feat: add feature to support envoy as a sidecar to gateway-plugin (#1931)

* feat: add feature to support envoy as a sidecar to gateway-plugin
* lint fix
* address gemini-code-assist comments

Signed-off-by: varungupta <varungup90@gmail.com>

Author: varungup90

dist/chart/templates/_helpers.tpl

@@ -125,3 +125,9 @@ Create the name of the metadata service service account
 {{- .Values.metadata.serviceAccount.name | default "default" -}}
 {{- end -}}
 {{- end -}}
+
+{{- define "aibrix.validateValues" -}}
+{{- if and .Values.gateway.enable .Values.gateway.envoyAsSideCar -}}
+{{- fail "gateway.enable and gateway.envoyAsSideCar are mutually exclusive and cannot both be true." -}}
+{{- end -}}
+{{- end -}}

dist/chart/templates/gateway-instance/envoy_config.yaml

@@ -0,0 +1,157 @@
+# Sidecar Envoy configuration:
+# - For advanced users who need full control without Envoy Gateway dependencies.
+# - Runs Envoy as a sidecar alongside aibrix-gateway for tighter integration, local admin, and simplified networking.
+# - No dependency on Envoy Gateway controller or data plane; you manage routes and clusters here.
+# - Recommended only if you understand Envoy configuration and operational impacts.
+# TODO: make parameters configurable such as ports, timeouts, concurrent streams
+{{- if and (not .Values.gateway.enable) (.Values.gateway.envoyAsSideCar) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "aibrix.fullname" . }}-envoy-config
+  namespace: aibrix-system
+data:
+  envoy.yaml: |
+    admin:
+      access_log:
+      - name: envoy.access_loggers.file
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+          path: /dev/null
+      address:
+        socket_address:
+          address: 127.0.0.1
+          port_value: 19000
+          ipv4_compat: true
+
+    static_resources:
+      listeners:
+      - name: envoy-gateway-proxy-ready-0.0.0.0-10080
+        address:
+          socket_address:
+            address: '0.0.0.0'
+            port_value: {{ .Values.gateway.envoySideCar.ports.http | default 10080 }}
+            protocol: TCP
+        per_connection_buffer_limit_bytes: 4194304
+        filter_chains:
+        - filters:
+          - name: envoy.filters.network.http_connection_manager
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+              stat_prefix: ingress_http
+              access_log:
+              - name: envoy.access_loggers.file
+                typed_config:
+                  "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+                  path: "/dev/stdout"
+                  log_format:
+                    json_format:
+                      ":authority": "%REQ(:AUTHORITY)%"
+                      "bytes_received": "%BYTES_RECEIVED%"
+                      "bytes_sent": "%BYTES_SENT%"
+                      "connection_termination_details": "%CONNECTION_TERMINATION_DETAILS%"
+                      "downstream_local_address": "%DOWNSTREAM_LOCAL_ADDRESS%"
+                      "downstream_remote_address": "%DOWNSTREAM_REMOTE_ADDRESS%"
+                      "duration": "%DURATION%"
+                      "method": "%REQ(:METHOD)%"
+                      "protocol": "%PROTOCOL%"
+                      "requested_server_name": "%REQUESTED_SERVER_NAME%"
+                      "response_code": "%RESPONSE_CODE%"
+                      "response_code_details": "%RESPONSE_CODE_DETAILS%"
+                      "response_flags": "%RESPONSE_FLAGS%"
+                      "route_name": "%ROUTE_NAME%"
+                      "start_time": "%START_TIME%"
+                      "upstream_cluster": "%UPSTREAM_CLUSTER%"
+                      "upstream_host": "%UPSTREAM_HOST%"
+                      "upstream_local_address": "%UPSTREAM_LOCAL_ADDRESS%"
+                      "upstream_transport_failure_reason": "%UPSTREAM_TRANSPORT_FAILURE_REASON%"
+                      "user-agent": "%REQ(USER-AGENT)%"
+                      "x-envoy-origin-path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
+                      "x-envoy-upstream-service-time": "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%"
+                      "x-forwarded-for": "%REQ(X-FORWARDED-FOR)%"
+                      "x-request-id": "%REQ(X-REQUEST-ID)%"
+              http_filters:
+              # External Processing Filter
+              - name: envoy.filters.http.ext_proc
+                typed_config:
+                  "@type": type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor
+                  grpc_service:
+                    envoy_grpc:
+                      cluster_name: ext_proc_cluster
+                    timeout: 10s
+                  processing_mode:
+                    request_header_mode: SEND
+                    response_header_mode: SEND
+                    request_body_mode: BUFFERED
+                    response_body_mode: STREAMED
+                  message_timeout: 60s
+                  
+              # Router filter (must be last)
+              - name: envoy.filters.http.router
+                typed_config:
+                  "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+              
+              route_config:
+                name: local_route
+                virtual_hosts:
+                - name: original_route
+                  domains: ["*"]
+                  routes:
+                  - match:
+                      prefix: "/"
+                      headers:
+                      - name: "routing-strategy"
+                        string_match:
+                          safe_regex:
+                            regex: .*
+                    route:  
+                      cluster: original_destination_cluster
+                      timeout: 300s  # Increase route timeout
+
+                      
+      clusters:
+      # External Processor Cluster (Sidecar)
+      - name: ext_proc_cluster
+        connect_timeout: 10s
+        type: STATIC
+        lb_policy: ROUND_ROBIN
+        dns_lookup_family: AUTO  # Enable dual-stack DNS
+        upstream_connection_options:
+          tcp_keepalive:
+            keepalive_probes: 3
+            keepalive_time: 30
+            keepalive_interval: 5
+        typed_extension_protocol_options:
+          envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+            "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+            explicit_http_config:
+              http2_protocol_options: {}
+        load_assignment:
+          cluster_name: ext_proc_cluster
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: ::1  # IPv6 localhost
+                    port_value: 50052
+            - endpoint:
+                address:
+                  socket_address:
+                    address: "127.0.0.1"  # IPv4 localhost fallback
+                    port_value: 50052
+
+      - name: original_destination_cluster
+        type: ORIGINAL_DST
+        original_dst_lb_config:
+          use_http_header: true
+          http_header_name: "target-pod"
+        connect_timeout: 6s
+        lb_policy: CLUSTER_PROVIDED
+        dns_lookup_family: AUTO
+        upstream_connection_options:
+          tcp_keepalive:
+            keepalive_probes: 3
+            keepalive_time: 30
+            keepalive_interval: 5
+{{- end }}

