envoyproxy · arkodg · May 31, 2025 · May 28, 2025 · May 29, 2025
@@ -440,7 +440,13 @@ func (t *Translator) translateBackendTrafficPolicyForRouteWithMerge(
 	// Since GlobalRateLimit merge relies on IR auto-generated key: (<policy-ns>/<policy-name>/rule/<rule-index>)
 	// We can't simply merge the BTP's using utils.Merge() we need to specifically merge the GlobalRateLimit.Rules using IR fields.
 	// Since ir.TrafficFeatures is not a built-in Kubernetes API object with defined merging strategies and it does not support a deep merge (for lists/maps).
+
+	// Handle rate limit merging cases:
+	// 1. Both policies have rate limits - merge them
+	// 2. Only gateway policy has rate limits - preserve gateway policy's rule names
+	// 3. Only route policy has rate limits - use route policy's rule names (default behavior)
 	if policy.Spec.RateLimit != nil && gwPolicy.Spec.RateLimit != nil {
+		// Case 1: Both policies have rate limits - merge them
 		tfGW, _ := t.buildTrafficFeatures(gwPolicy, resources)
 		tfRoute, _ := t.buildTrafficFeatures(policy, resources)
 
@@ -454,7 +460,15 @@ func (t *Translator) translateBackendTrafficPolicyForRouteWithMerge(
 			// Replace the rate limit in the merged features if successful
 			tf.RateLimit = mergedRL
 		}
+	} else if policy.Spec.RateLimit == nil && gwPolicy.Spec.RateLimit != nil {
+		// Case 2: Only gateway policy has rate limits - preserve gateway policy's rule names
+		tfGW, _ := t.buildTrafficFeatures(gwPolicy, resources)
+		if tfGW != nil && tfGW.RateLimit != nil {
+			// Use the gateway policy's rate limit with its original rule names
+			tf.RateLimit = tfGW.RateLimit
+		}
 	}
+	// Case 3: Only route policy has rate limits or neither has rate limits - use default behavior (tf already built from merged policy)
 
 	x, ok := xdsIR[t.IRKey(gatewayNN)]
 	if !ok {

@@ -0,0 +1,111 @@
+gateways:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: Gateway
+    metadata:
+      namespace: envoy-gateway
+      name: gateway-1
+    spec:
+      gatewayClassName: envoy-gateway-class
+      listeners:
+        - name: http
+          protocol: HTTP
+          port: 80
+          allowedRoutes:
+            namespaces:
+              from: All
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: Gateway
+    metadata:
+      namespace: envoy-gateway
+      name: gateway-2
+    spec:
+      gatewayClassName: envoy-gateway-class
+      listeners:
+        - name: http
+          protocol: HTTP
+          port: 80
+          allowedRoutes:
+            namespaces:
+              from: All
+httpRoutes:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      namespace: default
+      name: httproute-1
+    spec:
+      hostnames:
+        - gateway.envoyproxy.io
+      parentRefs:
+        - namespace: envoy-gateway
+          name: gateway-1
+          sectionName: http
+        - namespace: envoy-gateway
+          name: gateway-2
+          sectionName: http
+      rules:
+        - matches:
+            - path:
+                value: "/"
+          backendRefs:
+            - name: service-1
+              port: 8080
+backendTrafficPolicies:
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: BackendTrafficPolicy
+    metadata:
+      namespace: envoy-gateway
+      name: policy-for-gateway1
+    spec:
+      targetRef:
+        group: gateway.networking.k8s.io
+        kind: Gateway
+        name: gateway-1
+      timeout:
+        tcp:
+          connectTimeout: 15s
+        http:
+          connectionIdleTimeout: 16s
+          maxConnectionDuration: 17s
+      httpUpgrade:
+        - type: websocket
+      rateLimit:
+        type: Global
+        global:
+          rules:
+            - clientSelectors:
+                - sourceCIDR:
+                    type: Distinct
+                    value: 0.0.0.0/0
+              limit:
+                requests: 5
+                unit: Hour
+              shared: true
+            - clientSelectors:
+                - headers:
+                    - name: x-user-id
+                      type: Exact
+                      value: one
+              limit:
+                requests: 5
+                unit: Hour
+              shared: true
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: BackendTrafficPolicy
+    metadata:
+      namespace: default
+      name: policy-for-route
+    spec:
+      targetRef:
+        group: gateway.networking.k8s.io
+        kind: HTTPRoute
+        name: httproute-1
+      mergeType: StrategicMerge
+      timeout:
+        tcp:
+          connectTimeout: 10s
+      connection:
+        bufferLimit: 100M
+      httpUpgrade:
+        - type: "spdy/3.1"
+