Add support for envoy gateway

[smatting]

This PR:

• Introduces a new Helm chart wire-ingress that targets Envoy Gateway. It is intended as a replacement for the nginx-ingress-services chart, which uses ingress-nginx. The wire-ingress chart is not production-ready yet.

• Changes the integration test suite: all tests now run against the wire-ingress chart. The ingress solution can be selected via the WIRE_INGRESS_MODE environment variable. The federation domains change in Envoy mode — see comments in the code. Changes to the federator and integration charts are made to accommodate both variants for
  testing. As a consequence, any changes to nginx-ingress-services will be untested once this PR is merged. I've added a check integration-setup-federation.sh that prevents any changes to nginx-ingress-services to avoid this being overlooked.

• Changes the temporary filenames used in the integration test suite. This fixes issues with filenames that were too long for nginz to handle.

• Deletes the unused file hack/helmfile-federation-v0.yaml.gotmpl.

• Add a post-upgrade to all objects needed for testing. This makes running tests on the cluster manually more convenient

Checklist

• Revert .envrc before merging !!!!
• Add a new entry in an appropriate subdirectory of changelog.d
• Read and follow the PR guidelines

[wartraxx51]

Naming thing that bugs me across the whole PR, the chart is wire-ingress, the file is ingress-envoy.yaml the route is nginz-websockets. None of thes have any Ingress in them. My point of view, name it like the replacement wire-gateway , gateway-envoy.yaml etc... not blocking when I open a file called ingress-envoy.yaml and the first thing I see is kind: gateway. I have to stop and double check.

[wartraxx51]

A BackendTrafficPolicy is missing for WebSockets, the default timeouts will terminate long-lived connections, I didn't check the default value, https://gateway.envoyproxy.io/latest/api/extension_types/#backendtrafficpolicy

[smatting]

Naming thing that bugs me across the whole PR, the chart is wire-ingress, the file is ingress-envoy.yaml the route is nginz-websockets. None of thes have any Ingress in them. My point of view, name it like the replacement wire-gateway , gateway-envoy.yaml etc... not blocking when I open a file called ingress-envoy.yaml and the first thing I see is kind: gateway. I have to stop and double check.

I changed the ingress-envoy.yaml filename. But I couldn't find other occurences. Everywhere the filenames should be <kind>...
Can you please more concrete?

[smatting]

A BackendTrafficPolicy is missing for WebSockets, the default timeouts will terminate long-lived connections, I didn't check the default value, https://gateway.envoyproxy.io/latest/api/extension_types/#backendtrafficpolicy

Thank you! Added the policy. We need to run QA tests against this on staging to see if it really works

[wartraxx51]

Why don't you use the same approach las in charts/wire-ingress/templates/envoypatchpolicy-federator.yaml:36-41

[smatting]

ah, this is a leftover from a previous solution. I switched to the new solution in 05e23ad

[wartraxx51]

parameter

[wartraxx51]

is created by federator chart ?

[smatting]

Same as previous comment

[fisx]

i've read all the non-helm code (3 files), LGTM!

[fisx]

so this guard only works if i don't commit my changes first, before running tests. i guess that's a lot better than no guard. you could compute a sha256sum from all of nginx-ingress-services i guess, and compare against a stored copy of the hash. if there is a mismatch, the error will instruct you to commit the changes and update the hash in the script.

i'm not saying you should do that, this is just my brain having ideas.

[smatting]

there was a misunderstanding, which @fisx resolved in 1on1: the guard actually compares against the merge-base of the PR in the ci pipeline, so it effectively prevents any changes