feat: add Istio VirtualService Requestmatch to UDS Operator

[jeff-mccoy]

Description

This PR introduces Istio VirtualService HttpMatchRequest rules for the UDS Operator expose field. While a bit more limited than their Istio counterparts, the following fields are carried over into UDS:

• ignoreUriCase
• method
• name * UDS requires this field (optional in Istio)
• queryParams
• uri

Additional this PR mirrors naming validation/generation behavior UDS Operator uses for allow entries, including adding an optional description field to name the generated resource.

Related Issue

Fixes #114

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Other (security config, docs update, etc)

[rjferguson21]

Thanks for doing this so fast @jeff-mccoy.

It might have been a conscious choice but I don't think this implementation will satisfy the GitLab example in the issue where a single service is exposing multiple ports.

For other's context this is what the example VS with matches generates from this PR (notice the single port):

apiVersion: uds.dev/v1alpha1
kind: Package
metadata:
  name: httpbin
  namespace: test-admin-app
spec:
  network:
    expose:
      - service: httpbin
        podLabels:
          app: httpbin
        gateway: admin
        host: demo
        port: 8000
        targetPort: 80
        match:
          - name: test-get-and-prefix
            method:
              # Only allow GET requests
              regex: GET
            uri:
              # Only allow routing to /status/2*, everything else should 404
              prefix: /status/2
          - name: test-exact
            uri:
              # Only allow routing to /status/410
              exact: /status/410

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: httpbin-admin-demo
  namespace: test-admin-app
spec:
  gateways:
  - istio-admin-gateway/admin-gateway
  hosts:
  - demo.admin.uds.dev
  http:
  - match:
    - method:
        regex: GET
      name: test-get-and-prefix
      uri:
        prefix: /status/2
    - name: test-exact
      uri:
        exact: /status/410
    route:
    - destination:
        host: httpbin.test-admin-app.svc.cluster.local
        port:
          number: 8000

[jeff-mccoy]

Yeah I looked at the example, this should work, but slightly differently (as in 2 expose entries) and dropping the fault entry. I looked at why they were doing that and there are other ways in istio to do that--including using regex in this match to never include the value.

[rjferguson21]

That suggestion implies we will create two separate VS? Definitely understand the trade off to keep the Package spec as terse as possible but wanted to clarify that is what you're suggesting as the outcome.

The way the VS are named today it won't let you create multiple VS for a particular pkg/gateway/host combo and overwrites the previous one.

We could potentially merge multiple expose[] into into the same VS...

[jeff-mccoy]

Updated & tested with a few various styles to see what it would look like.