Add istio meshConfig, internal auth gateway and token-vendor auth httproutes

[awhdesmond]

1. Configure extension providers in Istio's mesh_config to use crc-auth-gateway
2. Deploy crc-auth-gateway using Gateway API Gateway resource, but only give it an internal clusterIP.
3. Apply AuthorizationPolicy on crc-gateway to use crc-auth-gateway extension provider for external HTTP authorization.
4. Add auth HTTPRoute for public-key-access-auth and public-key-access-auth, targetting crc-auth-gateway
5. Include an explicity-allow catch-all route for crc-auth-gateway as not all paths require authz. (It can be switched to explicit-deny)

[awhdesmond]

Will we be allowed to use open-source (Apache 2 license) NGINX image here for CRC?

[koonpeng]

Not authoritative, but CRC itself is apache-2.0 so I would assume yes.

[awhdesmond]

i have updated to use nginxinc/nginx-unprivileged:1.30.1-alpine

[ensonic]

Yes, the license is fine. We can also consider a simple go-lang server if all it needs to do is to reply with OK 200. But that can be a followup.

[awhdesmond]

It's may be worth to refactor this service out to its own file.

[koonpeng]

Yeah, it appears to be only for testing?

[awhdesmond]

This service is used as the catch-all service with pathprefix / under the auth gateway. I would assume not all paths require authz, so this catch-all service will respond with HTTP 200 for all those services.

[ensonic]

Yes, we need to support routes that don't require auth.

[ensonic]

Can we try this:

filters:
    - type: RequestRedirect
      requestRedirect:
        statusCode: 200

[awhdesmond]

will result in:

The HTTPRoute "crc-auth-catchall" is invalid: 
* spec.rules[0].filters[0].requestRedirect.statusCode: Unsupported value: 200: supported values: "301", "302"
* <nil>: Invalid value: null: some validation rules were not checked because the object was invalid; correct the existing errors to complete validation

[ensonic]

Awesome, lets iterate in followups to finetune it.