update tests

Signed-off-by: Aaron Choo <achoo30@bloomberg.net>

internal/controller/ai_gateway_route.go

@@ -3,6 +3,7 @@ package controller
 import (
 	"context"
 	"fmt"
+
 	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 	"github.com/go-logr/logr"
 	appsv1 "k8s.io/api/apps/v1"

internal/controller/backend_security_policy.go

@@ -2,12 +2,14 @@ package controller
 
 import (
 	"context"
-	"github.com/envoyproxy/ai-gateway/api/v1alpha1"
+
 	"github.com/go-logr/logr"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/client-go/kubernetes"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	aigv1a1 "github.com/envoyproxy/ai-gateway/api/v1alpha1"
 )
 
 // TODO-AC: rewrite
@@ -34,7 +36,7 @@ func newBackendSecurityPolicyController(client client.Client, kube kubernetes.In
 
 // Reconcile implements the [reconcile.TypedReconciler] for [aigv1a1.BackendSecurityPolicy].
 func (b backendSecurityPolicyController) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-	var backendSecurityPolicy v1alpha1.BackendSecurityPolicy
+	var backendSecurityPolicy aigv1a1.BackendSecurityPolicy
 	if err := b.client.Get(ctx, req.NamespacedName, &backendSecurityPolicy); err != nil {
 		if errors.IsNotFound(err) {
 			ctrl.Log.Info("Deleting Backend Security Policy",

internal/controller/backend_security_policy_test.go

@@ -2,15 +2,17 @@ package controller
 
 import (
 	"context"
-	aigv1a1 "github.com/envoyproxy/ai-gateway/api/v1alpha1"
+	"testing"
+
 	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	fake2 "k8s.io/client-go/kubernetes/fake"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"testing"
+
+	aigv1a1 "github.com/envoyproxy/ai-gateway/api/v1alpha1"
 )
 
 func TestBackendSecurityController_Reconcile(t *testing.T) {

internal/controller/sink.go

@@ -3,10 +3,10 @@ package controller
 import (
 	"context"
 	"fmt"
-	appsv1 "k8s.io/api/apps/v1"
-	corev1 "k8s.io/api/core/v1"
 
 	"github.com/go-logr/logr"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/utils/ptr"
@@ -23,7 +23,7 @@ const selectedBackendHeaderKey = "x-envoy-ai-gateway-selected-backend"
 // MountedExtProcSecretPath specifies the secret file mounted on the external proc. The idea is to update the mounted
 //
 //	secret with backendSecurityPolicy auth instead of mounting new secret files to the external proc.
-const MountedExtProcSecretPath = "/etc/backend_security_policy"
+const MountedExtProcSecretPath = "/etc/backend_security_policy" // #nosec G101
 
 // ConfigSinkEvent is the interface for the events that the configSink can handle.
 // It can be either an AIServiceBackend, an AIGatewayRoute, or a deletion event.
@@ -156,6 +156,13 @@ func (c *configSink) syncAIGatewayRoute(aiGatewayRoute *aigv1a1.AIGatewayRoute)
 		c.logger.Error(err, "failed to update extproc configmap", "namespace", aiGatewayRoute.Namespace, "name", aiGatewayRoute.Name)
 		return
 	}
+
+	// Deploy extproc deployment with potential updates.
+	err = c.syncExtProcDeployment(context.Background(), aiGatewayRoute)
+	if err != nil {
+		c.logger.Error(err, "failed to deploy ext proc", "namespace", aiGatewayRoute.Namespace, "name", aiGatewayRoute.Name)
+		return
+	}
 }
 
 func (c *configSink) syncAIServiceBackend(aiBackend *aigv1a1.AIServiceBackend) {
@@ -221,7 +228,6 @@ func (c *configSink) updateExtProcConfigMap(aiGatewayRoute *aigv1a1.AIGatewayRou
 			if bspRef := backendObj.Spec.BackendSecurityPolicyRef; bspRef != nil {
 				bspKey := fmt.Sprintf("%s.%s", bspRef.Name, aiGatewayRoute.Namespace)
 				backendSecurityPolicy, err := c.backendSecurityPolicy(aiGatewayRoute.Namespace, string(bspRef.Name))
-
 				if err != nil {
 					return fmt.Errorf("failed to get BackendSecurityPolicy %s: %w", bspRef.Name, err)
 				}

