From b079ce726456de9dd02fc954e84ff15a1f13fc73 Mon Sep 17 00:00:00 2001
From: Ilya Lobkov <ilya.lobkov@konghq.com>
Date: Thu, 23 Nov 2023 17:48:56 +0100
Subject: [PATCH 1/8] fix(kuma-cp): don't remove Service if MeshGateway is
 absent for a while (i.e. due to renaming)

Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>
---
 .../runtime/k8s/controllers/gateway_instance_controller.go  | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/pkg/plugins/runtime/k8s/controllers/gateway_instance_controller.go b/pkg/plugins/runtime/k8s/controllers/gateway_instance_controller.go
index f2d82e20ccb3..1038e32da5d3 100644
--- a/pkg/plugins/runtime/k8s/controllers/gateway_instance_controller.go
+++ b/pkg/plugins/runtime/k8s/controllers/gateway_instance_controller.go
@@ -118,9 +118,11 @@ func (r *GatewayInstanceReconciler) createOrUpdateService(
 	obj, err := ctrls_util.ManageControlledObject(
 		ctx, r.Client, gatewayInstance, &kube_core.ServiceList{},
 		func(obj kube_client.Object) (kube_client.Object, error) {
-			// If we don't have a gateway, we don't want our Service anymore
+			// If we don't have a gateway, we don't change anything. If the Service was already created, we keep it.
+			// If there is no Service, we don't create one. We don't want to break the traffic if MeshGateway is absent
+			// for a short period of time (i.e. due to renaming).
 			if gateway == nil {
-				return nil, nil
+				return obj, nil
 			}
 
 			svcAnnotations := map[string]string{metadata.KumaGatewayAnnotation: metadata.AnnotationBuiltin}

From 30b4b5b423e87bca9c3691921ebee73e42104209 Mon Sep 17 00:00:00 2001
From: Ilya Lobkov <ilya.lobkov@konghq.com>
Date: Fri, 24 Nov 2023 17:11:31 +0100
Subject: [PATCH 2/8] fix(kuma-cp): updateStatus checks 'gateway' instead
 'service'

Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>
---
 .../gateway_instance_controller.go            | 24 ++++++++++++-------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/pkg/plugins/runtime/k8s/controllers/gateway_instance_controller.go b/pkg/plugins/runtime/k8s/controllers/gateway_instance_controller.go
index 1038e32da5d3..c303652e7755 100644
--- a/pkg/plugins/runtime/k8s/controllers/gateway_instance_controller.go
+++ b/pkg/plugins/runtime/k8s/controllers/gateway_instance_controller.go
@@ -71,7 +71,7 @@ func (r *GatewayInstanceReconciler) Reconcile(ctx context.Context, req kube_ctrl
 	mesh := k8s_util.MeshOfByLabelOrAnnotation(r.Log, gatewayInstance, &ns)
 
 	orig := gatewayInstance.DeepCopyObject().(kube_client.Object)
-	svc, err := r.createOrUpdateService(ctx, mesh, gatewayInstance)
+	svc, gateway, err := r.createOrUpdateService(ctx, mesh, gatewayInstance)
 	if err != nil {
 		return kube_ctrl.Result{}, errors.Wrap(err, "unable to reconcile Service for Gateway")
 	}
@@ -84,7 +84,7 @@ func (r *GatewayInstanceReconciler) Reconcile(ctx context.Context, req kube_ctrl
 		}
 	}
 
-	updateStatus(gatewayInstance, mesh, svc, deployment)
+	updateStatus(gatewayInstance, gateway, mesh, svc, deployment)
 
