Fix Gateway API test failures after Envoy Gateway 1.5.7 update by Copilot · Pull Request #2 · skoryk-oleksandr/operator

Copilot · 2026-01-15T16:43:33Z

The Envoy Gateway 1.5.7 update introduced structural changes including multiple ClusterRoles/ClusterRoleBindings, MutatingWebhookConfigurations, and removed the separate certgen Service. Tests were failing due to outdated expectations and a misleading panic message.

Changes

Fixed misleading panic message in gateway_api.go

Line 220: Changed Service unmarshal error from "missing certgen Service" to actual error details via fmt.Sprintf("unable to unmarshal %v: %v", kindStr, err)

Removed obsolete validation

Lines 278-279: Removed certgenService nil check - Envoy Gateway 1.5.7 no longer provides a separate certgen service

Updated test expectations in gateway_api_test.go

Added MutatingWebhookConfiguration (envoy-gateway-topology-injector.tigera-gateway)
Added second ClusterRole (tigera-gateway-api-gateway-helm-certgen:tigera-gateway)
Added second ClusterRoleBinding (tigera-gateway-api-gateway-helm-certgen:tigera-gateway)
Applied to all three test cases: override application, OSS registry, and Enterprise registry

rtest.ExpectResources(objsToCreate, []client.Object{
    // ... existing resources ...
    &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-envoy-gateway-role"}},
    &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-certgen:tigera-gateway"}},
    &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-envoy-gateway-rolebinding"}},
    &rbacv1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-certgen:tigera-gateway"}},
    &admissionv1.MutatingWebhookConfiguration{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway-topology-injector.tigera-gateway"}},
    // ... remaining resources ...
})

All 4 Gateway API tests now pass.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

