feat: add Envoy Gateway Component

[chance-coleman]

Description

Adds Envoy Gateway as an optional UDS Core component, providing the controller and GatewayClass infrastructure needed for UDP ingress support.

• New src/envoy-gateway/ component wrapping oci://docker.io/envoyproxy/gateway-helm:v1.8.0 with upstream, registry1, and unicorn flavor variants
• Deploys Envoy Gateway controller in envoy-gateway-system with a GatewayClass named envoy-gateway
• UDS Package CR with ambient mesh mode and network policies covering controller, webhook, and certgen job
• ServiceMonitor targeting port 19001 for Prometheus scraping
• Wired into packages/standard as an optional component and bundles/k3d-standard as an opt-in via optionalComponents

Chart version pinned to v1.8.0, this ships Gateway API CRDs at v1.5.1, which is required to pass the safe-upgrades.gateway.networking.k8s.io ValidatingAdmissionPolicy installed by Istio. Earlier chart versions bundle v1.4.1 CRDs and will be blocked on install.

On-demand Gateway lifecycle (Pepr operator) and UDPRoute generation are scoped to CORE-502.

Related Issue

Fixes Core-482

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Other (security config, docs update, etc)

Steps to Validate

1. Deploy the standard package with the envoy-gateway component enabled
2. Run uds run src/envoy-gateway:validate, waits for the envoy-gateway Deployment to be available and GatewayClass envoy-gateway to be Accepted

Checklist before merging

• Test, docs, adr added or updated as needed
• Contributor Guide followed

[greptile-apps]

Greptile Summary

Adds Envoy Gateway as an optional UDS Core component, deploying the controller in envoy-gateway-system with a GatewayClass, UDS Package network policies (ambient mesh mode), and a Prometheus ServiceMonitor. The component is wired into both packages/base and packages/standard following the established double-indirection import pattern, and is opt-in via bundles/k3d-standard.

• New src/envoy-gateway/ source tree covers all three flavors (upstream, registry1, unicorn) with correct image pins; the SSA workaround for the Gateway API CRD field-manager conflict with Istio is clearly documented with an upstream issue reference.
• E2E test exercises full UDP Gateway lifecycle — namespace setup, Gateway creation, acceptance polling, and managed pod/service verification — with proper cleanup in afterAll.
• Two style nits: the values/values.yaml copyright year range (2024-2026) disagrees with every other new file in the PR (2026), and the uds-envoy-gateway-config chart receives flavor-specific valuesFiles it never consumes.

Confidence Score: 5/5

Safe to merge; this is a purely additive optional component with no changes to existing functionality

All changes are new files under src/envoy-gateway/ plus small opt-in wiring in base/standard/bundle. No existing components are modified. The SSA workaround is well-understood and documented. The two observations are cosmetic style issues that do not affect runtime behavior.

No files require special attention; the only open item is the acknowledged TODO in uds-package.yaml to tighten the webhook ingress rule from Anywhere to KubeAPI, which is tracked for a follow-on.

Important Files Changed

Filename	Overview
src/envoy-gateway/common/zarf.yaml	Defines the shared Envoy Gateway chart deployment; SSA workaround is well-documented with an upstream issue link
src/envoy-gateway/zarf.yaml	Three-flavor component definitions (upstream/registry1/unicorn); config chart receives flavor-specific valuesFiles that the chart templates never consume
src/envoy-gateway/chart/templates/uds-package.yaml	Network policies and ServiceMonitor for the controller; webhook ingress uses Anywhere with an open TODO to scope it to KubeAPI
src/envoy-gateway/chart/templates/gatewayclass.yaml	Static GatewayClass manifest pointing to the Envoy Gateway controller; correct and minimal
packages/standard/zarf.yaml	envoy-gateway imported from ../base, consistent with how all other base-tier optional components are wired into standard
packages/base/zarf.yaml	Adds optional envoy-gateway import from src; correctly mirrors the pattern used by istio-passthrough-gateway and istio-egress-gateway
test/vitest/envoy-gateway.spec.ts	E2E test exercises UDP Gateway lifecycle end-to-end; proper beforeAll/afterAll namespace cleanup with conflict/not-found guards
bundles/k3d-standard/uds-bundle.yaml	envoy-gateway added to optionalComponents list alongside other optional Istio gateway components
src/envoy-gateway/values/values.yaml	Base values file is intentionally empty; copyright range (2024-2026) is inconsistent with the 2026-only header used by every other new file in this PR

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[bundles/k3d-standard\nuds-bundle.yaml] -->|optionalComponents: envoy-gateway| B[packages/standard\nzarf.yaml]
    B -->|import path: ../base| C[packages/base\nzarf.yaml]
    C -->|import path: ../../src/envoy-gateway| D[src/envoy-gateway\nzarf.yaml\nflavor variants]
    D -->|import path: common| E[src/envoy-gateway/common\nzarf.yaml]
    E -->|Helm chart| F[oci://envoyproxy/gateway-helm:v1.8.0\nenvoy-gateway-system]
    D -->|localPath: chart| G[uds-envoy-gateway-config\nHelm chart]
    G --> H[GatewayClass: envoy-gateway]
    G --> I[UDS Package CR\nambient mesh + network policies]
    I --> J[NetworkPolicy: KubeAPI egress\ncontroller + certgen]
    I --> K[NetworkPolicy: IntraNamespace\ningress/egress]
    I --> L[NetworkPolicy: Anywhere ingress\nport 9443 webhook]
    I --> M[ServiceMonitor\nport 19001 metrics]

Loading

_{Reviews (5): Last reviewed commit: "chore: remove envoy-gateway-crds pre-app..." | Re-trigger Greptile}

[briantwatson]

Nice addition! A couple small comments

[joelmccoy]

Generally looking good. A couple comments and suggested changes.

[joelmccoy]

After playing around with this, I realize that we don't bundle the envoy proxy image in this PR, so this feature is not really usable/testable e2e yet. It was called out in the design doc to include this in this part and I think we would include the proxy image in zarf and also include the CRD to override the envoy proxy image: https://www.notion.so/defense-unicorns/UDP-Envoy-Gateway-Component-34be512f24fc8082ac78d3e5c41ce991?source=copy_link#35ae512f24fc8010a8eccb8d6398a766.

[chance-coleman]

@greptileai review this

[joelmccoy]

@greptileai review

[joelmccoy]

Feels like we added a couple hacks here that I'm am not sure I fully understand. The raw kubectl apply probably isn't going to fly and will mostly like cause us some issues. Best practice is to have all resources managed by a helm chart.

[chance-coleman]

@greptileai review this again

[joelmccoy]

Generally looking good here! However, I think we need to enable this optional component for our IAC bundles (for example here). Will also want to see these pass the IAC tests before feeling confident to ship this. I think updating the bundles will trigger thoughts