feat(securitypolicy): add MergeType support for policy merging

[rajatvig]

Add MergeType field to SecurityPolicy to enable policy merging similar
to BackendTrafficPolicy. This allows route-level policies to merge with
parent Gateway/Listener policies rather than completely overriding them.

Fixes #6734

[netlify]

✅ Deploy Preview for cerulean-figolla-1f9435 ready!

Name	Link
🔨 Latest commit	215388d
🔍 Latest deploy log	https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/699317c9dbfabd00077fe8cf
😎 Deploy Preview	https://deploy-preview-7918--cerulean-figolla-1f9435.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

❌ Patch coverage is 80.58824% with 33 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.56%. Comparing base (38b0ad1) to head (215388d).

Files with missing lines	Patch %	Lines
internal/gatewayapi/securitypolicy.go	80.58%	29 Missing and 4 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7918      +/-   ##
==========================================
+ Coverage   73.55%   73.56%   +0.01%     
==========================================
  Files         242      242              
  Lines       36949    37071     +122     
==========================================
+ Hits        27178    27272      +94     
- Misses       7851     7876      +25     
- Partials     1920     1923       +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[rajatvig]

@arkodg @kkk777-7 The PR is ready. Please do review when you have bandwidth. The E2E tests for the feature are passing, CI seems to have a bit of flakiness.

[kkk777-7]

Hi @rajatvig , thanks for working on this!
I left some comments.

[kkk777-7]

/retest

[zhaohuabing]

LGTM.

#7918 (comment) is tracked in #8088 and can be addressed later.

[kkk777-7]

/retest

[kkk777-7]

@rajatvig
Sorry, there’s one point I missed in the last review. I left a comment, so could you please take a look?

[rajatvig]

@rajatvig Sorry, there’s one point I missed in the last review. I left a comment, so could you please take a look?

Just fixed the last bit I think.

[rajatvig]

@kkk777-7 @zhaohuabing Does this look good now? Any other points I need to address?

[rudrakhp]

Note that you might need to handle refs from parent policy after merge, see #8210 that fixes ref resolution for merged BTPs.

[rajatvig]

Note that you might need to handle refs from parent policy after merge, see #8210 that fixes ref resolution for merged BTPs.

@rudrakhp From what I could gather looking at the code, it would mostly affect secrets when the parent policy refers to a secret that the merged policy tries looking up in the route's namespace.

There is an issue #8094 tracking that. Would it be ok to resolve this as part of that issue?

[rudrakhp]

@rajatvig it will affect not only secrets but any LocalObjectReference, I would recommend waiting on #8210 attempting to provide a generic way to handle local object references in merge scenarios.