XDS tracing

api/v1alpha1/agentgateway/agentgateway_policy_types.go

@@ -250,7 +250,6 @@ type BackendTLS struct {
 	AlpnProtocols *[]TinyString `json:"alpnProtocols,omitempty"`
 }
 
-// +kubebuilder:validation:XValidation:rule="!has(self.tracing)",message="tracing is not currently implemented"
 type AgentgatewayPolicyFrontend struct {
 	// tcp defines settings on managing incoming TCP connections.
 	// +optional
@@ -267,7 +266,6 @@ type AgentgatewayPolicyFrontend struct {
 	AccessLog *AgentAccessLog `json:"accessLog,omitempty"`
 
 	// Tracing contains various settings for OpenTelemetry tracer.
-	// TODO: not currently implemented
 	// +optional
 	Tracing *AgentTracing `json:"tracing,omitempty"`
 }
@@ -1189,4 +1187,8 @@ type AgentTracing struct {
 	// 0.0-1.0, or a boolean (true/false) If unspecified, client sampling is 100% enabled.
 	// +optional
 	ClientSampling *shared.CELExpression `json:"clientSampling,omitempty"`
+
+	// Insecure specifies whether to use TLS when communicating with the OTLP server.
+	// +optional
+	Insecure *bool `json:"insecure,omitempty"`
 }

go.mod

@@ -656,3 +656,5 @@ tool (
 	sigs.k8s.io/controller-tools/cmd/controller-gen
 	sigs.k8s.io/kind
 )
+
+replace github.com/agentgateway/agentgateway => ../agentgateway

go.sum

@@ -194,8 +194,6 @@ github.com/ProtonMail/gopenpgp/v2 v2.7.1 h1:Awsg7MPc2gD3I7IFac2qE3Gdls0lZW8SzrFZ
 github.com/ProtonMail/gopenpgp/v2 v2.7.1/go.mod h1:/BU5gfAVwqyd8EfC3Eu7zmuhwYQpKs+cGD8M//iiaxs=
 github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d h1:licZJFw2RwpHMqeKTCYkitsPqHNxTmd4SNR5r94FGM8=
 github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d/go.mod h1:asat636LX7Bqt5lYEZ27JNDcqxfjdBQuJ/MM4CN/Lzo=
-github.com/agentgateway/agentgateway v0.10.6-0.20251203184148-f45f1a94cdfa h1:PWDaZIBsPpGIo/3PdYRRIrU5kCKC86nkkEZLqTDi5rI=
-github.com/agentgateway/agentgateway v0.10.6-0.20251203184148-f45f1a94cdfa/go.mod h1:/Lzpteag/nnE4bwW/3Dh5GaxuICmCQs40VhQpkTatlk=
 github.com/agnivade/levenshtein v1.2.1 h1:EHBY3UOn1gwdy/VbFwgo4cxecRznFk7fKWN1KOX7eoM=
 github.com/agnivade/levenshtein v1.2.1/go.mod h1:QVVI16kDrtSuwcpd0p1+xMC6Z/VfhtCyDIjcwga4/DU=
 github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs=

hack/utils/oss_compliance/osa_provided.md

@@ -2,7 +2,7 @@ Name|Version|License
 ---|---|---
 [cel.dev/expr](https://cel.dev/expr)|v0.24.0|Apache License 2.0
 [semver/v3](https://github.com/Masterminds/semver)|v3.4.0|MIT License
-[agentgateway/agentgateway](https://github.com/agentgateway/agentgateway)|v0.10.6-0.20251203184148-f45f1a94cdfa|Apache License 2.0
+[agentgateway/agentgateway](https://github.com/agentgateway/agentgateway)|latest|Apache License 2.0
 [anthropics/anthropic-sdk-go](https://github.com/anthropics/anthropic-sdk-go)|v1.13.0|MIT License
 [retry-go/v4](https://github.com/avast/retry-go)|v4.3.3|MIT License
 [xds/go](https://github.com/cncf/xds)|v0.0.0-20251110193048-8bfbf64dc13e|Apache License 2.0

install/helm/kgateway-crds/templates/agentgateway.dev_agentgatewaypolicies.yaml

@@ -1742,6 +1742,10 @@ spec:
                         maxLength: 16384
                         minLength: 1
                         type: string
+                      insecure:
+                        description: Insecure specifies whether to use TLS when communicating
+                          with the OTLP server.
+                        type: boolean
                       protocol:
                         default: HTTP
                         description: protocol specifies the OTLP protocol variant
@@ -1762,9 +1766,6 @@ spec:
                     - backendRef
                     type: object
                 type: object
-                x-kubernetes-validations:
-                - message: tracing is not currently implemented
-                  rule: '!has(self.tracing)'
               targetRefs:
                 description: targetRefs specifies the target resources by reference
                   to attach the policy to.

