fix(extension-server): unique connector domain to stop Envoy config NACK #214
Merged
Online connector routing appended the connector's backend target host to the
virtual host's domains. Tunnels overwhelmingly target "localhost", so every
connector's virtual host received the same "localhost" domain. On a shared route
configuration (the HTTP listener that merges all gateways) those duplicate, and
Envoy rejects the entire xDS snapshot ("Only unique values for domains are
permitted"). A single collision freezes config updates fleet-wide: new tunnels
never program a route, and connectors that come online never leave the offline
503 program.
Append a synthetic domain derived from the virtual host name instead. Envoy
already requires virtual host names to be unique within a route configuration,
so the domain can never collide. The internal tunnel listener routes on cluster
metadata (tunnel address + endpoint id), not on this domain, so a synthetic
value preserves tunnel routing.
Adds a regression test asserting two online connectors that share a backend host
on one route configuration produce no duplicate domain.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Rewrite the connector domain comments to lead with the design intent — connector domains must be unique within a merged-listener namespace — and name the <virtual-host>.connector.internal format, dropping the mechanical detail. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Replace "GAP-1b"/"design §" references with plain descriptions of what each assertion guards. The comments already explain the behavior; the tags added nothing for a future reader. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ecv approved these changes on Jun 23, 2026
What
Connector tunnels intermittently get stuck on the 503 "Tunnel not online" page even when the connector is online, and new tunnels sometimes never get a route (404).
Why
Online connector routing appended the connector's backend host to the shared HTTP route config's virtual-host domains. Tunnels almost always target localhost, so multiple connectors collide on the same localhost domain. Envoy rejects the whole xDS snapshot (code 13, "Only unique values for domains are permitted") and freezes config — re-translations are computed but never applied.
Fix
Append a unique per-connector synthetic domain (<vhost>.connector.internal) instead of the raw backend host. Vhost names are already unique within a route config, so it can't collide. The internal tunnel listener routes on cluster metadata, not this domain, so routing is unchanged.
Validation
localhost tunnels all program online and serve 200, http-80 has zero duplicate domains, no code 13 NACKs.
Related
docs/enhancements/envoy-gateway-extension-server/README.md)
🤖 Generated with Claude Code
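The collision described in the commit message and in the "Why"/"Fix" sections above, reduced to a stand-alone check (an added example in Go, not code from this PR or from the extension server): a minimal VirtualHost stand-in for Envoy's route-configuration virtual host (an assumption, so the example needs no go-control-plane dependency), the pre-fix and post-fix domain derivation side by side, and a duplicate-domain scan that flags what Envoy would NACK.

```go
package main

import "sort"

// VirtualHost is a minimal stand-in (assumption) for Envoy's config.route.v3.VirtualHost.
type VirtualHost struct {
	Name    string
	Domains []string
}

// connectorDomain derives the fix's synthetic domain, <virtual-host>.connector.internal;
// vhost names are unique within a route configuration, so these never collide.
func connectorDomain(vhostName string) string {
	return vhostName + ".connector.internal"
}

// buildOnlineVirtualHosts builds the merged listener's connector virtual hosts.
// useBackendHost=true is the pre-fix behaviour (raw backend host as the domain).
func buildOnlineVirtualHosts(names []string, backendHost string, useBackendHost bool) []VirtualHost {
	out := make([]VirtualHost, 0, len(names))
	for _, name := range names {
		domain := connectorDomain(name)
		if useBackendHost {
			domain = backendHost
		}
		out = append(out, VirtualHost{Name: name, Domains: []string{domain}})
	}
	return out
}

// duplicateDomains returns, sorted, every domain listed more than once across one
// route configuration: any hit is a snapshot Envoy NACKs with "Only unique values
// for domains are permitted", which is what freezes config updates fleet-wide.
func duplicateDomains(vhosts []VirtualHost) []string {
	seen := map[string]int{}
	var dups []string
	for _, vh := range vhosts {
		for _, d := range vh.Domains {
			seen[d]++
			if seen[d] == 2 { // report each colliding domain once
				dups = append(dups, d)
			}
		}
	}
	sort.Strings(dups)
	return dups
}
```

Running duplicateDomains over the output of buildOnlineVirtualHosts for two constructed connectors that both target localhost returns [localhost] with the pre-fix derivation and nothing with the synthetic domain, which is the same property the PR's regression test asserts.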