envoyproxy · jukie · Dec 27, 2025 · Dec 27, 2025 · Dec 19, 2025 · Dec 19, 2025
@@ -176,12 +176,27 @@ provider:
       {{- end }}
     shutdownManager:
       image: {{ include "eg.image" . }}
+{{- if or (eq (include "eg.isKube135OrHigher" .) "true") (not .Values.topologyInjector.enabled) }}
+    proxyTopologyInjector:
+      disabled: true
+{{- end }}
 {{- with .Values.config.envoyGateway.extensionApis }}
 extensionApis:
   {{- toYaml . | nindent 2 }}
 {{- end }}
-{{- if not .Values.topologyInjector.enabled }}
-proxyTopologyInjector:
-  disabled: true
-{{- end }}
 {{- end }}
+
+{{/*
+Check if Kubernetes version is 1.35 or higher
+*/}}
+{{- define "eg.isKube135OrHigher" -}}
+{{- if .Capabilities.KubeVersion.GitVersion -}}
+{{- if semverCompare ">=1.35.0-0" .Capabilities.KubeVersion.GitVersion -}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- else -}}
+false
+{{- end -}}
+{{- end -}}
@@ -9,7 +9,7 @@ All namespaced resources for Envoy Gateway RBAC.
 - {{ include "eg.rbac.namespaced.gateway.envoyproxy.status" . | nindent 2 | trim }}
 - {{ include "eg.rbac.namespaced.gateway.networking" . | nindent 2 | trim }}
 - {{ include "eg.rbac.namespaced.gateway.networking.status" . | nindent 2 | trim }}
-{{- if .Values.topologyInjector.enabled }}
+{{- if and .Values.topologyInjector.enabled (not (eq (include "eg.isKube135OrHigher" .) "true")) }}
 - {{ include "eg.rbac.namespaced.topologyinjector" . | nindent 2 | trim }}
 {{- end }}
 {{- end }}

@@ -28,7 +28,7 @@ spec:
     spec:
       containers:
       {{- $args := .Values.certgen.job.args }}
-      {{- if not .Values.topologyInjector.enabled }}
+      {{- if or (not .Values.topologyInjector.enabled) (eq (include "eg.isKube135OrHigher" .) "true") }}
         {{- $args = append $args "--disable-topology-injector" }}
       {{- end }}
       {{- if $args }}

@@ -73,7 +73,7 @@ spec:
         - containerPort: {{ .port }}
           name: {{ .name }}
         {{- end}}
-        {{- if .Values.topologyInjector.enabled }}
+        {{- if and .Values.topologyInjector.enabled (not (eq (include "eg.isKube135OrHigher" .) "true")) }}
         - name: webhook
           containerPort: 9443
         {{- end }}

@@ -20,7 +20,7 @@ spec:
   {{- include "eg.selectorLabels" . | nindent 4 }}
   ports:
   {{- .Values.deployment.ports | toYaml | nindent 2 -}}
-  {{- if .Values.topologyInjector.enabled }}
+  {{- if and .Values.topologyInjector.enabled (not (eq (include "eg.isKube135OrHigher" .) "true")) }}
   - name: webhook
     port: 9443
     targetPort: 9443

@@ -1,4 +1,4 @@
-{{- if .Values.topologyInjector.enabled }}
+{{- if and .Values.topologyInjector.enabled (not (eq (include "eg.isKube135OrHigher" .) "true")) }}
 
 {{ $watchedNamespaces := list }}
 {{ $gatewayNamespaceMode := false}}

@@ -136,7 +136,7 @@ func expectedProxyContainers(infra *ir.ProxyInfra,
 			ImagePullPolicy:          corev1.PullIfNotPresent,
 			Command:                  []string{"envoy"},
 			Args:                     args,
-			Env:                      expectedContainerEnv(containerSpec),
+			Env:                      expectedContainerEnv(containerSpec, topologyInjectorDisabled),
 			Resources:                *containerSpec.Resources,
 			SecurityContext:          expectedEnvoySecurityContext(containerSpec),
 			Ports:                    ports,
@@ -198,7 +198,7 @@ func expectedProxyContainers(infra *ir.ProxyInfra,
 			ImagePullPolicy:          corev1.PullIfNotPresent,
 			Command:                  []string{"envoy-gateway"},
 			Args:                     expectedShutdownManagerArgs(shutdownConfig),
-			Env:                      expectedContainerEnv(nil),
+			Env:                      expectedContainerEnv(nil, topologyInjectorDisabled),
 			Resources:                *egv1a1.DefaultShutdownManagerContainerResourceRequirements(),
 			TerminationMessagePolicy: corev1.TerminationMessageReadFile,
 			TerminationMessagePath:   "/dev/termination-log",
@@ -424,7 +424,7 @@ func sdsConfigMapItems(gatewayNamespaceMode bool) []corev1.KeyToPath {
 }
 
