feat: add Envoy Gateway Component

bundles/k3d-standard/uds-bundle.yaml

@@ -43,6 +43,7 @@ packages:
       - istio-passthrough-gateway
       - istio-egress-gateway
       - metrics-server
+      - envoy-gateway
     overrides:
       pepr-uds-core:
         module:

packages/base/zarf.yaml

@@ -77,3 +77,8 @@ components:
     required: false
     import:
       path: ../../src/istio
+
+  - name: envoy-gateway
+    required: false
+    import:
+      path: ../../src/envoy-gateway

packages/standard/zarf.yaml

@@ -84,6 +84,11 @@ components:
     import:
       path: ../metrics-server
 
+  - name: envoy-gateway
+    required: false
+    import:
+      path: ../base
+
   - name: keycloak
     required: true
     import:

src/envoy-gateway/chart/Chart.yaml

@@ -0,0 +1,7 @@
+# Copyright 2026 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+apiVersion: v2
+name: uds-envoy-gateway-config
+version: 0.1.0
+description: "UDS configuration chart for Envoy Gateway"

src/envoy-gateway/chart/templates/gatewayclass.yaml

@@ -0,0 +1,9 @@
+# Copyright 2026 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: envoy-gateway
+spec:
+  controllerName: gateway.envoyproxy.io/gatewayclass-controller

src/envoy-gateway/chart/templates/uds-package.yaml

@@ -0,0 +1,46 @@
+# Copyright 2026 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+apiVersion: uds.dev/v1alpha1
+kind: Package
+metadata:
+  name: envoy-gateway
+  namespace: {{ .Release.Namespace }}
+spec:
+  monitor:
+    - selector:
+        control-plane: envoy-gateway
+      portName: metrics
+      targetPort: 19001
+      description: Metrics
+  network:
+    serviceMesh:
+      mode: ambient
+    allow:
+      - direction: Egress
+        selector:
+          control-plane: envoy-gateway
+        remoteGenerated: KubeAPI
+        description: "KubeAPI access for controller"
+      - direction: Egress
+        selector:
+          control-plane: envoy-gateway
+        remoteGenerated: IntraNamespace
+        description: "Intra-namespace communication for managed proxies and cert generation"
+      - direction: Ingress
+        selector:
+          control-plane: envoy-gateway
+        remoteGenerated: IntraNamespace
+        description: "Intra-namespace communication from managed proxies"
+      - direction: Ingress
+        selector:
+          control-plane: envoy-gateway
+        # todo: evaluate a "KubeAPI" ingress generated rule for webhook calls
+        remoteGenerated: Anywhere
+        port: 9443
+        description: "Webhook admission from kube-apiserver"
+      - direction: Egress
+        selector:
+          app: certgen
+        remoteGenerated: KubeAPI
+        description: "KubeAPI access for certgen pre-install job"

src/envoy-gateway/common/zarf.yaml

@@ -0,0 +1,29 @@
+# Copyright 2026 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+kind: ZarfPackageConfig
+metadata:
+  name: uds-core-envoy-gateway-common
+  description: "UDS Core Envoy Gateway Common"
+  url: https://github.com/envoyproxy/gateway
+
+components:
+  - name: envoy-gateway
+    required: false
+    charts:
+      - name: uds-envoy-gateway-config
+        namespace: envoy-gateway-system
+        version: 0.1.0
+        localPath: ../chart
+      - name: envoy-gateway
+        namespace: envoy-gateway-system
+        url: oci://docker.io/envoyproxy/gateway-helm
+        version: v1.8.0
+        # SSA disabled to avoid field manager conflict: the chart's crds/ dir contains the
+        # safe-upgrades.gateway.networking.k8s.io VAP, which Istio already owns with field
+        # manager "uds". SSA causes a conflict on the .spec.matchConstraints field.
+        # Once https://github.com/envoyproxy/gateway/issues/8560 lands we can skip CRDs
+        # entirely and remove this.
+        serverSideApply: "false"
+        valuesFiles:
+          - "../values/values.yaml"

src/envoy-gateway/tasks.yaml

@@ -0,0 +1,19 @@
+# Copyright 2026 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+tasks:
+  - name: validate
+    actions:
+      - description: Wait for envoy-gateway deployment to be ready
+        wait:
+          cluster:
+            kind: Deployment
+            name: envoy-gateway
+            namespace: envoy-gateway-system
+            condition: available
+      - description: Wait for GatewayClass envoy-gateway to be accepted
+        wait:
+          cluster:
+            kind: GatewayClass
+            name: envoy-gateway
+            condition: Accepted

src/envoy-gateway/values/registry1-values.yaml

@@ -0,0 +1,7 @@
+# Copyright 2026 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+global:
+  images:
+    envoyGateway:
+      image: registry1.dso.mil/ironbank/opensource/envoy_proxy/community/gateway:v1.8.0

src/envoy-gateway/values/unicorn-values.yaml

@@ -0,0 +1,7 @@
+# Copyright 2026 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+global:
+  images:
+    envoyGateway:
+      image: cgr.dev/defenseunicorns.com/envoy-gateway-fips:1.8.0

src/envoy-gateway/values/upstream-values.yaml

@@ -0,0 +1,7 @@
+# Copyright 2026 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+global:
+  images:
+    envoyGateway:
+      image: docker.io/envoyproxy/gateway:v1.8.0

src/envoy-gateway/values/values.yaml

@@ -0,0 +1,2 @@
+# Copyright 2024-2026 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial

src/envoy-gateway/zarf.yaml

@@ -0,0 +1,48 @@
+# Copyright 2026 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+kind: ZarfPackageConfig
+metadata:
+  name: uds-core-envoy-gateway
+  description: "UDS Core Envoy Gateway"
+  url: https://github.com/envoyproxy/gateway
+
+components:
+  - name: envoy-gateway
+    required: false
+    only:
+      flavor: upstream
+    import:
+      path: common
+    charts:
+      - name: envoy-gateway
+        valuesFiles:
+          - "values/upstream-values.yaml"
+    images:
+      - docker.io/envoyproxy/gateway:v1.8.0
+
+  - name: envoy-gateway
+    required: false
+    only:
+      flavor: registry1
+    import:
+      path: common
+    charts:
+      - name: envoy-gateway
+        valuesFiles:
+          - "values/registry1-values.yaml"
+    images:
+      - registry1.dso.mil/ironbank/opensource/envoy_proxy/community/gateway:v1.8.0
+
+  - name: envoy-gateway
+    required: false
+    only:
+      flavor: unicorn
+    import:
+      path: common
+    charts:
+      - name: envoy-gateway
+        valuesFiles:
+          - "values/unicorn-values.yaml"
+    images:
+      - cgr.dev/defenseunicorns.com/envoy-gateway-fips:1.8.0