chore: support hostname in aigatewayroute

Signed-off-by: xianml <xian@bentoml.com>

Author: xianml

api/v1alpha1/ai_gateway_route.go

@@ -64,6 +64,13 @@ type AIGatewayRouteSpec struct {
 	// +optional
 	ParentRefs []gwapiv1.ParentReference `json:"parentRefs,omitempty"`
 
+	// Hostnames defines a set of hostnames that should be matched against the HTTP Host header
+	// before applying rules. This maps directly to HTTPRoute.Spec.Hostnames.
+	//
+	// +optional
+	// +kubebuilder:validation:MaxItems=16
+	Hostnames []gwapiv1.Hostname `json:"hostnames,omitempty"`
+
 	// Rules is the list of AIGatewayRouteRule that this AIGatewayRoute will match the traffic to.
 	// Each rule is a subset of the HTTPRoute in the Gateway API (https://gateway-api.sigs.k8s.io/api-types/httproute/).
 	//

api/v1alpha1/zz_generated.deepcopy.go

@@ -355,6 +355,8 @@ func (c *AIGatewayRouteController) newHTTPRoute(ctx context.Context, dst *gwapiv
 	dst.Annotations[httpRouteAnnotationForAIGatewayGeneratedIndication] = "true"
 
 	dst.Spec.ParentRefs = aiGatewayRoute.Spec.ParentRefs
+
+	dst.Spec.Hostnames = append(dst.Spec.Hostnames, aiGatewayRoute.Spec.Hostnames...)
 	return nil
 }
 

internal/controller/ai_gateway_route.go

@@ -555,6 +555,93 @@ func Test_newHTTPRoute_LabelAndAnnotationPropagation(t *testing.T) {
 	require.Equal(t, "ann-value-2", httpRoute.Annotations["custom-annotation-2"])
 }
 
+func Test_newHTTPRoute_Hostnames_NotSet(t *testing.T) {
+	c := requireNewFakeClientWithIndexes(t)
+
+	// Minimal backend to satisfy newHTTPRoute validation.
+	backend := &aigv1a1.AIServiceBackend{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-backend", Namespace: "test-ns"},
+		Spec: aigv1a1.AIServiceBackendSpec{
+			BackendRef: gwapiv1.BackendObjectReference{Name: "some-backend", Namespace: ptr.To(gwapiv1.Namespace("test-ns"))},
+		},
+	}
+	require.NoError(t, c.Create(context.Background(), backend))
+
+	aiGatewayRoute := &aigv1a1.AIGatewayRoute{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-route",
+			Namespace: "test-ns",
+		},
+		Spec: aigv1a1.AIGatewayRouteSpec{
+			Rules: []aigv1a1.AIGatewayRouteRule{
+				{
+					BackendRefs: []aigv1a1.AIGatewayRouteRuleBackendRef{
+						{Name: "test-backend", Weight: ptr.To[int32](100)},
+					},
+				},
+			},
+		},
+	}
+
+	controller := &AIGatewayRouteController{client: c}
+	httpRoute := &gwapiv1.HTTPRoute{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-route",
+			Namespace: "test-ns",
+		},
+	}
+
+	err := controller.newHTTPRoute(context.Background(), httpRoute, aiGatewayRoute)
+	require.NoError(t, err)
+
+	// Without spec.hostnames, Hostnames should remain empty.
+	require.Empty(t, httpRoute.Spec.Hostnames)
+}
+
+func Test_newHTTPRoute_Hostnames_Set(t *testing.T) {
+	c := requireNewFakeClientWithIndexes(t)
+
+	// Minimal backend to satisfy newHTTPRoute validation.
+	backend := &aigv1a1.AIServiceBackend{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-backend", Namespace: "test-ns"},
+		Spec: aigv1a1.AIServiceBackendSpec{
+			BackendRef: gwapiv1.BackendObjectReference{Name: "some-backend", Namespace: ptr.To(gwapiv1.Namespace("test-ns"))},
+		},
+	}
+	require.NoError(t, c.Create(context.Background(), backend))
+
+	aiGatewayRoute := &aigv1a1.AIGatewayRoute{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-route",
+			Namespace: "test-ns",
+		},
+		Spec: aigv1a1.AIGatewayRouteSpec{
+			Hostnames: []gwapiv1.Hostname{"api.example.com", "*.example.net", "sub.example.com"},
+			Rules: []aigv1a1.AIGatewayRouteRule{
+				{
+					BackendRefs: []aigv1a1.AIGatewayRouteRuleBackendRef{
+						{Name: "test-backend", Weight: ptr.To[int32](100)},
+					},
+				},
+			},
+		},
+	}
+
+	controller := &AIGatewayRouteController{client: c, logger: logr.Discard()}
+	httpRoute := &gwapiv1.HTTPRoute{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-route",
+			Namespace: "test-ns",
+		},
+	}
+
+	err := controller.newHTTPRoute(context.Background(), httpRoute, aiGatewayRoute)
+	require.NoError(t, err)
+
+	expected := []gwapiv1.Hostname{"api.example.com", "*.example.net", "sub.example.com"}
+	require.Equal(t, expected, httpRoute.Spec.Hostnames)
+}
+
 func TestAIGatewayRouteController_syncGateways_NamespaceDetermination(t *testing.T) {
 	fakeClient := requireNewFakeClientWithIndexes(t)
 	eventCh := internaltesting.NewControllerEventChan[*gwapiv1.Gateway]()

