Fix(gatewayapi): allow mixed IP and UDS endpoints in backend route references

[stekole]

What type of PR is this?
/kind bug

What this PR does / why we need it:
Backend resources with mixed IP and Unix Domain Socket (UDS) endpoints were incorrectly rejected as unsupported mixed address types. Additionally, UDS endpoints were blocked entirely in route backend references.

• Classifies IP + UDS combinations as IP (static) instead of MIXED
• Allows UDS endpoints in route Backend references
• Only rejects MIXED when FQDN is involved with IP or UDS

Which issue(s) this PR fixes:
Fixes #8229

Release Notes: Yes

[netlify]

✅ Deploy Preview for cerulean-figolla-1f9435 ready!

Name	Link
🔨 Latest commit	90cc4f1
🔍 Latest deploy log	https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/69c1fa50c4cfa800085f131b
😎 Deploy Preview	https://deploy-preview-8530--cerulean-figolla-1f9435.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

❌ Patch coverage is 85.71429% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 74.37%. Comparing base (a049df2) to head (90cc4f1).

Files with missing lines	Patch %	Lines
internal/gatewayapi/listener.go	0.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8530      +/-   ##
==========================================
+ Coverage   74.35%   74.37%   +0.01%     
==========================================
  Files         242      242              
  Lines       37811    37808       -3     
==========================================
+ Hits        28113    28118       +5     
+ Misses       7748     7743       -5     
+ Partials     1950     1947       -3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[zirain]

IIRC, we're find to remove the last one parameter from function validateBackendRefBackend.

[stekole]

Makes sense - Thanks - Addressed.

[zirain]

is it possible to add an e2e test to ensure that a mixed backend worked as expected?

[stekole]

Yes - I can write something to validate the route is accepted (not rejected as "MIXED") and traffic flows through. If we want a full HTTP on UDS and serve traffic that may require additional containers and complexity.

I think ensuring the route is created is a good first step. Let me know if you'd like to see something else. We can discuss further or happy to address it in a follow-up.

[zirain]

/retest

[arkodg]

how would admins ensure proper access control if app developers can route back into the proxy ?

[arkodg]

cc @guydc

[stekole]

Good question. I may not have all the answers but I will references a few things I know.

rbac on Backend resources - the docs already reference restricting who can create Backend CRs, consistent with guidance on CVE-2021-25740. An app developer without RBAC to create Backend resources can't reference UDS: https://github.com/envoyproxy/gateway/blob/main/site/content/en/latest/tasks/traffic/backend.md#L14-L21

UDS also requires a mounted socket in the proxy pod - UDS path in a Backend spec is a no-op unless the socketfile is actually present in the proxy pods filesystem. Mounting it requires an envoyproxy infrastructure patch, which is an admin resource that app developers shouldnt control.
ref: https://github.com/envoyproxy/gateway/blob/main/site/content/en/contributions/design/backend.md#L129-L131
Task doc: https://github.com/envoyproxy/gateway/blob/main/site/content/en/latest/tasks/traffic/backend.md#L37

[stekole]

loopback routing also looks to be disabled - https://github.com/envoyproxy/gateway/blob/main/internal/gatewayapi/backend.go#L198