envoyproxy · zirain · May 26, 2025 · May 23, 2025 · arkodg · May 23, 2025
@@ -290,10 +290,10 @@ type KubernetesWatchMode struct {
 
 const (
 	// KubernetesDeployModeTypeControllerNamespace indicates that the controller namespace is used for the infra proxy deployments.
-	KubernetesDeployModeTypeControllerNamespace = "ControllerNamespace"
+	KubernetesDeployModeTypeControllerNamespace KubernetesDeployModeType = "ControllerNamespace"
 
 	// KubernetesDeployModeTypeGatewayNamespace indicates that the gateway namespace is used for the infra proxy deployments.
-	KubernetesDeployModeTypeGatewayNamespace = "GatewayNamespace"
+	KubernetesDeployModeTypeGatewayNamespace KubernetesDeployModeType = "GatewayNamespace"
 )
 
 // KubernetesDeployModeType defines the type of KubernetesDeployMode

@@ -243,7 +243,7 @@ infraIR:
         ownerReference:
           kind: Gateway
           name: gateway-1
-      name: default/gateway-1
+      name: gateway-1
       namespace: default
   default/gateway-2:
     proxy:
@@ -262,7 +262,7 @@ infraIR:
         ownerReference:
           kind: Gateway
           name: gateway-2
-      name: default/gateway-2
+      name: gateway-2
       namespace: default
   test-ns/gateway-3:
     proxy:
@@ -281,7 +281,7 @@ infraIR:
         ownerReference:
           kind: Gateway
           name: gateway-3
-      name: test-ns/gateway-3
+      name: gateway-3
       namespace: test-ns
 xdsIR:
   default/gateway-1:

@@ -318,6 +318,7 @@ func (t *Translator) InitIRs(gateways []*GatewayContext) (map[string]*ir.Xds, ma
 		gwInfraIR.Proxy.Name = irKey
 		gwInfraIR.Proxy.Namespace = t.ControllerNamespace
 		if t.GatewayNamespaceMode {
+			gwInfraIR.Proxy.Name = gateway.Name
 			gwInfraIR.Proxy.Namespace = gateway.Namespace
 			gwInfraIR.Proxy.GetProxyMetadata().OwnerReference = &ir.ResourceMetadata{
 				Kind: resource.KindGateway,

@@ -51,8 +51,13 @@ func BuildProxyArgs(
 
 	logging := infra.Config.Spec.Logging
 
+	serviceCluster := infra.Name
+	if gatewayNamespaceMode {
 if err := r.mgr.CreateOrUpdateProxyInfra(ctx, val); err != nil { 
 if err := r.mgr.CreateOrUpdateProxyInfra(ctx, val); err != nil { 
+		serviceCluster = fmt.Sprintf("%s/%s", infra.Namespace, infra.Name)
+	}
+
 	args := []string{
-		fmt.Sprintf("--service-cluster %s", infra.Name),
+		fmt.Sprintf("--service-cluster %s", serviceCluster),
 		fmt.Sprintf("--service-node %s", serviceNode),
 		fmt.Sprintf("--config-yaml %s", bootstrapConfigurations),
 		fmt.Sprintf("--log-level %s", logging.DefaultEnvoyProxyLoggingLevel()),

@@ -35,6 +35,7 @@ const (
 )
 
 // ExpectedResourceHashedName returns expected resource hashed name including up to the 48 characters of the original name.
+// WARNING: DO NOT USE THIS FUNCTION IN MOST OF THE CASES. Use ResourceRender.Name() instead.
 func ExpectedResourceHashedName(name string) string {
 	hashedName := utils.GetHashedName(name, 48)
 	return fmt.Sprintf("%s-%s", config.EnvoyPrefix, hashedName)
@@ -308,7 +309,7 @@ func expectedContainerVolumeMounts(containerSpec *egv1a1.KubernetesContainerSpec
 }
 
 // expectedVolumes returns expected proxy deployment volumes.
-func expectedVolumes(name string, gatewayNamespacedMode bool, pod *egv1a1.KubernetesPodSpec, dnsDomain, controllerNamespace string) []corev1.Volume {
+func (r *ResourceRender) expectedVolumes(pod *egv1a1.KubernetesPodSpec) []corev1.Volume {
 	var volumes []corev1.Volume
 	certsVolume := corev1.Volume{
 		Name: "certs",
@@ -320,13 +321,13 @@ func expectedVolumes(name string, gatewayNamespacedMode bool, pod *egv1a1.Kubern
 		},
 	}
 