 	if err := r.Client.Status().Patch(ctx, gatewayInstance, kube_client.MergeFrom(orig)); err != nil {
 		if kube_apierrs.IsNotFound(err) {
@@ -106,10 +106,10 @@ func (r *GatewayInstanceReconciler) createOrUpdateService(
 	ctx context.Context,
 	mesh string,
 	gatewayInstance *mesh_k8s.MeshGatewayInstance,
-) (*kube_core.Service, error) {
+) (*kube_core.Service, *core_mesh.MeshGatewayResource, error) {
 	gatewayList := &core_mesh.MeshGatewayResourceList{}
 	if err := r.ResourceManager.List(ctx, gatewayList, store.ListByMesh(mesh)); err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	gateway := xds_topology.SelectGateway(gatewayList.Items, func(selector mesh_proto.TagSelector) bool {
 		return selector.Matches(gatewayInstance.Spec.Tags)
@@ -197,14 +197,14 @@ func (r *GatewayInstanceReconciler) createOrUpdateService(
 		},
 	)
 	if err != nil {
-		return nil, err
+		return nil, gateway, err
 	}
 
 	if obj == nil {
-		return nil, nil
+		return nil, gateway, nil
 	}
 
-	return obj.(*kube_core.Service), nil
+	return obj.(*kube_core.Service), gateway, nil
 }
 
 // createOrUpdateDeployment can either return an error, a created Deployment or
@@ -362,12 +362,18 @@ func getCombinedReadiness(svc *kube_core.Service, deployment *kube_apps.Deployme
 	return kube_meta.ConditionFalse, mesh_k8s.GatewayInstanceAddressNotReady
 }
 
-func updateStatus(gatewayInstance *mesh_k8s.MeshGatewayInstance, mesh string, svc *kube_core.Service, deployment *kube_apps.Deployment) {
+func updateStatus(
+	gatewayInstance *mesh_k8s.MeshGatewayInstance,
+	gateway *core_mesh.MeshGatewayResource,
+	mesh string,
+	svc *kube_core.Service,
+	deployment *kube_apps.Deployment,
+) {
 	var status kube_meta.ConditionStatus
 	var reason string
 	var message string
 
-	if svc == nil {
+	if gateway == nil {
 		status, reason, message = kube_meta.ConditionFalse, mesh_k8s.GatewayInstanceNoGatewayMatched, fmt.Sprintf("No Gateway matched by tags in mesh: '%s'", mesh)
 	} else {
 		status, reason = getCombinedReadiness(svc, deployment)

From ed6e0e67da2e3d82dfd243c7c3db3545a8ff068f Mon Sep 17 00:00:00 2001
From: Ilya Lobkov <ilya.lobkov@konghq.com>
Date: Mon, 27 Nov 2023 11:37:29 +0100
Subject: [PATCH 3/8] fix(kuma-cp): KDS feature to show Zone supports
 hash-suffix names (it means Zone CP has #8450 fix)

Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>
---
 pkg/kds/client/stream.go                   |  1 +
 pkg/kds/context/context.go                 | 15 +++++++++-----
 pkg/kds/features.go                        |  2 ++
 pkg/kds/reconcile/snapshot_generator.go    | 24 ++++++++++++++--------
 pkg/kds/v2/client/stream.go                |  1 +
 pkg/kds/v2/reconcile/snapshot_generator.go | 24 ++++++++++++++--------
 6 files changed, 44 insertions(+), 23 deletions(-)

diff --git a/pkg/kds/client/stream.go b/pkg/kds/client/stream.go
index 4d1c5075abfa..d37f99cc635f 100644
--- a/pkg/kds/client/stream.go
+++ b/pkg/kds/client/stream.go
@@ -69,6 +69,7 @@ func (s *stream) DiscoveryRequest(resourceType model.ResourceType) error {
 					kds.MetadataFeatures: {Kind: &structpb.Value_ListValue{ListValue: &structpb.ListValue{
 						Values: []*structpb.Value{
 							{Kind: &structpb.Value_StringValue{StringValue: kds.FeatureZoneToken}},
+							{Kind: &structpb.Value_StringValue{StringValue: kds.FeatureHashSuffix}},
 						},
 					}}},
 				},
diff --git a/pkg/kds/context/context.go b/pkg/kds/context/context.go
index a1476fac7fbc..6f88af87a38e 100644
--- a/pkg/kds/context/context.go
+++ b/pkg/kds/context/context.go
@@ -88,14 +88,14 @@ func DefaultContext(
 // a single ResourceMapper which calls each in order. If an error
 // occurs, the first one is returned and no further mappers are executed.
 func CompositeResourceMapper(mappers ...reconcile.ResourceMapper) reconcile.ResourceMapper {
-	return func(r model.Resource) (model.Resource, error) {
+	return func(features kds.Features, r model.Resource) (model.Resource, error) {
 		var err error
 		for _, mapper := range mappers {
 			if mapper == nil {
 				continue
 			}
 