internal/controller/sink_test.go

@@ -27,7 +27,7 @@ func TestConfigSink_init(t *testing.T) {
 	kube := fake2.NewClientset()
 
 	eventChan := make(chan ConfigSinkEvent)
-	s := newConfigSink(fakeClient, kube, logr.Discard(), eventChan)
+	s := newConfigSink(fakeClient, kube, logr.Discard(), eventChan, "defaultExtProcImage")
 	require.NotNil(t, s)
 }
 
@@ -36,7 +36,7 @@ func TestConfigSink_syncAIGatewayRoute(t *testing.T) {
 	kube := fake2.NewClientset()
 
 	eventChan := make(chan ConfigSinkEvent, 10)
-	s := newConfigSink(fakeClient, kube, logr.FromSlogHandler(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{})), eventChan)
+	s := newConfigSink(fakeClient, kube, logr.FromSlogHandler(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{})), eventChan, "defaultExtProcImage")
 	require.NotNil(t, s)
 
 	for _, backend := range []*aigv1a1.AIServiceBackend{
@@ -100,14 +100,21 @@ func TestConfigSink_syncAIGatewayRoute(t *testing.T) {
 func TestConfigSink_syncAIServiceBackend(t *testing.T) {
 	eventChan := make(chan ConfigSinkEvent)
 	fakeClient := fake.NewClientBuilder().WithScheme(scheme).Build()
-	s := newConfigSink(fakeClient, nil, logr.Discard(), eventChan)
+	s := newConfigSink(fakeClient, nil, logr.Discard(), eventChan, "defaultExtProcImage")
 	s.syncAIServiceBackend(&aigv1a1.AIServiceBackend{ObjectMeta: metav1.ObjectMeta{Name: "apple", Namespace: "ns1"}})
 }
 
+func TestConfigSink_syncBackendSecurityPolicy(t *testing.T) {
+	eventChan := make(chan ConfigSinkEvent)
+	fakeClient := fake.NewClientBuilder().WithScheme(scheme).Build()
+	s := newConfigSink(fakeClient, nil, logr.Discard(), eventChan, "defaultExtProcImage")
+	s.syncBackendSecurityPolicy(&aigv1a1.BackendSecurityPolicy{ObjectMeta: metav1.ObjectMeta{Name: "apple", Namespace: "ns1"}})
+}
+
 func Test_newHTTPRoute(t *testing.T) {
 	eventChan := make(chan ConfigSinkEvent)
 	fakeClient := fake.NewClientBuilder().WithScheme(scheme).Build()
-	s := newConfigSink(fakeClient, nil, logr.Discard(), eventChan)
+	s := newConfigSink(fakeClient, nil, logr.Discard(), eventChan, "defaultExtProcImage")
 	httpRoute := &gwapiv1.HTTPRoute{
 		ObjectMeta: metav1.ObjectMeta{Name: "route1", Namespace: "ns1"},
 		Spec:       gwapiv1.HTTPRouteSpec{},
@@ -210,21 +217,41 @@ func Test_updateExtProcConfigMap(t *testing.T) {
 	kube := fake2.NewClientset()
 
