feat: make host mode directory paths configurable

[codefromthecrypt]

What this PR does / why we need it:

Before, all paths were hard coded to start with /tmp/envoy-gateway, making parallel runs impractical, especially when certs change.

This adds configuration fields to EnvoyGatewayHostInfrastructureProvider to allow users to specify custom paths for configuration, data, state, and runtime directories, following XDG Base Directory Specification conventions while maintaining backward compatibility.

The implementation introduces four configurable directory paths:

• configHome: certificates and configuration files (default: ~/.config/envoy-gateway)
• dataHome: Envoy binaries, sharable across configs (default: ~/.local/share/envoy-gateway)
• stateHome: logs and persistent state (default: ~/.local/state/envoy-gateway)
• runtimeDir: ephemeral runtime files (default: /tmp/envoy-gateway-${UID})

Certificates are stored under configHome to ensure isolation between different configurations when running multiple EnvoyGateway instances in parallel, preventing certificate conflicts.

These paths are propagated to func-e which creates subdirectories as needed:

• dataHome/envoy-versions/ for Envoy binaries
• stateHome/envoy-runs/{runID}/ for per-run logs
• runtimeDir/{runID}/ for per-run runtime files

[codefromthecrypt]

license check fails due to not indexed yet. I'll fix the other things later https://deps.dev/go/github.com%2Ftetratelabs%2Ffunc-e

[codecov]

Codecov Report

❌ Patch coverage is 63.10680% with 38 lines in your changes missing coverage. Please review.
✅ Project coverage is 71.99%. Comparing base (a2ce000) to head (bf2fb0c).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/infrastructure/host/infra.go	0.00%	15 Missing ⚠️
internal/cmd/certgen.go	35.29%	11 Missing ⚠️
internal/globalratelimit/runner/runner.go	66.66%	5 Missing and 1 partial ⚠️
internal/gatewayapi/runner/runner.go	85.71%	1 Missing and 1 partial ⚠️
internal/infrastructure/host/paths.go	91.66%	1 Missing and 1 partial ⚠️
internal/xds/runner/runner.go	81.81%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7225      +/-   ##
==========================================
+ Coverage   71.97%   71.99%   +0.01%     
==========================================
  Files         229      230       +1     
  Lines       33201    33280      +79     
==========================================
+ Hits        23897    23960      +63     
- Misses       7573     7579       +6     
- Partials     1731     1741      +10     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[codefromthecrypt]

🤞 build is green now

[codefromthecrypt]

@arkodg @nacx @missBerg fyi I am off next week but wanted to eliminate this nagging tech debt for good. This PR uses XDG conventions (like prometheus, goose etc), which map into the same change made in func-e. The result is no more hard-coded /tmp/envoy-gateway and flexibility to change things in docker etc.

Most importantly, envoy-ai-gateway is blocked on this because the certs directory is hard-coded here. This causes problems as when you run tests that update certs it breaks your host configuration, as there's no way to overwrite it before this change.

So, TL;DR; this isn't just a random TODO fix, this is a big deal for sustainability forward and we should merge soon, especially as I can finish up the whole thing soup-to-nuts including ai gateway if folks can prioritize it this week!

[codefromthecrypt]

OIDC_with_BackendCluster is a very flaky test.

• Issue flaky: FAIL TestE2E/OIDC http_route_with_oidc_authentication #3898: "flaky: FAIL TestE2E/OIDC http_route_with_oidc_authentication" was filed and later closed
• PR workaroud for the flaky oidc e2e test #4603 (Nov 2024): A workaround was specifically added to handle flaky OIDC tests, which deletes and recreates the SecurityPolicy when failures occur
• PR Use BackendCluster to represent OIDCProvider #4227 (Oct 2024): The OIDC_with_BackendCluster test was added as part of implementing BackendCluster support for OIDC providers

Please kick the build. Maybe we can prioritize deflaking this after merge, especially as you can use a clean certs directory after. The certs being hard-coded directory smashed by other tests, caused flakes in ai-gateway also.

[codefromthecrypt]

incidentally this flake reminded me certs should be in the ConfigHome as they are configuration bound (for exactly the same reason as flakes when one test needs certs for its config). changing this now

[codefromthecrypt]

updated wrt cert location

[jukie]

/retest

[zirain]

/retest

[arkodg]

LGTM thanks

[zirain]

@codefromthecrypt can you fix the conflict?

[mathetake]

adrian is ooo until next week i think

[mathetake]

if the conflicts are not huge then you maintainer folks can push directly to the branch then merge i guess

[mathetake]

shouldn't this be ~/.config/envoy-gateway given that CertDir is written like this? cc @codefromthecrypt

// CertDir returns the certificate directory path (under ConfigHome).
func (p *Paths) CertDir(component string) string {
	return filepath.Join(p.ConfigHome, "certs", component)
}

[mathetake]

the other way works too (changing CertDir to use ~/.local/share/envoy-gateway)

[mathetake]

#7351