Adding more agw backend tests and return errors as part of status

Signed-off-by: Markus Kobler <[email protected]>

Author: markuskobler

pkg/agentgateway/plugins/backend_policies.go

@@ -93,7 +93,11 @@ func translateBackendPolicyToAgw(
 		}
 
 		if backend.MCP.Authentication != nil {
-			pol := translateBackendMCPAuthentication(ctx, policy, policyTarget)
+			pol, err := translateBackendMCPAuthentication(ctx, policy, policyTarget)
+			if err != nil {
+				logger.Error("error processing backend mcp auth", "err", err)
+				errs = append(errs, err)
+			}
 			agwPolicies = append(agwPolicies, pol...)
 		}
 	}
@@ -283,14 +287,14 @@ func translateBackendMCPAuthorization(policy *agentgateway.AgentgatewayPolicy, t
 	return []AgwPolicy{{Policy: mcpPolicy}}
 }
 
-func translateBackendMCPAuthentication(ctx PolicyCtx, policy *agentgateway.AgentgatewayPolicy, target *api.PolicyTarget) []AgwPolicy {
+func translateBackendMCPAuthentication(ctx PolicyCtx, policy *agentgateway.AgentgatewayPolicy, target *api.PolicyTarget) ([]AgwPolicy, error) {
 	backend := policy.Spec.Backend
 	if backend == nil || backend.MCP == nil || backend.MCP.Authentication == nil {
-		return nil
+		return nil, nil
 	}
 	authnPolicy := backend.MCP.Authentication
 	if authnPolicy == nil {
-		return nil
+		return nil, nil
 	}
 
 	idp := api.BackendPolicySpec_McpAuthentication_AUTH0
@@ -301,9 +305,10 @@ func translateBackendMCPAuthentication(ctx PolicyCtx, policy *agentgateway.Agent
 	translatedInlineJwks, err := resolveRemoteJWKSInline(ctx, authnPolicy.JWKS.JwksUri)
 	if err != nil {
 		logger.Error("failed resolving jwks", "jwks_uri", authnPolicy.JWKS.JwksUri, "error", err)
-		return nil
+		return nil, err
 	}
 
+	var errs []error
 	var extraResourceMetadata map[string]*structpb.Value
 	for k, v := range authnPolicy.ResourceMetadata {
 		if extraResourceMetadata == nil {
@@ -313,6 +318,7 @@ func translateBackendMCPAuthentication(ctx PolicyCtx, policy *agentgateway.Agent
 		pbVal, err := structpb.NewValue(v)
 		if err != nil {
 			logger.Error("error converting resource metadata", "key", k, "error", err)
+			errs = append(errs, err)
 			continue
 		}
 
@@ -345,7 +351,7 @@ func translateBackendMCPAuthentication(ctx PolicyCtx, policy *agentgateway.Agent
 		"policy", policy.Name,
 		"agentgateway_policy", mcpAuthnPolicy.Name)
 
-	return []AgwPolicy{{Policy: mcpAuthnPolicy}}
+	return []AgwPolicy{{Policy: mcpAuthnPolicy}}, errors.Join(errs...)
 }
 
 // translateBackendAI processes AI configuration and creates corresponding Agw policies

pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/ai-auth-secret-ref-not-found.yaml

@@ -0,0 +1,24 @@
+apiVersion: agentgateway.dev/v1alpha1
+kind: AgentgatewayBackend
+metadata:
+  namespace: default
+  name: openai-backend
+spec:
+  ai:
+    provider:
+      openai:
+        model: gpt-4
+  policies:
+    auth:
+      secretRef:
+        name: missing-secret
+---
+# Output
+output: []
+status:
+  conditions:
+  - lastTransitionTime: fake
+    message: failed to translate backend secret default/missing-secret not found
+    reason: TranslationError
+    status: "False"
+    type: Accepted

…end/testdata/backend/backend-secret.yaml …testdata/backend/ai-auth-secret-ref.yamlpkg/kgateway/agentgatewaysyncer/backend/testdata/backend/backend-secret.yaml renamed to pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/ai-auth-secret-ref.yaml pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/backend-secret.yaml renamed to pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/ai-auth-secret-ref.yaml

@@ -1,8 +1,8 @@
 apiVersion: agentgateway.dev/v1alpha1
 kind: AgentgatewayBackend
 metadata:
-  name: anthropic-backend
   namespace: default
+  name: anthropic-backend
 spec:
   ai:
     provider:
@@ -23,25 +23,21 @@ data:
 ---
 # Output
 output:
-- gateway:
-    Name: ""
-    Namespace: ""
-  resource:
-    backend:
-      ai:
-        providerGroups:
-        - providers:
-          - anthropic:
-              model: claude-4-5-sonnet
-            name: backend
-      inlinePolicies:
-      - auth:
-          key:
-            secret: test
-      key: default/anthropic-backend
-      name:
-        name: anthropic-backend
-        namespace: default
+- backend:
+    ai:
+      providerGroups:
+      - providers:
+        - anthropic:
+            model: claude-4-5-sonnet
+          name: backend
+    inlinePolicies:
+    - auth:
+        key:
+          secret: test
+    key: default/anthropic-backend
+    name:
+      name: anthropic-backend
+      namespace: default
 status:
   conditions:
   - lastTransitionTime: fake

pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/ai-priority-groups-secret-ref.yaml