al.essio.dev
- Triggering command: /update-job-proxy /update-job-proxy -ifaceassert -nilfunc (dns block)
- Triggering command: /update-job-proxy /update-job-proxy -o br-6edacd4ad850 -j DOCKER-ISOLATION-STAGE-2 e/vcs/0ab7c7bc964e6f4054247fed3ac8d636309918420efe8a7cabef12d9f9904311/shallow.lock origin /home/dependabot/bin/git REDACTED %H %ct %D dc02a1c6ad6f9333--objects git remo�� e/vcs/66b7b8c8db--exclude-hidden=fetch origin /bin/git REDACTED /usr/lib/systemd--wait est /usr/lib/git-corfilter (dns block)
get.helm.sh
- Triggering command: /usr/bin/curl curl -sSf -L --retry 5 -o hack/bin/helm3.tar.gz REDACTED 0.74.0/v1/alertmbash /informers/sched--norc -lang=go1.18 ux_amd64/vet -o 4573809/b933/_pkg_.a pkg/mod/k8s.io/client-go@v0.33.3-ifaceassert ux_amd64/vet -p roller-runtime/p--norc -lang=go1.24 ux_amd64/vet (dns block)
go.elastic.co
- Triggering command: /update-job-proxy /update-job-proxy -ifaceassert -nilfunc (dns block)
- Triggering command: /update-job-proxy /update-job-proxy -o br-6edacd4ad850 -j DOCKER-ISOLATION-STAGE-2 e/vcs/0ab7c7bc964e6f4054247fed3ac8d636309918420efe8a7cabef12d9f9904311/shallow.lock origin /home/dependabot/bin/git REDACTED %H %ct %D dc02a1c6ad6f9333--objects git remo�� e/vcs/66b7b8c8db--exclude-hidden=fetch origin /bin/git REDACTED /usr/lib/systemd--wait est /usr/lib/git-corfilter (dns block)
go.googlesource.com
- Triggering command: /update-job-proxy /update-job-proxy -ifaceassert -nilfunc (dns block)
- Triggering command: /update-job-proxy /update-job-proxy -o br-6edacd4ad850 -j DOCKER-ISOLATION-STAGE-2 e/vcs/0ab7c7bc964e6f4054247fed3ac8d636309918420efe8a7cabef12d9f9904311/shallow.lock origin /home/dependabot/bin/git REDACTED %H %ct %D dc02a1c6ad6f9333--objects git remo�� e/vcs/66b7b8c8db--exclude-hidden=fetch origin /bin/git REDACTED /usr/lib/systemd--wait est /usr/lib/git-corfilter (dns block)
go.uber.org
- Triggering command: /update-job-proxy /update-job-proxy -ifaceassert -nilfunc (dns block)
- Triggering command: /update-job-proxy /update-job-proxy -o br-6edacd4ad850 -j DOCKER-ISOLATION-STAGE-2 e/vcs/0ab7c7bc964e6f4054247fed3ac8d636309918420efe8a7cabef12d9f9904311/shallow.lock origin /home/dependabot/bin/git REDACTED %H %ct %D dc02a1c6ad6f9333--objects git remo�� e/vcs/66b7b8c8db--exclude-hidden=fetch origin /bin/git REDACTED /usr/lib/systemd--wait est /usr/lib/git-corfilter (dns block)
go.yaml.in
- Triggering command: /update-job-proxy /update-job-proxy -ifaceassert -nilfunc (dns block)
- Triggering command: /update-job-proxy /update-job-proxy -o br-6edacd4ad850 -j DOCKER-ISOLATION-STAGE-2 e/vcs/0ab7c7bc964e6f4054247fed3ac8d636309918420efe8a7cabef12d9f9904311/shallow.lock origin /home/dependabot/bin/git REDACTED %H %ct %D dc02a1c6ad6f9333--objects git remo�� e/vcs/66b7b8c8db--exclude-hidden=fetch origin /bin/git REDACTED /usr/lib/systemd--wait est /usr/lib/git-corfilter (dns block)
gomodules.xyz
- Triggering command: /update-job-proxy /update-job-proxy -ifaceassert -nilfunc (dns block)
- Triggering command: /update-job-proxy /update-job-proxy -o br-6edacd4ad850 -j DOCKER-ISOLATION-STAGE-2 e/vcs/0ab7c7bc964e6f4054247fed3ac8d636309918420efe8a7cabef12d9f9904311/shallow.lock origin /home/dependabot/bin/git REDACTED %H %ct %D dc02a1c6ad6f9333--objects git remo�� e/vcs/66b7b8c8db--exclude-hidden=fetch origin /bin/git REDACTED /usr/lib/systemd--wait est /usr/lib/git-corfilter (dns block)
google.golang.org
- Triggering command: /update-job-proxy /update-job-proxy -ifaceassert -nilfunc (dns block)
- Triggering command: /update-job-proxy /update-job-proxy -o br-6edacd4ad850 -j DOCKER-ISOLATION-STAGE-2 e/vcs/0ab7c7bc964e6f4054247fed3ac8d636309918420efe8a7cabef12d9f9904311/shallow.lock origin /home/dependabot/bin/git REDACTED %H %ct %D dc02a1c6ad6f9333--objects git remo�� e/vcs/66b7b8c8db--exclude-hidden=fetch origin /bin/git REDACTED /usr/lib/systemd--wait est /usr/lib/git-corfilter (dns block)
gopkg.in
- Triggering command: /update-job-proxy /update-job-proxy -ifaceassert -nilfunc (dns block)
- Triggering command: /update-job-proxy /update-job-proxy -o br-6edacd4ad850 -j DOCKER-ISOLATION-STAGE-2 e/vcs/0ab7c7bc964e6f4054247fed3ac8d636309918420efe8a7cabef12d9f9904311/shallow.lock origin /home/dependabot/bin/git REDACTED %H %ct %D dc02a1c6ad6f9333--objects git remo�� e/vcs/66b7b8c8db--exclude-hidden=fetch origin /bin/git REDACTED /usr/lib/systemd--wait est /usr/lib/git-corfilter (dns block)
howett.net
- Triggering command: /update-job-proxy /update-job-proxy -ifaceassert -nilfunc (dns block)
- Triggering command: /update-job-proxy /update-job-proxy -o br-6edacd4ad850 -j DOCKER-ISOLATION-STAGE-2 e/vcs/0ab7c7bc964e6f4054247fed3ac8d636309918420efe8a7cabef12d9f9904311/shallow.lock origin /home/dependabot/bin/git REDACTED %H %ct %D dc02a1c6ad6f9333--objects git remo�� e/vcs/66b7b8c8db--exclude-hidden=fetch origin /bin/git REDACTED /usr/lib/systemd--wait est /usr/lib/git-corfilter (dns block)
k8s.io
- Triggering command: /update-job-proxy /update-job-proxy -ifaceassert -nilfunc (dns block)
- Triggering command: /update-job-proxy /update-job-proxy -o br-6edacd4ad850 -j DOCKER-ISOLATION-STAGE-2 e/vcs/0ab7c7bc964e6f4054247fed3ac8d636309918420efe8a7cabef12d9f9904311/shallow.lock origin /home/dependabot/bin/git REDACTED %H %ct %D dc02a1c6ad6f9333--objects git remo�� e/vcs/66b7b8c8db--exclude-hidden=fetch origin /bin/git REDACTED /usr/lib/systemd--wait est /usr/lib/git-corfilter (dns block)
sigs.k8s.io
- Triggering command: /update-job-proxy /update-job-proxy -ifaceassert -nilfunc (dns block)
- Triggering command: /update-job-proxy /update-job-proxy -o br-6edacd4ad850 -j DOCKER-ISOLATION-STAGE-2 e/vcs/0ab7c7bc964e6f4054247fed3ac8d636309918420efe8a7cabef12d9f9904311/shallow.lock origin /home/dependabot/bin/git REDACTED %H %ct %D dc02a1c6ad6f9333--objects git remo�� e/vcs/66b7b8c8db--exclude-hidden=fetch origin /bin/git REDACTED /usr/lib/systemd--wait est /usr/lib/git-corfilter (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

