fix: add watch with timeouts and rename backend tls config (#327)

This pull request reorganizes the Gateway API configuration for ingress
by moving related manifests from the `ingress` directory to a new
`components/gateway-api` directory. It updates references throughout the
codebase to use the new location, adds a dedicated kustomization for the
component, and enhances the HTTPRoute configuration to better support
watch streams and query parameters.

**Gateway API configuration reorganization:**

* Moved `kustomization.yaml`, `httproute.yaml` and
`backend-tls-policy.yaml` from `config/ingress/gateway-api/` to
`config/components/gateway-api/` and updated their contents and naming
conventions for clarity.
* Added a new `kustomization.yaml` in `config/components/gateway-api/`
to manage the component's resources.
* Removed the old kustomization and resource files from
`config/ingress/gateway-api/`.

**Configuration and documentation updates:**

* Updated overlays and documentation to reference the new
`components/gateway-api` directory instead of the old ingress location.

Author: zachsmith1

…ress/gateway-api/backend-tls-policy.yaml …ents/gateway-api/backend-tls-policy.yamlconfig/ingress/gateway-api/backend-tls-policy.yaml renamed to config/components/gateway-api/backend-tls-policy.yaml config/ingress/gateway-api/backend-tls-policy.yaml renamed to config/components/gateway-api/backend-tls-policy.yaml

@@ -1,7 +1,7 @@
 apiVersion: gateway.networking.k8s.io/v1alpha3
 kind: BackendTLSPolicy
 metadata:
-  name: milo-apiserver-tls
+  name: milo-apiserver-backend-tls
 spec:
   targetRefs:
   - group: ""

config/components/gateway-api/httproute.yaml

@@ -0,0 +1,43 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: milo-apiserver
+spec:
+  parentRefs:
+  - name: default-gateway
+    namespace: envoy-gateway-system
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: "/"
+      - queryParams:
+        - type: Exact
+          name: watch
+          value: "true"
+      timeouts:
+        # Allow users to keep watch streams open for a long duration.
+        request: 86400s
+        backendRequest: 86400s
+      backendRefs:
+        - group: ""
+          kind: Service
+          name: milo-apiserver
+          port: 6443
+      retry: # Retry on 429s so that project storage initialization has time to complete
+        codes: [429]
+        attempts: 5
+        backoff: 300ms
+    - matches:
+        - path:
+            type: PathPrefix
+            value: "/"
+      backendRefs:
+        - group: ""
+          kind: Service
+          name: milo-apiserver
+          port: 6443
+      retry: # Retry on 429s so that project storage initialization has time to complete
+        codes: [429]
+        attempts: 5
+        backoff: 300ms

config/components/gateway-api/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+  - httproute.yaml
+  - backend-tls-policy.yaml

config/ingress/gateway-api/httproute.yaml

@@ -30,7 +30,7 @@ Manages TLS certificates for the test environment:
 ## Shared Resources
 
 ### Gateway API Configuration
-This overlay uses the shared Gateway API configuration from `config/ingress/gateway-api/` which provides:
+This overlay uses the shared Gateway API configuration from `components/gateway-api/` which provides:
 - HTTPRoute for routing traffic to the API server
 - BackendTLSPolicy for TLS backend connections
 

config/ingress/gateway-api/kustomization.yaml

@@ -14,14 +14,14 @@ resources:
   - ../../apiserver
   - ../../controller-manager/overlays/core-control-plane
 
-  # Ingress configuration (shared Gateway API with Envoy)
-  - ../../ingress/gateway-api
 
 components:
   - components/auth
   - components/certificates
   - ../../components/certificates
   - ../../components/apiserver-audit-logging
+  # Ingress configuration (shared Gateway API with Envoy)
+  - ../../components/gateway-api
 
 patches:
   # Configure API server for etcd connection