feat: add Envoy Gateway Component #2685

Open
chance-coleman wants to merge 19 commits into main from chance/core-482

Conversation

@chance-coleman

Contributor

Description

Adds Envoy Gateway as an optional UDS Core component, providing the controller and GatewayClass infrastructure needed for UDP ingress support.

  • New src/envoy-gateway/ component wrapping oci://docker.io/envoyproxy/gateway-helm:v1.8.0 with upstream, registry1, and unicorn flavor variants
  • Deploys Envoy Gateway controller in envoy-gateway-system with a GatewayClass named envoy-gateway
  • UDS Package CR with ambient mesh mode and network policies covering controller, webhook, and certgen job
  • ServiceMonitor targeting port 19001 for Prometheus scraping
  • Wired into packages/standard as an optional component and bundles/k3d-standard as an opt-in via optionalComponents

Chart version pinned to v1.8.0, this ships Gateway API CRDs at v1.5.1, which is required to pass the safe-upgrades.gateway.networking.k8s.io ValidatingAdmissionPolicy installed by Istio. Earlier chart versions bundle v1.4.1 CRDs and will be blocked on install.

On-demand Gateway lifecycle (Pepr operator) and UDPRoute generation are scoped to CORE-502.

Related Issue

Fixes Core-482

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Steps to Validate

  1. Deploy the standard package with the envoy-gateway component enabled
  2. Run uds run src/envoy-gateway:validate, which waits for the envoy-gateway Deployment to be available and for GatewayClass envoy-gateway to be Accepted

Checklist before merging

chance-coleman self-assigned this May 20, 2026
chance-coleman marked this pull request as ready for review May 20, 2026 18:40
chance-coleman requested a review from a team as a code owner May 20, 2026 18:40
greptile-apps Bot commented May 20, 2026

Contributor

Greptile Summary

Adds envoy-gateway as a new optional UDS Core component, providing the Envoy Gateway controller, CRDs, GatewayClass infrastructure, and UDS Package CR needed for future UDP ingress support (CORE-502). The implementation follows the established common/flavor pattern used by other optional components.

  • src/envoy-gateway/: New component with common/zarf.yaml (CRD install via raw kubectl + controller Helm chart with a pre-deploy CRD readiness wait) and flavor-specific overrides for upstream, registry1, and unicorn; chart version pinned to v1.8.0 which ships Gateway API CRDs v1.5.1 required to satisfy the Istio safe-upgrades ValidatingAdmissionPolicy.
  • packages/base & packages/standard: Both envoy-gateway-crds and envoy-gateway wired in as optional, in correct CRD-before-controller order; bundles/k3d-standard adds them to optionalComponents.
  • chart/: Deploys an EnvoyProxy CR (data-plane image per flavor) and a GatewayClass, with a UDS Package CR covering ambient mesh mode, controller/webhook/certgen network policies, and a port-19001 metrics ServiceMonitor.

Confidence Score: 5/5

Safe to merge — new optional component that is off by default and does not affect existing deployments.

The change is entirely additive: all new components are required: false, the CRD installation is guarded by a readiness wait loop, the Helm chart SSA conflict is documented and intentionally worked around, and the webhook network policy broadness is acknowledged with a TODO. No existing components are modified in a breaking way.

No files require special attention. The one nit is the copyright year in src/envoy-gateway/values/values.yaml.

Important Files Changed

  • src/envoy-gateway/common/zarf.yaml: Defines the shared CRD installation (via raw kubectl apply with SSA + field-manager=uds) and the base Helm chart deploy with a pre-deploy CRD readiness wait loop; the approach and comments are well-justified.
  • src/envoy-gateway/zarf.yaml: Flavor-gated (upstream/registry1/unicorn) component definitions that import from common and overlay flavor-specific image values; follows the established pattern used by metrics-server and other optional components.
  • src/envoy-gateway/chart/templates/uds-package.yaml: UDS Package CR with ambient mesh mode, controller/webhook/certgen network policies, and a metrics ServiceMonitor on port 19001; the Anywhere webhook rule has an acknowledged TODO for tightening to KubeAPI.
  • src/envoy-gateway/chart/templates/envoyproxy.yaml: EnvoyProxy CR that sets the data-plane image per flavor via a required Helm value; correctly scoped to envoy-gateway-system.
  • src/envoy-gateway/chart/templates/gatewayclass.yaml: GatewayClass pointing to the uds-default EnvoyProxy parametersRef; correctly uses the envoyproxy.io controller name and namespace reference.
  • src/envoy-gateway/values/values.yaml: Empty base values file (only a copyright header); has an inconsistent 2024-2026 copyright year vs. all other new files in this component, which use 2026.
  • packages/base/zarf.yaml: Adds envoy-gateway-crds (between istio-common and istio-admin-gateway) and envoy-gateway (at the end) as optional components importing from src/envoy-gateway; ordering ensures CRDs precede the controller.
  • packages/standard/zarf.yaml: Re-exports the two optional envoy-gateway components from packages/base in adjacent, correctly-ordered positions (crds before controller) ahead of keycloak.
  • bundles/k3d-standard/uds-bundle.yaml: Adds envoy-gateway-crds and envoy-gateway to the k3d-standard bundle's optionalComponents list in the correct order.
  • src/envoy-gateway/tasks.yaml: Validate task waits for Deployment availability and GatewayClass Accepted condition; no e2e-test task (tracked in prior review thread).

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[envoy-gateway-crds component] -->|kubectl apply --server-side| B[Gateway API CRDs v1.5.1\n+ EnvoyProxy CRD\n+ VAP safe-upgrades...]
    B --> C{CRD readiness wait\n60 × 2s loop}
    C -->|CRD found| D[envoy-gateway component]
    D -->|Helm install| E[envoy-gateway controller\nDeployment in envoy-gateway-system]
    D -->|uds-envoy-gateway-config chart| F[EnvoyProxy CR: uds-default\nflavor-specific data-plane image]
    D -->|uds-envoy-gateway-config chart| G[GatewayClass: envoy-gateway\nparametersRef → EnvoyProxy/uds-default]
    D -->|uds-envoy-gateway-config chart| H[UDS Package CR\nambient mesh + network policies\n+ ServiceMonitor port 19001]
    G -->|accepted by controller| I[GatewayClass condition: Accepted]
    E -->|deployment ready| J[validate task: done]
    I --> J

Reviews (4): Last reviewed commit: "chore: update envoy distroless for reg1,..."
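The validate step in the PR description and the CRD readiness wait in the summary above both reduce to polling Kubernetes status conditions with a bounded retry. The following Python is an added example, not code from this PR or from UDS Core: it encodes the three checks (CRD Established and carrying a new-enough Gateway API bundle version, Deployment Available, GatewayClass Accepted by the expected controller) as pure functions over Kubernetes objects, plus a retry loop shaped like the 60 × 2 s wait. The sample objects are constructed; the controller name and the bundle-version annotation key follow upstream Envoy Gateway and Gateway API conventions rather than anything on this page, so treat them as assumptions. In a real cluster the inputs would be the parsed output of `kubectl get <kind> -o json`.

```python
"""Readiness checks of the kind the envoy-gateway validate task and CRD wait
loop perform, written as pure functions over Kubernetes objects (added example)."""
import time
from typing import Callable, Optional

# Assumptions taken from upstream conventions, not from this PR.
ENVOY_GATEWAY_CONTROLLER = "gateway.envoyproxy.io/gatewayclass-controller"
BUNDLE_VERSION_ANNOTATION = "gateway.networking.k8s.io/bundle-version"
# Minimum Gateway API CRD bundle the PR says the Istio safe-upgrades policy accepts.
MIN_BUNDLE_VERSION = "v1.5.1"


def condition_status(obj: dict, cond_type: str) -> Optional[str]:
    """Return the status ("True"/"False"/"Unknown") of a named condition, or None."""
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == cond_type:
            return cond.get("status")
    return None


def parse_version(v: str) -> tuple:
    """'v1.5.1' -> (1, 5, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.lstrip("v").split("."))


def crd_ready(crd: dict, min_bundle: str = MIN_BUNDLE_VERSION) -> bool:
    """CRD is Established and ships a Gateway API bundle at or above the minimum.
    Stricter than an existence check: an older bundle is what the safe-upgrades
    ValidatingAdmissionPolicy in the PR description would block."""
    annotations = crd.get("metadata", {}).get("annotations", {})
    bundle = annotations.get(BUNDLE_VERSION_ANNOTATION)
    if bundle is None or parse_version(bundle) < parse_version(min_bundle):
        return False
    return condition_status(crd, "Established") == "True"


def deployment_available(deploy: dict) -> bool:
    """Available=True and every desired replica reports available."""
    desired = deploy.get("spec", {}).get("replicas", 1)
    available = deploy.get("status", {}).get("availableReplicas", 0)
    return condition_status(deploy, "Available") == "True" and available >= desired


def gatewayclass_accepted(gc: dict, controller: str = ENVOY_GATEWAY_CONTROLLER) -> bool:
    """Accepted=True and the class is owned by the controller we deployed."""
    if gc.get("spec", {}).get("controllerName") != controller:
        return False
    return condition_status(gc, "Accepted") == "True"


def wait_until(check: Callable[[], bool], attempts: int = 60, interval: float = 2.0,
               sleep: Callable[[float], None] = time.sleep) -> bool:
    """Bounded poll: up to `attempts` tries, `interval` seconds apart (default 60 x 2 s).
    `sleep` is injectable so the loop can be exercised without waiting."""
    for _ in range(attempts):
        if check():
            return True
        sleep(interval)
    return False


# Constructed sample objects, shaped like `kubectl get <kind> -o json` output.
CRD_OK = {
    "kind": "CustomResourceDefinition",
    "metadata": {"name": "gatewayclasses.gateway.networking.k8s.io",
                 "annotations": {BUNDLE_VERSION_ANNOTATION: "v1.5.1"}},
    "status": {"conditions": [{"type": "Established", "status": "True"}]},
}
CRD_OLD = {  # same CRD from an older chart; the admission policy would reject it
    "kind": "CustomResourceDefinition",
    "metadata": {"name": "gatewayclasses.gateway.networking.k8s.io",
                 "annotations": {BUNDLE_VERSION_ANNOTATION: "v1.4.1"}},
    "status": {"conditions": [{"type": "Established", "status": "True"}]},
}
DEPLOY_OK = {
    "kind": "Deployment",
    "metadata": {"name": "envoy-gateway", "namespace": "envoy-gateway-system"},
    "spec": {"replicas": 1},
    "status": {"availableReplicas": 1,
               "conditions": [{"type": "Available", "status": "True"}]},
}
GC_OK = {
    "kind": "GatewayClass",
    "metadata": {"name": "envoy-gateway"},
    "spec": {"controllerName": ENVOY_GATEWAY_CONTROLLER},
    "status": {"conditions": [{"type": "Accepted", "status": "True", "reason": "Accepted"}]},
}
GC_PENDING = {  # controller has not reconciled the class yet
    "kind": "GatewayClass",
    "metadata": {"name": "envoy-gateway"},
    "spec": {"controllerName": ENVOY_GATEWAY_CONTROLLER},
    "status": {"conditions": [{"type": "Accepted", "status": "Unknown", "reason": "Pending"}]},
}


def validate(crd: dict, deploy: dict, gc: dict) -> dict:
    """One pass/fail entry per check, mirroring what the validate task gates on."""
    return {
        "crd_ready": crd_ready(crd),
        "deployment_available": deployment_available(deploy),
        "gatewayclass_accepted": gatewayclass_accepted(gc),
    }


if __name__ == "__main__":
    print(validate(CRD_OK, DEPLOY_OK, GC_OK))
    print(validate(CRD_OLD, DEPLOY_OK, GC_PENDING))
```

The controllerName check matters when more than one Gateway API implementation is installed (Istio is also present in UDS Core): a GatewayClass named envoy-gateway that is Accepted by a different controller would pass a bare condition check while routing nothing through Envoy.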

Comment thread src/envoy-gateway/tasks.yaml

briantwatson left a comment

Contributor


Nice addition! A couple small comments

Comment thread src/envoy-gateway/chart/templates/uds-package.yaml Outdated
Comment thread src/envoy-gateway/chart/templates/_helpers.tpl Outdated
slaskawi previously approved these changes May 26, 2026

joelmccoy left a comment

Contributor


Generally looking good. A couple comments and suggested changes.

Comment thread packages/envoy-gateway/zarf.yaml Outdated
Comment thread packages/envoy-gateway/tasks.yaml Outdated
Comment thread src/envoy-gateway/chart/templates/uds-package.yaml Outdated
Comment thread src/envoy-gateway/common/zarf.yaml Outdated
Comment thread src/envoy-gateway/common/zarf.yaml Outdated
Comment thread test/vitest/envoy-gateway.spec.ts

joelmccoy left a comment

Contributor


After playing around with this, I realize that we don't bundle the envoy proxy image in this PR, so this feature is not really usable/testable e2e yet. It was called out in the design doc to include this in this part and I think we would include the proxy image in zarf and also include the CRD to override the envoy proxy image: https://www.notion.so/defense-unicorns/UDP-Envoy-Gateway-Component-34be512f24fc8082ac78d3e5c41ce991?source=copy_link#35ae512f24fc8010a8eccb8d6398a766.

@chance-coleman

Contributor Author

@greptileai review this

chance-coleman marked this pull request as draft May 29, 2026 22:00
chance-coleman marked this pull request as ready for review May 30, 2026 02:13
@joelmccoy

Contributor

@greptileai review

Contributor


Is there a reason why you removed this test? I think it can ultimately be replaced once we have the operator logic in... but it might be good to keep it in for now so that envoy gateway creation is tested on all flavors and IAC as well?

Contributor Author


No strong reasons, mainly because they'll be improved/replaced with future testing. I've added them back in.