internal/controller/ai_gateway_route_test.go

@@ -318,6 +318,7 @@ func (c *GatewayController) reconcileFilterConfigSecret(
 			continue
 		}
 		hasEffectiveRoute = true
+		hostnames := aiGatewayRoute.Spec.Hostnames
 		spec := aiGatewayRoute.Spec
 		for ruleIndex := range spec.Rules {
 			rule := &spec.Rules[ruleIndex]
@@ -330,11 +331,20 @@ func (c *GatewayController) reconcileFilterConfigSecret(
 					if (h.Type != nil && *h.Type != gwapiv1.HeaderMatchExact) || string(h.Name) != internalapi.ModelNameHeaderKeyDefault {
 						continue
 					}
-					ec.Models = append(ec.Models, filterapi.Model{
+					model := filterapi.Model{
 						Name:      h.Value,
 						CreatedAt: ptr.Deref[metav1.Time](rule.ModelsCreatedAt, aiGatewayRoute.CreationTimestamp).UTC(),
 						OwnedBy:   ptr.Deref(rule.ModelsOwnedBy, defaultOwnedBy),
-					})
+					}
+					ec.Models = append(ec.Models, model)
+					if len(hostnames) > 0 {
+						if ec.ModelsByHost == nil {
+							ec.ModelsByHost = make(map[string][]filterapi.Model)
+						}
+						for _, hn := range hostnames {
+							ec.ModelsByHost[string(hn)] = append(ec.ModelsByHost[string(hn)], model)
+						}
+					}
 				}
 			}
 			for backendRefIndex := range rule.BackendRefs {

internal/controller/gateway.go

@@ -9,6 +9,7 @@ import (
 	"context"
 	"fmt"
 	"log/slog"
+	"strings"
 
 	corev3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	extprocv3 "github.com/envoyproxy/go-control-plane/envoy/service/ext_proc/v3"
@@ -34,23 +35,27 @@ type modelsProcessor struct {
 var _ Processor = (*modelsProcessor)(nil)
 
 // NewModelsProcessor creates a new processor that returns the list of declared models.
-func NewModelsProcessor(config *filterapi.RuntimeConfig, _ map[string]string, logger *slog.Logger, isUpstreamFilter bool, _ bool) (Processor, error) {
+func NewModelsProcessor(config *filterapi.RuntimeConfig, requestHeaders map[string]string, logger *slog.Logger, isUpstreamFilter bool, _ bool) (Processor, error) {
 	if isUpstreamFilter {
 		return passThroughProcessor{}, nil
 	}
-	models := openai.ModelList{
+
+	host := requestHost(requestHeaders)
+	selectedModels := selectModelsForHost(host, config)
+
+	modelList := openai.ModelList{
 		Object: "list",
-		Data:   make([]openai.Model, 0, len(config.DeclaredModels)),
+		Data:   make([]openai.Model, 0, len(selectedModels)),
 	}
-	for _, m := range config.DeclaredModels {
-		models.Data = append(models.Data, openai.Model{
+	for _, m := range selectedModels {
+		modelList.Data = append(modelList.Data, openai.Model{
 			ID:      m.Name,
 			Object:  "model",
 			OwnedBy: m.OwnedBy,
 			Created: openai.JSONUNIXTime(m.CreatedAt),
 		})
 	}
-	return &modelsProcessor{logger: logger, models: models}, nil
+	return &modelsProcessor{logger: logger.With("host", host), models: modelList}, nil
 }
 
 // ProcessRequestHeaders implements [Processor.ProcessRequestHeaders].
@@ -84,3 +89,51 @@ func setHeader(headers *extprocv3.HeaderMutation, key, value string) {
 		},
 	})
 }
+
+// requestHost normalizes the host/authority header for matching (lowercases and strips port).
+func requestHost(headers map[string]string) string {
+	host := headers[":authority"]
+	if host == "" {
+		host = headers["host"]
+	}
+	if host == "" {
+		return ""
+	}
+	if idx := strings.IndexByte(host, ':'); idx != -1 {
+		host = host[:idx]
+	}
+	return strings.ToLower(host)
+}
+
+// selectModelsForHost returns the models for the given host, falling back to the global list.
+func selectModelsForHost(host string, cfg *filterapi.RuntimeConfig) []filterapi.Model {
+	if host == "" || len(cfg.ModelsByHost) == 0 {
+		return cfg.DeclaredModels
+	}
+
+	if exact, ok := cfg.ModelsByHost[host]; ok {
+		return exact
+	}
+
+	bestMatchLength := -1
+	var bestMatchModels []filterapi.Model
+	for pattern, models := range cfg.ModelsByHost {
+		if !strings.HasPrefix(pattern, "*.") {
+			continue
+		}
+		suffix := strings.TrimPrefix(pattern, "*.")
+		// Wildcard hostnames only match subdomains with a label boundary.
+		// Example: "*.bentoml.com" matches "api.bentoml.com" but not "bentoml.com" or "evilbentoml.com".
+		if strings.HasSuffix(host, "."+suffix) {
+			if len(suffix) > bestMatchLength {
+				bestMatchLength = len(suffix)
+				bestMatchModels = models
+			}
+		}
+	}
+	if bestMatchModels != nil {
+		return bestMatchModels
+	}
+
+	return []filterapi.Model{}
+}

