refactor

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

Author: zhaohuabing

internal/controller/filter_config_bundle.go

@@ -43,7 +43,8 @@ func splitBytes(raw []byte, chunkSize int) [][]byte {
 	return chunks
 }
 
-func (c *GatewayController) writeFilterConfigBundle(ctx context.Context, indexSecretName, configSecretNamespace string, payload []byte, uuid string) error {
+func (c *GatewayController) writeFilterConfigBundle(ctx context.Context, gatewayName, gatewayNamespace, configSecretNamespace string, payload []byte, uuid string) error {
+	indexSecretName := FilterConfigBundleIndexSecretName(gatewayName, gatewayNamespace)
 	chunks := splitBytes(payload, filterConfigBundlePartSizeBytes)
 	if len(chunks) > maxFilterConfigBundleSlots {
 		return fmt.Errorf("filter config requires %d shards, exceeds max supported slots %d", len(chunks), maxFilterConfigBundleSlots)
@@ -56,8 +57,8 @@ func (c *GatewayController) writeFilterConfigBundle(ctx context.Context, indexSe
 	}
 
 	// Create parts Secrets
-	for i := 0; i < maxFilterConfigBundleSlots; i++ {
-		partName := filterConfigBundlePartSecretName(indexSecretName, i)
+	for i := range maxFilterConfigBundleSlots {
+		partName := filterConfigBundlePartSecretName(gatewayName, gatewayNamespace, i)
 		chunkPayload := ""
 		partSize := 0
 		if i < len(chunks) {

internal/controller/gateway.go

@@ -448,8 +448,7 @@ func (c *GatewayController) reconcileFilterConfigSecret(
 	if err != nil {
 		return false, fmt.Errorf("failed to marshal extproc config: %w", err)
 	}
-	configBundleIndexSecretName := FilterConfigBundleIndexSecretName(gatewayName, gatewayNamespace)
-	if err = c.writeFilterConfigBundle(ctx, configBundleIndexSecretName, configSecretNamespace, marshaled, uuid); err != nil {
+	if err = c.writeFilterConfigBundle(ctx, gatewayName, gatewayNamespace, configSecretNamespace, marshaled, uuid); err != nil {
 		return false, err
 	}
 	// TODO(huabing): this can be removed in the next release.
@@ -466,7 +465,7 @@ func (c *GatewayController) writeLegacyFilterConfigSecret(
 	configSecretNamespace string,
 	marshaled []byte,
 ) error {
-	legacySecretName := LegacyFilterConfigSecretName(gatewayName, gatewayNamespace)
+	legacySecretName := legacyFilterConfigSecretName(gatewayName, gatewayNamespace)
 
 	// Create legacy secret only if the content still fit Kubernetes limits.
 	if len(legacySecretName) > k8sObjectNameMaxLen || len(marshaled) > corev1.MaxSecretSize {

internal/controller/gateway_mutator.go

@@ -288,7 +288,7 @@ func (g *gatewayMutator) mutatePod(ctx context.Context, pod *corev1.Pod, gateway
 	// Prefer bundled config when available/valid, and fall back to legacy config for compatibility.
 	// If neither exists, skip mutation to avoid blocking Envoy pod creation.
 	// The controller will later trigger new pod mutations by updating pod/deployment annotations when the config secrets are created.
-	legacyConfigSecretName := LegacyFilterConfigSecretName(gatewayName, gatewayNamespace)
+	legacyConfigSecretName := legacyFilterConfigSecretName(gatewayName, gatewayNamespace)
 	bundleConfigIndexSecretName := FilterConfigBundleIndexSecretName(gatewayName, gatewayNamespace)
 
 	bundleConfigIndexSecret, err := g.kube.CoreV1().Secrets(pod.Namespace).Get(ctx, bundleConfigIndexSecretName, metav1.GetOptions{})
@@ -322,7 +322,7 @@ func (g *gatewayMutator) mutatePod(ctx context.Context, pod *corev1.Pod, gateway
 	}
 
 	// Now we construct the AI Gateway managed containers and volumes.
-	filterConfigVolumeName := filterConfigVolumeName(gatewayName, gatewayNamespace)
+	filterConfigVolumeName := legacyFilterConfigVolumeName(gatewayName, gatewayNamespace)
 	filterConfigBundleVolumeName := filterConfigBundleVolumeName(gatewayName, gatewayNamespace)
 	const extProcUDSVolumeName = mutationNamePrefix + "extproc-uds"
 	volumes := []corev1.Volume{
@@ -361,7 +361,7 @@ func (g *gatewayMutator) mutatePod(ctx context.Context, pod *corev1.Pod, gateway
 			projections = append(projections, corev1.VolumeProjection{
 				Secret: &corev1.SecretProjection{
 					LocalObjectReference: corev1.LocalObjectReference{
-						Name: filterConfigBundlePartSecretName(bundleConfigIndexSecretName, i),
+						Name: filterConfigBundlePartSecretName(gatewayName, gatewayNamespace, i),
 					},
 					Items: []corev1.KeyToPath{
 						{

