refactor: envoyfilters as types

[hown3d]

What this PR does / why we need it:
Refactors the code to use the proto definitions of envoy instead of relying on map[string]interface{}.
This ensures type safety and increases developer experience a lot, since you no longer have to dig deep in the envoy documentation in regards to syntax.

Special notes for your reviewer:
/cc @timebertt
Tested on ond-lamb with shoot acl

[dergeberl]

Very nice to have this objects typed! 🎉

We added a few comments.
I will have a second look incl. the cluster on the ondemand after resolving our comments.

[dergeberl]

In the gjson we only checked the ConfigPatches[0].

[hown3d]

We could break the outer loop when we find the first occurence of"envoy.filters.network.tcp_proxy" in a filterList. This way we are safe if the configPatches changes and something is added before the tcp_proxy filter

[hown3d]

This was previously a bug, there is not stat_prefix field in http.rbac.v3.RBAC message.
Ref: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/rbac/v3/rbac.proto

[Copilot]

Pull request overview

Refactors EnvoyFilter generation to use typed Envoy/Istio protobuf definitions (instead of map[string]interface{}), improving type safety and easing future maintenance.

Changes:

• Reworks EnvoyFilter builders to return typed *istio.io/api/networking/v1alpha3.EnvoyFilter objects and constructs typed RBAC filter configs using go-control-plane protos.
• Updates unit tests and golden testdata to compare rendered output via JSON equivalence (and adjusts field names like rules_stat_prefix).
• Wires new builder signatures through the actuator and updates module dependencies to include protobuf/Envoy proto packages.

Reviewed changes

Copilot reviewed 10 out of 11 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
pkg/envoyfilters/envoyfilters.go	Core refactor: build typed EnvoyFilter + typed RBAC configs; introduces proto→structpb.Struct helper.
pkg/envoyfilters/envoyfilters_test.go	Updates tests to compare JSON-equivalent output; adapts to new return types and signatures.
pkg/envoyfilters/testdata/*.yaml	Adjusts golden specs for protojson defaults (e.g., action omitted) and rules_stat_prefix naming.
pkg/controller/actuator.go	Updates call sites to handle new (spec, error) builder signatures.
go.mod / go.sum	Adds dependencies for Envoy protos and protobuf tooling; adjusts YAML/protobuf deps.

Comments suppressed due to low confidence (1)

pkg/envoyfilters/envoyfilters.go:416

• ruleCIDRsToPrincipal appends alwaysAllowedCIDRs only when rule.Action == "ALLOW", which is case-sensitive. Since validation accepts any casing, an action like "allow" would skip adding always-allowed CIDRs and could unintentionally block cluster-internal communication. Consider using a case-insensitive check (or reusing actionProto() / normalized action) here as well.

	// if the rule has action "ALLOW" (which means "limit the access to only the
	// specified IPs", we need to insert the node CIDR range to not block
	// cluster-internal communication)
	if rule.Action == "ALLOW" {
		for _, cidr := range alwaysAllowedCIDRs {
			prefix, length, err := getPrefixAndPrefixLength(cidr)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[timebertt]

Ufff, this is really hard to review. I can only judge high-level code quality, e.g., error handling, etc.
However, the tests comparing the marshalled results with the expected YAML give me confidence that everything will still work as expected.

[timebertt]

Can we remove the singleFiltersAllowEntry.yaml file?