envoyproxy · jukie · Mar 11, 2026 · Mar 10, 2026 · Mar 10, 2026 · Mar 10, 2026
@@ -111,12 +111,14 @@ type PreconnectPolicy struct {
 	PredictivePercent *uint32 `json:"predictivePercent,omitempty"`
 }
 
+// +kubebuilder:validation:XValidation:rule="!has(self.closeDelay) || has(self.value)",message="closeDelay can only be configured when value is set"
 type ConnectionLimit struct {
 	// Value of the maximum concurrent connections limit.
 	// When the limit is reached, incoming connections will be closed after the CloseDelay duration.
 	//
 	// +kubebuilder:validation:Minimum=1
-	Value int64 `json:"value"`
+	// +optional
+	Value *int64 `json:"value,omitempty"`
 
 	// CloseDelay defines the delay to use before closing connections that are rejected
 	// once the limit value is reached.

@@ -178,9 +178,10 @@ spec:
                         format: int64
                         minimum: 1
                         type: integer
-                    required:
-                    - value
                     type: object
+                    x-kubernetes-validations:
+                    - message: closeDelay can only be configured when value is set
+                      rule: '!has(self.closeDelay) || has(self.value)'
                   maxAcceptPerSocketEvent:
                     default: 1
                     description: |-

@@ -177,9 +177,10 @@ spec:
                         format: int64
                         minimum: 1
                         type: integer
-                    required:
-                    - value
                     type: object
+                    x-kubernetes-validations:
+                    - message: closeDelay can only be configured when value is set
+                      rule: '!has(self.closeDelay) || has(self.value)'
                   maxAcceptPerSocketEvent:
                     default: 1
                     description: |-

@@ -1014,7 +1014,9 @@ func buildConnection(connection *egv1a1.ClientConnection) (*ir.ClientConnection,
 	if connection.ConnectionLimit != nil {
 		irConnectionLimit := &ir.ConnectionLimit{}
 
-		irConnectionLimit.Value = ptr.To(uint64(connection.ConnectionLimit.Value))
+		if connection.ConnectionLimit.Value != nil {
+			irConnectionLimit.Value = ptr.To(uint64(*connection.ConnectionLimit.Value))
+		}
 
 		if connection.ConnectionLimit.CloseDelay != nil {
 			d, err := time.ParseDuration(string(*connection.ConnectionLimit.CloseDelay))

