Description
kgateway version
2.3.0
Kubernetes Version
1.33.5
Describe the bug
We're currently adopting kgateway in replacement of our current Ingress solution, in a cluster using Istio service mesh (sidecar mode).
We're not looking to integrate kgateway with the service mesh in terms of using it as a gateway proxy or anything like that, we're just using it for N/S traffic for now.
What we're finding is that kgateway is loading in all ServiceEntry (and other) Istio resources and creating Envoy clusters for them in the gateways, which results in a larger config than necessary, and excess DNS requests from the gateway pods always trying to resolve these DNS entries.
We have attempted to remove the RBAC for Istio resources but it appears kgateway refuses to start if the RBAC is not there. I found some lingering reference to a KGW_ENABLE_ISTIO_INTEGRATION env var in the code base that might have controlled this, but it's not used anywhere, similarly KGW_ENABLE_WAYPOINT defaults to false and doesn't disable this behaviour.
Is there a way to explicitly prevent kgateway from looking for Istio resources?
Expected Behavior
kgateway should only watch Istio resources if configured to
Steps to reproduce the bug
- Deploy kgateway in a cluster that has Istio CRDs installed
- Create a ServiceEntry resource
- Observe a created Gateway load the contents of the ServiceEntry as an Envoy cluster
Additional Environment Detail
No response
Additional Context
It appears #13200 is potentially attempting to solve this problem, but would be good to confirm
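
One way to confirm the behaviour described in this report is to audit a gateway proxy's Envoy config dump for DNS-resolved clusters and compare their hostnames with what the Gateway's own routes need. The script below is an added example, not part of the original issue or of kgateway's code; the cluster names, hostnames and the allow-list are constructed, and it assumes a JSON file saved from Envoy's admin `/config_dump` endpoint.

```python
import json
import sys

DNS_TYPES = {"STRICT_DNS", "LOGICAL_DNS"}  # Envoy discovery types that resolve hostnames

def _cluster(name, ctype, host=None):
    """Build one constructed config_dump cluster entry (sample data only)."""
    c = {"name": name, "type": ctype}
    if host:
        c["load_assignment"] = {"endpoints": [{"lb_endpoints": [{"endpoint": {
            "address": {"socket_address": {"address": host, "port_value": 443}}}}]}]}
    return {"cluster": c}

# Constructed sample in the shape of Envoy's /config_dump output; every name is made up.
SAMPLE_DUMP = {"configs": [
    {"@type": "type.googleapis.com/envoy.admin.v3.BootstrapConfigDump"},
    {"@type": "type.googleapis.com/envoy.admin.v3.ClustersConfigDump",
     "static_clusters": [_cluster("xds_cluster", "STRICT_DNS", "controlplane.example.internal")],
     "dynamic_active_clusters": [
         _cluster("sample_backend_service", "EDS"),
         _cluster("sample_serviceentry_payments", "STRICT_DNS", "payments.example.com"),
         _cluster("sample_serviceentry_ldap", "LOGICAL_DNS", "ldap.example.internal")]},
]}

def dns_clusters(config_dump):
    """Return {cluster name: sorted hostnames} for every DNS-resolved cluster."""
    found = {}
    for section in config_dump.get("configs", []):
        if not section.get("@type", "").endswith("ClustersConfigDump"):
            continue
        entries = section.get("static_clusters", []) + section.get("dynamic_active_clusters", [])
        for entry in entries:
            cluster = entry.get("cluster", {})
            if cluster.get("type") not in DNS_TYPES:  # EDS/STATIC clusters do no DNS lookups
                continue
            hosts = set()
            for locality in cluster.get("load_assignment", {}).get("endpoints", []):
                for lb in locality.get("lb_endpoints", []):
                    sock = lb.get("endpoint", {}).get("address", {}).get("socket_address", {})
                    if "address" in sock:
                        hosts.add(sock["address"])
            found[cluster.get("name", "<unnamed>")] = sorted(hosts)
    return found

def unexpected(found, allowed_hosts):
    """Keep only clusters that resolve a hostname outside the operator's allow-list."""
    return {name: hosts for name, hosts in found.items() if not set(hosts) <= set(allowed_hosts)}

if __name__ == "__main__":
    dump = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DUMP
    for name, hosts in unexpected(dns_clusters(dump), {"controlplane.example.internal"}).items():
        print(f"{name}: {', '.join(hosts)}")
```

Running the same audit before and after any configuration change shows whether the extra clusters, and the DNS lookups they cause, are actually gone.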