internal/controller/gateway_mutator_test.go

@@ -417,7 +417,7 @@ func TestGatewayMutator_mutatePod(t *testing.T) {
 					require.NoError(t, idxErr)
 					_, err = g.kube.CoreV1().Secrets("test-namespace").Create(t.Context(),
 						&corev1.Secret{
-							ObjectMeta: metav1.ObjectMeta{Name: LegacyFilterConfigSecretName(
+							ObjectMeta: metav1.ObjectMeta{Name: legacyFilterConfigSecretName(
 								gwName, gwNamespace,
 							), Namespace: "test-namespace"},
 							Data: map[string][]byte{
@@ -527,7 +527,7 @@ func TestGatewayMutator_mutatePod_BundleOnly(t *testing.T) {
 	require.Contains(t, extProcContainer.Args, "-configBundlePath")
 	require.NotContains(t, extProcContainer.Args, "-configPath")
 
-	legacySecretName := LegacyFilterConfigSecretName(gwName, gwNamespace)
+	legacySecretName := legacyFilterConfigSecretName(gwName, gwNamespace)
 	for i := range pod.Spec.Volumes {
 		v := pod.Spec.Volumes[i]
 		if v.Secret != nil {
@@ -560,7 +560,7 @@ func TestGatewayMutator_mutatePod_LegacyOnly(t *testing.T) {
 
 	_, err = g.kube.CoreV1().Secrets(gwNamespace).Create(t.Context(),
 		&corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{Name: LegacyFilterConfigSecretName(gwName, gwNamespace), Namespace: gwNamespace},
+			ObjectMeta: metav1.ObjectMeta{Name: legacyFilterConfigSecretName(gwName, gwNamespace), Namespace: gwNamespace},
 			Data:       map[string][]byte{FilterConfigKeyInSecret: []byte("version: dev\n")},
 		}, metav1.CreateOptions{})
 	require.NoError(t, err)

internal/controller/gateway_test.go

@@ -1270,12 +1270,14 @@ func TestGatewayController_writeFilterConfigBundleShards(t *testing.T) {
 		"docker.io/envoyproxy/ai-gateway-extproc:latest", "info", false, nil, true)
 
 	namespace := "ns"
-	secretName := "cfg"
+	gatewayName := "cfg-gw"
+	gatewayNamespace := "cfg-ns"
 	payload := []byte(strings.Repeat("x", filterConfigBundlePartSizeBytes*2+10))
-	err := c.writeFilterConfigBundle(t.Context(), secretName, namespace, payload, "uuid-1")
+	err := c.writeFilterConfigBundle(t.Context(), gatewayName, gatewayNamespace, namespace, payload, "uuid-1")
 	require.NoError(t, err)
 
-	indexSecret, err := kube.CoreV1().Secrets(namespace).Get(t.Context(), secretName, metav1.GetOptions{})
+	indexSecretName := FilterConfigBundleIndexSecretName(gatewayName, gatewayNamespace)
+	indexSecret, err := kube.CoreV1().Secrets(namespace).Get(t.Context(), indexSecretName, metav1.GetOptions{})
 	require.NoError(t, err)
 	indexRaw, ok := indexSecret.StringData[FilterConfigBundleIndexKey]
 	if !ok {
@@ -1296,7 +1298,7 @@ func TestGatewayController_writeFilterConfigBundleShards(t *testing.T) {
 		require.True(t, partOK)
 	}
 	lastSlot, err := kube.CoreV1().Secrets(namespace).Get(t.Context(),
-		filterConfigBundlePartSecretName(secretName, maxFilterConfigBundleSlots-1), metav1.GetOptions{})
+		filterConfigBundlePartSecretName(gatewayName, gatewayNamespace, maxFilterConfigBundleSlots-1), metav1.GetOptions{})
 	require.NoError(t, err)
 	require.Empty(t, lastSlot.StringData[FilterConfigBundlePartKey])
 	_, legacyOK := indexSecret.StringData[FilterConfigKeyInSecret]
@@ -1311,7 +1313,7 @@ func TestGatewayController_writeFilterConfigBundleShards_Overflow(t *testing.T)
 		"docker.io/envoyproxy/ai-gateway-extproc:latest", "info", false, nil, true)
 
 	payload := []byte(strings.Repeat("x", filterConfigBundlePartSizeBytes*(maxFilterConfigBundleSlots+1)))
-	err := c.writeFilterConfigBundle(t.Context(), "cfg", "ns", payload, "uuid-1")
+	err := c.writeFilterConfigBundle(t.Context(), "cfg-gw", "cfg-ns", "ns", payload, "uuid-1")
 	require.ErrorContains(t, err, "exceeds max supported slots")
 }
 

internal/controller/secret_name.go

@@ -23,7 +23,8 @@ func shortStableHash(value string) string {
 	return hex.EncodeToString(sum[:6])
 }
 
