fix: Proxy-sidecar reinvocation check and routes volume mount#303
Merged
fix: Proxy-sidecar reinvocation check and routes volume mount#303
Conversation
…es volume Two proxy-sidecar gaps found during end-to-end testing: 1. isAlreadyInjected did not check for AuthBridgeProxyContainerName. On webhook reinvocation with spiffe-helper disabled, the proxy- sidecar container would not be recognized as already-injected, causing a second injection pass. 2. BuildProxySidecarContainerWithPorts did not mount the authproxy- routes volume. File-based route loading (routes.file in config) was broken in proxy-sidecar mode. Adds /etc/authproxy mount matching the envoy-sidecar container. Signed-off-by: Hai Huang <hai@us.ibm.com> Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com> Signed-off-by: Hai Huang <huang195@gmail.com>
esnible
approved these changes
Apr 21, 2026
github-project-automation
Bot
moved this from Backlog
to Done
in Kagenti Issue Prioritization
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
AuthBridgeProxyContainerNametoisAlreadyInjectedcheck in the webhook handlerauthproxy-routesvolume mount toBuildProxySidecarContainerWithPortsBugs found during end-to-end testing
1. Reinvocation gap:
isAlreadyInjectedchecked for envoy-proxy, spiffe-helper, client-registration, and authbridge containers — but not authbridge-proxy. If spiffe-helper is disabled, webhook reinvocation would not recognize the proxy-sidecar container and could double-inject.2. Missing routes volume: The proxy-sidecar container only mounted shared-data, authbridge-runtime-config, and svid-output. The authproxy-routes ConfigMap (
/etc/authproxy/routes.yaml) was not mounted, so file-based route loading was broken. Inline routes viaroutes.rulesin the ConfigMap worked as a workaround.Test plan
go build— passesgo test ./internal/webhook/injector/— passesgolangci-lint— 0 issuesAssisted-By: Claude (Anthropic AI) noreply@anthropic.com