feat: Add ability to patch dataplane Service, Deployment, and DaemonSet in NginxProxy

[ciarams87]

Proposed changes

Problem: There are many Deployment and Service fields that can be customized, and having to expose all of them in the NginxProxy resource is tedious and unnecessary for uncommonly used fields.

Solution: Add a way to submit custom patches to unblock users who need to set fields that are not yet exposed in the NginxProxy CRD. This commit adds support for patching the Service, Deployment, and DaemonSet resources using StrategicMerge (default kubernetes patch strategy), Merge (used when the intelligent strategic merge behaviour is not desired, e.g. to replace an array instead of merging them), and JSONPatch (used when precise modifications are needed, such as adding elements to specific array indices or performing conditional operations based on existing values).

Testing: Unit testing, and manual testing all the variations. Example NginxProxy:

apiVersion: gateway.nginx.org/v1alpha2
kind: NginxProxy
metadata:
  name: custom-proxy
spec:
  kubernetes:
    # Service patches - demonstrates all three patch types
    service:
      patches:
        # Strategic merge patch - adds custom labels and annotations
        - type: StrategicMerge
          value:
            metadata:
              labels:
                custom-label: "service-patched"
                environment: "test"
              annotations:
                custom-annotation: "applied-via-patch"
        # Merge patch - modifies spec fields
        - type: Merge
          value:
            spec:
              sessionAffinity: "ClientIP"
        # JSON patch - adds a specific annotation
        - type: JSONPatch
          value:
            - op: add
              path: "/metadata/annotations/patched-by"
              value: "json-patch"
            - op: add
              path: "/spec/loadBalancerSourceRanges"
              value: ["10.0.0.0/8", "192.168.0.0/16"]

    # Deployment patches - for when nginx.kind is "deployment"
    deployment:
      patches:
        # Strategic merge patch - adds deployment-specific labels
        - type: StrategicMerge
          value:
            metadata:
              labels:
                deployment-type: "nginx-proxy"
                patched: "true"
            spec:
              template:
                metadata:
                  labels:
                    pod-patched: "true"
        # JSON patch - modifies strategy and adds env var
        - type: JSONPatch
          value:
            - op: add
              path: "/spec/strategy"
              value:
                type: "RollingUpdate"
                rollingUpdate:
                  maxUnavailable: 1
                  maxSurge: 1
            - op: add
              path: "/spec/template/spec/containers/0/env"
              value:
                - name: "PATCHED_BY"
                  value: "json-patch"
                - name: "DEPLOYMENT_MODE"
                  value: "patched"

Note 1: We don't have the ability to perform validation on patches. Errors in Patches will be logged in the control plane, but will not be reported in the status of the NginxProxy. Additionally, the resources will be created regardless - I don't believe we should fail the resource creation because of patch errors. It will be on the user to ensure patches have been applied correctly (this will be documented in the data plane configuration doc)

Note 2: Uses gopkg.in/evanphx/json-patch.v4 instead of the latest v5 to match Kubernetes ecosystem libraries and ensure consistent RFC 6902 compliance with kubectl. See this issue for a similar example

Closes #3568

Checklist

Before creating a PR, run through this checklist and mark each as complete.

• I have read the CONTRIBUTING doc
• I have added tests that prove my fix is effective or that my feature works
• I have checked that all unit tests pass after adding my changes
• I have updated necessary documentation
• I have rebased my branch onto main
• I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

Added the ability to patch the dataplane Service, Deployment, and DaemonSet resources through NginxProxy

[codecov]

Codecov Report

Attention: Patch coverage is 84.21053% with 15 lines in your changes missing coverage. Please review.

Project coverage is 86.85%. Comparing base (b5cf4be) to head (da6ed02).

Files with missing lines	Patch %	Lines
internal/controller/provisioner/objects.go	84.21%	10 Missing and 5 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3630      +/-   ##
==========================================
- Coverage   86.87%   86.85%   -0.03%     
==========================================
  Files         127      127              
  Lines       15287    15354      +67     
  Branches       62       62              
==========================================
+ Hits        13281    13335      +54     
- Misses       1851     1860       +9     
- Partials      155      159       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sjberman]

Should this field be marked as optional?

[sjberman]

I think you could just do return objects, errors.Join(errs...). If errs is empty, it should return nil.

[sjberman]

Does k8s define these types at all? If so, it'd be nice to alias our types to theirs, instead of using the string literal.

[bjee19]

I see there are some definitions here: https://github.com/kubernetes/apimachinery/blob/1ebcba2516a6683ca3be753b0b7e2cb203daf5dd/pkg/types/patch.go#L22

Which are used in the apiextentions-apiserver test code here: https://github.com/kubernetes/apiextensions-apiserver/blob/9fbc252b2071ab031a4011dd3d07fde4e281fe3c/test/integration/scope_test.go#L132-L138

[bjee19]

Isn't this if statement not needed since the check is already above?

[bjee19]

nit: can we combine the above line

if nProxyCfg != nil && nProxyCfg.Kubernetes != nil && nProxyCfg.Kubernetes.Deployment != nil {
		deploymentCfg = *nProxyCfg.Kubernetes.Deployment
	}

into this statement?

[bjee19]

if its possible, can you add another test case where a patch later on in the array overrides a field set in a previous patch?