@@ -0,0 +1,71 @@
+apiVersion: agentgateway.dev/v1alpha1
+kind: AgentgatewayBackend
+metadata:
+  namespace: default
+  name: ai-priority-with-secret
+spec:
+  ai:
+    groups:
+    - providers:
+      - name: openai-secure
+        openai:
+          model: gpt-4o
+        policies:
+          auth:
+            secretRef:
+              name: openai-secret
+      - name: anthropic-secure
+        anthropic:
+          model: claude-3-5-sonnet
+        policies:
+          auth:
+            secretRef:
+              name: anthropic-secret
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: openai-secret
+  namespace: default
+data:
+  Authorization: QmVhcmVyIHRlc3Q=
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: anthropic-secret
+  namespace: default
+data:
+  Authorization: QmVhcmVyIHRlc3Q=
+---
+# Output
+output:
+- backend:
+    ai:
+      providerGroups:
+      - providers:
+        - inlinePolicies:
+          - auth:
+              key:
+                secret: test
+          name: openai-secure
+          openai:
+            model: gpt-4o
+        - anthropic:
+            model: claude-3-5-sonnet
+          inlinePolicies:
+          - auth:
+              key:
+                secret: test
+          name: anthropic-secure
+    key: default/ai-priority-with-secret
+    name:
+      name: ai-priority-with-secret
+      namespace: default
+status:
+  conditions:
+  - lastTransitionTime: fake
+    message: Backend successfully accepted
+    reason: Accepted
+    status: "True"
+    type: Accepted

pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/ai-priority-groups.yaml

@@ -0,0 +1,63 @@
+apiVersion: agentgateway.dev/v1alpha1
+kind: AgentgatewayBackend
+metadata:
+  namespace: default
+  name: multi-providers
+spec:
+  ai:
+    groups:
+    - providers:
+      - name: openai
+        openai:
+          model: gpt-4o
+      - name: anthropic
+        anthropic:
+          model: claude-3-5-sonnet
+      - name: gemini
+        gemini:
+          model: gemini-1.5-pro
+      - name: vertex
+        vertexai:
+          model: gemini-pro
+          region: us-west1
+          projectId: my-gcp-project
+      - name: bedrock
+        bedrock:
+          model: anthropic.claude-3-sonnet-20240229-v1:0
+          region: us-east-1
+---
+# Output
+output:
+- backend:
+    ai:
+      providerGroups:
+      - providers:
+        - name: openai
+          openai:
+            model: gpt-4o
+        - anthropic:
+            model: claude-3-5-sonnet
+          name: anthropic
+        - gemini:
+            model: gemini-1.5-pro
+          name: gemini
+        - name: vertex
+          vertex:
+            model: gemini-pro
+            projectId: my-gcp-project
+            region: us-west1
+        - bedrock:
+            model: anthropic.claude-3-sonnet-20240229-v1:0
+            region: us-east-1
+          name: bedrock
+    key: default/multi-providers
+    name:
+      name: multi-providers
+      namespace: default
+status:
+  conditions:
+  - lastTransitionTime: fake
+    message: Backend successfully accepted
+    reason: Accepted
+    status: "True"
+    type: Accepted

pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/ai-webhook-backend-ref-not-found.yaml

@@ -0,0 +1,35 @@
+apiVersion: agentgateway.dev/v1alpha1
+kind: AgentgatewayBackend
+metadata:
+  namespace: default
+  name: anthropic-backend
+spec:
+  ai:
+    provider:
+      anthropic:
+        model: claude-4-5-sonnet
+  policies:
+    ai:
+      promptGuard:
+        request:
+        - webhook:
+            backendRef:
+              name: invalid-request-ref
+              port: 123
+        response:
+        - webhook:
+            backendRef:
+              name: invalid-response-ref
+              port: 456
+---
+# Output
+output: []
+status:
+  conditions:
+  - lastTransitionTime: fake
+    message: |-
+      failed to translate backend failed to build webhook: unable to find the Service default/invalid-request-ref
+      failed to build webhook: unable to find the Service default/invalid-response-ref
+    reason: TranslationError
+    status: "False"
+    type: Accepted

pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/backend-secret-not-found.yaml

@@ -0,0 +1,30 @@
+apiVersion: agentgateway.dev/v1alpha1
+kind: AgentgatewayBackend
+metadata:
+  namespace: default
+  name: dynamic-backend-with-auth
+spec:
+  dynamicForwardProxy: {}
+  policies:
+    auth:
+      key: sk-test-token
+---
+# Output
+output:
+- backend:
+    dynamic: {}
+    inlinePolicies:
+    - auth:
+        key:
+          secret: sk-test-token
+    key: default/dynamic-backend-with-auth
+    name:
+      name: dynamic-backend-with-auth
+      namespace: default
+status:
+  conditions:
+  - lastTransitionTime: fake
+    message: Backend successfully accepted
+    reason: Accepted
+    status: "True"
+    type: Accepted