Guy Daich

@zirain, @Xunzhuo - There are some differences from `ServiceEntry`. - `ServiceEntry` doesn't support Unix Domain Sockets - You can route from `VirtualService` to external services by just specifying their address....

Option 1: it's possible (not 100% sure) that a server cert cannot always be used as a client cert, e.g. if it doesn't have the appropriate [extended key usage](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12) `TLS...

> suggest waiting for upstream to align on naming [kubernetes-sigs/gateway-api#2910](https://github.com/kubernetes-sigs/gateway-api/pull/2910) With the merge of the above, should we proceed with for something like: - `BackendTLS.ClientCertificateRef` for Client Certificate: #2984 -...

> move load generation after the deployment has been restarted Hi @shawnh2! The purpose of the test is to run load during the restart and assert that there's no loss...

Hi @shawnh2 , @alexwo - that's interesting input. Yes, I assume that if failures are 404s, then we have a problem with new envoy proxies receiving traffic before they are...

Hi @owenhaynes. The timeout that you're referring to in the Gateway API HTTP Route is implemented in EG as Envoy's route timeout: https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#route-timeouts. I'm not familiar with an equivalent global...

EnvoyPatchPolicy is also an option that you can consider here. It supports GatewayClass attachment for the MergeGateways scenario that you describe: https://gateway.envoyproxy.io/v1.0.1/tasks/extensibility/envoy-patch-policy/.

I'm concerned that a hitless in-place upgrade of envoy is not trivial. A graceful termination of envoy may require: - Failing LB/Kubelet probes to stop new connection from being established...

@arkodg I executed a naive test: - Environment: kind, metallb, EG quickstart.yaml - envoy proxy replicas: 2 - upgrade: 0.6.0 => 0.0.0-latest using `helm upgrade` - load simulation during upgrade:...

/retest