When deploying headless services within different namespaces the endpoint configuration is merged and results in invalid envoy configurations being pushed to the sidecars.

For example deploying headless mysql services/pods to namespaces x1/x2 will result in clients from one of the namespaces being directed to the wrong namespace but with the correct TLS certificate.  The connection therefore fails due to the inability to verify the server.

I will add an example case demonstrating the issue on completion.