Problem

The test pkg/render/gateway_api_test.go is failing with the following panic:
Test Panicked
missing certgen Service from gateway API YAML
/home/oleksandr/GolandProjects/oleks-operator/operator/pkg/render/gateway_api.go:279
Root Cause Analysis

There are two issues that need to be fixed:

Issue 1: Incorrect panic message in gateway_api.go

In the case "v1/Service": block around line 219, the error message is misleading:
case "v1/Service":
    obj := &corev1.Service{}
    if err := yaml.Unmarshal([]byte(yml), obj); err != nil {
        panic("missing certgen Service from gateway API YAML")  // Wrong error message!
    }
When yaml.Unmarshal fails, it panics with "missing certgen Service" instead of the actual unmarshal error. The fix should be:
if err := yaml.Unmarshal([]byte(yml), obj); err != nil {
    panic(fmt.Sprintf("unable to unmarshal %v: %v", kindStr, err))
}
Issue 2: Test expectations need to be updated in gateway_api_test.go

The PR that updates Envoy Gateway to 1.5.7 made several structural changes:

Changed from single clusterRole to multiple clusterRoles []

Changed from single clusterRoleBinding to multiple clusterRoleBindings []

Added support for MutatingWebhookConfiguration resources

Added certgenService

The test's rtest.ExpectResources calls need to be updated to include all the new resources being rendered. Currently the test at lines 166-185 only expects:

One ClusterRole: tigera-gateway-api-gateway-helm-envoy-gateway-role

One ClusterRoleBinding: tigera-gateway-api-gateway-helm-envoy-gateway-rolebinding

But now there may be multiple ClusterRoles, ClusterRoleBindings, and MutatingWebhookConfigurations being rendered.

Files to Modify

pkg/render/gateway_api.go - Fix the panic message in the Service unmarshal error handling

pkg/render/gateway_api_test.go - Update test expectations to match the new resources being rendered after the Envoy Gateway 1.5.7 update

Acceptance Criteria

The panic message correctly shows the unmarshal error

All tests in pkg/render/gateway_api_test.go pass

The test expectations match all resources that Objects() returns including any new ClusterRoles, ClusterRoleBindings, and MutatingWebhookConfigurations from the new Envoy Gateway version

This pull request was created from Copilot chat.

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

- Fix misleading panic message in gateway_api.go when Service unmarshal fails - Remove validation for certgenService which is no longer provided by Envoy Gateway 1.5.7 - Add missing resources to test expectations: second ClusterRole, second ClusterRoleBinding, and MutatingWebhookConfiguration Co-authored-by: skoryk-oleksandr <5551658+skoryk-oleksandr@users.noreply.github.com>

Updated all three Gateway API test cases to include the new MutatingWebhookConfiguration resource in their expectations. Co-authored-by: skoryk-oleksandr <5551658+skoryk-oleksandr@users.noreply.github.com>

The certgen ClusterRole and ClusterRoleBinding (with names containing colons) are rendered by the Objects() method and need to be included in test expectations. Co-authored-by: skoryk-oleksandr <5551658+skoryk-oleksandr@users.noreply.github.com>

Initial plan

1562d7f

Copilot AI assigned Copilot and skoryk-oleksandr Jan 15, 2026

Copilot started work on behalf of skoryk-oleksandr January 15, 2026 16:44 View session

Copilot AI and others added 3 commits January 15, 2026 16:54

Add MutatingWebhookConfiguration to all test expectations

06a418a

Updated all three Gateway API test cases to include the new MutatingWebhookConfiguration resource in their expectations. Co-authored-by: skoryk-oleksandr <5551658+skoryk-oleksandr@users.noreply.github.com>

Copilot AI changed the title ~~[WIP] Fix incorrect panic message in gateway API~~ Fix Gateway API test failures after Envoy Gateway 1.5.7 update Jan 15, 2026

Copilot AI requested a review from skoryk-oleksandr January 15, 2026 17:34

Copilot finished work on behalf of skoryk-oleksandr January 15, 2026 17:34

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix Gateway API test failures after Envoy Gateway 1.5.7 update#2

Fix Gateway API test failures after Envoy Gateway 1.5.7 update#2
Copilot wants to merge 4 commits into
update-envoy-gateway-to-1.5.7from
copilot/fix-panic-message-gateway-api

Copilot AI commented Jan 15, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

Copilot AI commented Jan 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

I tried to connect to the following addresses, but was blocked by firewall rules:

Problem

Root Cause Analysis

Issue 1: Incorrect panic message in gateway_api.go

Issue 2: Test expectations need to be updated in gateway_api_test.go

Files to Modify

Acceptance Criteria

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Copilot AI commented Jan 15, 2026 •

edited

Loading

Issue 1: Incorrect panic message in `gateway_api.go`

Issue 2: Test expectations need to be updated in `gateway_api_test.go`