-			r, err = mapper(r)
+			r, err = mapper(features, r)
 			if err != nil {
 				return r, err
 			}
@@ -112,7 +112,7 @@ type specWithDiscoverySubscriptions interface {
 // MapInsightResourcesZeroGeneration zeros "generation" field in resources for which
 // the field has only local relevance. This prevents reconciliation from unnecessarily
 // deeming the object to have changed.
-func MapInsightResourcesZeroGeneration(r model.Resource) (model.Resource, error) {
+func MapInsightResourcesZeroGeneration(_ kds.Features, r model.Resource) (model.Resource, error) {
 	if spec, ok := r.GetSpec().(specWithDiscoverySubscriptions); ok {
 		spec = proto.Clone(spec).(specWithDiscoverySubscriptions)
 		for _, sub := range spec.GetSubscriptions() {
@@ -135,6 +135,7 @@ func MapInsightResourcesZeroGeneration(r model.Resource) (model.Resource, error)
 }
 
 func MapZoneTokenSigningKeyGlobalToPublicKey(
+	_ kds.Features,
 	r model.Resource,
 ) (model.Resource, error) {
 	resType := r.Descriptor().Name
@@ -184,7 +185,7 @@ func RemoveK8sSystemNamespaceSuffixFromPluginOriginatedResourcesMapper(
 		return nil
 	}
 
-	return func(r model.Resource) (model.Resource, error) {
+	return func(_ kds.Features, r model.Resource) (model.Resource, error) {
 		if r.Descriptor().IsPluginOriginated {
 			util.TrimSuffixFromName(r, k8sSystemNamespace)
 		}
@@ -193,7 +194,11 @@ func RemoveK8sSystemNamespaceSuffixFromPluginOriginatedResourcesMapper(
 	}
 }
 
-func AddHashSuffix(r model.Resource) (model.Resource, error) {
+func AddHashSuffix(features kds.Features, r model.Resource) (model.Resource, error) {
+	if !features.HasFeature(kds.FeatureHashSuffix) {
+		return r, nil
+	}
+
 	if r.Descriptor().Scope == model.ScopeGlobal {
 		return r, nil
 	}
diff --git a/pkg/kds/features.go b/pkg/kds/features.go
index 4a5d3b53c890..b25e0b20c986 100644
--- a/pkg/kds/features.go
+++ b/pkg/kds/features.go
@@ -17,3 +17,5 @@ const FeatureZoneToken string = "zone-token"
 // FeatureZonePingHealth means that the zone control plane sends pings to the
 // global control plane to indicate it's still running.
 const FeatureZonePingHealth string = "zone-ping-health"
+
+const FeatureHashSuffix string = "hash-suffix"
diff --git a/pkg/kds/reconcile/snapshot_generator.go b/pkg/kds/reconcile/snapshot_generator.go
index 6ef079502fb4..2fce8fa82580 100644
--- a/pkg/kds/reconcile/snapshot_generator.go
+++ b/pkg/kds/reconcile/snapshot_generator.go
@@ -17,7 +17,7 @@ import (
 
 type (
 	ResourceFilter func(ctx context.Context, clusterID string, features kds.Features, r model.Resource) bool
-	ResourceMapper func(r model.Resource) (model.Resource, error)
+	ResourceMapper func(features kds.Features, r model.Resource) (model.Resource, error)
 )
 
 func NoopResourceMapper(r model.Resource) (model.Resource, error) {
@@ -66,7 +66,7 @@ func (s *snapshotGenerator) getResources(ctx context.Context, typ model.Resource
 		return nil, err
 	}
 
