fix(gateway): reject identical main and sandbox vhost in the xDS path

The RuntimeDeployConfig transform already rejects a config whose main and sandbox resolve to the same vhost, where sandbox routes would collide with main routes on the same route key. The router xDS path built sandbox routes without that guard, so the two paths disagreed. Add the same check to the xDS path so both reject the configuration consistently.

Author: mehara-rothila

gateway/gateway-controller/pkg/xds/translator.go

@@ -866,6 +866,13 @@ func (t *Translator) translateAPIConfig(cfg *models.StoredConfig, allConfigs []*
 		}
 	}
 	if hasSandbox {
+		// Guard: sandbox and main vhosts must differ, otherwise sandbox routes share
+		// the route key with main routes and collide. This mirrors the same check in
+		// the RuntimeDeployConfig transform path so both paths reject this
+		// configuration consistently.
+		if effectiveMainVHost == effectiveSandboxVHost {
+			return nil, nil, fmt.Errorf("sandbox upstream is configured but resolves to the same vhost %q as the main upstream; configure distinct vhosts to avoid route conflicts", effectiveMainVHost)
+		}
 		var sbClusterName string
 		var parsedSbURL *url.URL
 		var sbTimeout *resolvedTimeout