 	eventChan := make(chan ConfigSinkEvent)
-	s := newConfigSink(fakeClient, kube, logr.Discard(), eventChan)
+	s := newConfigSink(fakeClient, kube, logr.Discard(), eventChan, "defaultExtProcImage")
+	err := fakeClient.Create(context.Background(), &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "some-secret-policy"}})
+	require.NoError(t, err)
+
+	for _, bsp := range []*aigv1a1.BackendSecurityPolicy{
+		{
+			ObjectMeta: metav1.ObjectMeta{Name: "some-backend-security-policy-1", Namespace: "ns"},
+			Spec: aigv1a1.BackendSecurityPolicySpec{
+				Type: aigv1a1.BackendSecurityPolicyTypeAPIKey,
+				APIKey: &aigv1a1.BackendSecurityPolicyAPIKey{
+					SecretRef: &gwapiv1.SecretObjectReference{Name: "some-secret-policy", Namespace: ptr.To[gwapiv1.Namespace]("ns")},
+				},
+			},
+		},
+	} {
+		err := fakeClient.Create(context.Background(), bsp, &client.CreateOptions{})
+		require.NoError(t, err)
+	}
+
 	for _, b := range []*aigv1a1.AIServiceBackend{
 		{
 			ObjectMeta: metav1.ObjectMeta{Name: "apple", Namespace: "ns"},
 			Spec: aigv1a1.AIServiceBackendSpec{
 				APISchema: aigv1a1.VersionedAPISchema{
 					Schema: aigv1a1.APISchemaAWSBedrock,
 				},
-				BackendRef: gwapiv1.BackendObjectReference{Name: "some-backend1", Namespace: ptr.To[gwapiv1.Namespace]("ns")},
+				BackendRef:               gwapiv1.BackendObjectReference{Name: "some-backend1", Namespace: ptr.To[gwapiv1.Namespace]("ns")},
+				BackendSecurityPolicyRef: &gwapiv1.LocalObjectReference{Name: "some-backend-security-policy-1"},
 			},
 		},
 		{
 			ObjectMeta: metav1.ObjectMeta{Name: "cat", Namespace: "ns"},
 			Spec: aigv1a1.AIServiceBackendSpec{
-				BackendRef: gwapiv1.BackendObjectReference{Name: "some-backend2", Namespace: ptr.To[gwapiv1.Namespace]("ns")},
+				BackendRef:               gwapiv1.BackendObjectReference{Name: "some-backend2", Namespace: ptr.To[gwapiv1.Namespace]("ns")},
+				BackendSecurityPolicyRef: &gwapiv1.LocalObjectReference{Name: "some-backend-security-policy-1"},
 			},
 		},
 		{
@@ -276,13 +303,24 @@ func Test_updateExtProcConfigMap(t *testing.T) {
 				Rules: []filterconfig.RouteRule{
 					{
 						Backends: []filterconfig.Backend{
-							{Name: "apple.ns", Weight: 1, OutputSchema: filterconfig.VersionedAPISchema{Schema: filterconfig.APISchemaAWSBedrock}}, {Name: "pineapple.ns", Weight: 2},
+							{Name: "apple.ns", Weight: 1, OutputSchema: filterconfig.VersionedAPISchema{Schema: filterconfig.APISchemaAWSBedrock}, Auth: &filterconfig.BackendAuth{
+								Type: filterconfig.AuthTypeAPIKey,
+								APIKey: &filterconfig.APIKeyAuth{
+									Filename: "/etc/backend_security_policy/some-backend-security-policy-1.ns",
+								},
+							}},
+							{Name: "pineapple.ns", Weight: 2},
 						},
 						Headers: []filterconfig.HeaderMatch{{Name: aigv1a1.AIModelHeaderKey, Value: "some-ai"}},
 					},
 					{
-						Backends: []filterconfig.Backend{{Name: "cat.ns", Weight: 1}},
-						Headers:  []filterconfig.HeaderMatch{{Name: aigv1a1.AIModelHeaderKey, Value: "another-ai"}},
+						Backends: []filterconfig.Backend{{Name: "cat.ns", Weight: 1, Auth: &filterconfig.BackendAuth{
+							Type: filterconfig.AuthTypeAPIKey,
+							APIKey: &filterconfig.APIKeyAuth{
+								Filename: "/etc/backend_security_policy/some-backend-security-policy-1.ns",
+							},
+						}}},
+						Headers: []filterconfig.HeaderMatch{{Name: aigv1a1.AIModelHeaderKey, Value: "another-ai"}},
 					},
 				},
 			},
@@ -309,6 +347,55 @@ func Test_updateExtProcConfigMap(t *testing.T) {
 	}
 }
 
-// Add test for checking mounted security policy on new backend security policy
+// TODO-AC: Finish this test case
+// func TestConfigSink_SyncExtProcDeployment(t *testing.T) {
+//	fakeClient := fake.NewClientBuilder().WithScheme(scheme).Build()
+//	kube := fake2.NewClientset()
+//	eventChan := make(chan ConfigSinkEvent)
+//
+//	ownerRef := []metav1.OwnerReference{{APIVersion: "v1", Kind: "Kind", Name: "Name"}}
+//	s := newConfigSink(fakeClient, kube, logr.Discard(), eventChan, "defaultExtProcImage")
+//	require.NotNil(t, s)
+//
+//	// TODO-AC: add backends
+//	aiGatewayRoute := &aigv1a1.AIGatewayRoute{
+//		ObjectMeta: metav1.ObjectMeta{Name: "myroute", Namespace: "default"},
+//		Spec: aigv1a1.AIGatewayRouteSpec{
+//			FilterConfig: &aigv1a1.AIGatewayFilterConfig{
+//				Type: aigv1a1.AIGatewayFilterConfigTypeExternalProcess,
+//				ExternalProcess: &aigv1a1.AIGatewayFilterConfigExternalProcess{
+//					Replicas: ptr.To[int32](123),
+//					Resources: &corev1.ResourceRequirements{
+//						Limits: corev1.ResourceList{
+//							corev1.ResourceCPU:    resource.MustParse("200m"),
+//							corev1.ResourceMemory: resource.MustParse("100Mi"),
+//						},
+//					},
+//				},
+//			},
+//		},
+//	}
+//
+//	// Create the deployment
+//
+//	// Check
+//	deployment, err := s.kube.AppsV1().Deployments("default").Get(context.Background(), extProcName(aiGatewayRoute), metav1.GetOptions{})
+//	require.NoError(t, err)
+//	require.Equal(t, extProcName(aiGatewayRoute), deployment.Name)
+//	require.Equal(t, int32(123), *deployment.Spec.Replicas)
+//	require.Equal(t, ownerRef, deployment.OwnerReferences)
+//	require.Equal(t, corev1.ResourceRequirements{
+//		Limits: corev1.ResourceList{
+//			corev1.ResourceCPU:    resource.MustParse("200m"),
+//			corev1.ResourceMemory: resource.MustParse("100Mi"),
+//		},
+//	}, deployment.Spec.Template.Spec.Containers[0].Resources)
+//	service, err := s.kube.CoreV1().Services("default").Get(context.Background(), extProcName(aiGatewayRoute), metav1.GetOptions{})
+//	require.NoError(t, err)
+//	require.Equal(t, extProcName(aiGatewayRoute), service.Name)
+//}
 
-// Add test for new security policy needed to be mounted/unmounted
+func Test_GetBackendSecurityMountPath(t *testing.T) {
+	mountPath := getBackendSecurityMountPath("policyName")
+	require.Equal(t, "/etc/backend_security_policy/policyName", mountPath)
+}

internal/extproc/backendauth/api_key.go

@@ -2,10 +2,12 @@ package backendauth
 
 import (
 	"fmt"
-	"github.com/envoyproxy/ai-gateway/filterconfig"
+	"os"
+
 	corev3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	extprocv3 "github.com/envoyproxy/go-control-plane/envoy/service/ext_proc/v3"
-	"os"
+
+	"github.com/envoyproxy/ai-gateway/filterconfig"
 )
 
 // apiKeyHandler implements [Handler] for api key authz.

tests/controller/controller_test.go

@@ -219,12 +219,8 @@ func TestStartControllers(t *testing.T) {
 
 func TestAIGatewayRouteController(t *testing.T) {
 	c, cfg, k := tests.NewEnvTest(t)
-	opts := controller.Options{
-		ExtProcImage:         "envoyproxy/ai-gateway-extproc:foo",
-		EnableLeaderElection: false,
-	}
 	ch := make(chan controller.ConfigSinkEvent)
-	rc := controller.NewAIGatewayRouteController(c, k, logr.Discard(), opts, ch)
+	rc := controller.NewAIGatewayRouteController(c, k, logr.Discard(), ch)
 
 	opt := ctrl.Options{Scheme: c.Scheme(), LeaderElection: false, Controller: config.Controller{SkipNameValidation: ptr.To(true)}}
 	mgr, err := ctrl.NewManager(cfg, opt)