envoyproxy · cnvergence · May 9, 2025 · May 9, 2025 · May 9, 2025
@@ -649,7 +649,7 @@ func buildRateLimitServiceDescriptors(route *ir.HTTPRoute) []*rlsconfv3.RateLimi
 }
 
 // buildRateLimitTLSocket builds the TLS socket for the rate limit service.
-func buildRateLimitTLSocket() (*corev3.TransportSocket, error) {
+func (t *Translator) buildRateLimitTLSocket() (*corev3.TransportSocket, error) {
 	tlsCtx := &tlsv3.UpstreamTlsContext{
 		CommonTlsContext: &tlsv3.CommonTlsContext{
 			TlsCertificates: []*tlsv3.TlsCertificate{},
@@ -663,15 +663,19 @@ func buildRateLimitTLSocket() (*corev3.TransportSocket, error) {
 		},
 	}
 
-	tlsCert := &tlsv3.TlsCertificate{
-		CertificateChain: &corev3.DataSource{
-			Specifier: &corev3.DataSource_Filename{Filename: rateLimitClientTLSCertFilename},
-		},
-		PrivateKey: &corev3.DataSource{
-			Specifier: &corev3.DataSource_Filename{Filename: rateLimitClientTLSKeyFilename},
-		},
+	// Add client certificates only when not in gateway namespace mode
+	// TODO: Add better support for gateway namespace mode
+	if !t.GatewayNamespaceMode {
+		tlsCert := &tlsv3.TlsCertificate{
+			CertificateChain: &corev3.DataSource{
+				Specifier: &corev3.DataSource_Filename{Filename: rateLimitClientTLSCertFilename},
+			},
+			PrivateKey: &corev3.DataSource{
+				Specifier: &corev3.DataSource_Filename{Filename: rateLimitClientTLSKeyFilename},
+			},
+		}
+		tlsCtx.CommonTlsContext.TlsCertificates = append(tlsCtx.CommonTlsContext.TlsCertificates, tlsCert)
 	}
-	tlsCtx.CommonTlsContext.TlsCertificates = append(tlsCtx.CommonTlsContext.TlsCertificates, tlsCert)
 
 	tlsCtxAny, err := anypb.New(tlsCtx)
 	if err != nil {
@@ -701,7 +705,7 @@ func (t *Translator) createRateLimitServiceCluster(tCtx *types.ResourceVersionTa
 		Name:      destinationSettingName(clusterName),
 	}
 
-	tSocket, err := buildRateLimitTLSocket()
+	tSocket, err := t.buildRateLimitTLSocket()
 	if err != nil {
 		return err
 	}

@@ -67,8 +67,9 @@ func (r *Runner) subscribeAndTranslate(sub <-chan watchable.Snapshot[string, *ir
 			} else {
 				// Translate to xds resources
 				t := &translator.Translator{
-					FilterOrder: val.FilterOrder,
-					Logger:      r.Logger,
+					GatewayNamespaceMode: r.EnvoyGateway.GatewayNamespaceMode(),
+					FilterOrder:          val.FilterOrder,
+					Logger:               r.Logger,
 				}
 
 				// Set the extension manager if an extension is loaded

@@ -44,6 +44,7 @@ const (
 
 // Translator translates the xDS IR into xDS resources.
 type Translator struct {
+	GatewayNamespaceMode bool
 	// GlobalRateLimit holds the global rate limit settings
 	// required during xds translation.
 	GlobalRateLimit *GlobalRateLimitSettings

@@ -67,18 +67,6 @@ func TestE2E(t *testing.T) {
 			tests.HTTPWasmTest.ShortName,
 			tests.OCIWasmTest.ShortName,
 			tests.ZoneAwareRoutingTest.ShortName,
-
-			// Skip RateLimit tests because they are not supported in GatewayNamespaceMode
-			tests.RateLimitCIDRMatchTest.ShortName,
-			tests.RateLimitHeaderMatchTest.ShortName,
-			tests.GlobalRateLimitHeaderInvertMatchTest.ShortName,
-			tests.RateLimitHeadersDisabled.ShortName,
-			tests.RateLimitBasedJwtClaimsTest.ShortName,
-			tests.RateLimitMultipleListenersTest.ShortName,
-			tests.RateLimitHeadersAndCIDRMatchTest.ShortName,
-			tests.UsageRateLimitTest.ShortName,
-			tests.RateLimitGlobalSharedCidrMatchTest.ShortName,
-			tests.RateLimitGlobalSharedGatewayHeaderMatchTest.ShortName,
 		)
 	}