diff --git a/api/tests/testdata/agentgateway_policy_valid.yaml b/api/tests/testdata/agentgateway_policy_valid.yaml index 50bf66a0b86..038321e5d48 100644 --- a/api/tests/testdata/agentgateway_policy_valid.yaml +++ b/api/tests/testdata/agentgateway_policy_valid.yaml @@ -287,9 +287,10 @@ spec: name: auth-server kind: Service port: 123 - contextExtensions: - env: production - region: us-west + grpc: + contextExtensions: + env: production + region: us-west --- apiVersion: agentgateway.dev/v1alpha1 kind: AgentgatewayPolicy @@ -302,6 +303,7 @@ spec: name: dummy traffic: extAuth: + grpc: {} backendRef: name: auth-server kind: AgentgatewayBackend @@ -599,6 +601,7 @@ spec: name: auth-server kind: Service port: 8888 + grpc: {} rateLimit: local: - requests: 100 diff --git a/api/v1alpha1/agentgateway/agentgateway_policy_types.go b/api/v1alpha1/agentgateway/agentgateway_policy_types.go index 99bbe9a2ba2..cd6efca79fb 100644 --- a/api/v1alpha1/agentgateway/agentgateway_policy_types.go +++ b/api/v1alpha1/agentgateway/agentgateway_policy_types.go @@ -963,6 +963,7 @@ type ExtProc struct { BackendRef gwv1.BackendObjectReference `json:"backendRef"` } +// +kubebuilder:validation:ExactlyOneOf=grpc;http type ExtAuth struct { // backendRef references the External Authorization server to reach. // 
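Review bot: The new `+kubebuilder:validation:ExactlyOneOf=grpc;http` marker on `ExtAuth` is covered only by valid fixtures in the part of the diff visible here; no negative case (both `grpc` and `http` set, or neither) appears. Since this rule is what stops an extAuth policy from being admitted without a protocol, add one rejected fixture for each of those two shapes so a regression in the generated CEL rule is caught. `ExtAuth` also has no type-level doc comment; a line such as `// ExtAuth configures external authorization; exactly one of grpc or http selects the protocol.` would surface the constraint in the API docs. The struct body continues outside this hunk.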
@@ -970,15 +971,80 @@ type ExtAuth struct { // +required BackendRef gwv1.BackendObjectReference `json:"backendRef"` + // grpc specifies that the gRPC External Authorization + // [protocol](https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto) should be used. + // +optional + GRPC *AgentExtAuthGRPC `json:"grpc,omitempty"` + + // http specifies that the HTTP protocol should be used for connecting to the authorization server. + // The authorization server must return a `200` status code, otherwise the request is considered an authorization failure. + // +optional + HTTP *AgentExtAuthHTTP `json:"http,omitempty"` + // forwardBody configures whether to include the HTTP body in the request. If enabled, the request body will be // buffered. // +optional ForwardBody *ExtAuthBody `json:"forwardBody,omitempty"` +} + +type AgentExtAuthHTTP struct { + // path specifies the path to send to the authorization server. If unset, this defaults to the original request path. + // This is a CEL expression, which allows customizing the path based on the incoming request. + // For example, to add a prefix: `path: '"/prefix/" + request.path'`. + // +optional + Path *shared.CELExpression `json:"path,omitempty"` + + // redirect defines an optional expression to determine a path to redirect to on authorization failure. + // This is useful to redirect to a sign-in page. + // +optional + Redirect *shared.CELExpression `json:"redirect,omitempty"` + + // allowedRequestHeaders specifies what additional headers from the client request + // will be sent to the authorization server. + // + // If unset, the following headers are sent by default: `Authorization`. + // + // +optional + // +kubebuilder:validation:MaxItems=64 + AllowedRequestHeaders []ShortString `json:"allowedRequestHeaders,omitempty"` - // contextExtensions specifies additional arbitrary key-value pairs to send to the authorization server. 
+ // addRequestHeaders specifies what additional headers to add to the request to the authorization server. + // While allowedRequestHeaders just passes the original headers through, addRequestHeaders allows defining custom headers + // based on CEL Expressions. + // + // +optional // +kubebuilder:validation:MaxProperties=64 + AddRequestHeaders map[string]shared.CELExpression `json:"addRequestHeaders,omitempty"` + + // allowedResponseHeaders specifies what headers from the authorization response + // will be copied into the request to the backend. + // + // +optional + // +kubebuilder:validation:MaxItems=64 + AllowedResponseHeaders []ShortString `json:"allowedResponseHeaders,omitempty"` + + // responseMetadata specifies what metadata fields should be constructed *from* the authorization response. These will be + // included under the `extauthz` variable in future CEL expressions. Setting this is useful to do things like logging + // usernames, without needing to include them as headers to the backend (as `allowedResponseHeaders` would). + // // +optional + // +kubebuilder:validation:MaxProperties=64 + ResponseMetadata map[string]shared.CELExpression `json:"responseMetadata,omitempty"` +} + +type AgentExtAuthGRPC struct { + // contextExtensions specifies additional arbitrary key-value pairs to send to the authorization server in the `context_extensions` field. + // + // +optional + // +kubebuilder:validation:MaxProperties=64 ContextExtensions map[string]string `json:"contextExtensions,omitempty"` + // requestMetadata specifies metadata to be sent *to* the authorization server. + // This maps to the `metadata_context.filter_metadata` field of the request, and allows dynamic CEL expressions. + // If unset, by default the `envoy.filters.http.jwt_authn` key is set if the JWT policy is used as well, for compatibility. 
+ // + // +optional + // +kubebuilder:validation:MaxProperties=64 + RequestMetadata map[string]shared.CELExpression `json:"requestMetadata,omitempty"` } type ExtAuthBody struct { diff --git a/api/v1alpha1/agentgateway/zz_generated.deepcopy.go b/api/v1alpha1/agentgateway/zz_generated.deepcopy.go index 45c59be8ea0..344f4783f45 100644 --- a/api/v1alpha1/agentgateway/zz_generated.deepcopy.go +++ b/api/v1alpha1/agentgateway/zz_generated.deepcopy.go 
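Review bot: The `allowedRequestHeaders` comment on `AgentExtAuthHTTP` is ambiguous about whether a non-empty list replaces the default `Authorization` header or adds to it: "additional headers" reads as additive, while "If unset, the following headers are sent by default" reads as a replacement. The translator in this commit copies the list verbatim into `IncludeRequestHeaders`, so the answer depends on the data plane; state it in the comment, e.g. `// When set, this list replaces the default, so include Authorization explicitly if the server needs it.` (or the additive wording, whichever is implemented). The `redirect` comment should add that the expression ought to produce a fixed or allow-listed path rather than echo request input, since a request-derived target is an open-redirect risk; whether the data plane constrains the result is not visible here. `AgentExtAuthHTTP` and `AgentExtAuthGRPC` also lack type-level doc comments.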
@@ -159,6 +159,84 @@ func (in *AccessLog) DeepCopy() *AccessLog { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AgentExtAuthGRPC) DeepCopyInto(out *AgentExtAuthGRPC) { + *out = *in + if in.ContextExtensions != nil { + in, out := &in.ContextExtensions, &out.ContextExtensions + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.RequestMetadata != nil { + in, out := &in.RequestMetadata, &out.RequestMetadata + *out = make(map[string]shared.CELExpression, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AgentExtAuthGRPC. +func (in *AgentExtAuthGRPC) DeepCopy() *AgentExtAuthGRPC { + if in == nil { + return nil + } + out := new(AgentExtAuthGRPC) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *AgentExtAuthHTTP) DeepCopyInto(out *AgentExtAuthHTTP) { + *out = *in + if in.Path != nil { + in, out := &in.Path, &out.Path + *out = new(shared.CELExpression) + **out = **in + } + if in.Redirect != nil { + in, out := &in.Redirect, &out.Redirect + *out = new(shared.CELExpression) + **out = **in + } + if in.AllowedRequestHeaders != nil { + in, out := &in.AllowedRequestHeaders, &out.AllowedRequestHeaders + *out = make([]ShortString, len(*in)) + copy(*out, *in) + } + if in.AddRequestHeaders != nil { + in, out := &in.AddRequestHeaders, &out.AddRequestHeaders + *out = make(map[string]shared.CELExpression, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.AllowedResponseHeaders != nil { + in, out := &in.AllowedResponseHeaders, &out.AllowedResponseHeaders + *out = make([]ShortString, len(*in)) + copy(*out, *in) + } + if in.ResponseMetadata != nil { + in, out := &in.ResponseMetadata, &out.ResponseMetadata + *out = make(map[string]shared.CELExpression, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AgentExtAuthHTTP. +func (in *AgentExtAuthHTTP) DeepCopy() *AgentExtAuthHTTP { + if in == nil { + return nil + } + out := new(AgentExtAuthHTTP) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AgentgatewayBackend) DeepCopyInto(out *AgentgatewayBackend) { *out = *in 
@@ -1150,18 +1228,21 @@ func (in *DynamicForwardProxyBackend) DeepCopy() *DynamicForwardProxyBackend { func (in *ExtAuth) DeepCopyInto(out *ExtAuth) { *out = *in in.BackendRef.DeepCopyInto(&out.BackendRef) + if in.GRPC != nil { + in, out := &in.GRPC, &out.GRPC + *out = new(AgentExtAuthGRPC) + (*in).DeepCopyInto(*out) + } + if in.HTTP != nil { + in, out := &in.HTTP, &out.HTTP + *out = new(AgentExtAuthHTTP) + (*in).DeepCopyInto(*out) + } if in.ForwardBody != nil { in, out := &in.ForwardBody, &out.ForwardBody *out = new(ExtAuthBody) **out = **in } - if in.ContextExtensions != nil { - in, out := &in.ContextExtensions, &out.ContextExtensions - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtAuth. diff --git a/install/helm/agentgateway-crds/templates/agentgateway.dev_agentgatewaypolicies.yaml b/install/helm/agentgateway-crds/templates/agentgateway.dev_agentgatewaypolicies.yaml index ed25f8935d8..8f0301a1efc 100644 --- a/install/helm/agentgateway-crds/templates/agentgateway.dev_agentgatewaypolicies.yaml +++ b/install/helm/agentgateway-crds/templates/agentgateway.dev_agentgatewaypolicies.yaml @@ -2540,13 +2540,6 @@ spec: - message: Must have port for Service reference rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' - contextExtensions: - additionalProperties: - type: string - description: contextExtensions specifies additional arbitrary - key-value pairs to send to the authorization server. - maxProperties: 64 - type: object forwardBody: description: |- forwardBody configures whether to include the HTTP body in the request. If enabled, the request body will be 
@@ -2562,9 +2555,109 @@ spec: required: - maxSize type: object + grpc: + description: |- + grpc specifies that the gRPC External Authorization + [protocol](https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto) should be used. + properties: + contextExtensions: + additionalProperties: + type: string + description: contextExtensions specifies additional arbitrary + key-value pairs to send to the authorization server + in the `context_extensions` field. + maxProperties: 64 + type: object + requestMetadata: + additionalProperties: + description: CELExpression represents a Common Expression + Language (CEL) expression. + maxLength: 16384 + minLength: 1 + type: string + description: |- + requestMetadata specifies metadata to be sent *to* the authorization server. + This maps to the `metadata_context.filter_metadata` field of the request, and allows dynamic CEL expressions. + If unset, by default the `envoy.filters.http.jwt_authn` key is set if the JWT policy is used as well, for compatibility. + maxProperties: 64 + type: object + type: object + http: + description: |- + http specifies that the HTTP protocol should be used for connecting to the authorization server. + The authorization server must return a `200` status code, otherwise the request is considered an authorization failure. + properties: + addRequestHeaders: + additionalProperties: + description: CELExpression represents a Common Expression + Language (CEL) expression. + maxLength: 16384 + minLength: 1 + type: string + description: |- + addRequestHeaders specifies what additional headers to add to the request to the authorization server. + While allowedRequestHeaders just passes the original headers through, addRequestHeaders allows defining custom headers + based on CEL Expressions. 
+ maxProperties: 64 + type: object + allowedRequestHeaders: + description: |- + allowedRequestHeaders specifies what additional headers from the client request + will be sent to the authorization server. + + If unset, the following headers are sent by default: `Authorization`. + items: + maxLength: 256 + minLength: 1 + type: string + maxItems: 64 + type: array + allowedResponseHeaders: + description: |- + allowedResponseHeaders specifies what headers from the authorization response + will be copied into the request to the backend. + items: + maxLength: 256 + minLength: 1 + type: string + maxItems: 64 + type: array + path: + description: |- + path specifies the path to send to the authorization server. If unset, this defaults to the original request path. + This is a CEL expression, which allows customizing the path based on the incoming request. + For example, to add a prefix: `path: '"/prefix/" + request.path'`. + maxLength: 16384 + minLength: 1 + type: string + redirect: + description: |- + redirect defines an optional expression to determine a path to redirect to on authorization failure. + This is useful to redirect to a sign-in page. + maxLength: 16384 + minLength: 1 + type: string + responseMetadata: + additionalProperties: + description: CELExpression represents a Common Expression + Language (CEL) expression. + maxLength: 16384 + minLength: 1 + type: string + description: |- + responseMetadata specifies what metadata fields should be constructed *from* the authorization response. These will be + included under the `extauthz` variable in future CEL expressions. Setting this is useful to do things like logging + usernames, without needing to include them as headers to the backend (as `allowedResponseHeaders` would). 
+ maxProperties: 64 + type: object + type: object required: - backendRef type: object + x-kubernetes-validations: + - message: exactly one of the fields in [grpc http] must be set + rule: '[has(self.grpc),has(self.http)].filter(x,x==true).size() + == 1' extProc: description: extProc specifies the external processing configuration for the policy. diff --git a/pkg/agentgateway/plugins/testdata/trafficpolicy/extauthz-grpc.yaml b/pkg/agentgateway/plugins/testdata/trafficpolicy/extauthz-grpc.yaml new file mode 100644 index 00000000000..349f5639b7f --- /dev/null +++ b/pkg/agentgateway/plugins/testdata/trafficpolicy/extauthz-grpc.yaml 
@@ -0,0 +1,78 @@ +apiVersion: agentgateway.dev/v1alpha1 +kind: AgentgatewayPolicy +metadata: + name: grpc + namespace: default +spec: + targetRefs: + - kind: Gateway + name: test + group: gateway.networking.k8s.io + traffic: + extAuth: + backendRef: + name: extauthz + port: 1024 + forwardBody: + maxSize: 1024 + grpc: + contextExtensions: + hello: world + requestMetadata: + user: jwt.sub +--- +apiVersion: v1 +kind: Service +metadata: + name: extauthz + namespace: default +spec: + ports: + - port: 1024 +--- +# Output +output: +- Policy: + key: traffic/default/grpc:extauth:default/test + name: + kind: AgentgatewayPolicy + name: grpc + namespace: default + target: + gateway: + name: test + namespace: default + traffic: + extAuthz: + grpc: + context: + hello: world + metadata: + user: jwt.sub + includeRequestBody: + allowPartialMessage: true + maxRequestBytes: 1024 + target: + port: 1024 + service: + hostname: extauthz.default.svc.cluster.local + namespace: default +status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: test + namespace: default + conditions: + - lastTransitionTime: fake + message: Policy accepted + reason: Valid + status: "True" + type: Accepted + - lastTransitionTime: fake + message: Attached to all targets + reason: Attached + status: "True" + type: Attached + controllerName: agentgateway.dev/agentgateway diff --git a/pkg/agentgateway/plugins/testdata/trafficpolicy/extauthz-http.yaml b/pkg/agentgateway/plugins/testdata/trafficpolicy/extauthz-http.yaml new file mode 100644 index 00000000000..56963eb7d70 --- /dev/null +++ b/pkg/agentgateway/plugins/testdata/trafficpolicy/extauthz-http.yaml 
@@ -0,0 +1,94 @@ +apiVersion: agentgateway.dev/v1alpha1 +kind: AgentgatewayPolicy +metadata: + name: http + namespace: default +spec: + targetRefs: + - kind: Gateway + name: test + group: gateway.networking.k8s.io + traffic: + extAuth: + backendRef: + name: extauthz + port: 1024 + forwardBody: + maxSize: 1024 + http: + path: | + "/prefix/" + request.path + redirect: | + "/signin" + allowedRequestHeaders: + - authorization + addRequestHeaders: + x-custom-header: "random()" + allowedResponseHeaders: + - x-custom-header + responseMetadata: + githubUser: response.headers["x-auth-request-user"] +--- +apiVersion: v1 +kind: Service +metadata: + name: extauthz + namespace: default +spec: + ports: + - port: 1024 +--- +# Output +output: +- Policy: + key: traffic/default/http:extauth:default/test + name: + kind: AgentgatewayPolicy + name: http + namespace: default + target: + gateway: + name: test + namespace: default + traffic: + extAuthz: + http: + addRequestHeaders: + x-custom-header: random() + includeResponseHeaders: + - x-custom-header + metadata: + githubUser: response.headers["x-auth-request-user"] + path: | + "/prefix/" + request.path + redirect: | + "/signin" + includeRequestBody: + allowPartialMessage: true + maxRequestBytes: 1024 + includeRequestHeaders: + - authorization + target: + port: 1024 + service: + hostname: extauthz.default.svc.cluster.local + namespace: default +status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: test + namespace: default + conditions: + - lastTransitionTime: fake + message: Policy accepted + reason: Valid + status: "True" + type: Accepted + - lastTransitionTime: fake + message: Attached to all targets + reason: Attached + status: "True" + type: Attached + controllerName: agentgateway.dev/agentgateway diff --git a/pkg/agentgateway/plugins/traffic_plugin.go b/pkg/agentgateway/plugins/traffic_plugin.go index 2c7e513615d..d21657759be 100644 --- a/pkg/agentgateway/plugins/traffic_plugin.go 
+++ b/pkg/agentgateway/plugins/traffic_plugin.go @@ -825,13 +825,30 @@ func processExtAuthPolicy( if err != nil { return nil, fmt.Errorf("failed to build extAuth: %v", err) } + spec := &api.TrafficPolicySpec_ExternalAuth{ Target: be, - Protocol: &api.TrafficPolicySpec_ExternalAuth_Grpc{ - Grpc: &api.TrafficPolicySpec_ExternalAuth_GRPCProtocol{ - Context: extAuth.ContextExtensions, - }, - }, + } + if g := extAuth.GRPC; g != nil { + p := &api.TrafficPolicySpec_ExternalAuth_GRPCProtocol{ + Context: g.ContextExtensions, + Metadata: castMap(g.RequestMetadata), + } + spec.Protocol = &api.TrafficPolicySpec_ExternalAuth_Grpc{ + Grpc: p, + } + } else if h := extAuth.HTTP; h != nil { + p := &api.TrafficPolicySpec_ExternalAuth_HTTPProtocol{ + Path: castPtr(h.Path), + Redirect: castPtr(h.Redirect), + IncludeResponseHeaders: h.AllowedResponseHeaders, + AddRequestHeaders: castMap(h.AddRequestHeaders), + Metadata: castMap(h.ResponseMetadata), + } + spec.IncludeRequestHeaders = h.AllowedRequestHeaders + spec.Protocol = &api.TrafficPolicySpec_ExternalAuth_Http{ + Http: p, + } } if b := extAuth.ForwardBody; b != nil { spec.IncludeRequestBody = &api.TrafficPolicySpec_ExternalAuth_BodyOptions{ @@ -924,6 +941,24 @@ func cast[T ~string](items []T) []string { }) } +func castMap[T ~string](items map[string]T) map[string]string { + if items == nil { + return nil + } + res := make(map[string]string, len(items)) + for k, v := range items { + res[k] = string(v) + } + return res +} + +func castPtr[T ~string](item *T) *string { + if item == nil { + return nil + } + return ptr.Of(string(*item)) +} + // processAuthorizationPolicy processes Authorization configuration and creates corresponding Agw policies func processAuthorizationPolicy( auth *shared.Authorization, diff --git a/pkg/deployer/wellknown.go b/pkg/deployer/wellknown.go index 326242cc260..ab55bee9434 100644 --- a/pkg/deployer/wellknown.go +++ b/pkg/deployer/wellknown.go 
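Review bot: In `processExtAuthPolicy` the new `if g := extAuth.GRPC ... else if h := extAuth.HTTP` chain has no final branch, so when neither field is set `spec.Protocol` stays nil, whereas the removed code always emitted the gRPC protocol. The CRD rule only runs on create and update, so a policy stored before this change (which had no `grpc` field) would presumably reach this path. How the data plane treats an external-auth policy with no protocol is not visible here, and skipping the check would be a fail-open. Close the chain explicitly with `} else { return nil, fmt.Errorf("extAuth: exactly one of grpc or http must be set") }`, or default to gRPC there if existing objects must keep working. The function starts and ends outside this hunk.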
@@ -17,7 +17,7 @@ const ( AgentgatewayRegistry = "ghcr.io/agentgateway" // AgentgatewayDefaultTag is the default agentgateway image tag // Note: should be in sync with version in go.mod and test/deployer/testdata/* - AgentgatewayDefaultTag = "0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647" + AgentgatewayDefaultTag = "0.11.0-alpha.5e5533a2c6bfb8914d69662b06aef48b4e7b85d5" // SdsImage is the image of the sds container. SdsImage = "sds" // SdsContainerName is the name of the container in the proxy deployment for the SDS integration. diff --git a/pkg/kgateway/agentgatewaysyncer/testdata/inputs/trafficpolicy/extauth-gateway.yaml b/pkg/kgateway/agentgatewaysyncer/testdata/inputs/trafficpolicy/extauth-gateway.yaml index 5179a75d8db..77d41232df6 100644 --- a/pkg/kgateway/agentgatewaysyncer/testdata/inputs/trafficpolicy/extauth-gateway.yaml +++ b/pkg/kgateway/agentgatewaysyncer/testdata/inputs/trafficpolicy/extauth-gateway.yaml @@ -33,6 +33,7 @@ spec: name: example-gateway traffic: extAuth: + grpc: {} backendRef: name: ext-authz port: 4444 diff --git a/pkg/kgateway/agentgatewaysyncer/testdata/inputs/trafficpolicy/extauth-listener.yaml b/pkg/kgateway/agentgatewaysyncer/testdata/inputs/trafficpolicy/extauth-listener.yaml index 1bebf6f7c3e..60e4401fc3c 100644 --- a/pkg/kgateway/agentgatewaysyncer/testdata/inputs/trafficpolicy/extauth-listener.yaml +++ b/pkg/kgateway/agentgatewaysyncer/testdata/inputs/trafficpolicy/extauth-listener.yaml @@ -37,6 +37,7 @@ spec: sectionName: foo traffic: extAuth: + grpc: {} backendRef: name: ext-authz port: 4444 diff --git a/pkg/kgateway/agentgatewaysyncer/testdata/inputs/trafficpolicy/extauth-route.yaml b/pkg/kgateway/agentgatewaysyncer/testdata/inputs/trafficpolicy/extauth-route.yaml index 2faa3eba6dd..80bdaad45e5 100644 --- a/pkg/kgateway/agentgatewaysyncer/testdata/inputs/trafficpolicy/extauth-route.yaml +++ b/pkg/kgateway/agentgatewaysyncer/testdata/inputs/trafficpolicy/extauth-route.yaml 
@@ -33,6 +33,7 @@ spec: name: example-route traffic: extAuth: + grpc: {} backendRef: name: ext-authz port: 4444 diff --git a/test/deployer/testdata/agentgateway-controller-but-custom-gatewayclass-out.yaml b/test/deployer/testdata/agentgateway-controller-but-custom-gatewayclass-out.yaml index 2171db9fe5d..56aa2c19ab3 100644 --- a/test/deployer/testdata/agentgateway-controller-but-custom-gatewayclass-out.yaml +++ b/test/deployer/testdata/agentgateway-controller-but-custom-gatewayclass-out.yaml @@ -121,7 +121,7 @@ spec: fieldPath: metadata.namespace - name: GATEWAY value: gw - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.5e5533a2c6bfb8914d69662b06aef48b4e7b85d5 name: agentgateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-custom-configmap-out.yaml b/test/deployer/testdata/agentgateway-custom-configmap-out.yaml index 5b79572f9ff..6bdf8ead405 100644 --- a/test/deployer/testdata/agentgateway-custom-configmap-out.yaml +++ b/test/deployer/testdata/agentgateway-custom-configmap-out.yaml @@ -121,7 +121,7 @@ spec: value: agentgateway - name: RUST_LOG value: debug - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.5e5533a2c6bfb8914d69662b06aef48b4e7b85d5 name: agentgateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-env-out.yaml b/test/deployer/testdata/agentgateway-env-out.yaml index 355b75ee00e..d954cfb93b0 100644 --- a/test/deployer/testdata/agentgateway-env-out.yaml +++ b/test/deployer/testdata/agentgateway-env-out.yaml 
@@ -125,7 +125,7 @@ spec: value: $(GATEWAY) - name: TEST_OF_AVOIDING_VARIABLE_EXPANSION value: $$(GATEWAY) - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.5e5533a2c6bfb8914d69662b06aef48b4e7b85d5 name: agentgateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-image-repo-only-out.yaml b/test/deployer/testdata/agentgateway-image-repo-only-out.yaml index e55cbe96a9c..bb125d6ceea 100644 --- a/test/deployer/testdata/agentgateway-image-repo-only-out.yaml +++ b/test/deployer/testdata/agentgateway-image-repo-only-out.yaml @@ -121,7 +121,7 @@ spec: fieldPath: metadata.namespace - name: GATEWAY value: gw - image: ghcr.io/agentgateway/custom-repo:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 + image: ghcr.io/agentgateway/custom-repo:0.11.0-alpha.5e5533a2c6bfb8914d69662b06aef48b4e7b85d5 name: agentgateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-infrastructure-out.yaml b/test/deployer/testdata/agentgateway-infrastructure-out.yaml index 37993df09e6..5c7c056e3a6 100644 --- a/test/deployer/testdata/agentgateway-infrastructure-out.yaml +++ b/test/deployer/testdata/agentgateway-infrastructure-out.yaml @@ -153,7 +153,7 @@ spec: fieldPath: metadata.namespace - name: GATEWAY value: gw - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.5e5533a2c6bfb8914d69662b06aef48b4e7b85d5 name: agentgateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-logging-format-out.yaml b/test/deployer/testdata/agentgateway-logging-format-out.yaml index 624b246cc41..a9c076464a0 100644 --- a/test/deployer/testdata/agentgateway-logging-format-out.yaml +++ b/test/deployer/testdata/agentgateway-logging-format-out.yaml 
@@ -123,7 +123,7 @@ spec: fieldPath: metadata.namespace - name: GATEWAY value: gw - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.5e5533a2c6bfb8914d69662b06aef48b4e7b85d5 name: agentgateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-omitdefaultsecuritycontext-out.yaml b/test/deployer/testdata/agentgateway-omitdefaultsecuritycontext-out.yaml index cd0480c8cd0..5d70b877560 100644 --- a/test/deployer/testdata/agentgateway-omitdefaultsecuritycontext-out.yaml +++ b/test/deployer/testdata/agentgateway-omitdefaultsecuritycontext-out.yaml @@ -121,7 +121,7 @@ spec: fieldPath: metadata.namespace - name: GATEWAY value: gw - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.5e5533a2c6bfb8914d69662b06aef48b4e7b85d5 name: agentgateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-omitdefaultsecuritycontext-ref-gwp-on-gw-out.yaml b/test/deployer/testdata/agentgateway-omitdefaultsecuritycontext-ref-gwp-on-gw-out.yaml index cd0480c8cd0..5d70b877560 100644 --- a/test/deployer/testdata/agentgateway-omitdefaultsecuritycontext-ref-gwp-on-gw-out.yaml +++ b/test/deployer/testdata/agentgateway-omitdefaultsecuritycontext-ref-gwp-on-gw-out.yaml @@ -121,7 +121,7 @@ spec: fieldPath: metadata.namespace - name: GATEWAY value: gw - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.5e5533a2c6bfb8914d69662b06aef48b4e7b85d5 name: agentgateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-out.yaml b/test/deployer/testdata/agentgateway-out.yaml index 087f6cb3173..c730cf9fcf5 100644 --- a/test/deployer/testdata/agentgateway-out.yaml +++ b/test/deployer/testdata/agentgateway-out.yaml 
@@ -121,7 +121,7 @@ spec: fieldPath: metadata.namespace - name: GATEWAY value: gw - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.5e5533a2c6bfb8914d69662b06aef48b4e7b85d5 name: agentgateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-rawconfig-binds-out.yaml b/test/deployer/testdata/agentgateway-rawconfig-binds-out.yaml index 9107f433e98..0656cea20c6 100644 --- a/test/deployer/testdata/agentgateway-rawconfig-binds-out.yaml +++ b/test/deployer/testdata/agentgateway-rawconfig-binds-out.yaml @@ -133,7 +133,7 @@ spec: fieldPath: metadata.namespace - name: GATEWAY value: gw - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.5e5533a2c6bfb8914d69662b06aef48b4e7b85d5 name: agentgateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-rawconfig-typed-conflict-out.yaml b/test/deployer/testdata/agentgateway-rawconfig-typed-conflict-out.yaml index 7ade97e9717..0a1e85411d1 100644 --- a/test/deployer/testdata/agentgateway-rawconfig-typed-conflict-out.yaml +++ b/test/deployer/testdata/agentgateway-rawconfig-typed-conflict-out.yaml @@ -125,7 +125,7 @@ spec: fieldPath: metadata.namespace - name: GATEWAY value: gw - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.5e5533a2c6bfb8914d69662b06aef48b4e7b85d5 name: agentgateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-shutdown-out.yaml b/test/deployer/testdata/agentgateway-shutdown-out.yaml index 613f5dde101..561153d3c69 100644 --- a/test/deployer/testdata/agentgateway-shutdown-out.yaml +++ b/test/deployer/testdata/agentgateway-shutdown-out.yaml 
@@ -121,7 +121,7 @@ spec: fieldPath: metadata.namespace - name: GATEWAY value: gw - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.5e5533a2c6bfb8914d69662b06aef48b4e7b85d5 name: agentgateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-tls-out.yaml b/test/deployer/testdata/agentgateway-tls-out.yaml index 959b9f21bf1..20614bde8f9 100644 --- a/test/deployer/testdata/agentgateway-tls-out.yaml +++ b/test/deployer/testdata/agentgateway-tls-out.yaml @@ -152,7 +152,7 @@ spec: fieldPath: metadata.namespace - name: GATEWAY value: gw - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.5e5533a2c6bfb8914d69662b06aef48b4e7b85d5 name: agentgateway ports: - containerPort: 15020 diff --git a/test/e2e/features/agentgateway/extauth/testdata/secure-and-disable-all.yaml b/test/e2e/features/agentgateway/extauth/testdata/secure-and-disable-all.yaml index fb8c3279fa1..7bc19047ca6 100644 --- a/test/e2e/features/agentgateway/extauth/testdata/secure-and-disable-all.yaml +++ b/test/e2e/features/agentgateway/extauth/testdata/secure-and-disable-all.yaml @@ -39,6 +39,7 @@ spec: name: route-example-disableall traffic: extAuth: + grpc: {} backendRef: name: ext-authz port: 4444 diff --git a/test/e2e/features/agentgateway/extauth/testdata/secured-gateway-policy.yaml b/test/e2e/features/agentgateway/extauth/testdata/secured-gateway-policy.yaml index 48f9069627e..ce9f60c9844 100644 --- a/test/e2e/features/agentgateway/extauth/testdata/secured-gateway-policy.yaml +++ b/test/e2e/features/agentgateway/extauth/testdata/secured-gateway-policy.yaml @@ -23,6 +23,7 @@ spec: name: super-gateway traffic: extAuth: + grpc: {} backendRef: name: ext-authz port: 4444 
diff --git a/test/e2e/features/agentgateway/extauth/testdata/secured-route.yaml b/test/e2e/features/agentgateway/extauth/testdata/secured-route.yaml index 5e0faa1e0d7..805c7c8ee99 100644 --- a/test/e2e/features/agentgateway/extauth/testdata/secured-route.yaml +++ b/test/e2e/features/agentgateway/extauth/testdata/secured-route.yaml @@ -24,6 +24,7 @@ spec: name: route-example-secure traffic: extAuth: + grpc: {} backendRef: name: ext-authz port: 4444