-	resources, err := s.mapper(s.filter(ctx, rlist, node))
+	resources, err := s.mapper(s.filter(ctx, rlist, node), node)
 	if err != nil {
 		return nil, err
 	}
@@ -75,10 +75,7 @@ func (s *snapshotGenerator) getResources(ctx context.Context, typ model.Resource
 }
 
 func (s *snapshotGenerator) filter(ctx context.Context, rs model.ResourceList, node *envoy_core.Node) model.ResourceList {
-	features := kds.Features{}
-	for _, value := range node.GetMetadata().GetFields()[kds.MetadataFeatures].GetListValue().GetValues() {
-		features[value.GetStringValue()] = true
-	}
+	features := getFeatures(node)
 
 	rv, _ := registry.Global().NewList(rs.GetItemType())
 	for _, r := range rs.GetItems() {
@@ -89,11 +86,12 @@ func (s *snapshotGenerator) filter(ctx context.Context, rs model.ResourceList, n
 	return rv
 }
 
-func (s *snapshotGenerator) mapper(rs model.ResourceList) (model.ResourceList, error) {
-	rv, _ := registry.Global().NewList(rs.GetItemType())
+func (s *snapshotGenerator) mapper(rs model.ResourceList, node *envoy_core.Node) (model.ResourceList, error) {
+	features := getFeatures(node)
 
+	rv, _ := registry.Global().NewList(rs.GetItemType())
 	for _, r := range rs.GetItems() {
-		resource, err := s.resourceMapper(r)
+		resource, err := s.resourceMapper(features, r)
 		if err != nil {
 			return nil, err
 		}
@@ -105,3 +103,11 @@ func (s *snapshotGenerator) mapper(rs model.ResourceList) (model.ResourceList, e
 
 	return rv, nil
 }
+
+func getFeatures(node *envoy_core.Node) kds.Features {
+	features := kds.Features{}
+	for _, value := range node.GetMetadata().GetFields()[kds.MetadataFeatures].GetListValue().GetValues() {
+		features[value.GetStringValue()] = true
+	}
+	return features
+}
diff --git a/pkg/kds/v2/client/stream.go b/pkg/kds/v2/client/stream.go
index 9c28ba4713e7..5e0853371b57 100644
--- a/pkg/kds/v2/client/stream.go
+++ b/pkg/kds/v2/client/stream.go
@@ -72,6 +72,7 @@ func (s *stream) DeltaDiscoveryRequest(resourceType core_model.ResourceType) err
 					kds.MetadataFeatures: {Kind: &structpb.Value_ListValue{ListValue: &structpb.ListValue{
 						Values: []*structpb.Value{
 							{Kind: &structpb.Value_StringValue{StringValue: kds.FeatureZoneToken}},
+							{Kind: &structpb.Value_StringValue{StringValue: kds.FeatureHashSuffix}},
 						},
 					}}},
 				},
diff --git a/pkg/kds/v2/reconcile/snapshot_generator.go b/pkg/kds/v2/reconcile/snapshot_generator.go
index e51d5fad8460..41b0c906caf1 100644
--- a/pkg/kds/v2/reconcile/snapshot_generator.go
+++ b/pkg/kds/v2/reconcile/snapshot_generator.go
@@ -16,7 +16,7 @@ import (
 	cache_kds_v2 "github.com/kumahq/kuma/pkg/kds/v2/cache"
 )
 
-func NoopResourceMapper(r model.Resource) (model.Resource, error) {
+func NoopResourceMapper(_ kds.Features, r model.Resource) (model.Resource, error) {
 	return r, nil
 }
 
@@ -64,7 +64,7 @@ func (s *snapshotGenerator) getResources(ctx context.Context, typ model.Resource
 		return nil, err
 	}
 
-	resources, err := s.mapper(s.filter(ctx, rlist, node))
+	resources, err := s.mapper(s.filter(ctx, rlist, node), node)
 	if err != nil {
 		return nil, err
 	}
@@ -73,10 +73,7 @@ func (s *snapshotGenerator) getResources(ctx context.Context, typ model.Resource
 }
 
 func (s *snapshotGenerator) filter(ctx context.Context, rs model.ResourceList, node *envoy_core.Node) model.ResourceList {
-	features := kds.Features{}
-	for _, value := range node.GetMetadata().GetFields()[kds.MetadataFeatures].GetListValue().GetValues() {
-		features[value.GetStringValue()] = true
-	}
+	features := getFeatures(node)
 
 	rv, _ := registry.Global().NewList(rs.GetItemType())
 	for _, r := range rs.GetItems() {
@@ -87,11 +84,12 @@ func (s *snapshotGenerator) filter(ctx context.Context, rs model.ResourceList, n
 	return rv
 }
 
