feat: log+metric on envoy xDS errors (#13003)

Signed-off-by: Yuval Kohavi <[email protected]>
Co-authored-by: Copilot <[email protected]>

Author: yuval-k

go.mod

@@ -611,7 +611,7 @@ require (
 	google.golang.org/api v0.246.0 // indirect
 	google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20251020155222-88f65dc88635 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251020155222-88f65dc88635 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251020155222-88f65dc88635
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect

hack/utils/oss_compliance/osa_provided.md

@@ -40,6 +40,7 @@ Name|Version|License
 [go.uber.org/zap](https://go.uber.org/zap)|v1.27.0|MIT License
 [x/exp](https://golang.org/x/exp)|v0.0.0-20251017212417-90e834f514db|BSD 3-clause "New" or "Revised" License
 [x/time](https://golang.org/x/time)|v0.14.0|BSD 3-clause "New" or "Revised" License
+[googleapis/rpc](https://google.golang.org/genproto/googleapis/rpc)|v0.0.0-20251020155222-88f65dc88635|Apache License 2.0
 [google.golang.org/grpc](https://google.golang.org/grpc)|v1.76.0|Apache License 2.0
 [google.golang.org/protobuf](https://google.golang.org/protobuf)|v1.36.10|BSD 3-clause "New" or "Revised" License
 [helm/v3](https://helm.sh/helm/v3)|v3.19.2|Apache License 2.0

internal/kgateway/setup/callbacks.go

@@ -0,0 +1,92 @@
+package setup
+
+import (
+	"context"
+
+	envoycorev3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+	discoveryv3 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
+	xdsserver "github.com/envoyproxy/go-control-plane/pkg/server/v3"
+)
+
+func chainCallbacks(cbs ...xdsserver.Callbacks) xdsserver.Callbacks {
+	return &callbacksChain{Callbacks: cbs}
+}
+
+type callbacksChain struct {
+	Callbacks []xdsserver.Callbacks
+}
+
+func (c *callbacksChain) OnDeltaStreamClosed(s int64, n *envoycorev3.Node) {
+	for _, cb := range c.Callbacks {
+		cb.OnDeltaStreamClosed(s, n)
+	}
+}
+
+func (c *callbacksChain) OnDeltaStreamOpen(ctx context.Context, streamID int64, typeURL string) error {
+	for _, cb := range c.Callbacks {
+		if err := cb.OnDeltaStreamOpen(ctx, streamID, typeURL); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (c *callbacksChain) OnFetchRequest(ctx context.Context, req *discoveryv3.DiscoveryRequest) error {
+	for _, cb := range c.Callbacks {
+		if err := cb.OnFetchRequest(ctx, req); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (c *callbacksChain) OnFetchResponse(req *discoveryv3.DiscoveryRequest, resp *discoveryv3.DiscoveryResponse) {
+	for _, cb := range c.Callbacks {
+		cb.OnFetchResponse(req, resp)
+	}
+}
+
+func (c *callbacksChain) OnStreamClosed(streamID int64, node *envoycorev3.Node) {
+	for _, cb := range c.Callbacks {
+		cb.OnStreamClosed(streamID, node)
+	}
+}
+
+func (c *callbacksChain) OnStreamDeltaRequest(streamID int64, deltaReq *discoveryv3.DeltaDiscoveryRequest) error {
+	for _, cb := range c.Callbacks {
+		if err := cb.OnStreamDeltaRequest(streamID, deltaReq); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (c *callbacksChain) OnStreamDeltaResponse(streamID int64, deltaReq *discoveryv3.DeltaDiscoveryRequest, deltaResp *discoveryv3.DeltaDiscoveryResponse) {
+	for _, cb := range c.Callbacks {
+		cb.OnStreamDeltaResponse(streamID, deltaReq, deltaResp)
+	}
+}
+
+func (c *callbacksChain) OnStreamOpen(ctx context.Context, streamID int64, typeURL string) error {
+	for _, cb := range c.Callbacks {
+		if err := cb.OnStreamOpen(ctx, streamID, typeURL); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (c *callbacksChain) OnStreamRequest(streamID int64, req *discoveryv3.DiscoveryRequest) error {
+	for _, cb := range c.Callbacks {
+		if err := cb.OnStreamRequest(streamID, req); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (c *callbacksChain) OnStreamResponse(ctx context.Context, streamID int64, req *discoveryv3.DiscoveryRequest, resp *discoveryv3.DiscoveryResponse) {
+	for _, cb := range c.Callbacks {
+		cb.OnStreamResponse(ctx, streamID, req, resp)
+	}
+}

internal/kgateway/setup/controlplane.go

@@ -100,14 +100,16 @@ func NewControlPlane(
 ) envoycache.SnapshotCache {
 	baseLogger := slog.Default().With("component", "envoy-controlplane")
 	envoyLoggerAdapter := &slogAdapterForEnvoy{logger: baseLogger}
+	lnc := newLogNackCallback()
+	allCallbacks := chainCallbacks(callbacks, lnc)
 
 	// Create separate gRPC servers for each listener
 	serverOpts := getGRPCServerOpts(authenticators, xdsAuth, certWatcher, baseLogger)
 	kgwGRPCServer := grpc.NewServer(serverOpts...)
 
 	snapshotCache := envoycache.NewSnapshotCache(true, xds.NewNodeRoleHasher(), envoyLoggerAdapter)
 
-	xdsServer := xdsserver.NewServer(ctx, snapshotCache, callbacks)
+	xdsServer := xdsserver.NewServer(ctx, snapshotCache, allCallbacks)
 
