Description:
In config/config.go, const structure variables are set that control the Kubernetes internal domain, namespace and service name.
The Kubernetes domain and namespace are customisable through env variables of the deployment as ENVOY_GATEWAY_NAMESPACE and KUBERNETES_CLUSTER_DOMAIN, but EnvoyGatewayServiceName is static and is always used as "envoy-gateway". At the same time, nothing really prevents creating the certificates and the actual service under a different name.
This results in envoy proxies always receiving the link to their upstream as:
```yaml
- connect_timeout: 10s
  load_assignment:
    cluster_name: xds_cluster
    endpoints:
    - load_balancing_weight: 1
      lb_endpoints:
      - load_balancing_weight: 1
        endpoint:
          address:
            socket_address:
              address: envoy-gateway.<ENVOY_GATEWAY_NAMESPACE>.svc.<KUBERNETES_CLUSTER_DOMAIN>.
              port_value: 18000
```
regardless of the actual service, which can have a different name.
This makes it impossible to run two gateways serving different ingress in the same namespace. It also feels "kind of" alien in general: the namespace is customisable, the cluster DNS too, and the actual service created in k8s pointing to the gateway can have any name, but it has to be "envoy-gateway" since it's static in the config.
A possible scenario for running this would be if I have two types of services in the cluster: exposed outside under one kind of name, and exposed inside with other names and other certificates (and maybe some mTLS attached; just a different way of accessing the same services anyway). Some services would be both public and private, some private only. I would approach it by creating two gateway controllers with two GatewayClasses, creating separate ingress routes for the separate gateway classes. This would allow me to never leak private HTTPRoutes to the public gateway controller and make them accessible through the public load balancer.
Of course this can be done by running two gateways in two different namespaces, but it feels kind of excessive if it's only two, and they kind of serve the same services in the cluster, just one to a private LB and one to a public LB.
It would be really nice to just run them in the same namespace, just with different names.
Now it's "impossible" because the envoy proxies they create all try to reach back to the "envoy-gateway.namespace.svc.cluster.local" service, which in any case would mean them reporting back to just one gateway controller.
PS. "impossible" is in quotes as I guess it can be achieved with a custom bootstrap patch, but it would be really nice just to have it configurable.
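As an added illustration (not Envoy Gateway's own code), the shape the requested change could take: the service name is read from a hypothetical ENVOY_GATEWAY_SERVICE_NAME variable alongside the two existing ones, and every component is validated as a DNS-1123 label before the xDS upstream address is assembled. The default namespace value is an assumption, not something the issue states.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// dnsLabel is the DNS-1123 label syntax Kubernetes requires for Service
// names, namespaces and each component of the cluster domain.
var dnsLabel = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

const (
	envNamespace       = "ENVOY_GATEWAY_NAMESPACE"    // exists, per the issue
	envDomain          = "KUBERNETES_CLUSTER_DOMAIN"  // exists, per the issue
	envServiceName     = "ENVOY_GATEWAY_SERVICE_NAME" // hypothetical: the knob the issue asks for
	defaultServiceName = "envoy-gateway"              // the value that is hard-coded today
	defaultDomain      = "cluster.local"
	defaultNamespace   = "envoy-gateway-system" // assumed default, not stated in the issue
)

// XDSUpstreamAddress builds the host each proxy is bootstrapped with, taking the
// service name from the environment; get is injectable (os.Getenv in production).
func XDSUpstreamAddress(get func(string) string) (string, error) {
	// Start from the defaults and let each environment variable override its entry.
	vals := map[string]string{envServiceName: defaultServiceName, envNamespace: defaultNamespace, envDomain: defaultDomain}
	for k := range vals {
		if v := get(k); v != "" {
			vals[k] = v
		}
	}
	svc, ns, domain := vals[envServiceName], vals[envNamespace], vals[envDomain]
	// Reject invalid labels: a bad value would silently point every proxy somewhere unintended.
	for _, l := range append([]string{svc, ns}, strings.Split(domain, ".")...) {
		if len(l) > 63 || !dnsLabel.MatchString(l) {
			return "", fmt.Errorf("invalid DNS-1123 label %q", l)
		}
	}
	return fmt.Sprintf("%s.%s.svc.%s", svc, ns, domain), nil
}

func main() {
	addr, err := XDSUpstreamAddress(os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("xds upstream: %s:18000\n", addr)
}
```

With this, two controllers in one namespace would each hand their proxies a distinct upstream, matching the Service each one actually created.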