From f3b5ffa42646069461720faf2f1f3496d9f8649f Mon Sep 17 00:00:00 2001 From: Scot Wells Date: Wed, 17 Jun 2026 21:09:24 -0500 Subject: [PATCH] fix(envoy-gateway): roll back EG control plane to v1.7.4 EG v1.8.x crashes the shared downstream gateway when any tenant's OIDC SecurityPolicy references a missing clientSecret. v1.8.0 (PR #8703) moved OIDC to a listener-level oauth2 filter; on a missing secret EG ships a config-less filter that Envoy rejects, taking down the entire listener snapshot for ALL tenants. v1.7.4 fails safe (per-route 500, no filter). Pins both the control-plane and downstream gateway-helm charts to v1.7.4. All extensionManager features the ext-server depends on (policyResources, resources, translation.includeAll, retry, failOpen) are present in v1.7.4; kustomize build --enable-helm verified for both overlays. Co-Authored-By: Claude Opus 4.8 (1M context) --- .../tools/envoy-gateway-downstream/kustomization.yaml | 11 ++++++++++- config/tools/envoy-gateway/kustomization.yaml | 9 ++++++++- 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/config/tools/envoy-gateway-downstream/kustomization.yaml b/config/tools/envoy-gateway-downstream/kustomization.yaml
index d6cce81..ce2c951 100644
--- a/config/tools/envoy-gateway-downstream/kustomization.yaml
+++ b/config/tools/envoy-gateway-downstream/kustomization.yaml
@@ -6,7 +6,16 @@ helmCharts:
 includeCRDs: false
 namespace: datum-downstream-gateway
 releaseName: envoy-datum-downstream-gateway
- version: v1.8.1
+ # Rolled back from v1.8.1 to v1.7.4: EG v1.8.0 (PR #8703) reworked OIDC into a
+ # listener-level "dumb" oauth2 filter. When a SecurityPolicy's OIDC clientSecret
+ # is missing, v1.8.x emits a config-less envoy.filters.http.oauth2 at listener
+ # scope, which Envoy rejects ("config must be present for global config"),
+ # rejecting the WHOLE listener snapshot for every tenant on the shared gateway.
+ # v1.7.4 (last pre-redesign release) fails safe: it omits the oauth2 filter for
+ # the broken route and returns a per-route 500 direct response instead. All
+ # extensionManager features used below (policyResources, resources,
+ # translation.includeAll, retry, failOpen) are present in v1.7.4.
+ version: v1.7.4
 repo: oci://docker.io/envoyproxy
 valuesInline:
 config:
diff --git a/config/tools/envoy-gateway/kustomization.yaml b/config/tools/envoy-gateway/kustomization.yaml
index 0c48a62..35d13e4 100644
--- a/config/tools/envoy-gateway/kustomization.yaml
+++ b/config/tools/envoy-gateway/kustomization.yaml
@@ -5,7 +5,14 @@ helmCharts:
 includeCRDs: true
 namespace: envoy-gateway-system
 releaseName: envoy-gateway
- version: v1.8.1
+ # Rolled back from v1.8.1 to v1.7.4: EG v1.8.0 (PR #8703) reworked OIDC into a
+ # listener-level "dumb" oauth2 filter. When a SecurityPolicy's OIDC clientSecret
+ # is missing, v1.8.x emits a config-less envoy.filters.http.oauth2 at listener
+ # scope, which Envoy rejects ("config must be present for global config"),
+ # rejecting the WHOLE listener snapshot for every tenant on the shared gateway.
+ # v1.7.4 (last pre-redesign release) fails safe: it omits the oauth2 filter for
+ # the broken route and returns a per-route 500 direct response instead.
+ version: v1.7.4
 repo: oci://docker.io/envoyproxy
 valuesInline:
 config:
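Review bot: The rollback shrinks the blast radius but leaves the trigger in place: a tenant SecurityPolicy whose OIDC clientSecret reference does not resolve is still accepted by the cluster, and the only thing standing between that object and a listener-wide outage for every tenant is the chart version pinned on the `version: v1.7.4` line. Consider rejecting such policies at admission (a ValidatingAdmissionPolicy or webhook on SecurityPolicy in the downstream namespace that requires the referenced Secret to exist) so the invariant does not depend on which EG release is deployed, and add a CI case with a deliberately missing secret so `kustomize build --enable-helm` is not the only check gating the next bump. The "fails safe" wording in the new comment is ambiguous about direction; since the comment itself says the route gets a 500 direct response and no oauth2 filter, I would state the property explicitly: `# v1.7.4 fails closed: the broken route gets a 500 direct response and no oauth2 filter, so the request is never proxied unauthenticated.`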
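Review bot: The pin comment on the control-plane `version: v1.7.4` line gives the reason but no exit condition, so nothing tells a future maintainer when the pin may be lifted or that the control plane now sits on a pre-redesign line that will presumably stop receiving security fixes while v1.8.x moves on. Add a line such as `# TODO: lift this pin (together with the one in envoy-gateway-downstream) once upstream handles a missing OIDC clientSecret without rejecting the whole listener; re-run the missing-secret case before bumping.` The commit pins both overlays to the same release, and the downstream comment ties that release to the extensionManager features used there, so the two pins should at least reference each other so one is not bumped without the other.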