-func (s *snapshotGenerator) mapper(rs model.ResourceList) (model.ResourceList, error) {
-	rv, _ := registry.Global().NewList(rs.GetItemType())
+func (s *snapshotGenerator) mapper(rs model.ResourceList, node *envoy_core.Node) (model.ResourceList, error) {
+	features := getFeatures(node)
 
+	rv, _ := registry.Global().NewList(rs.GetItemType())
 	for _, r := range rs.GetItems() {
-		resource, err := s.resourceMapper(r)
+		resource, err := s.resourceMapper(features, r)
 		if err != nil {
 			return nil, err
 		}
@@ -103,3 +101,11 @@ func (s *snapshotGenerator) mapper(rs model.ResourceList) (model.ResourceList, e
 
 	return rv, nil
 }
+
+func getFeatures(node *envoy_core.Node) kds.Features {
+	features := kds.Features{}
+	for _, value := range node.GetMetadata().GetFields()[kds.MetadataFeatures].GetListValue().GetValues() {
+		features[value.GetStringValue()] = true
+	}
+	return features
+}

From d3da1ab0ca33d68041140f460ed8324b796924ba Mon Sep 17 00:00:00 2001
From: Ilya Lobkov <ilya.lobkov@konghq.com>
Date: Mon, 27 Nov 2023 11:38:57 +0100
Subject: [PATCH 4/8] add comment

Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>
---
 pkg/kds/features.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkg/kds/features.go b/pkg/kds/features.go
index b25e0b20c986..21320357cde6 100644
--- a/pkg/kds/features.go
+++ b/pkg/kds/features.go
@@ -18,4 +18,6 @@ const FeatureZoneToken string = "zone-token"
 // global control plane to indicate it's still running.
 const FeatureZonePingHealth string = "zone-ping-health"
 
+// FeatureHashSuffix means that the zone control plane has a fix for the MeshGateway renaming
+// issue https://github.com/kumahq/kuma/pull/8450 and can handle the hash suffix in the resource name.
 const FeatureHashSuffix string = "hash-suffix"

From 0d3d032c71fe71e29e3bc9b528084c6f4a654a04 Mon Sep 17 00:00:00 2001
From: Ilya Lobkov <ilya.lobkov@konghq.com>
Date: Mon, 27 Nov 2023 11:47:38 +0100
Subject: [PATCH 5/8] make check + unit test

Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>
---
 pkg/kds/context/context_test.go         | 23 +++++++++++++++++++++--
 pkg/kds/reconcile/snapshot_generator.go |  2 +-
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/pkg/kds/context/context_test.go b/pkg/kds/context/context_test.go
index 5c196329d4c6..0d32e14f692d 100644
--- a/pkg/kds/context/context_test.go
+++ b/pkg/kds/context/context_test.go
@@ -52,7 +52,7 @@ var _ = Describe("Context", func() {
 		DescribeTable("should zero generation field",
 			func(given testCase) {
 				// when
-				out, _ := mapper(given.resource)
+				out, _ := mapper(kds.Features{}, given.resource)
 
 				// then
 				Expect(out.GetMeta()).To(Equal(given.expect.GetMeta()))
@@ -451,6 +451,7 @@ var _ = Describe("Context", func() {
 			expectedName               string
 			isResourcePluginOriginated bool
 			scope                      model.ResourceScope
+			features                   kds.Features
 		}
 
 		genConfig := func(caseCfg config) kuma_cp.Config {
@@ -490,7 +491,7 @@ var _ = Describe("Context", func() {
 				kdsCtx := context.DefaultContext(ctx, rm, cfg)
 
 				// when
-				out, err := kdsCtx.GlobalResourceMapper(resource(given))
+				out, err := kdsCtx.GlobalResourceMapper(given.features, resource(given))
 				Expect(err).ToNot(HaveOccurred())
 