internal/extproc/models_processor.go

@@ -68,3 +68,68 @@ func headers(in []*corev3.HeaderValueOption) map[string]string {
 	}
 	return h
 }
+
+func Test_selectModelsForHost(t *testing.T) {
+	defaultModels := []filterapi.Model{{Name: "default"}}
+	exactModels := []filterapi.Model{{Name: "exact"}}
+	wildcardComModels := []filterapi.Model{{Name: "wildcard-com"}}
+	wildcardBentomlModels := []filterapi.Model{{Name: "wildcard-bentoml"}}
+
+	cfg := &filterapi.RuntimeConfig{
+		DeclaredModels: defaultModels,
+		ModelsByHost: map[string][]filterapi.Model{
+			"api.bentoml.com":   exactModels,
+			"*.com":             wildcardComModels,
+			"*.bentoml.com":     wildcardBentomlModels,
+			"not-a-pattern.com": {{Name: "ignored"}},
+		},
+	}
+
+	tests := []struct {
+		name string
+		host string
+		want []filterapi.Model
+	}{
+		{
+			name: "exact match wins",
+			host: "api.bentoml.com",
+			want: exactModels,
+		},
+		{
+			name: "wildcard match with label boundary",
+			host: "chat.bentoml.com",
+			want: wildcardBentomlModels,
+		},
+		{
+			name: "more specific wildcard wins",
+			host: "foo.bentoml.com",
+			want: wildcardBentomlModels,
+		},
+		{
+			name: "wildcard does not match apex",
+			host: "bentoml.com",
+			want: wildcardComModels,
+		},
+		{
+			name: "wildcard does not match missing boundary",
+			host: "evilbentoml.com",
+			want: wildcardComModels,
+		},
+		{
+			name: "fallback to default when no match",
+			host: "localhost",
+			want: []filterapi.Model{},
+		},
+		{
+			name: "empty host falls back to default",
+			host: "",
+			want: defaultModels,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			require.Equal(t, tt.want, selectModelsForHost(tt.host, cfg))
+		})
+	}
+}

internal/extproc/models_processor_test.go

@@ -39,6 +39,9 @@ type Config struct {
 	Backends []Backend `json:"backends,omitempty"`
 	// Models is the list of models that this route is aware of. Used to populate the "/models" endpoint in OpenAI-compatible APIs.
 	Models []Model `json:"models,omitempty"`
+	// ModelsByHost is the list of models keyed by hostname. When present, the extproc "/v1/models" processor will prefer
+	// the hostname-specific list over the global Models slice.
+	ModelsByHost map[string][]Model `json:"modelsByHost,omitempty"`
 	// MCPConfig is the configuration for the MCPRoute implementations.
 	MCPConfig *MCPConfig `json:"mcpConfig,omitempty"`
 }

internal/filterapi/filterconfig.go

@@ -33,6 +33,8 @@ type RuntimeConfig struct {
 	RequestCosts []RuntimeRequestCost
 	// DeclaredModels is the list of declared models.
 	DeclaredModels []Model
+	// ModelsByHost maps hostnames to their specific model lists for per-host filtering.
+	ModelsByHost map[string][]Model
 	// Backends is the map of backends by name.
 	Backends map[string]*RuntimeBackend
 }
@@ -87,5 +89,6 @@ func NewRuntimeConfig(ctx context.Context, config *Config, fn NewBackendAuthHand
 		Backends:       backends,
 		RequestCosts:   costs,
 		DeclaredModels: config.Models,
+		ModelsByHost:   config.ModelsByHost,
 	}, nil
 }

internal/filterapi/runtime.go

@@ -68,6 +68,32 @@ spec:
           spec:
             description: Spec defines the details of the AIGatewayRoute.
             properties:
+              hostnames:
+                description: |-
+                  Hostnames defines a set of hostnames that should be matched against the HTTP Host header
+                  before applying rules. This maps directly to HTTPRoute.Spec.Hostnames.
+                items:
+                  description: |-
+                    Hostname is the fully qualified domain name of a network host. This matches
+                    the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+                     1. IPs are not allowed.
+                     2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+                        label must appear by itself as the first label.
+
+                    Hostname can be "precise" which is a domain name without the terminating
+                    dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
+                    domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+
+                    Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
+                    alphanumeric characters or '-', and must start and end with an alphanumeric
+                    character. No other punctuation is allowed.
+                  maxLength: 253
+                  minLength: 1
+                  pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                  type: string
+                maxItems: 16
+                type: array
               llmRequestCosts:
                 description: "LLMRequestCosts specifies how to capture the cost of
                   the LLM-related request, notably the token usage.\nThe AI Gateway