pkg/agentgateway/plugins/frontend_policies.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/kgateway-dev/kgateway/v2/api/v1alpha1/agentgateway"
 	"github.com/kgateway-dev/kgateway/v2/pkg/kgateway/wellknown"
+	"github.com/kgateway-dev/kgateway/v2/pkg/utils/kubeutils"
 )
 
 const (
@@ -63,18 +64,84 @@ func translateFrontendPolicyToAgw(
 
 func translateFrontendTracing(policy *agentgateway.AgentgatewayPolicy, name string, target *api.PolicyTarget) []AgwPolicy {
 	tracing := policy.Spec.Frontend.Tracing
+	if tracing == nil {
+		return nil
+	}
+
+	insecure := ptr.Of(false)
+	if tracing.Insecure != nil && *tracing.Insecure {
+		insecure = ptr.Of(true)
+	}
+
+	var provider *api.BackendReference
+	ref := tracing.BackendRef
+	if ref.Kind == nil || *ref.Kind == "Service" {
+		ns := policy.GetNamespace()
+		if tracing.BackendRef.Namespace != nil {
+			ns = string(*tracing.BackendRef.Namespace)
+		}
+		var port uint32
+		if ref.Port != nil {
+			port = uint32(*ref.Port)
+		}
+		hostname := kubeutils.GetServiceHostname(string(ref.Name), ns)
+		provider = &api.BackendReference{
+			Kind: &api.BackendReference_Service_{
+				Service: &api.BackendReference_Service{
+					Namespace: ns,
+					Hostname:  hostname,
+				},
+			},
+			Port: port,
+		}
+	} else {
+		// TODO: support other backend ref kinds
+		logger.Error("Backend reference kind is not supported", "kind", string(*ref.Kind))
+	}
+
+	var attributes []*api.FrontendPolicySpec_TracingAttribute
+	if tracing.Attributes != nil {
+		for _, add := range tracing.Attributes.Add {
+			attributes = append(attributes, &api.FrontendPolicySpec_TracingAttribute{
+				Name:  add.Name,
+				Value: string(add.Expression),
+			})
+		}
+		for _, remove := range tracing.Attributes.Remove {
+			attributes = append(attributes, &api.FrontendPolicySpec_TracingAttribute{
+				Name:  remove,
+				Value: "",
+			})
+		}
+	}
+
+	var randomSampling *string
+	if tracing.RandomSampling != nil {
+		randomSampling = ptr.Of(string(*tracing.RandomSampling))
+	}
+
+	var clientSampling *string
+	if tracing.ClientSampling != nil {
+		clientSampling = ptr.Of(string(*tracing.ClientSampling))
+	}
+
 	tracingPolicy := &api.Policy{
 		Key:    name + frontendTracingPolicySuffix + attachmentName(target),
 		Name:   TypedResourceName(wellknown.AgentgatewayPolicyGVK.Kind, policy),
 		Target: target,
 		Kind: &api.Policy_Frontend{
 			Frontend: &api.FrontendPolicySpec{
-				// TODO: implement this
-				Kind: &api.FrontendPolicySpec_Tracing_{Tracing: &api.FrontendPolicySpec_Tracing{}},
+				Kind: &api.FrontendPolicySpec_Tracing_{Tracing: &api.FrontendPolicySpec_Tracing{
+					ProviderBackend: provider,
+					Attributes:      attributes,
+					//Resources:       resources,
+					Insecure:       insecure,
+					RandomSampling: randomSampling,
+					ClientSampling: clientSampling,
+				}},
 			},
 		},
 	}
-	_ = tracing
 
 	logger.Debug("generated tracing policy",
 		"policy", policy.Name,

pkg/agentgateway/plugins/testdata/frontendpolicy/full.yaml

@@ -29,19 +29,20 @@ spec:
         add:
           - expression: 'request.headers["user-agent"]'
             name: http.useragent
-#    tracing:
-#      backendRef:
-#        name: my-otel
-#        namespace: some-other-ns
-#      protocol: GRPC
-#      clientSampling: "true"
-#      randomSampling: "true"
-#      attributes:
-#        remove:
-#          - response.code
-#        add:
-#          - expression: 'request.headers["user-agent"]'
-#            name: http.useragent
+    tracing:
+      backendRef:
+        name: my-otel
+        namespace: some-other-ns
+        port: 4317
+      protocol: GRPC
+      clientSampling: "true"
+      randomSampling: "true"
+      attributes:
+        remove:
+          - response.code
+        add:
+          - expression: 'request.headers["user-agent"]'
+            name: http.useragent
 
 ---
 # Output
@@ -111,6 +112,33 @@ output:
       gateway:
         name: test
         namespace: default
+- Policy:
+    frontend:
+      tracing:
+        attributes:
+        - name: http.useragent
+          value: request.headers["user-agent"]
+        - name: response.code
+        - name: randomSampling
+          value: "true"
+        insecure: false
+        providerBackend:
+          port: 4317
+          service:
+            hostname: my-otel.some-other-ns.svc.cluster.local
+            namespace: some-other-ns
+        resources:
+        - name: clientSampling
+          value: "true"
+    key: frontend/default/agw:frontend-tracing:default/test
+    name:
+      kind: AgentgatewayPolicy
+      name: agw
+      namespace: default
+    target:
+      gateway:
+        name: test
+        namespace: default
 status:
   ancestors:
   - ancestorRef:

pkg/agentgateway/plugins/traffic_plugin.go

@@ -812,8 +812,8 @@ func processExtAuthPolicy(
 		return nil, fmt.Errorf("failed to build extAuth: %v", err)
 	}
 	spec := &api.TrafficPolicySpec_ExternalAuth{
-		Target:  be,
-		Context: extAuth.ContextExtensions,
+		Target: be,
+		//Context: extAuth.ContextExtensions,
 	}
 	if b := extAuth.ForwardBody; b != nil {
 		spec.IncludeRequestBody = &api.TrafficPolicySpec_ExternalAuth_BodyOptions{