-func boundedBaseWithHash(base, hash string, maxLen int) string {
+// truncate base to fit maxLen and append hash, hash is included in maxLen
+func truncateAndAppendHash(base, hash string, maxLen int) string {
 	base = strings.Trim(base, "-")
 	name := fmt.Sprintf("%s-%s", base, hash)
 	if len(name) <= maxLen {
@@ -43,46 +44,43 @@ func boundedBaseWithHash(base, hash string, maxLen int) string {
 	return fmt.Sprintf("%s-%s", trimmedBase, hash)
 }
 
+// example: gateway-ns1-c6d39be275c7
 func FilterConfigBundleIndexSecretName(gwName, gwNamespace string) string {
 	rawIdentity := fmt.Sprintf("%s/%s", gwNamespace, gwName)
-	return boundedBaseWithHash(LegacyFilterConfigSecretName(gwName, gwNamespace), shortStableHash(rawIdentity), k8sObjectNameMaxLen)
+	return truncateAndAppendHash(legacyFilterConfigSecretName(gwName, gwNamespace), shortStableHash(rawIdentity), k8sObjectNameMaxLen)
 }
 
-func filterConfigBundlePartSecretName(baseSecretName string, idx int) string {
+// example: gateway-ns1-c6d39be275c7-part-000
+func filterConfigBundlePartSecretName(gwName, gwNamespace string, idx int) string {
+	rawIdentity := fmt.Sprintf("%s/%s", gwNamespace, gwName)
+	hash := shortStableHash(rawIdentity)
+	base := fmt.Sprintf("%s-%s", gwName, gwNamespace)
 	suffix := fmt.Sprintf("-part-%03d", idx)
-	maxNameLen := k8sObjectNameMaxLen - len(suffix)
-
-	// Preserve full identity hash (the trailing "-<12hex>") when deriving part names.
-	lastDash := strings.LastIndex(baseSecretName, "-")
-	if lastDash > 0 {
-		hash := baseSecretName[lastDash+1:]
-		if len(hash) == 12 {
-			prefix := baseSecretName[:lastDash]
-			return boundedBaseWithHash(prefix, hash, maxNameLen) + suffix
-		}
-	}
+	maxNameLen := k8sObjectNameMaxLen - len(hash) - len(suffix) - 1
 
-	// Fallback for unexpected base names that do not carry a hash suffix.
-	if len(baseSecretName) > maxNameLen {
-		baseSecretName = strings.TrimRight(baseSecretName[:maxNameLen], "-")
+	if len(base) > maxNameLen {
+		base = strings.TrimRight(base[:maxNameLen], "-")
 	}
-	return baseSecretName + suffix
+	return base + "-" + hash + suffix
 }
 
-func LegacyFilterConfigSecretName(gwName, gwNamespace string) string {
-	return fmt.Sprintf("%s-%s", gwName, gwNamespace)
+// example: ai-gateway-gateway-ns1-c6d39be275c7-bundle
+func filterConfigBundleVolumeName(gwName, gwNamespace string) string {
+	const suffix = "-bundle"
+	rawIdentity := fmt.Sprintf("%s/%s", gwNamespace, gwName)
+	volumeBase := fmt.Sprintf("%s%s-%s", mutationNamePrefix, gwName, gwNamespace)
+	base := truncateAndAppendHash(volumeBase, shortStableHash(rawIdentity), k8sVolumeNameMaxLen-len(suffix))
+	return base + suffix
 }
 
-func filterConfigVolumeName(gwName, gwNamespace string) string {
-	rawIdentity := fmt.Sprintf("%s/%s", gwNamespace, gwName)
-	legacyVolumeBase := mutationNamePrefix + LegacyFilterConfigSecretName(gwName, gwNamespace)
-	return boundedBaseWithHash(legacyVolumeBase, shortStableHash(rawIdentity), k8sVolumeNameMaxLen)
+// example: gateway-ns1
+func legacyFilterConfigSecretName(gwName, gwNamespace string) string {
+	return fmt.Sprintf("%s-%s", gwName, gwNamespace)
 }
 
-func filterConfigBundleVolumeName(gwName, gwNamespace string) string {
-	const suffix = "-bundle"
+// example: ai-gateway-gw-default-3d45476e8d68
+func legacyFilterConfigVolumeName(gwName, gwNamespace string) string {
 	rawIdentity := fmt.Sprintf("%s/%s", gwNamespace, gwName)
-	legacyVolumeBase := mutationNamePrefix + LegacyFilterConfigSecretName(gwName, gwNamespace)
-	base := boundedBaseWithHash(legacyVolumeBase, shortStableHash(rawIdentity), k8sVolumeNameMaxLen-len(suffix))
-	return base + suffix
+	volumeBase := fmt.Sprintf("%s%s-%s", mutationNamePrefix, gwName, gwNamespace)
+	return truncateAndAppendHash(volumeBase, shortStableHash(rawIdentity), k8sVolumeNameMaxLen)
 }