dist/chart/templates/gateway-instance/gateway.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.gateway.enable }}
+{{- if and .Values.gateway.enable (not .Values.gateway.envoyAsSideCar) }}
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
 metadata:

dist/chart/templates/gateway-plugin/deployment.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.gateway.enable }}
+{{- if or .Values.gateway.enable .Values.gateway.envoyAsSideCar }}
 {{- $redisHost := default (printf "%s-redis-master" (include "aibrix.fullname" .)) .Values.gatewayPlugin.dependencies.redis.host }}
 ---
 apiVersion: apps/v1
@@ -100,6 +100,10 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+{{- if and .Values.gateway.envoyAsSideCar (not (hasKey .Values.gatewayPlugin.container.envs "ROUTING_ALGORITHM")) }}
+            - name: ROUTING_ALGORITHM
+              value: "random"
+{{- end }}
 {{- range $key, $val := .Values.gatewayPlugin.container.envs }}
             - name: {{ $key }}
               value: "{{ $val }}"
@@ -109,5 +113,31 @@ spec:
             {{- toYaml .Values.gatewayPlugin.container.probes.liveness | nindent 12 }}
           readinessProbe:
             {{- toYaml .Values.gatewayPlugin.container.probes.readiness | nindent 12 }}
+{{- if .Values.gateway.envoyAsSideCar }}
+        - name: envoy
+          image: {{ .Values.gateway.envoyProxy.container.envoy.image }}
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              exec /usr/local/bin/envoy \
+                -c /etc/envoy/envoy.yaml \
+                --service-cluster envoy-sidecar \
+                --log-level warn \
+                --cpuset-threads \
+                --drain-strategy immediate \
+                --drain-time-s 60
+          volumeMounts:
+            - name: {{ include "aibrix.fullname" . }}-envoy-config
+              mountPath: /etc/envoy
+{{- end }}
+{{- if .Values.gateway.envoyAsSideCar }}
+      volumes:
+        - name: {{ include "aibrix.fullname" . }}-envoy-config
+          configMap:
+            name: {{ include "aibrix.fullname" . }}-envoy-config
+            items:
+              - key: envoy.yaml
+                path: envoy.yaml
+{{- end }}
       serviceAccountName: {{ include "aibrix.gatewayPlugin.serviceAccountName" . }}
 {{- end }}