@@ -48,6 +48,21 @@ clientTrafficPolicies:
       kind: Gateway
       name: gateway-1
       sectionName: http-2
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: ClientTrafficPolicy
+  metadata:
+    namespace: envoy-gateway
+    name: target-gateway-1-section-http-3
+  spec:
+    connection:
+      connectionLimit:
+        maxConnectionDuration: 300s
+        maxRequestsPerConnection: 100
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: Gateway
+      name: gateway-1
+      sectionName: http-3
 gateways:
 - apiVersion: gateway.networking.k8s.io/v1
   kind: Gateway
@@ -69,3 +84,9 @@ gateways:
       allowedRoutes:
         namespaces:
           from: Same
+    - name: http-3
+      protocol: HTTP
+      port: 9090
+      allowedRoutes:
+        namespaces:
+          from: Same
@@ -67,6 +67,36 @@ clientTrafficPolicies:
         status: "True"
         type: Accepted
       controllerName: gateway.envoyproxy.io/gatewayclass-controller
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: ClientTrafficPolicy
+  metadata:
+    name: target-gateway-1-section-http-3
+    namespace: envoy-gateway
+  spec:
+    connection:
+      connectionLimit:
+        maxConnectionDuration: 300s
+        maxRequestsPerConnection: 100
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: Gateway
+      name: gateway-1
+      sectionName: http-3
+  status:
+    ancestors:
+    - ancestorRef:
+        group: gateway.networking.k8s.io
+        kind: Gateway
+        name: gateway-1
+        namespace: envoy-gateway
+        sectionName: http-3
+      conditions:
+      - lastTransitionTime: null
+        message: Policy has been accepted.
+        reason: Accepted
+        status: "True"
+        type: Accepted
+      controllerName: gateway.envoyproxy.io/gatewayclass-controller
 - apiVersion: gateway.envoyproxy.io/v1alpha1
   kind: ClientTrafficPolicy
   metadata:
@@ -88,7 +118,7 @@ clientTrafficPolicies:
       conditions:
       - lastTransitionTime: null
         message: There are existing ClientTrafficPolicies that are overriding these
-          sections [http-1 http-2]
+          sections [http-1 http-2 http-3]
         reason: Overridden
         status: "True"
         type: Overridden
@@ -124,6 +154,12 @@ gateways:
       name: http-2
       port: 8080
       protocol: HTTP
+    - allowedRoutes:
+        namespaces:
+          from: Same
+      name: http-3
+      port: 9090
+      protocol: HTTP
   status:
     listeners:
     - attachedRoutes: 0
@@ -172,6 +208,29 @@ gateways:
         kind: HTTPRoute
       - group: gateway.networking.k8s.io
         kind: GRPCRoute
+    - attachedRoutes: 0
+      conditions:
+      - lastTransitionTime: null
+        message: Sending translated listener configuration to the data plane
+        reason: Programmed
+        status: "True"
+        type: Programmed
+      - lastTransitionTime: null
+        message: Listener has been successfully translated
+        reason: Accepted
+        status: "True"
+        type: Accepted
+      - lastTransitionTime: null
+        message: Listener references have been resolved
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
+      name: http-3
+      supportedKinds:
+      - group: gateway.networking.k8s.io
+        kind: HTTPRoute
+      - group: gateway.networking.k8s.io
+        kind: GRPCRoute
 infraIR:
   envoy-gateway/gateway-1:
     proxy:
@@ -188,6 +247,12 @@ infraIR:
           name: http-8080
           protocol: HTTP
           servicePort: 8080
+      - name: envoy-gateway/gateway-1/http-3
+        ports:
+        - containerPort: 9090
+          name: http-9090
+          protocol: HTTP
+          servicePort: 9090
       metadata:
         labels:
           gateway.envoyproxy.io/owning-gateway-name: gateway-1
@@ -268,6 +333,24 @@ xdsIR:
         escapedSlashesAction: UnescapeAndRedirect
         mergeSlashes: true
       port: 8080
+    - address: 0.0.0.0
+      connection:
+        limit:
+          maxConnectionDuration: 5m0s
+          maxRequestsPerConnection: 100
+      externalPort: 9090
+      hostnames:
+      - '*'
+      metadata:
+        kind: Gateway
+        name: gateway-1
+        namespace: envoy-gateway
+        sectionName: http-3
+      name: envoy-gateway/gateway-1/http-3
+      path:
+        escapedSlashesAction: UnescapeAndRedirect
+        mergeSlashes: true
+      port: 9090
     readyListener:
       address: 0.0.0.0
       ipFamily: IPv4

@@ -456,11 +456,13 @@ func (t *Translator) addHCMToXDSListener(
 			mgr.CommonHttpProtocolOptions.MaxStreamDuration = durationpb.New(connLimit.MaxStreamDuration.Duration)
 		}
 
-		cl := buildConnectionLimitFilter(statPrefix, connection)
-		if clf, err := toNetworkFilter(networkConnectionLimit, cl); err == nil {
-			filters = append(filters, clf)
-		} else {
-			return err
+		if connLimit.Value != nil {
+			cl := buildConnectionLimitFilter(statPrefix, connection)
+			if clf, err := toNetworkFilter(networkConnectionLimit, cl); err == nil {
+				filters = append(filters, clf)
+			} else {
+				return err
+			}
 		}
 	}
 
@@ -721,7 +723,7 @@ func buildTCPFilterChain(
 	}
 
 	// Connection limit (if configured)
-	if connection != nil && connection.ConnectionLimit != nil {
+	if connection != nil && connection.ConnectionLimit != nil && connection.ConnectionLimit.Value != nil {
 		cl := buildConnectionLimitFilter(statPrefix, connection)
 		if clf, err := toNetworkFilter(networkConnectionLimit, cl); err == nil {
 			filters = append(filters, clf)

