRouteParentContext(p)
+		if parentRefCtx == nil {
+			continue
+		}
 		gtwCtx := parentRefCtx.GetGateway()
 		if gtwCtx == nil {
 			continue
