[Feat] Translate BackendConfigPolicy TLS certs for AgentGateway

api/v1alpha1/backend_config_policy_types.go

@@ -41,12 +41,12 @@ type BackendConfigPolicySpec struct {
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=16
 	// +kubebuilder:validation:XValidation:rule="self.all(r, (r.group == '' && r.kind == 'Service') || (r.group == 'gateway.kgateway.dev' && r.kind == 'Backend'))",message="TargetRefs must reference either a Kubernetes Service or a Backend API"
-	TargetRefs []LocalPolicyTargetReference `json:"targetRefs,omitempty"`
+	TargetRefs []LocalPolicyTargetReferenceWithSectionName `json:"targetRefs,omitempty"`
 
 	// TargetSelectors specifies the target selectors to select resources to attach the policy to.
 	// +optional
 	// +kubebuilder:validation:XValidation:rule="self.all(r, (r.group == '' && r.kind == 'Service') || (r.group == 'gateway.kgateway.dev' && r.kind == 'Backend'))",message="TargetSelectors must reference either a Kubernetes Service or a Backend API"
-	TargetSelectors []LocalPolicyTargetSelector `json:"targetSelectors,omitempty"`
+	TargetSelectors []LocalPolicyTargetSelectorWithSectionName `json:"targetSelectors,omitempty"`
 
 	// The timeout for new network connections to hosts in the cluster.
 	// +optional

install/helm/kgateway-crds/templates/gateway.kgateway.dev_backendconfigpolicies.yaml

@@ -662,7 +662,7 @@ spec:
                   the policy to.
                 items:
                   description: |-
-                    Select the object to attach the policy by Group, Kind, and Name.
+                    Select the object to attach the policy by Group, Kind, Name and SectionName.
                     The object must be in the same namespace as the policy.
                     You can target only one object at a time.
                   properties:
@@ -686,6 +686,12 @@ spec:
                       maxLength: 253
                       minLength: 1
                       type: string
+                    sectionName:
+                      description: The section name of the target resource.
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
                   required:
                   - group
                   - kind
@@ -704,7 +710,7 @@ spec:
                   resources to attach the policy to.
                 items:
                   description: |-
-                    LocalPolicyTargetSelector selects the object to attach the policy by Group, Kind, and MatchLabels.
+                    LocalPolicyTargetSelectorWithSectionName the object to attach the policy by Group, Kind, MatchLabels, and optionally SectionName.
                     The object must be in the same namespace as the policy and match the
                     specified labels.
                     Do not use targetSelectors when reconciliation times are critical, especially if you
@@ -731,6 +737,12 @@ spec:
                         type: string
                       description: Label selector to select the target resource.
                       type: object
+                    sectionName:
+                      description: The section name of the target resource.
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
                   required:
                   - group
                   - kind

internal/kgateway/agentgatewaysyncer/status/collection.go

@@ -115,6 +115,8 @@ func enqueueStatus[T any](sw WorkerQueue, obj controllers.Object, ws T) {
 		res.GroupVersionKind = wellknown.TrafficPolicyGVK
 	case *gwxv1a1.XListenerSet:
 		res.GroupVersionKind = wellknown.XListenerSetGVK
+	case *v1alpha1.BackendConfigPolicy:
+		res.GroupVersionKind = wellknown.BackendConfigPolicyGVK
 	default:
 		log.Fatalf("enqueueStatus unknown type %T", t)
 	}

internal/kgateway/agentgatewaysyncer/status_syncer.go

@@ -39,7 +39,8 @@ const (
 type AgentGwStatusSyncer struct {
 	client kube.Client
 
-	trafficPolicies StatusSyncer[*v1alpha1.TrafficPolicy, *gwv1.PolicyStatus]
+	trafficPolicies       StatusSyncer[*v1alpha1.TrafficPolicy, *gwv1.PolicyStatus]
+	backendConfigPolicies StatusSyncer[*v1alpha1.BackendConfigPolicy, *gwv1.PolicyStatus]
 
 	// Configuration
 	controllerName string
@@ -144,6 +145,16 @@ func NewAgwStatusSyncer(
 				}
 			},
 		},
+		backendConfigPolicies: StatusSyncer[*v1alpha1.BackendConfigPolicy, *gwv1.PolicyStatus]{
+			name:   "backendConfigPolicy",
+			client: kclient.NewFilteredDelayed[*v1alpha1.BackendConfigPolicy](client, wellknown.BackendConfigPolicyGVR, f),
+			build: func(om metav1.ObjectMeta, s *gwv1.PolicyStatus) *v1alpha1.BackendConfigPolicy {
+				return &v1alpha1.BackendConfigPolicy{
+					ObjectMeta: om,
+					Status:     *s,
+				}
+			},
+		},
 	}
 
 	return syncer
@@ -198,6 +209,8 @@ func (s *AgentGwStatusSyncer) SyncStatus(ctx context.Context, resource status.Re
 		s.httpRoutes.ApplyStatus(ctx, resource, statusObj)
 	case wellknown.TrafficPolicyGVK:
 		s.trafficPolicies.ApplyStatus(ctx, resource, statusObj)
+	case wellknown.BackendConfigPolicyGVK:
+		s.backendConfigPolicies.ApplyStatus(ctx, resource, statusObj)
 	default:
 		log.Fatalf("SyncStatus: unknown resource type: %v", resource.GroupVersionKind)
 	}

internal/kgateway/extensions2/plugins/backendconfigpolicy/plugin.go

@@ -149,7 +149,7 @@ func NewPlugin(ctx context.Context, commoncol *collections.CommonCollections, v
 			},
 			Policy:     b,
 			PolicyIR:   policyIR,
-			TargetRefs: pluginsdkutils.TargetRefsToPolicyRefs(b.Spec.TargetRefs, b.Spec.TargetSelectors),
+			TargetRefs: pluginsdkutils.TargetRefsToPolicyRefsWithSectionName(b.Spec.TargetRefs, b.Spec.TargetSelectors),
 			Errors:     errs,
 		}
 	}, commoncol.KrtOpts.ToOptions("BackendConfigPolicyIRs")...)