feat: add Envoy Gateway Component #2685 (Open)

chance-coleman wants to merge 15 commits into main from chance/core-482

feat: add Envoy Gateway Component#2685
chance-coleman wants to merge 15 commits into
mainfrom
chance/core-482

Conversation

@chance-coleman (Contributor)

Description

Adds Envoy Gateway as an optional UDS Core component, providing the controller and GatewayClass infrastructure needed for UDP ingress support.

  • New src/envoy-gateway/ component wrapping oci://docker.io/envoyproxy/gateway-helm:v1.8.0 with upstream, registry1, and unicorn flavor variants
  • Deploys Envoy Gateway controller in envoy-gateway-system with a GatewayClass named envoy-gateway
  • UDS Package CR with ambient mesh mode and network policies covering controller, webhook, and certgen job
  • ServiceMonitor targeting port 19001 for Prometheus scraping
  • Wired into packages/standard as an optional component and bundles/k3d-standard as an opt-in via optionalComponents

The chart version is pinned to v1.8.0, which ships Gateway API CRDs at v1.5.1, as required to pass the safe-upgrades.gateway.networking.k8s.io ValidatingAdmissionPolicy installed by Istio. Earlier chart versions bundle v1.4.1 CRDs and will be blocked on install.

On-demand Gateway lifecycle (Pepr operator) and UDPRoute generation are scoped to CORE-502.

Related Issue

Fixes Core-482

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Steps to Validate

  1. Deploy the standard package with the envoy-gateway component enabled
  2. Run uds run src/envoy-gateway:validate, which waits for the envoy-gateway Deployment to be available and for GatewayClass envoy-gateway to be Accepted

Checklist before merging
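The two readiness conditions the validate task waits for (Deployment Available, GatewayClass Accepted) can be polled without the uds CLI, for instance from a CI job. The script below is an added example and is not code from this PR or from UDS Core. The namespace, Deployment name and GatewayClass name come from the PR description; the kubectl invocation, the poll timings and the sample objects are assumptions of this example. It also handles one edge case a naive `kubectl get ... -o jsonpath` check misses: an Accepted=True condition whose observedGeneration lags metadata.generation describes an older spec and must not count as ready.

```python
"""Added example (not from the PR or UDS Core): poll kubectl until the
envoy-gateway Deployment is Available and GatewayClass envoy-gateway is Accepted."""
import json
import subprocess
import sys
import time

NAMESPACE = "envoy-gateway-system"   # from the PR description
DEPLOYMENT = "envoy-gateway"
GATEWAY_CLASS = "envoy-gateway"


def condition_true(obj, cond_type):
    """True only if status.conditions carries `cond_type` with status "True"
    and the condition is not stale (observedGeneration < metadata.generation).
    A GatewayClass edit (e.g. a changed parametersRef) bumps generation, and the
    controller's earlier Accepted=True must not be taken as acceptance of it."""
    status = obj.get("status") or {}
    generation = obj.get("metadata", {}).get("generation")
    for cond in status.get("conditions") or []:
        if cond.get("type") != cond_type:
            continue
        # Gateway API conditions carry observedGeneration per condition;
        # Deployments report it once at status.observedGeneration.
        observed = cond.get("observedGeneration", status.get("observedGeneration"))
        if generation is not None and observed is not None and observed < generation:
            return False
        return cond.get("status") == "True"
    return False


def deployment_available(obj):
    return condition_true(obj, "Available")


def gatewayclass_accepted(obj):
    return condition_true(obj, "Accepted")


def kubectl_get(kind, name, namespace=None):
    """Fetch one object as JSON; None when it does not exist yet or the call fails."""
    cmd = ["kubectl", "get", kind, name, "-o", "json"]
    if namespace:
        cmd += ["-n", namespace]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except FileNotFoundError:   # kubectl not installed
        return None
    if out.returncode != 0:     # NotFound, RBAC denial, API unreachable
        return None
    return json.loads(out.stdout)


def wait_until_ready(timeout_s=300, interval_s=5, get=kubectl_get):
    """Poll until both conditions hold. `get` is injectable so the loop can be
    exercised against constructed objects without a cluster."""
    deadline = time.monotonic() + timeout_s
    while True:
        dep = get("deployment", DEPLOYMENT, NAMESPACE)
        gc = get("gatewayclass", GATEWAY_CLASS)
        if dep is not None and gc is not None \
                and deployment_available(dep) and gatewayclass_accepted(gc):
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval_s)


# Constructed sample objects (not real cluster output): a fresh Accepted
# condition, a stale one left over from an earlier generation, and a
# Deployment whose status has caught up with its spec.
SAMPLE_READY_GC = {"metadata": {"generation": 1},
                   "status": {"conditions": [{"type": "Accepted", "status": "True",
                                              "observedGeneration": 1}]}}
SAMPLE_STALE_GC = {"metadata": {"generation": 2},
                   "status": {"conditions": [{"type": "Accepted", "status": "True",
                                              "observedGeneration": 1}]}}
SAMPLE_READY_DEP = {"metadata": {"generation": 3},
                    "status": {"observedGeneration": 3,
                               "conditions": [{"type": "Available", "status": "True"}]}}

if __name__ == "__main__":
    if "--cluster" in sys.argv:   # real check against the current kubeconfig
        sys.exit(0 if wait_until_ready() else 1)
    print("ready gatewayclass:", gatewayclass_accepted(SAMPLE_READY_GC))   # True
    print("stale gatewayclass:", gatewayclass_accepted(SAMPLE_STALE_GC))   # False
    print("deployment available:", deployment_available(SAMPLE_READY_DEP))  # True
```

Run it with `--cluster` to poll a real cluster (exit status 0 on ready, 1 on timeout); without the flag it only evaluates the constructed samples.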

@chance-coleman chance-coleman self-assigned this May 20, 2026
@chance-coleman chance-coleman marked this pull request as ready for review May 20, 2026 18:40
@chance-coleman chance-coleman requested a review from a team as a code owner May 20, 2026 18:40
@greptile-apps (Contributor, Bot) commented May 20, 2026

Greptile Summary

This PR introduces Envoy Gateway as an optional UDS Core component, wiring it into packages/standard, packages/base, and bundles/k3d-standard following the established flavor-per-component pattern (upstream, registry1, unicorn). The implementation correctly separates CRD installation from the Helm chart deployment, disables SSA on the chart to avoid a field-manager conflict with Istio's ValidatingAdmissionPolicy, and adds a CRD readiness poll to guard the ordering dependency.

  • New component (src/envoy-gateway/): upstream Helm chart wrapped with a local config chart that deploys a GatewayClass and EnvoyProxy CR; UDS Package CR covers ambient mesh mode and network policies for the controller, webhook, and certgen job.
  • Registry1 image gap: registry1-values.yaml sets envoyProxy.image to docker.io/envoyproxy/envoy:distroless-v1.38.0 (same as upstream), so managed proxy pods in a registry1 deployment will pull from Docker Hub rather than Iron Bank.
  • E2E test (test/vitest/envoy-gateway.spec.ts): creates a UDP Gateway and polls until the controller reconciles managed pods and services, with clean namespace setup/teardown.

Confidence Score: 4/5

Safe to merge for upstream and unicorn flavors; the registry1 variant has an unresolved image compliance gap that should be addressed before that flavor is used in a restricted environment.

The registry1 flavor's managed Envoy proxy image resolves to Docker Hub rather than an Iron Bank image, so any registry1 deployment that instantiates a Gateway will attempt to pull from an unapproved registry. All other aspects of the change — CRD ordering, SSA workaround, network policy coverage, and test structure — are sound.

src/envoy-gateway/values/registry1-values.yaml and the corresponding image list in src/envoy-gateway/zarf.yaml (registry1 flavor block).

Important Files Changed

  • src/envoy-gateway/values/registry1-values.yaml: Sets envoyProxy.image to docker.io/envoyproxy/envoy (Docker Hub) instead of an Iron Bank image, breaking registry1 compliance for managed Envoy proxy pods.
  • src/envoy-gateway/zarf.yaml: Flavor-specific component definitions for upstream, registry1, and unicorn. The registry1 variant includes docker.io/envoyproxy/envoy in its image list, consistent with the non-ironbank envoyProxy value issue in registry1-values.yaml.
  • src/envoy-gateway/common/zarf.yaml: Defines CRD and Helm chart components; applies CRDs via server-side apply with correct field-manager, disables SSA on the chart to avoid VAP field-manager conflict with Istio. CRD readiness poll before chart deploy is a sound guard.
  • src/envoy-gateway/chart/templates/uds-package.yaml: UDS Package CR covering ambient mesh, KubeAPI egress, intra-namespace rules, and webhook ingress on 9443. The Anywhere rule for the webhook has an acknowledged TODO and follows the same pattern used by other webhook-serving components.
  • test/vitest/envoy-gateway.spec.ts: E2E test that creates a UDP Gateway and polls until the controller reconciles managed pods and services. Setup/teardown logic handles pre-existing namespace gracefully.
  • bundles/k3d-standard/uds-bundle.yaml: Adds envoy-gateway-crds and envoy-gateway to optionalComponents; ordering is correct (crds before controller).

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[packages/standard or base\noptionalComponents] -->|imports| B[src/envoy-gateway/zarf.yaml\nflavor-specific component]
    B -->|imports common| C[src/envoy-gateway/common/zarf.yaml]
    C -->|kubectl apply| D[envoy-gateway-crds\nfrom GitHub release v1.8.0]
    C -->|helm install| E[envoyproxy/gateway-helm:v1.8.0\nenvoy-gateway-system]
    B -->|helm install| F[uds-envoy-gateway-config\nlocal chart]
    F -->|creates| G[GatewayClass: envoy-gateway]
    F -->|creates| H[EnvoyProxy: uds-default\nenvoy-gateway-system]
    F -->|creates| I[UDS Package CR\nambient mesh + network policies]
    G -->|parametersRef| H
    E -->|reconciles Gateway resources| J[Managed Envoy Proxy Pods/Services\nper Gateway instance]
    H -->|configures proxy image| J

Reviews (3): Last reviewed commit: "add minimal e2e test"

Comment thread src/envoy-gateway/tasks.yaml
@briantwatson (Contributor) left a comment


Nice addition! A couple small comments

Comment thread src/envoy-gateway/chart/templates/uds-package.yaml Outdated
Comment thread src/envoy-gateway/chart/templates/_helpers.tpl Outdated
slaskawi previously approved these changes May 26, 2026
@joelmccoy (Contributor) left a comment


Generally looking good. A couple comments and suggested changes.

Comment thread packages/envoy-gateway/zarf.yaml Outdated
Comment thread packages/envoy-gateway/tasks.yaml Outdated
Comment thread src/envoy-gateway/chart/templates/uds-package.yaml Outdated
Comment thread src/envoy-gateway/common/zarf.yaml Outdated
Comment thread src/envoy-gateway/common/zarf.yaml Outdated
Comment thread test/vitest/envoy-gateway.spec.ts
@joelmccoy (Contributor) left a comment


After playing around with this, I realize that we don't bundle the envoy proxy image in this PR, so this feature is not really usable/testable e2e yet. It was called out in the design doc to include this in this part and I think we would include the proxy image in zarf and also include the CRD to override the envoy proxy image: https://www.notion.so/defense-unicorns/UDP-Envoy-Gateway-Component-34be512f24fc8082ac78d3e5c41ce991?source=copy_link#35ae512f24fc8010a8eccb8d6398a766.
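Two image problems are raised in this thread: the Greptile summary flags that the registry1 flavor's managed proxy image resolves to Docker Hub rather than Iron Bank, and the comment above notes that the proxy image is not bundled in the Zarf package at all, so an air-gapped deploy cannot pull it. Both are catchable before merge with a small check over each flavor's image list. The script below is an added example and is not code from this PR or from UDS Core. The image lists are constructed sample input that mirrors the thread, the Iron Bank paths are placeholders, and treating registry1.dso.mil as the only registry allowed for the registry1 flavor is an assumption of this example. The one non-obvious piece is reference normalization: `envoyproxy/envoy:tag` and `docker.io/envoyproxy/envoy:tag` are the same image, so a plain string comparison or a grep for `docker.io` would miss half the cases.

```python
"""Added example (not from the PR or UDS Core): per-flavor checks that every
image referenced by Helm values is bundled in zarf.yaml, and that bundled
images for policy-bound flavors come only from allowed registries."""

# Assumption of this example: registry1 builds may only pull from Iron Bank.
ALLOWED_REGISTRIES = {"registry1": {"registry1.dso.mil"}}


def registry_of(ref):
    """Registry host of an image reference, following Docker's rule: the first
    path component is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the reference is implicitly docker.io."""
    ref = ref.split("@", 1)[0]            # drop any digest
    first, sep, _ = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def normalize(ref):
    """Canonical registry/path:tag form so equivalent spellings compare equal:
    'ubuntu' -> 'docker.io/library/ubuntu:latest',
    'envoyproxy/envoy:x' -> 'docker.io/envoyproxy/envoy:x'."""
    registry = registry_of(ref)
    first, sep, tail = ref.partition("/")
    rest = tail if (sep and first == registry) else ref   # strip explicit registry
    if registry == "docker.io" and "/" not in rest:
        rest = "library/" + rest                          # official images
    if "@" not in rest and ":" not in rest.rsplit("/", 1)[-1]:
        rest += ":latest"                                 # untagged reference
    return f"{registry}/{rest}"


def check_flavor(flavor, bundled, referenced, allowed=ALLOWED_REGISTRIES):
    """Return human-readable findings for one flavor; an empty list passes.
    `bundled` is the flavor's zarf.yaml image list, `referenced` the images
    its Helm values point at (e.g. envoyProxy.image)."""
    findings = []
    bundled_norm = {normalize(r) for r in bundled}
    for ref in referenced:
        if normalize(ref) not in bundled_norm:
            findings.append(f"{flavor}: values reference {ref} but zarf.yaml does not bundle it")
    for ref in bundled:
        reg = registry_of(ref)
        if flavor in allowed and reg not in allowed[flavor]:
            findings.append(f"{flavor}: {ref} is pulled from {reg}, not an allowed registry")
    return findings


# Constructed sample input (not the PR's real zarf.yaml): the upstream flavor
# references the proxy image in values but never bundles it; the registry1
# flavor bundles it, but from Docker Hub. PLACEHOLDER marks an invented path.
SAMPLE = {
    "upstream": {
        "bundled": ["docker.io/envoyproxy/gateway:v1.8.0"],
        "referenced": ["envoyproxy/envoy:distroless-v1.38.0"],
    },
    "registry1": {
        "bundled": ["registry1.dso.mil/ironbank/PLACEHOLDER/envoy-gateway:v1.8.0",
                    "docker.io/envoyproxy/envoy:distroless-v1.38.0"],
        "referenced": ["docker.io/envoyproxy/envoy:distroless-v1.38.0"],
    },
}


def run_all(sample=SAMPLE):
    """Map each flavor to its findings."""
    return {flavor: check_flavor(flavor, spec["bundled"], spec["referenced"])
            for flavor, spec in sample.items()}


if __name__ == "__main__":
    results = run_all()
    for flavor, findings in results.items():
        print(flavor, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
    raise SystemExit(1 if any(results.values()) else 0)
```

In a real pre-merge job the `bundled` and `referenced` lists would be read from the flavor's zarf.yaml image list and its values file; the policy table is the only part that needs per-flavor tuning.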

@chance-coleman (Contributor, Author)

@greptileai review this

@chance-coleman chance-coleman marked this pull request as draft May 29, 2026 22:00
@chance-coleman chance-coleman marked this pull request as ready for review May 30, 2026 02:13
4 participants