[ambient] Ingress gateway to waypoint #51214

sando38 opened this issue May 23, 2024 · 2 comments
sando38 commented May 23, 2024

Describe the feature request

Currently, if I have cluster external ingress via a gateway, the traffic from the gateway to a waypoint enabled service does not go through the waypoint (but probably via ztunnel only).

Most L7 policies I can attach to the ingress gateway AuthzPol; however, I have one setup which does not work:

  • admin policy for "allow-nothing"
  • A CUSTOM policy on the gateway to initiate OIDC for requestAuthn
  • Now using requestPrincipals in the AuthzPol of the destination application does not work, because it does not go through the waypoint. The same applies to any other L7 policies like methods: GET.

Describe alternatives you've considered

I helped myself by creating an in-between haproxy being part of the ambient mesh, just inelegantly mapping and forwarding requests to destination services, which then would be captured by the waypoint, because it is mesh-to-mesh traffic.

Affected product area (please put an X in all that apply)

[x] Ambient
[ ] Docs
[ ] Dual Stack
[ ] Installation
[x] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

Affected features (please put an X in all that apply)

[ ] Multi Cluster
[ ] Virtual Machine
[ ] Multi Control Plane

Additional context
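The three policies described above, written out as an added illustration (this is not configuration from the issue or from the Istio project). Namespace, gateway, waypoint, host and extension-provider names are assumed; the point is that the third policy is L7 and is only evaluated by the waypoint, so it has no effect on traffic that reaches the backend without traversing it.

```yaml
# Added illustration of the reported setup; names below are assumed, not from the issue.
# 1. "allow-nothing": an empty spec denies all traffic to the namespace unless another policy allows it.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: app            # assumed application namespace
spec: {}
---
# 2. CUSTOM policy on the ingress gateway that delegates to an external OIDC authorizer.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: oidc-on-ingress
  namespace: istio-system
spec:
  targetRefs:
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: ingress            # assumed name of the ingress Gateway
  action: CUSTOM
  provider:
    name: oidc-authz         # assumed extensionProviders entry in meshConfig
  rules:
  - to:
    - operation:
        hosts: ["app.example.com"]   # assumed host
---
# 3. L7 policy on the destination: only requests carrying a validated JWT principal
#    may use GET. Bound to the waypoint, so it is enforced only for traffic that
#    actually passes through the waypoint; ingress -> backend traffic that goes
#    straight through ztunnel never hits this rule.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: app-require-jwt
  namespace: app
spec:
  targetRefs:
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: waypoint           # assumed name of the namespace waypoint
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
    to:
    - operation:
        methods: ["GET"]
```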


sando38 commented May 23, 2024

@louiscryan as discussed. 👍

mikemorris (Member) commented

Following this as it relates to kubernetes-sigs/gateway-api#1478 - this is undefined in the Gateway API spec currently, and default behavior differs between Istio (route from ingress directly to backends, bypassing mesh rules) and Linkerd (deploy sidecar next to in-cluster 3rd party N/S gateway, follow mesh rules). Additionally, most cluster-external N/S gateways (such as those offered by cloud vendors) would typically route directly from the ingress to backend pods to avoid an extra routing hop and due to the impracticality of deploying a sidecar next to them.