@@ -68,6 +68,28 @@ http:
         - host: "1.2.3.4"
           port: 50000
         name: "third-route-dest/backend/0"
+- name: "sixth-listener"
+  address: "::"
+  port: 10085
+  hostnames:
+  - "foo.org"
+  connection:
+    limit:
+      maxConnectionDuration: 300s
+      maxRequestsPerConnection: 100
+  path:
+    mergeSlashes: true
+    escapedSlashesAction: UnescapeAndRedirect
+  routes:
+  - name: "sixth-route"
+    hostname: "*"
+    destination:
+      name: "sixth-route-dest"
+      settings:
+      - endpoints:
+        - host: "1.2.3.4"
+          port: 50000
+        name: "sixth-route-dest/backend/0"
 tcp:
 - name: "fourth-listener"
   address: "::"
@@ -102,3 +124,17 @@ tcp:
         - host: "1.2.3.4"
           port: 50000
         name: "tcp-route-dest/backend/0"
+- name: "seventh-listener"
+  address: "::"
+  port: 10086
+  connection:
+    limit:
+      maxConnectionDuration: 600s
+  routes:
+  - destination:
+      name: "tcp-route-dest-2"
+      settings:
+      - endpoints:
+        - host: "1.2.3.4"
+          port: 50000
+        name: "tcp-route-dest-2/backend/0"
@@ -70,6 +70,30 @@
   name: third-route-dest
   perConnectionBufferLimitBytes: 32768
   type: EDS
+- circuitBreakers:
+    thresholds:
+    - maxRetries: 1024
+  commonLbConfig: {}
+  connectTimeout: 10s
+  dnsLookupFamily: V4_PREFERRED
+  edsClusterConfig:
+    edsConfig:
+      ads: {}
+      resourceApiVersion: V3
+    serviceName: sixth-route-dest
+  ignoreHealthOnHostRemoval: true
+  lbPolicy: LEAST_REQUEST
+  loadBalancingPolicy:
+    policies:
+    - typedExtensionConfig:
+        name: envoy.load_balancing_policies.least_request
+        typedConfig:
+          '@type': type.googleapis.com/envoy.extensions.load_balancing_policies.least_request.v3.LeastRequest
+          localityLbConfig:
+            localityWeightedLbConfig: {}
+  name: sixth-route-dest
+  perConnectionBufferLimitBytes: 32768
+  type: EDS
 - circuitBreakers:
     thresholds:
     - maxRetries: 1024
@@ -118,3 +142,27 @@
   name: tcp-route-dest
   perConnectionBufferLimitBytes: 32768
   type: EDS
+- circuitBreakers:
+    thresholds:
+    - maxRetries: 1024
+  commonLbConfig: {}
+  connectTimeout: 10s
+  dnsLookupFamily: V4_PREFERRED
+  edsClusterConfig:
+    edsConfig:
+      ads: {}
+      resourceApiVersion: V3
+    serviceName: tcp-route-dest-2
+  ignoreHealthOnHostRemoval: true
+  lbPolicy: LEAST_REQUEST
+  loadBalancingPolicy:
+    policies:
+    - typedExtensionConfig:
+        name: envoy.load_balancing_policies.least_request
+        typedConfig:
+          '@type': type.googleapis.com/envoy.extensions.load_balancing_policies.least_request.v3.LeastRequest
+          localityLbConfig:
+            localityWeightedLbConfig: {}
+  name: tcp-route-dest-2
+  perConnectionBufferLimitBytes: 32768
+  type: EDS
@@ -34,6 +34,18 @@
     loadBalancingWeight: 1
     locality:
       region: third-route-dest/backend/0
+- clusterName: sixth-route-dest
+  endpoints:
+  - lbEndpoints:
+    - endpoint:
+        address:
+          socketAddress:
+            address: 1.2.3.4
+            portValue: 50000
+      loadBalancingWeight: 1
+    loadBalancingWeight: 1
+    locality:
+      region: sixth-route-dest/backend/0
 - clusterName: tls-route-dest
   endpoints:
   - lbEndpoints:
@@ -58,3 +70,15 @@
     loadBalancingWeight: 1
     locality:
       region: tcp-route-dest/backend/0
+- clusterName: tcp-route-dest-2
+  endpoints:
+  - lbEndpoints:
+    - endpoint:
+        address:
+          socketAddress:
+            address: 1.2.3.4
+            portValue: 50000
+      loadBalancingWeight: 1
+    loadBalancingWeight: 1
+    locality:
+      region: tcp-route-dest-2/backend/0