Description

#10453

This PR adds support for a new GatewayClass kgateway-waypoint, which can be use in place of Istio's default Waypoint implementation.

There are some sample YAMLs included, but the basic flow is:

1. Deploy a Gateway with this class
2. To route traffic through the gateway, label either a Namespace or a Service with istio.io/use-waypoint=<gateway name (and optionally istio.io/use-waypoint-namespace=<ns the gw is in> for out-of-namespace waypoints)
3. Attach policy like HTTPRoute by parenting either to the Gateway (standard) or the Service (GAMMA-style)

This PR only supports the most basic features of a Waypoint:

• Capturing to-service traffic in a single cluster
• Attaching HTTPRoute to the Service or Gateway

Potential follow ups include:

• TCPRoute
• AuthorizationPolicy
• Multi-Cluster
• ServiceEntry capture and backends

API changes

• Add new GatewayClass named kgateway-waypoint
• (Helm) Move service.kind out of gateway and onto the gatewayClass and waypointClass values.
• (Helm) Allow adding labels/annotation to GatewayClass and the generated podTemplate for each gateway class

Code changes

Helm

• Change values to allow per-class customizations
• Make templates for GatewayClass and GatewayParameters support passing in values for each class type (standard kgateway and the kgateway-waypoint)

Core

• Refactor initialization of Routes and Gateway indexes to happen within CommonCollections rather than in proxy_syncer.
• Move some collections into CommonCollections
• Make RouteIndex handle the parent group/kind so we can do service-targeted policy.
• Remove isOurGw and ExtraGatewayClasses in favor of a statically defined Set of known classes. This can be expanded later to read from an env var, but we shouldn't be passing a closure around for this.
• Start actually applying the NetworkFilter plugins on TCP filter chains.
• Gateway Queries just hold a reference to CommonCollections so that plugins can reference GatewayQueries (the routes field on it's own won't be ready till after plugins are initialized).

Waypoint Specific

• Add a waypoint plugin that provides a new translator
• Add some additional queries for waypoints for waypoint attachment and service-attached routes
• Add a sandwich plugin that can be added at the Listener level to enable PROXY protocol inbound, and restore the client identity authenticated by zTunnel (Waypoint Sandwiches)

CI changes

• E2E added to cluster-two job

Docs changes

• Added some samples
• README for the samples

Context

#10453

Testing steps

• Unit tests against translation in/out
• E2E tests for simple traffic flows and basic policy
• To test on your own, see the examples/waypoint directory.

Checklist:

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works