 				// then
@@ -506,6 +507,21 @@ var _ = Describe("Context", func() {
 				name:         "foo.custom-namespace",
 				expectedName: "foo-zxw6c95d42zfz9cc",
 				scope:        model.ScopeMesh,
+				features: map[string]bool{
+					kds.FeatureHashSuffix: true,
+				},
+			}),
+			Entry("should be removed when store type is kubernetes "+
+				"resource is plugin originated and no KDS hash-suffix feature", testCase{
+				isResourcePluginOriginated: true,
+				config: config{
+					storeType:          config_store.KubernetesStore,
+					k8sSystemNamespace: "custom-namespace",
+				},
+				name:         "foo.custom-namespace",
+				expectedName: "foo",
+				scope:        model.ScopeMesh,
+				features:     map[string]bool{},
 			}),
 			Entry("shouldn't be removed when store type is kubernetes "+
 				"and resource isn't plugin originated", testCase{
@@ -517,6 +533,9 @@ var _ = Describe("Context", func() {
 				name:         "foo.default",
 				expectedName: "foo.default",
 				scope:        model.ScopeGlobal,
+				features: map[string]bool{
+					kds.FeatureHashSuffix: true,
+				},
 			}),
 		)
 	})
diff --git a/pkg/kds/reconcile/snapshot_generator.go b/pkg/kds/reconcile/snapshot_generator.go
index 2fce8fa82580..3105848e6ada 100644
--- a/pkg/kds/reconcile/snapshot_generator.go
+++ b/pkg/kds/reconcile/snapshot_generator.go
@@ -20,7 +20,7 @@ type (
 	ResourceMapper func(features kds.Features, r model.Resource) (model.Resource, error)
 )
 
-func NoopResourceMapper(r model.Resource) (model.Resource, error) {
+func NoopResourceMapper(_ kds.Features, r model.Resource) (model.Resource, error) {
 	return r, nil
 }
 

From eec8ffb8d7ede1985ced922cd529d61490d59f29 Mon Sep 17 00:00:00 2001
From: Ilya Lobkov <ilya.lobkov@konghq.com>
Date: Mon, 27 Nov 2023 13:06:49 +0100
Subject: [PATCH 6/8] feat(kuma-cp): remove feature flag for KDS hash suffixes,
 the feature is enabled by default

Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>
---
 pkg/config/app/kuma-cp/config.go | 4 ----
 pkg/config/loader_test.go        | 2 --
 pkg/kds/context/context.go       | 5 +----
 pkg/kds/context/context_test.go  | 2 --
 test/framework/config.go         | 2 --
 5 files changed, 1 insertion(+), 14 deletions(-)

diff --git a/pkg/config/app/kuma-cp/config.go b/pkg/config/app/kuma-cp/config.go
index 5c6507713b4d..fcff859f0d71 100644
--- a/pkg/config/app/kuma-cp/config.go
+++ b/pkg/config/app/kuma-cp/config.go
@@ -254,7 +254,6 @@ var DefaultConfig = func() Config {
 				FullResyncInterval: config_types.Duration{Duration: 1 * time.Minute},
 				DelayFullResync:    false,
 			},
-			KDSSyncNameWithHashSuffix: false,
 		},
 		Proxy:    xds.DefaultProxyConfig(),
 		InterCp:  intercp.DefaultInterCpConfig(),
@@ -418,9 +417,6 @@ type ExperimentalConfig struct {
 	// If true then control plane computes reachable services automatically based on MeshTrafficPermission.
 	// Lack of MeshTrafficPermission is treated as Deny the traffic.
 	AutoReachableServices bool `json:"autoReachableServices" envconfig:"KUMA_EXPERIMENTAL_AUTO_REACHABLE_SERVICES"`
-	// KDSSyncNameWithHashSuffix if true then during KDS sync resource name is going to be suffixed with hash.
-	// The hash is computed based on various resource characteristics like mesh, namespace, etc.
-	KDSSyncNameWithHashSuffix bool `json:"kdsSyncNameWithHashSuffix" envconfig:"KUMA_EXPERIMENTAL_KDS_SYNC_NAME_WITH_HASH_SUFFIX"`
 }
 
