fix(xds): deduplicate filter in inbound:passthrough filter chain #16080

Merged
lukidzi merged 1 commit into kumahq:master from lukidzi:fix-duplicate-filter-passthrough on Apr 1, 2026


@lukidzi lukidzi commented Mar 31, 2026

Motivation

Once a user has 2 services with the same port, we were creating duplicate filter chain matches, which caused Envoy to reject the configuration.

Implementation information

  • track seenPorts map and skip any port already added as a filter chain

Signed-off-by: Lukasz Dziedziak <lukidzi@gmail.com>
Copilot AI review requested due to automatic review settings March 31, 2026 23:32
@lukidzi lukidzi requested a review from a team as a code owner March 31, 2026 23:32
@lukidzi lukidzi requested review from lobkovilya and slonka March 31, 2026 23:32
@github-actions
Contributor

Reviewer Checklist

🔍 Each of these sections needs to be checked by the reviewer of the PR 🔍:
If something doesn't apply, please check the box and add a justification if the reason is non-obvious.

  • Is the PR title satisfactory? Is this part of a larger feature and should be grouped using > Changelog?
  • PR description is clear and complete. It links to relevant issue as well as docs and UI issues
  • This will not break child repos: it doesn't hardcode values (e.g. "kumahq" as an image registry)
  • IPv6 is taken into account (e.g. no string concatenation of host port)
  • Tests (Unit test, E2E tests, manual test on universal and k8s)
    • Don't forget ci/ labels to run additional/fewer tests
  • Does this contain a change that needs to be notified to users? In this case, UPGRADE.md should be updated.
  • Does it need to be backported according to the backporting policy? (this GH action will add "backport" label based on these file globs, if you want to prevent it from adding the "backport" label use no-backport-autolabel label)

Copilot AI left a comment

Pull request overview

This PR fixes an issue where duplicate services with the same port on a dataplane were creating duplicate Envoy filter chain matches, causing Envoy configuration to be rejected. The fix implements deduplication by tracking already-seen ports using a map and skipping ports that have already been processed.

Changes:

  • Added port deduplication logic in CreateInboundPassthroughListener() to prevent duplicate filter chains when strict inbound ports are enabled
  • Added a test case validating the behavior with duplicate ports [8080, 8080]
  • Added golden file showing the expected Envoy configuration with deduplication applied

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| pkg/xds/generator/transparent_proxy_generator.go | Adds seenPorts map to track processed ports and skip duplicates in the filter chain loop |
| pkg/xds/generator/transparent_proxy_generator_test.go | Adds test case for duplicate ports scenario with STRICT TLS mode |
| pkg/xds/generator/testdata/transparent-proxy/10.envoy.golden.yaml | Golden file showing expected Envoy config with one filter chain match despite duplicate input ports |
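
The failure and the fix discussed in this PR, as an added example that is not code from the Kuma repository: `FilterChainMatch`, `buildMatches` and `validateListener` are hypothetical stand-ins, and the validator only models the rule that two filter chains on one listener may not have identical match criteria.

```go
package main

import "fmt"

// FilterChainMatch is a simplified, hypothetical stand-in for an Envoy filter
// chain match; only the destination port is modelled in this example.
type FilterChainMatch struct {
	DestinationPort uint32
}

// buildMatches emits one match per inbound port. With dedupe=false it
// reproduces the pre-fix behaviour (one chain per service, even when ports
// repeat); with dedupe=true it tracks seenPorts and skips any port already
// added, preserving first-seen order so the generated config stays stable.
func buildMatches(ports []uint32, dedupe bool) []FilterChainMatch {
	seenPorts := map[uint32]struct{}{}
	var out []FilterChainMatch
	for _, p := range ports {
		if _, ok := seenPorts[p]; ok && dedupe {
			continue
		}
		seenPorts[p] = struct{}{}
		out = append(out, FilterChainMatch{DestinationPort: p})
	}
	return out
}

// validateListener models the check that makes the proxy reject the listener:
// no two filter chains may carry the same match criteria.
func validateListener(matches []FilterChainMatch) error {
	seen := map[FilterChainMatch]int{}
	for i, m := range matches {
		if j, dup := seen[m]; dup {
			return fmt.Errorf("filter chains %d and %d have the same match (port %d)",
				j, i, m.DestinationPort)
		}
		seen[m] = i
	}
	return nil
}

func main() {
	ports := []uint32{8080, 8080, 9090} // constructed input: two services share port 8080
	fmt.Println("without dedupe:", validateListener(buildMatches(ports, false)))
	fmt.Println("with dedupe:   ", validateListener(buildMatches(ports, true)))
}
```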

@lukidzi lukidzi merged commit d755470 into kumahq:master Apr 1, 2026
20 checks passed
kumahq Bot pushed a commit that referenced this pull request Apr 1, 2026
)

## Motivation

Once a user has 2 services with the same port, we were creating
duplicate filter chain matches, which caused Envoy to reject the
configuration.

## Implementation information

* track `seenPorts` map and skip any port already added as a filter
chain

Signed-off-by: Lukasz Dziedziak <lukidzi@gmail.com>
lukidzi added a commit that referenced this pull request Apr 1, 2026
…kport of #16080) (#16085)

Automatic cherry-pick of #16080 for branch release-2.13

Generated by
[action](https://github.com/kumahq/kuma/actions/runs/23849713194)

cherry-picked commit d755470

Signed-off-by: Lukasz Dziedziak <lukidzi@gmail.com>
Co-authored-by: Lukasz Dziedziak <lukidzi@gmail.com>
bartsmykla pushed a commit to bartsmykla/kuma that referenced this pull request Apr 7, 2026
…ahq#16080)