dist/chart/templates/gateway-plugin/envoy_extension_policy.yaml

@@ -1,5 +1,5 @@
 # templates/envoy-extension-policy.yaml
-{{- if .Values.gateway.enable }}
+{{- if and .Values.gateway.enable (not .Values.gateway.envoyAsSideCar) }}
 apiVersion: gateway.envoyproxy.io/v1alpha1
 kind: EnvoyExtensionPolicy
 metadata:

dist/chart/templates/gateway-plugin/httproute.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.gateway.enable }}
+{{- if and .Values.gateway.enable (not .Values.gateway.envoyAsSideCar) }}
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:

dist/chart/templates/gateway-plugin/rbac.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.gateway.enable }}
+{{- if or .Values.gateway.enable .Values.gateway.envoyAsSideCar }}
 ---
 apiVersion: v1
 kind: ServiceAccount

dist/chart/templates/gateway-plugin/service.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.gateway.enable }}
+{{- if or .Values.gateway.enable (.Values.gateway.envoyAsSideCar) }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -11,6 +11,11 @@ metadata:
     prometheus.io/port: "8080"
     prometheus.io/path: "/metrics"
 spec:
+{{- if .Values.gateway.envoyAsSideCar }}
+  type: LoadBalancer
+{{- else }}
+  type: {{ .Values.gatewayPlugin.service.type | default "ClusterIP" }}
+{{- end }}
   selector:
     {{- include "aibrix.selectorLabels" . | nindent 4 }}
     app.kubernetes.io/component: aibrix-gateway-plugin
@@ -24,4 +29,9 @@ spec:
     - name: metrics
       port: 8080
       targetPort: 8080
+    {{- if .Values.gateway.envoyAsSideCar }}
+    - name: envoy-http
+      port: 10080
+      targetPort: 10080
+    {{- end }}
 {{- end }}

dist/chart/values.yaml

@@ -86,6 +86,8 @@ gatewayPlugin:
     redis:
       host: "" # aibrix-redis-master
       port: 6379
+  service:
+    type: ClusterIP
   messageTimeout: "60s"
   failOpen: false
   extProc:
@@ -133,7 +135,18 @@ gpuOptimizer:
   affinity: {}
 
 gateway:
+  # Mode Selection (mutually exclusive; values must be opposite)
+  # | gateway.enable | envoyAsSideCar | Notes |
+  # | -------------- | ------------------- | ----- |
+  # | true           | false               | Envoy managed by Envoy Gateway (data plane). Installs Gateway, GatewayClass, EnvoyProxy, and gateway-plugins. |
+  # | false          | true                | Envoy runs as a sidecar with aibrix-gateway within your workload (no Gateway data plane). Renders only the sidecar Envoy ConfigMap. |
+  # | false          | false               | Disables both. No gateway and no sidecar. Useful when using an external gateway or for CRD-only installs. |
+  # | true           | true                | INVALID: Do not enable both. Values must be opposite. |
   enable: true
+  envoyAsSideCar: false
+  envoySideCar:
+    ports:
+      http: 10080
   envoyProxy:
     replicas: 1
     imagePullSecrets: []

dist/chart/vke.yaml

@@ -102,6 +102,18 @@ gpuOptimizer:
   affinity: {}
 
 gateway:
+  # Mode Selection (mutually exclusive; values must be opposite)
+  # | gateway.enable | envoyAsSideCar | Notes |
+  # | -------------- | ------------------- | ----- |
+  # | true           | false               | Envoy managed by Envoy Gateway (data plane). Installs Gateway, GatewayClass, EnvoyProxy, and gateway-plugins. |
+  # | false          | true                | Envoy runs as a sidecar with aibrix-gateway within your workload (no Gateway data plane). Renders only the sidecar Envoy ConfigMap. |
+  # | false          | false               | Disables both. No gateway and no sidecar. Useful when using an external gateway or for CRD-only installs. |
+  # | true           | true                | INVALID: Do not enable both. Values must be opposite. |
+  enable: false
+  envoyAsSideCar: true
+  envoySideCar:
+    ports:
+      http: 10080
   envoyProxy:
     replicas: 1
     imagePullSecrets: []