 	// Register reflection and services on both servers
 	reflection.Register(kgwGRPCServer)

internal/kgateway/setup/envoy_error.go

@@ -0,0 +1,171 @@
+package setup
+
+import (
+	"strings"
+	"sync"
+
+	envoycorev3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+	discoveryv3 "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v3"
+	xdsserver "github.com/envoyproxy/go-control-plane/pkg/server/v3"
+	"google.golang.org/genproto/googleapis/rpc/status"
+
+	"github.com/kgateway-dev/kgateway/v2/internal/kgateway/xds"
+	"github.com/kgateway-dev/kgateway/v2/pkg/logging"
+	"github.com/kgateway-dev/kgateway/v2/pkg/metrics"
+)
+
+const (
+	gwNameLabel      = "gateway_name"
+	gwNamespaceLabel = "gateway_namespace"
+	typeURLLabel     = "type_url"
+)
+
+var (
+	logger            = logging.New("xds/envoy")
+	envoyXdsSubsystem = "envoy_xds"
+	xdsRejectsTotal   = metrics.NewCounter(
+		metrics.CounterOpts{
+			Subsystem: envoyXdsSubsystem,
+			Name:      "rejects_total",
+			Help:      "Total number of xDS responses rejected by envoy proxy",
+		}, []string{gwNamespaceLabel, gwNameLabel, typeURLLabel})
+	xdsRejectsCurrent = metrics.NewGauge(
+		metrics.GaugeOpts{
+			Subsystem: envoyXdsSubsystem,
+			Name:      "rejects_active",
+			Help:      "Number of xDS responses currently rejected by envoy proxy",
+		}, []string{gwNamespaceLabel, gwNameLabel, typeURLLabel})
+)
+
+type resourceKey struct {
+	Namespace       string
+	Name            string
+	ResourceTypeUrl string
+}
+
+type resourceState struct {
+	errors map[resourceKey]struct{}
+}
+
+func newResourceState() resourceState {
+	return resourceState{
+		errors: make(map[resourceKey]struct{}),
+	}
+}
+
+type logNackCallback struct {
+	xdsserver.CallbackFuncs
+	streamState map[int64]resourceState
+
+	lock sync.Mutex
+}
+
+var _ xdsserver.Callbacks = (*logNackCallback)(nil)
+
+func newLogNackCallback() *logNackCallback {
+	return &logNackCallback{
+		streamState: make(map[int64]resourceState),
+	}
+}
+
+// OnStreamClosed implements server.Callbacks.
+func (l *logNackCallback) OnStreamClosed(streamID int64, node *envoycorev3.Node) {
+	l.lock.Lock()
+	streamState := l.streamState[streamID]
+	delete(l.streamState, streamID)
+	l.lock.Unlock()
+
+	for k := range streamState.errors {
+		l.onErrorGone(k)
+	}
+}
+
+// OnStreamRequest implements server.Callbacks.
+func (l *logNackCallback) OnStreamRequest(streamID int64, req *discoveryv3.DiscoveryRequest) error {
+	// get gateway and typeURL from request
+	role := req.GetNode().GetMetadata().GetFields()[xds.RoleKey].GetStringValue()
+	parts := strings.SplitN(role, xds.KeyDelimiter, 3)
+	if len(parts) != 3 {
+		return nil
+	}
+	namespace := parts[1]
+	name := parts[2]
+
+	// note, with locality, name will include name~hash~ns
+	if localityParts := strings.SplitN(name, xds.KeyDelimiter, 3); len(localityParts) == 3 {
+		name = localityParts[0]
+	}
+
+	typeUrl := req.GetTypeUrl()
+	key := resourceKey{
+		Namespace:       namespace,
+		Name:            name,
+		ResourceTypeUrl: strings.TrimPrefix(typeUrl, "type.googleapis.com/"),
+	}
+
+	if req.ErrorDetail != nil {
+		if !l.handleError(streamID, key) {
+			// Log NACK only once per resource
+			return nil
+		}
+		l.onNewError(key, req.ErrorDetail)
+	} else {
+		errorGone := l.handleNoError(streamID, key)
+		if errorGone {
+			l.onErrorGone(key)
+		}
+	}
+	return nil
+}
+
+func (l *logNackCallback) onNewError(key resourceKey, err *status.Status) {
+	labels := toLabels(key)
+	xdsRejectsTotal.Inc(labels...)
+	xdsRejectsCurrent.Add(1, labels...)
+	logger.Warn("xds error", "gateway_name", key.Name, "gateway_ns", key.Namespace, "resource", key.ResourceTypeUrl, "error", err.Message)
+}
+
+func (l *logNackCallback) onErrorGone(key resourceKey) {
+	xdsRejectsCurrent.Add(-1, toLabels(key)...)
+}
+
+func (l *logNackCallback) handleNoError(streamID int64, key resourceKey) bool {
+	l.lock.Lock()
+	defer l.lock.Unlock()
+	streamState := l.streamState[streamID]
+	_, hadKey := streamState.errors[key]
+	delete(streamState.errors, key)
+	return hadKey
+}
+
+func (l *logNackCallback) handleError(streamID int64, key resourceKey) bool {
+	l.lock.Lock()
+	defer l.lock.Unlock()
+	streamState := l.streamState[streamID]
+	if streamState.errors == nil {
+		streamState = newResourceState()
+		l.streamState[streamID] = streamState
+	}
+	if _, exists := streamState.errors[key]; exists {
+		return false
+	}
+	streamState.errors[key] = struct{}{}
+	return true
+}
+
+func toLabels(key resourceKey) []metrics.Label {
+	return []metrics.Label{
+		{
+			Name:  gwNamespaceLabel,
+			Value: key.Namespace,
+		},
+		{
+			Name:  gwNameLabel,
+			Value: key.Name,
+		},
+		{
+			Name:  typeURLLabel,
+			Value: key.ResourceTypeUrl,
+		},
+	}
+}