 // expectedContainerEnv returns expected proxy container envs.
-func expectedContainerEnv(containerSpec *egv1a1.KubernetesContainerSpec) []corev1.EnvVar {
+func expectedContainerEnv(containerSpec *egv1a1.KubernetesContainerSpec, topologyInjectorDisabled bool) []corev1.EnvVar {
 	env := []corev1.EnvVar{
 		{
 			Name: envoyNsEnvVar,
@@ -449,7 +449,7 @@ func expectedContainerEnv(containerSpec *egv1a1.KubernetesContainerSpec) []corev
 			ValueFrom: &corev1.EnvVarSource{
 				FieldRef: &corev1.ObjectFieldSelector{
 					APIVersion: "v1",
-					FieldPath:  fmt.Sprintf("metadata.annotations['%s']", corev1.LabelTopologyZone),
+					FieldPath:  expectedZoneFieldPath(topologyInjectorDisabled),
 				},
 			},
 		},
@@ -462,6 +462,19 @@ func expectedContainerEnv(containerSpec *egv1a1.KubernetesContainerSpec) []corev
 	}
 }
 
+// expectedZoneFieldPath returns the fieldPath for the zone environment variable
+// based on whether the topology injector MutatingWebhookConfiguration is enabled or disabled.
+// - When topology injector is enabled (disabled=false): zone is in annotations
+// - When topology injector is disabled (disabled=true): zone is in labels (K8s 1.35+ PodTopologyLabels)
+func expectedZoneFieldPath(topologyInjectorDisabled bool) string {
+	if topologyInjectorDisabled {
+		// K8s 1.35+ PodTopologyLabels: zone is in pod labels
+		return fmt.Sprintf("metadata.labels['%s']", corev1.LabelTopologyZone)
+	}
+	// Topology injector webhook: zone is in pod annotations
+	return fmt.Sprintf("metadata.annotations['%s']", corev1.LabelTopologyZone)
+}
+
 // calculateMaxHeapSizeBytes calculates the maximum heap size in bytes as 80% of Envoy container memory limits.
 // In case no limits are defined '0' is returned, which means no heap size limit is set.
 func calculateMaxHeapSizeBytes(envoyResourceRequirements *corev1.ResourceRequirements) uint64 {

@@ -183,3 +183,29 @@ func TestGetImageTag(t *testing.T) {
 		})
 	}
 }
+
+func TestExpectedZoneFieldPath(t *testing.T) {
+	tests := []struct {
+		name                     string
+		topologyInjectorDisabled bool
+		expectedPath             string
+	}{
+		{
+			name:                     "topology injector enabled - use annotations",
+			topologyInjectorDisabled: false,
+			expectedPath:             "metadata.annotations['topology.kubernetes.io/zone']",
+		},
+		{
+			name:                     "topology injector disabled - use labels",
+			topologyInjectorDisabled: true,
+			expectedPath:             "metadata.labels['topology.kubernetes.io/zone']",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			path := expectedZoneFieldPath(tt.topologyInjectorDisabled)
+			require.Equal(t, tt.expectedPath, path)
+		})
+	}
+}
@@ -14,7 +14,11 @@ cluster_manager:
 {{- end }}
 node:
   locality:
+{{- if .TopologyInjectorDisabled }}
+    zone: "$(ENVOY_SERVICE_ZONE)"
+{{- else }}
     zone: $(ENVOY_SERVICE_ZONE)
+{{- end }}
 stats_config:
   use_all_default_tags: true
   stats_tags:

@@ -10,7 +10,7 @@ admin:
       port_value: 19000
 node:
   locality:
-    zone: $(ENVOY_SERVICE_ZONE)
+    zone: "$(ENVOY_SERVICE_ZONE)"
 stats_config:
   use_all_default_tags: true
   stats_tags:

@@ -29,12 +29,15 @@ bug fixes: |
   Fixed a nil pointer error when applying BackendTrafficPolicy to HTTPRoutes with no backendRefs.
   Fixed ExternalTrafficPolicy not being applied to Envoy Service when ServiceType is NodePort.
   Fixed CRL ref not processed by gateway controller.
+  Fixed bug where disabling proxyTopologyInjector via Helm wasn't working
 
 # Enhancements that improve performance.
 performance improvements: |
 
 # Deprecated features or APIs.
 deprecations: |
+  Disables TopologyInjector Admission Webhook for K8s v1.35+ since topology info is now automatically injected by Kubernetes directly
 
 # Other notable changes not covered by the above sections.
 Other changes: |
+
@@ -36,6 +36,8 @@ data:
         default: info
     provider:
       kubernetes:
+        proxyTopologyInjector:
+          disabled: true
         rateLimitDeployment:
           container:
             image: docker.io/envoyproxy/ratelimit:master
@@ -51,8 +53,6 @@ data:
         shutdownManager:
           image: docker.io/envoyproxy/gateway-dev:latest
       type: Kubernetes
-    proxyTopologyInjector:
-      disabled: true
 ---
 # Source: gateway-helm/templates/envoy-gateway-rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1