-	if gatewayNamespacedMode {
+	if r.GatewayNamespaceMode {
 		certsVolume = corev1.Volume{
 			Name: "certs",
 			VolumeSource: corev1.VolumeSource{
 				ConfigMap: &corev1.ConfigMapVolumeSource{
 					LocalObjectReference: corev1.LocalObjectReference{
-						Name: ExpectedResourceHashedName(name),
+						Name: r.Name(),
 					},
 					Items: []corev1.KeyToPath{
 						{
@@ -339,7 +340,7 @@ func expectedVolumes(name string, gatewayNamespacedMode bool, pod *egv1a1.Kubern
 				},
 			},
 		}
-		saAudience := fmt.Sprintf("%s.%s.svc.%s", config.EnvoyGatewayServiceName, controllerNamespace, dnsDomain)
+		saAudience := fmt.Sprintf("%s.%s.svc.%s", config.EnvoyGatewayServiceName, r.ControllerNamespace(), r.DNSDomain)
 		saTokenProjectedVolume := corev1.Volume{
 			Name: "sa-token",
 			VolumeSource: corev1.VolumeSource{
@@ -367,45 +368,39 @@ func expectedVolumes(name string, gatewayNamespacedMode bool, pod *egv1a1.Kubern
 		VolumeSource: corev1.VolumeSource{
 			ConfigMap: &corev1.ConfigMapVolumeSource{
 				LocalObjectReference: corev1.LocalObjectReference{
-					Name: ExpectedResourceHashedName(name),
-				},
-				Items: []corev1.KeyToPath{
-					{
-						Key:  common.SdsCAFilename,
-						Path: common.SdsCAFilename,
-					},
-					{
-						Key:  common.SdsCertFilename,
-						Path: common.SdsCertFilename,
-					},
+					Name: r.Name(),
 				},
+				Items:       sdsConfigMapItems(r.GatewayNamespaceMode),
 				DefaultMode: ptr.To[int32](420),
 				Optional:    ptr.To(false),
 			},
 		},
 	}
-	if gatewayNamespacedMode {
-		sdsVolume = corev1.Volume{
-			Name: "sds",
-			VolumeSource: corev1.VolumeSource{
-				ConfigMap: &corev1.ConfigMapVolumeSource{
-					LocalObjectReference: corev1.LocalObjectReference{
-						Name: ExpectedResourceHashedName(name),
-					},
-					Items: []corev1.KeyToPath{
-						{
-							Key:  common.SdsCAFilename,
-							Path: common.SdsCAFilename,
-						},
-					},
-					DefaultMode: ptr.To[int32](420),
-					Optional:    ptr.To(false),
-				},
+
+	volumes = append(volumes, sdsVolume)
+	return resource.ExpectedVolumes(pod, volumes)
+}
+
+func sdsConfigMapItems(gatewayNamespaceMode bool) []corev1.KeyToPath {
+	if gatewayNamespaceMode {
+		return []corev1.KeyToPath{
+			{
+				Key:  common.SdsCAFilename,
+				Path: common.SdsCAFilename,
 			},
 		}
 	}
-	volumes = append(volumes, sdsVolume)
-	return resource.ExpectedVolumes(pod, volumes)
+
+	return []corev1.KeyToPath{
+		{
+			Key:  common.SdsCAFilename,
+			Path: common.SdsCAFilename,
+		},
+		{
+			Key:  common.SdsCertFilename,
+			Path: common.SdsCertFilename,
+		},
+	}
 }
 
 // expectedContainerEnv returns expected proxy container envs.

@@ -96,6 +96,10 @@ func NewResourceRender(ctx context.Context, kubernetesInfra KubernetesInfraProvi
 }
 
 func (r *ResourceRender) Name() string {
+	if r.GatewayNamespaceMode {
+		return r.infra.Name
+	}
+
 	return ExpectedResourceHashedName(r.infra.Name)
 }
 
@@ -380,7 +384,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
 					SecurityContext:               deploymentConfig.Pod.SecurityContext,
 					Affinity:                      deploymentConfig.Pod.Affinity,
 					Tolerations:                   deploymentConfig.Pod.Tolerations,
-					Volumes:                       expectedVolumes(r.infra.Name, r.GatewayNamespaceMode, deploymentConfig.Pod, r.DNSDomain, r.controllerNamespace),
+					Volumes:                       r.expectedVolumes(deploymentConfig.Pod),
 					ImagePullSecrets:              deploymentConfig.Pod.ImagePullSecrets,
 					NodeSelector:                  deploymentConfig.Pod.NodeSelector,
 					TopologySpreadConstraints:     deploymentConfig.Pod.TopologySpreadConstraints,
@@ -598,15 +602,15 @@ func (r *ResourceRender) getPodSpec(
 	return corev1.PodSpec{
 		Containers:                    containers,
 		InitContainers:                initContainers,
-		ServiceAccountName:            ExpectedResourceHashedName(r.infra.Name),
+		ServiceAccountName:            r.Name(),
 		TerminationGracePeriodSeconds: expectedTerminationGracePeriodSeconds(proxyConfig.Spec.Shutdown),
 		DNSPolicy:                     corev1.DNSClusterFirst,
 		RestartPolicy:                 corev1.RestartPolicyAlways,
 		SchedulerName:                 "default-scheduler",
 		SecurityContext:               pod.SecurityContext,
 		Affinity:                      pod.Affinity,
 		Tolerations:                   pod.Tolerations,
-		Volumes:                       expectedVolumes(r.infra.Name, r.GatewayNamespaceMode, pod, r.DNSDomain, r.controllerNamespace),
+		Volumes:                       r.expectedVolumes(pod),
 		ImagePullSecrets:              pod.ImagePullSecrets,
 		NodeSelector:                  pod.NodeSelector,
 		TopologySpreadConstraints:     pod.TopologySpreadConstraints,