Egress via Ingress VirtualServer Resource

[chase-kiefer]

Proposed changes

NSM would like the ability to egress traffic through a KIC VirtualServer. This PR adds the functionality and templating necessary to configure a VS resource for NSM egress. It diverges from the pattern implemented for ingress by using a CRD field instead of an annotation.

• added internalRoute field to the virtualserver CRD
• updated templates for internal routes in virtualserver for n+ and oss
• added unit test to validate virtual server internal routes
• updated virtualServerConfigurator type to have an enableInternalRoutes boolean
• updated virtualserver configuration items to include internRoute docs

Checklist

Before creating a PR, run through this checklist and mark each as complete.

• I have read the CONTRIBUTING doc
• I have added tests that prove my fix is effective or that my feature works
• I have checked that all unit tests pass after adding my changes
• I have updated necessary documentation
• I have rebased my branch onto main
• I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

[chase-kiefer]

@nginxinc/service-mesh Looking for a review from someone on our team also. I can't add us as reviewers, so just adding a comment tagging our team.

[codecov-commenter]

Codecov Report

Merging #3491 (ae6aa50) into main (96d28b2) will increase coverage by 0.01%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #3491      +/-   ##
==========================================
+ Coverage   52.34%   52.36%   +0.01%     
==========================================
  Files          59       59              
  Lines       16880    16890      +10     
==========================================
+ Hits         8836     8844       +8     
- Misses       7747     7749       +2     
  Partials      297      297              

Impacted Files	Coverage Δ
internal/configs/version2/http.go	0.00% <ø> (ø)
internal/configs/virtualserver.go	95.16% <100.00%> (+0.02%)	⬆️

... and 1 file with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[jbyers19]

LGTM

[sjberman]

LGTM, be sure to update commit messages and PR description with the new approach.

[ciarams87]

Thanks so much @chase-kiefer ! Great work 😄

[lucacome]

@chase-kiefer I think we need a couple of changes:

• we're missing the check for the CLI argument enable-internal-routes, if the flag is not set and we add internalRoute in the VirtualServer we should throw a warning and not write the config for it.
• we should align the logic and variables with the Ingress side to make it easier to maintain the code. Right now in the template we have InternalRouteServer for the Spiffe server certs and SpiffeCerts for the client certs, but in Ingress we use SpiffeCerts for the server certs and SpiffeClientCerts for the client certs. I'm fine with whatever names you think make the most sense, I'd just like to have them consistent. Maybe for the sake of merging this PR, you can just use the same logic of Ingress and then refactor for both later. Up to you.

Also #3602 might remove the CLI arguments, so we might need to change the logic and look at the annotation instead...