Enhancing agw backend status support and testing

pkg/agentgateway/plugins/backend_policies.go

@@ -93,7 +93,11 @@ func translateBackendPolicyToAgw(
 		}
 
 		if backend.MCP.Authentication != nil {
-			pol := translateBackendMCPAuthentication(ctx, policy, policyTarget)
+			pol, err := translateBackendMCPAuthentication(ctx, policy, policyTarget)
+			if err != nil {
+				logger.Error("error processing backend mcp auth", "err", err)
+				errs = append(errs, err)
+			}
 			agwPolicies = append(agwPolicies, pol...)
 		}
 	}
@@ -283,14 +287,14 @@ func translateBackendMCPAuthorization(policy *agentgateway.AgentgatewayPolicy, t
 	return []AgwPolicy{{Policy: mcpPolicy}}
 }
 
-func translateBackendMCPAuthentication(ctx PolicyCtx, policy *agentgateway.AgentgatewayPolicy, target *api.PolicyTarget) []AgwPolicy {
+func translateBackendMCPAuthentication(ctx PolicyCtx, policy *agentgateway.AgentgatewayPolicy, target *api.PolicyTarget) ([]AgwPolicy, error) {
 	backend := policy.Spec.Backend
 	if backend == nil || backend.MCP == nil || backend.MCP.Authentication == nil {
-		return nil
+		return nil, nil
 	}
 	authnPolicy := backend.MCP.Authentication
 	if authnPolicy == nil {
-		return nil
+		return nil, nil
 	}
 
 	idp := api.BackendPolicySpec_McpAuthentication_AUTH0
@@ -301,9 +305,10 @@ func translateBackendMCPAuthentication(ctx PolicyCtx, policy *agentgateway.Agent
 	translatedInlineJwks, err := resolveRemoteJWKSInline(ctx, authnPolicy.JWKS.JwksUri)
 	if err != nil {
 		logger.Error("failed resolving jwks", "jwks_uri", authnPolicy.JWKS.JwksUri, "error", err)
-		return nil
+		return nil, err
 	}
 
+	var errs []error
 	var extraResourceMetadata map[string]*structpb.Value
 	for k, v := range authnPolicy.ResourceMetadata {
 		if extraResourceMetadata == nil {
@@ -313,6 +318,7 @@ func translateBackendMCPAuthentication(ctx PolicyCtx, policy *agentgateway.Agent
 		pbVal, err := structpb.NewValue(v)
 		if err != nil {
 			logger.Error("error converting resource metadata", "key", k, "error", err)
+			errs = append(errs, err)
 			continue
 		}
 
@@ -345,7 +351,7 @@ func translateBackendMCPAuthentication(ctx PolicyCtx, policy *agentgateway.Agent
 		"policy", policy.Name,
 		"agentgateway_policy", mcpAuthnPolicy.Name)
 
-	return []AgwPolicy{{Policy: mcpAuthnPolicy}}
+	return []AgwPolicy{{Policy: mcpAuthnPolicy}}, errors.Join(errs...)
 }
 
 // translateBackendAI processes AI configuration and creates corresponding Agw policies

pkg/agentgateway/translator/backend_translator.go

@@ -1,12 +1,8 @@
 package translator
 
 import (
-	"github.com/agentgateway/agentgateway/go/api"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 
-	"github.com/kgateway-dev/kgateway/v2/api/v1alpha1/agentgateway"
-	"github.com/kgateway-dev/kgateway/v2/pkg/agentgateway/plugins"
-	agwbackend "github.com/kgateway-dev/kgateway/v2/pkg/kgateway/agentgatewaysyncer/backend"
 	sdk "github.com/kgateway-dev/kgateway/v2/pkg/pluginsdk"
 	"github.com/kgateway-dev/kgateway/v2/pkg/pluginsdk/ir"
 )
@@ -28,11 +24,3 @@ func NewAgwBackendTranslator(extensions sdk.Plugin) *AgwBackendTranslator {
 	}
 	return translator
 }
-
-// TranslateBackend converts a BackendObjectIR to agent gateway Backend and Policy resources
-func (t *AgwBackendTranslator) TranslateBackend(
-	ctx plugins.PolicyCtx,
-	backend *agentgateway.AgentgatewayBackend,
-) ([]*api.Backend, error) {
-	return agwbackend.BuildAgwBackend(ctx, backend)
-}

pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/ai-auth-secret-missing-authorization.yaml

@@ -0,0 +1,33 @@
+apiVersion: agentgateway.dev/v1alpha1
+kind: AgentgatewayBackend
+metadata:
+  namespace: default
+  name: openai-backend
+spec:
+  ai:
+    provider:
+      openai:
+        model: gpt-4
+  policies:
+    auth:
+      secretRef:
+        name: secret-without-auth
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secret-without-auth
+  namespace: default
+data:
+  someOtherKey: dGVzdA==
+---
+# Output
+output: []
+status:
+  conditions:
+  - lastTransitionTime: fake
+    message: 'failed to translate backend: secret default/secret-without-auth missing
+      Authorization value'
+    reason: TranslationError
+    status: "False"
+    type: Accepted

pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/ai-auth-secret-ref-not-found.yaml

@@ -0,0 +1,24 @@
+apiVersion: agentgateway.dev/v1alpha1
+kind: AgentgatewayBackend
+metadata:
+  namespace: default
+  name: openai-backend
+spec:
+  ai:
+    provider:
+      openai:
+        model: gpt-4
+  policies:
+    auth:
+      secretRef:
+        name: missing-secret
+---
+# Output
+output: []
+status:
+  conditions:
+  - lastTransitionTime: fake
+    message: 'failed to translate backend: secret default/missing-secret not found'
+    reason: TranslationError
+    status: "False"
+    type: Accepted

pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/ai-auth-secret-ref.yaml

@@ -0,0 +1,47 @@
+apiVersion: agentgateway.dev/v1alpha1
+kind: AgentgatewayBackend
+metadata:
+  namespace: default
+  name: anthropic-backend
+spec:
+  ai:
+    provider:
+      anthropic:
+        model: claude-4-5-sonnet
+  policies:
+    auth:
+      secretRef:
+        name: valid-secret
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: valid-secret
+  namespace: default
+data:
+  Authorization: QmVhcmVyIHRlc3Q=
+---
+# Output
+output:
+- backend:
+    ai:
+      providerGroups:
+      - providers:
+        - anthropic:
+            model: claude-4-5-sonnet
+          name: backend
+    inlinePolicies:
+    - auth:
+        key:
+          secret: test
+    key: default/anthropic-backend
+    name:
+      name: anthropic-backend
+      namespace: default
+status:
+  conditions:
+  - lastTransitionTime: fake
+    message: Backend successfully accepted
+    reason: Accepted
+    status: "True"
+    type: Accepted

pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/ai-priority-groups-secret-ref-invalid.yaml

@@ -0,0 +1,37 @@
+apiVersion: agentgateway.dev/v1alpha1
+kind: AgentgatewayBackend
+metadata:
+  namespace: default
+  name: ai-priority-with-secret
+spec:
+  ai:
+    groups:
+    - providers:
+      - name: openai-secure
+        openai:
+          model: gpt-4o
+        policies:
+          auth:
+            secretRef:
+              name: openai-secret
+---
+# Output
+output:
+- backend:
+    ai:
+      providerGroups:
+      - providers:
+        - name: openai-secure
+          openai:
+            model: gpt-4o
+    key: default/ai-priority-with-secret
+    name:
+      name: ai-priority-with-secret
+      namespace: default
+status:
+  conditions:
+  - lastTransitionTime: fake
+    message: Backend successfully accepted
+    reason: Accepted
+    status: "True"
+    type: Accepted

pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/ai-priority-groups-secret-ref.yaml

@@ -0,0 +1,71 @@
+apiVersion: agentgateway.dev/v1alpha1
+kind: AgentgatewayBackend
+metadata:
+  namespace: default
+  name: ai-priority-with-secret
+spec:
+  ai:
+    groups:
+    - providers:
+      - name: openai-secure
+        openai:
+          model: gpt-4o
+        policies:
+          auth:
+            secretRef:
+              name: openai-secret
+      - name: anthropic-secure
+        anthropic:
+          model: claude-3-5-sonnet
+        policies:
+          auth:
+            secretRef:
+              name: anthropic-secret
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: openai-secret
+  namespace: default
+data:
+  Authorization: QmVhcmVyIHRlc3Q=
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: anthropic-secret
+  namespace: default
+data:
+  Authorization: QmVhcmVyIHRlc3Q=
+---
+# Output
+output:
+- backend:
+    ai:
+      providerGroups:
+      - providers:
+        - inlinePolicies:
+          - auth:
+              key:
+                secret: test
+          name: openai-secure
+          openai:
+            model: gpt-4o
+        - anthropic:
+            model: claude-3-5-sonnet
+          inlinePolicies:
+          - auth:
+              key:
+                secret: test
+          name: anthropic-secure
+    key: default/ai-priority-with-secret
+    name:
+      name: ai-priority-with-secret
+      namespace: default
+status:
+  conditions:
+  - lastTransitionTime: fake
+    message: Backend successfully accepted
+    reason: Accepted
+    status: "True"
+    type: Accepted

pkg/kgateway/agentgatewaysyncer/backend/testdata/backend/ai-priority-groups.yaml

@@ -0,0 +1,63 @@
+apiVersion: agentgateway.dev/v1alpha1
+kind: AgentgatewayBackend
+metadata:
+  namespace: default
+  name: multi-providers
+spec:
+  ai:
+    groups:
+    - providers:
+      - name: openai
+        openai:
+          model: gpt-4o
+      - name: anthropic
+        anthropic:
+          model: claude-3-5-sonnet
+      - name: gemini
+        gemini:
+          model: gemini-1.5-pro
+      - name: vertex
+        vertexai:
+          model: gemini-pro
+          region: us-west1
+          projectId: my-gcp-project
+      - name: bedrock
+        bedrock:
+          model: anthropic.claude-3-sonnet-20240229-v1:0
+          region: us-east-1
+---
+# Output
+output:
+- backend:
+    ai:
+      providerGroups:
+      - providers:
+        - name: openai
+          openai:
+            model: gpt-4o
+        - anthropic:
+            model: claude-3-5-sonnet
+          name: anthropic
+        - gemini:
+            model: gemini-1.5-pro
+          name: gemini
+        - name: vertex
+          vertex:
+            model: gemini-pro
+            projectId: my-gcp-project
+            region: us-west1
+        - bedrock:
+            model: anthropic.claude-3-sonnet-20240229-v1:0
+            region: us-east-1
+          name: bedrock
+    key: default/multi-providers
+    name:
+      name: multi-providers
+      namespace: default
+status:
+  conditions:
+  - lastTransitionTime: fake
+    message: Backend successfully accepted
+    reason: Accepted
+    status: "True"
+    type: Accepted