 type ExperimentalKDSEventBasedWatchdog struct {
diff --git a/pkg/config/loader_test.go b/pkg/config/loader_test.go
index 909afc31364d..84e1a1eed7d4 100644
--- a/pkg/config/loader_test.go
+++ b/pkg/config/loader_test.go
@@ -701,7 +701,6 @@ experimental:
     fullResyncInterval: 15s
     delayFullResync: true
   autoReachableServices: true
-  kdsSyncNameWithHashSuffix: true
 proxy:
   gateway:
     globalDownstreamMaxConnections: 1
@@ -966,7 +965,6 @@ tracing:
 				"KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_FULL_RESYNC_INTERVAL":                          "15s",
 				"KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_DELAY_FULL_RESYNC":                             "true",
 				"KUMA_EXPERIMENTAL_AUTO_REACHABLE_SERVICES":                                                "true",
-				"KUMA_EXPERIMENTAL_KDS_SYNC_NAME_WITH_HASH_SUFFIX":                                         "true",
 				"KUMA_PROXY_GATEWAY_GLOBAL_DOWNSTREAM_MAX_CONNECTIONS":                                     "1",
 				"KUMA_TRACING_OPENTELEMETRY_ENDPOINT":                                                      "otel-collector:4317",
 				"KUMA_TRACING_OPENTELEMETRY_ENABLED":                                                       "true",
diff --git a/pkg/kds/context/context.go b/pkg/kds/context/context.go
index 6f88af87a38e..a3f01edbe34f 100644
--- a/pkg/kds/context/context.go
+++ b/pkg/kds/context/context.go
@@ -67,10 +67,7 @@ func DefaultContext(
 			cfg.Store.Type,
 			cfg.Store.Kubernetes.SystemNamespace,
 		),
-	}
-
-	if cfg.Experimental.KDSSyncNameWithHashSuffix {
-		mappers = append(mappers, AddHashSuffix)
+		AddHashSuffix,
 	}
 
 	return &Context{
diff --git a/pkg/kds/context/context_test.go b/pkg/kds/context/context_test.go
index 0d32e14f692d..6b0dffa6d159 100644
--- a/pkg/kds/context/context_test.go
+++ b/pkg/kds/context/context_test.go
@@ -465,8 +465,6 @@ var _ = Describe("Context", func() {
 				cfg.Store.Kubernetes.SystemNamespace = caseCfg.k8sSystemNamespace
 			}
 
-			cfg.Experimental.KDSSyncNameWithHashSuffix = true
-
 			return cfg
 		}
 
diff --git a/test/framework/config.go b/test/framework/config.go
index c954eaae1652..80b26f8bb42b 100644
--- a/test/framework/config.go
+++ b/test/framework/config.go
@@ -162,8 +162,6 @@ func (c E2eConfig) AutoConfigure() error {
 	Config.Arch = runtime.GOARCH
 	Config.OS = runtime.GOOS
 
-	Config.KumaCpConfig.Multizone.Global.Envs["KUMA_EXPERIMENTAL_KDS_SYNC_NAME_WITH_HASH_SUFFIX"] = "true"
-
 	return nil
 }
 

From 573f96fd501cede423614b6af3a2c88fe6e46263 Mon Sep 17 00:00:00 2001
From: Ilya Lobkov <ilya.lobkov@konghq.com>
Date: Mon, 27 Nov 2023 13:57:41 +0100
Subject: [PATCH 7/8] feat(kuma-cp): update default config

Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>
---
 pkg/config/app/kuma-cp/kuma-cp.defaults.yaml | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/pkg/config/app/kuma-cp/kuma-cp.defaults.yaml b/pkg/config/app/kuma-cp/kuma-cp.defaults.yaml
index bba9600f6790..78dc053ae78f 100644
--- a/pkg/config/app/kuma-cp/kuma-cp.defaults.yaml
+++ b/pkg/config/app/kuma-cp/kuma-cp.defaults.yaml
@@ -743,11 +743,6 @@ experimental:
   # If true then control plane computes reachable services automatically based on MeshTrafficPermission.
   # Lack of MeshTrafficPermission is treated as Deny the traffic.
   autoReachableServices: false # ENV: KUMA_EXPERIMENTAL_AUTO_REACHABLE_SERVICES
-  # KDSSyncNameWithHashSuffix if true then during KDS sync resource name is going to be suffixed with hash.
-  # The hash is computed based on various resource characteristics like mesh, namespace, etc. The feature prevents name
-  # collisions when syncing policies with the same names but different meshes from Global(Universal) to Zone(Kubernetes).
-  # More extensive explanation of the problem and solution can be found in the MADR https://github.com/kumahq/kuma/blob/master/docs/madr/decisions/029-kds-sync-hash-suffix.md
-  KDSSyncNameWithHashSuffix: false # ENV: KUMA_EXPERIMENTAL_KDS_SYNC_NAME_WITH_HASH_SUFFIX
 
 proxy:
   gateway:

From 6a5dfd0d843dc0e513397de10e0f5a770fd3ec5a Mon Sep 17 00:00:00 2001
From: Ilya Lobkov <ilya.lobkov@konghq.com>
Date: Mon, 27 Nov 2023 15:33:41 +0100
Subject: [PATCH 8/8] make check

Signed-off-by: Ilya Lobkov <ilya.lobkov@konghq.com>
---
 docs/generated/kuma-cp.md       | 5 -----
 docs/generated/raw/kuma-cp.yaml | 5 -----
 2 files changed, 10 deletions(-)

diff --git a/docs/generated/kuma-cp.md b/docs/generated/kuma-cp.md
index a626a4d0fc69..16a0264c600b 100644
--- a/docs/generated/kuma-cp.md
+++ b/docs/generated/kuma-cp.md
@@ -746,11 +746,6 @@ experimental:
   # If true then control plane computes reachable services automatically based on MeshTrafficPermission.
   # Lack of MeshTrafficPermission is treated as Deny the traffic.
   autoReachableServices: false # ENV: KUMA_EXPERIMENTAL_AUTO_REACHABLE_SERVICES
-  # KDSSyncNameWithHashSuffix if true then during KDS sync resource name is going to be suffixed with hash.
-  # The hash is computed based on various resource characteristics like mesh, namespace, etc. The feature prevents name
-  # collisions when syncing policies with the same names but different meshes from Global(Universal) to Zone(Kubernetes).
-  # More extensive explanation of the problem and solution can be found in the MADR https://github.com/kumahq/kuma/blob/master/docs/madr/decisions/029-kds-sync-hash-suffix.md
-  KDSSyncNameWithHashSuffix: false # ENV: KUMA_EXPERIMENTAL_KDS_SYNC_NAME_WITH_HASH_SUFFIX
 
 proxy:
   gateway:
diff --git a/docs/generated/raw/kuma-cp.yaml b/docs/generated/raw/kuma-cp.yaml
index bba9600f6790..78dc053ae78f 100644
--- a/docs/generated/raw/kuma-cp.yaml
+++ b/docs/generated/raw/kuma-cp.yaml
@@ -743,11 +743,6 @@ experimental:
   # If true then control plane computes reachable services automatically based on MeshTrafficPermission.
   # Lack of MeshTrafficPermission is treated as Deny the traffic.
   autoReachableServices: false # ENV: KUMA_EXPERIMENTAL_AUTO_REACHABLE_SERVICES
-  # KDSSyncNameWithHashSuffix if true then during KDS sync resource name is going to be suffixed with hash.
-  # The hash is computed based on various resource characteristics like mesh, namespace, etc. The feature prevents name
-  # collisions when syncing policies with the same names but different meshes from Global(Universal) to Zone(Kubernetes).
-  # More extensive explanation of the problem and solution can be found in the MADR https://github.com/kumahq/kuma/blob/master/docs/madr/decisions/029-kds-sync-hash-suffix.md
-  KDSSyncNameWithHashSuffix: false # ENV: KUMA_EXPERIMENTAL_KDS_SYNC_NAME_WITH_HASH_SUFFIX
 
 proxy:
   gateway: