Adding more agw backend tests

Signed-off-by: Markus Kobler <[email protected]>

Author: markuskobler

pkg/agentgateway/plugins/backend_policies.go

@@ -93,7 +93,11 @@ func translateBackendPolicyToAgw(
 		}
 
 		if backend.MCP.Authentication != nil {
-			pol := translateBackendMCPAuthentication(ctx, policy, policyTarget)
+			pol, err := translateBackendMCPAuthentication(ctx, policy, policyTarget)
+			if err != nil {
+				logger.Error("error processing backend mcp auth", "err", err)
+				errs = append(errs, err)
+			}
 			agwPolicies = append(agwPolicies, pol...)
 		}
 	}
@@ -280,14 +284,14 @@ func translateBackendMCPAuthorization(policy *agentgateway.AgentgatewayPolicy, t
 	return []AgwPolicy{{Policy: mcpPolicy}}
 }
 
-func translateBackendMCPAuthentication(ctx PolicyCtx, policy *agentgateway.AgentgatewayPolicy, target *api.PolicyTarget) []AgwPolicy {
+func translateBackendMCPAuthentication(ctx PolicyCtx, policy *agentgateway.AgentgatewayPolicy, target *api.PolicyTarget) ([]AgwPolicy, error) {
 	backend := policy.Spec.Backend
 	if backend == nil || backend.MCP == nil || backend.MCP.Authentication == nil {
-		return nil
+		return nil, nil
 	}
 	authnPolicy := backend.MCP.Authentication
 	if authnPolicy == nil {
-		return nil
+		return nil, nil
 	}
 
 	idp := api.BackendPolicySpec_McpAuthentication_AUTH0
@@ -298,9 +302,10 @@ func translateBackendMCPAuthentication(ctx PolicyCtx, policy *agentgateway.Agent
 	translatedInlineJwks, err := resolveRemoteJWKSInline(ctx, authnPolicy.JWKS.JwksUri)
 	if err != nil {
 		logger.Error("failed resolving jwks", "jwks_uri", authnPolicy.JWKS.JwksUri, "error", err)
-		return nil
+		return nil, err
 	}
 
+	var errs []error
 	var extraResourceMetadata map[string]*structpb.Value
 	for k, v := range authnPolicy.ResourceMetadata {
 		if extraResourceMetadata == nil {
@@ -310,6 +315,7 @@ func translateBackendMCPAuthentication(ctx PolicyCtx, policy *agentgateway.Agent
 		pbVal, err := structpb.NewValue(v)
 		if err != nil {
 			logger.Error("error converting resource metadata", "key", k, "error", err)
+			errs = append(errs, err)
 			continue
 		}
 
@@ -341,7 +347,7 @@ func translateBackendMCPAuthentication(ctx PolicyCtx, policy *agentgateway.Agent
 		"policy", policy.Name,
 		"agentgateway_policy", mcpAuthnPolicy.Name)
 
-	return []AgwPolicy{{Policy: mcpAuthnPolicy}}
+	return []AgwPolicy{{Policy: mcpAuthnPolicy}}, errors.Join(errs...)
 }
 
 // translateBackendAI processes AI configuration and creates corresponding Agw policies

…ta/backend/backend-secret-not-found.yaml …ackend/ai-auth-secret-ref-not-found.yamlpkg/kgateway/agentgatewaysyncer/backend/testdata/backend/backend-secret-not-found.yaml renamed to pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/ai-auth-secret-ref-not-found.yaml pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/backend-secret-not-found.yaml renamed to pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/ai-auth-secret-ref-not-found.yaml

@@ -1,17 +1,17 @@
 apiVersion: agentgateway.dev/v1alpha1
 kind: AgentgatewayBackend
 metadata:
-  name: openai-backend
   namespace: default
+  name: openai-backend
 spec:
-  policies:
-    auth:
-      secretRef:
-        name: missing-secret
   ai:
     provider:
       openai:
         model: gpt-4
+  policies:
+    auth:
+      secretRef:
+        name: missing-secret
 ---
 # Output
 output:

…end/testdata/backend/backend-secret.yaml …testdata/backend/ai-auth-secret-ref.yamlpkg/kgateway/agentgatewaysyncer/backend/testdata/backend/backend-secret.yaml renamed to pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/ai-auth-secret-ref.yaml pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/backend-secret.yaml renamed to pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/ai-auth-secret-ref.yaml

@@ -1,8 +1,8 @@
 apiVersion: agentgateway.dev/v1alpha1
 kind: AgentgatewayBackend
 metadata:
-  name: anthropic-backend
   namespace: default
+  name: anthropic-backend
 spec:
   ai:
     provider:

pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/ai-webhook-backend-ref-not-found.yaml

@@ -0,0 +1,51 @@
+apiVersion: agentgateway.dev/v1alpha1
+kind: AgentgatewayBackend
+metadata:
+  namespace: default
+  name: anthropic-backend
+spec:
+  ai:
+    provider:
+      anthropic:
+        model: claude-4-5-sonnet
+  policies:
+    ai:
+      promptGuard:
+        request:
+        - webhook:
+            backendRef:
+              name: invalid-request-ref
+              port: 123
+        response:
+        - webhook:
+            backendRef:
+              name: invalid-response-ref
+              port: 456
+---
+# Output
+output:
+- gateway:
+    Name: ""
+    Namespace: ""
+  resource:
+    backend:
+      ai:
+        providerGroups:
+        - providers:
+          - anthropic:
+              model: claude-4-5-sonnet
+            name: backend
+      inlinePolicies:
+      - ai:
+          promptGuard: {}
+      key: default/anthropic-backend
+      name:
+        name: anthropic-backend
+        namespace: default
+status:
+  conditions:
+  - lastTransitionTime: fake
+    message: Backend successfully accepted
+    reason: Accepted
+    status: "True"
+    type: Accepted

pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/mcp-authentication-jwks-store-init.yaml

@@ -0,0 +1,38 @@
+apiVersion: agentgateway.dev/v1alpha1
+kind: AgentgatewayBackend
+metadata:
+  namespace: default
+  name: mcp-backend
+spec:
+  mcp:
+    targets:
+    - name: mcp-example
+      selector:
+        namespaces:
+          matchLabels:
+            kubernetes.io/metadata.name: mcp-servers
+  policies:
+    mcp:
+      authentication:
+        jwks:
+          uri: http://store-uninitialized/
+---
+# Output
+output:
+- gateway:
+    Name: ""
+    Namespace: ""
+  resource:
+    backend:
+      key: default/mcp-backend
+      mcp: {}
+      name:
+        name: mcp-backend
+        namespace: default
+status:
+  conditions:
+  - lastTransitionTime: fake
+    message: Backend successfully accepted
+    reason: Accepted
+    status: "True"
+    type: Accepted

pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/static-auth-passthrough.yaml

@@ -0,0 +1,35 @@
+apiVersion: agentgateway.dev/v1alpha1
+kind: AgentgatewayBackend
+metadata:
+  namespace: default
+  name: static-backend
+spec:
+  static:
+    host: example.com
+    port: 8888
+  policies:
+    auth:
+      # kubebuilder:validate allows this but `translateBackendAuth` exepects "inline key or secretRef"
+      passthrough: {}
+---
+# Output
+output:
+- gateway:
+    Name: ""
+    Namespace: ""
+  resource:
+    backend:
+      key: default/static-backend
+      name:
+        name: static-backend
+        namespace: default
+      static:
+        host: example.com
+        port: 8888
+status:
+  conditions:
+  - lastTransitionTime: fake
+    message: Backend successfully accepted
+    reason: Accepted
+    status: "True"
+    type: Accepted

pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/static-secrets-not-found.yaml

@@ -0,0 +1,35 @@
+apiVersion: agentgateway.dev/v1alpha1
+kind: AgentgatewayBackend
+metadata:
+  namespace: default
+  name: static-backend
+spec:
+  static:
+    host: example.com
+    port: 8888
+  policies:
+    auth:
+      secretRef:
+        name: missing-secret
+---
+# Output
+output:
+- gateway:
+    Name: ""
+    Namespace: ""
+  resource:
+    backend:
+      key: default/static-backend
+      name:
+        name: static-backend
+        namespace: default
+      static:
+        host: example.com
+        port: 8888
+status:
+  conditions:
+  - lastTransitionTime: fake
+    message: Backend successfully accepted
+    reason: Accepted
+    status: "True"
+    type: Accepted

pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/static-tls-ca-bundle-not-found.yaml

@@ -0,0 +1,39 @@
+apiVersion: agentgateway.dev/v1alpha1
+kind: AgentgatewayBackend
+metadata:
+  namespace: default
+  name: tls-backend
+spec:
+  static:
+    host: example.com
+    port: 8888
+  policies:
+    tls:
+      mtlsCertificateRef:
+      - name: unknown-mtls
+      caCertificateRefs:
+      - name: unknown-ca-bundle
+---
+# Output
+output:
+- gateway:
+    Name: ""
+    Namespace: ""
+  resource:
+    backend:
+      inlinePolicies:
+      - backendTls: {}
+      key: default/tls-backend
+      name:
+        name: tls-backend
+        namespace: default
+      static:
+        host: example.com
+        port: 8888
+status:
+  conditions:
+  - lastTransitionTime: fake
+    message: Backend successfully accepted
+    reason: Accepted
+    status: "True"
+    type: Accepted

pkg/kgateway/agentgatewaysyncer/backend/translate_test.go

@@ -723,7 +723,7 @@ func createMockMCPService(namespace, serviceName, labels string) *corev1.Service
 	return mockService
 }
 
-// createMockServiceCollectionMultiNamespace creates a mock service collection with services in multiple namespaces
+// createMockMultipleNamespaceServices creates a mock service collection with services in multiple namespaces
 func createMockMultipleNamespaceServices() []any {
 	services := []any{
 		&corev1.Service{