diff --git a/api/v1alpha1/agentgateway/agentgateway_policy_types.go b/api/v1alpha1/agentgateway/agentgateway_policy_types.go index 478bc16cb12..99bbe9a2ba2 100644 --- a/api/v1alpha1/agentgateway/agentgateway_policy_types.go +++ b/api/v1alpha1/agentgateway/agentgateway_policy_types.go @@ -707,7 +707,7 @@ const ( HostnameRewriteModeNone HostnameRewriteMode = "None" ) -// +kubebuilder:validation:ExactlyOneOf=key;secretRef;passthrough +// +kubebuilder:validation:ExactlyOneOf=key;secretRef;passthrough;aws type BackendAuth struct { // key provides an inline key to use as the value of the Authorization header. // This option is the least secure; usage of a Secret is preferred. @@ -726,7 +726,21 @@ type BackendAuth struct { // request, the original token would be unchanged, so this would have no effect. // +optional Passthrough *BackendAuthPassthrough `json:"passthrough,omitempty"` - // TODO: aws, azure, gcp + // TODO: azure, gcp + + // Auth specifies an explicit AWS authentication method for the backend. + // When omitted, we will try to use the default AWS SDK authentication methods. + // + // +optional + AWS *AwsAuth `json:"aws,omitempty"` +} + +// AwsAuth specifies the authentication method to use for the backend. +type AwsAuth struct { + // SecretRef references a Kubernetes Secret containing the AWS credentials. + // The Secret must have keys "accessKey", "secretKey", and optionally "sessionToken". + // +required + SecretRef corev1.LocalObjectReference `json:"secretRef"` } type BackendAuthPassthrough struct { diff --git a/api/v1alpha1/agentgateway/zz_generated.deepcopy.go b/api/v1alpha1/agentgateway/zz_generated.deepcopy.go index b4f50c334ea..45c59be8ea0 100644 --- a/api/v1alpha1/agentgateway/zz_generated.deepcopy.go +++ b/api/v1alpha1/agentgateway/zz_generated.deepcopy.go 
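Review bot: The comment on the new `AWS` field promises "When omitted, we will try to use the default AWS SDK authentication methods", but nothing in this hunk lets a user select that. `aws` is now a member of the `ExactlyOneOf` marker and `AwsAuth.SecretRef` is `+required`, so omitting `aws` only means that key, secretRef or passthrough must be set instead. The wording matters because a default SDK credential chain would presumably resolve to the gateway's own ambient identity, and readers may assume such a fallback exists. I would reword it to `// aws configures AWS authentication using credentials read from a Secret in the policy's namespace.`, starting with the JSON name as the sibling fields do (`key provides ...`). The `AwsAuth` type comment could likewise say that static credentials come from the referenced Secret, rather than "the authentication method".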
@@ -630,6 +630,22 @@ func (in *AttributeAdd) DeepCopy() *AttributeAdd { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AwsAuth) DeepCopyInto(out *AwsAuth) { + *out = *in + out.SecretRef = in.SecretRef +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AwsAuth. +func (in *AwsAuth) DeepCopy() *AwsAuth { + if in == nil { + return nil + } + out := new(AwsAuth) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AzureOpenAIConfig) DeepCopyInto(out *AzureOpenAIConfig) { *out = *in @@ -731,6 +747,11 @@ func (in *BackendAuth) DeepCopyInto(out *BackendAuth) { *out = new(BackendAuthPassthrough) **out = **in } + if in.AWS != nil { + in, out := &in.AWS, &out.AWS + *out = new(AwsAuth) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendAuth. diff --git a/go.mod b/go.mod index cdf91b7dc4e..989eb3adb04 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.25.3 require ( // Also update AgentgatewayDefaultTag in pkg/deployer/wellknown.go and test/deployer/testdata/* - github.com/agentgateway/agentgateway v0.10.6-0.20251203184148-f45f1a94cdfa + github.com/agentgateway/agentgateway v0.10.6-0.20251211180119-76b0afc55496 github.com/avast/retry-go/v4 v4.3.3 github.com/cncf/xds/go v0.0.0-20251110193048-8bfbf64dc13e github.com/envoyproxy/go-control-plane v0.14.0 diff --git a/go.sum b/go.sum index ef9b5f56ee6..0d808aef012 100644 --- a/go.sum +++ b/go.sum 
@@ -196,8 +196,8 @@ github.com/PuerkitoBio/goquery v1.10.1 h1:Y8JGYUkXWTGRB6Ars3+j3kN0xg1YqqlwvdTV8W github.com/PuerkitoBio/goquery v1.10.1/go.mod h1:IYiHrOMps66ag56LEH7QYDDupKXyo5A8qrjIx3ZtujY= github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d h1:licZJFw2RwpHMqeKTCYkitsPqHNxTmd4SNR5r94FGM8= github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d/go.mod h1:asat636LX7Bqt5lYEZ27JNDcqxfjdBQuJ/MM4CN/Lzo= -github.com/agentgateway/agentgateway v0.10.6-0.20251203184148-f45f1a94cdfa h1:PWDaZIBsPpGIo/3PdYRRIrU5kCKC86nkkEZLqTDi5rI= -github.com/agentgateway/agentgateway v0.10.6-0.20251203184148-f45f1a94cdfa/go.mod h1:/Lzpteag/nnE4bwW/3Dh5GaxuICmCQs40VhQpkTatlk= +github.com/agentgateway/agentgateway v0.10.6-0.20251211180119-76b0afc55496 h1:A7qJ8Ac6vMHDSqcFDpk/IBfZPjxbH44/78dtsodxiEk= +github.com/agentgateway/agentgateway v0.10.6-0.20251211180119-76b0afc55496/go.mod h1:/Lzpteag/nnE4bwW/3Dh5GaxuICmCQs40VhQpkTatlk= github.com/agnivade/levenshtein v1.2.1 h1:EHBY3UOn1gwdy/VbFwgo4cxecRznFk7fKWN1KOX7eoM= github.com/agnivade/levenshtein v1.2.1/go.mod h1:QVVI16kDrtSuwcpd0p1+xMC6Z/VfhtCyDIjcwga4/DU= github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs= diff --git a/hack/utils/oss_compliance/osa_provided.md b/hack/utils/oss_compliance/osa_provided.md index b5f3f241c4d..77fe36a15e9 100644 --- a/hack/utils/oss_compliance/osa_provided.md +++ b/hack/utils/oss_compliance/osa_provided.md 
@@ -3,7 +3,7 @@ Name|Version|License [cel.dev/expr](https://cel.dev/expr)|v0.24.0|Apache License 2.0 [semver/v3](https://github.com/Masterminds/semver)|v3.4.0|MIT License [PuerkitoBio/goquery](https://github.com/PuerkitoBio/goquery)|v1.10.1|BSD 3-clause "New" or "Revised" License -[agentgateway/agentgateway](https://github.com/agentgateway/agentgateway)|v0.10.6-0.20251203184148-f45f1a94cdfa|Apache License 2.0 +[agentgateway/agentgateway](https://github.com/agentgateway/agentgateway)|v0.10.6-0.20251211180119-76b0afc55496|Apache License 2.0 [anthropics/anthropic-sdk-go](https://github.com/anthropics/anthropic-sdk-go)|v1.13.0|MIT License [retry-go/v4](https://github.com/avast/retry-go)|v4.3.3|MIT License [xds/go](https://github.com/cncf/xds)|v0.0.0-20251110193048-8bfbf64dc13e|Apache License 2.0 diff --git a/install/helm/agentgateway-crds/templates/agentgateway.dev_agentgatewaybackends.yaml b/install/helm/agentgateway-crds/templates/agentgateway.dev_agentgatewaybackends.yaml index f83338e8743..c28f5dcc81f 100644 --- a/install/helm/agentgateway-crds/templates/agentgateway.dev_agentgatewaybackends.yaml +++ b/install/helm/agentgateway-crds/templates/agentgateway.dev_agentgatewaybackends.yaml 
@@ -477,6 +477,30 @@ spec: authentication to the backend properties: + aws: + description: |- + Auth specifies an explicit AWS authentication method for the backend. + When omitted, we will try to use the default AWS SDK authentication methods. + properties: + secretRef: + description: |- + SecretRef references a Kubernetes Secret containing the AWS credentials. + The Secret must have keys "accessKey", "secretKey", and optionally "sessionToken". + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - secretRef + type: object key: description: |- key provides an inline key to use as the value of the Authorization header. @@ -510,9 +534,9 @@ spec: x-kubernetes-validations: - message: exactly one of the fields in [key secretRef - passthrough] must be - set - rule: '[has(self.key),has(self.secretRef),has(self.passthrough)].filter(x,x==true).size() + passthrough aws] must + be set + rule: '[has(self.key),has(self.secretRef),has(self.passthrough),has(self.aws)].filter(x,x==true).size() == 1' http: description: http defines 
@@ -1213,6 +1237,30 @@ spec: description: auth defines settings for managing authentication to the backend properties: + aws: + description: |- + Auth specifies an explicit AWS authentication method for the backend. + When omitted, we will try to use the default AWS SDK authentication methods. + properties: + secretRef: + description: |- + SecretRef references a Kubernetes Secret containing the AWS credentials. + The Secret must have keys "accessKey", "secretKey", and optionally "sessionToken". + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - secretRef + type: object key: description: |- key provides an inline key to use as the value of the Authorization header. @@ -1245,8 +1293,8 @@ spec: type: object x-kubernetes-validations: - message: exactly one of the fields in [key secretRef - passthrough] must be set - rule: '[has(self.key),has(self.secretRef),has(self.passthrough)].filter(x,x==true).size() + passthrough aws] must be set + rule: '[has(self.key),has(self.secretRef),has(self.passthrough),has(self.aws)].filter(x,x==true).size() == 1' http: description: http defines settings for managing 
@@ -1829,6 +1877,30 @@ spec: description: auth defines settings for managing authentication to the backend properties: + aws: + description: |- + Auth specifies an explicit AWS authentication method for the backend. + When omitted, we will try to use the default AWS SDK authentication methods. + properties: + secretRef: + description: |- + SecretRef references a Kubernetes Secret containing the AWS credentials. + The Secret must have keys "accessKey", "secretKey", and optionally "sessionToken". + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - secretRef + type: object key: description: |- key provides an inline key to use as the value of the Authorization header. @@ -1861,8 +1933,8 @@ spec: type: object x-kubernetes-validations: - message: exactly one of the fields in [key secretRef - passthrough] must be set - rule: '[has(self.key),has(self.secretRef),has(self.passthrough)].filter(x,x==true).size() + passthrough aws] must be set + rule: '[has(self.key),has(self.secretRef),has(self.passthrough),has(self.aws)].filter(x,x==true).size() == 1' http: description: http defines settings for managing 
@@ -2528,6 +2600,30 @@ spec: description: auth defines settings for managing authentication to the backend properties: + aws: + description: |- + Auth specifies an explicit AWS authentication method for the backend. + When omitted, we will try to use the default AWS SDK authentication methods. + properties: + secretRef: + description: |- + SecretRef references a Kubernetes Secret containing the AWS credentials. + The Secret must have keys "accessKey", "secretKey", and optionally "sessionToken". + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - secretRef + type: object key: description: |- key provides an inline key to use as the value of the Authorization header. @@ -2560,9 +2656,9 @@ spec: type: object x-kubernetes-validations: - message: exactly one of the fields in - [key secretRef passthrough] must be - set - rule: '[has(self.key),has(self.secretRef),has(self.passthrough)].filter(x,x==true).size() + [key secretRef passthrough aws] must + be set + rule: '[has(self.key),has(self.secretRef),has(self.passthrough),has(self.aws)].filter(x,x==true).size() == 1' http: description: http defines settings for managing 
@@ -3221,6 +3317,30 @@ spec: description: auth defines settings for managing authentication to the backend properties: + aws: + description: |- + Auth specifies an explicit AWS authentication method for the backend. + When omitted, we will try to use the default AWS SDK authentication methods. + properties: + secretRef: + description: |- + SecretRef references a Kubernetes Secret containing the AWS credentials. + The Secret must have keys "accessKey", "secretKey", and optionally "sessionToken". + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - secretRef + type: object key: description: |- key provides an inline key to use as the value of the Authorization header. @@ -3252,9 +3372,9 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-validations: - - message: exactly one of the fields in [key secretRef passthrough] - must be set - rule: '[has(self.key),has(self.secretRef),has(self.passthrough)].filter(x,x==true).size() + - message: exactly one of the fields in [key secretRef passthrough + aws] must be set + rule: '[has(self.key),has(self.secretRef),has(self.passthrough),has(self.aws)].filter(x,x==true).size() == 1' http: description: http defines settings for managing HTTP requests diff --git a/install/helm/agentgateway-crds/templates/agentgateway.dev_agentgatewaypolicies.yaml b/install/helm/agentgateway-crds/templates/agentgateway.dev_agentgatewaypolicies.yaml index 986372210b1..ed25f8935d8 100644 --- a/install/helm/agentgateway-crds/templates/agentgateway.dev_agentgatewaypolicies.yaml +++ b/install/helm/agentgateway-crds/templates/agentgateway.dev_agentgatewaypolicies.yaml 
@@ -315,6 +315,30 @@ spec: description: auth defines settings for managing authentication to the backend properties: + aws: + description: |- + Auth specifies an explicit AWS authentication method for the backend. + When omitted, we will try to use the default AWS SDK authentication methods. + properties: + secretRef: + description: |- + SecretRef references a Kubernetes Secret containing the AWS credentials. + The Secret must have keys "accessKey", "secretKey", and optionally "sessionToken". + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - secretRef + type: object key: description: |- key provides an inline key to use as the value of the Authorization header. @@ -347,9 +371,9 @@ spec: type: object x-kubernetes-validations: - message: exactly one of the fields in - [key secretRef passthrough] must be - set - rule: '[has(self.key),has(self.secretRef),has(self.passthrough)].filter(x,x==true).size() + [key secretRef passthrough aws] must + be set + rule: '[has(self.key),has(self.secretRef),has(self.passthrough),has(self.aws)].filter(x,x==true).size() == 1' http: description: http defines settings for managing 
@@ -1008,6 +1032,30 @@ spec: description: auth defines settings for managing authentication to the backend properties: + aws: + description: |- + Auth specifies an explicit AWS authentication method for the backend. + When omitted, we will try to use the default AWS SDK authentication methods. + properties: + secretRef: + description: |- + SecretRef references a Kubernetes Secret containing the AWS credentials. + The Secret must have keys "accessKey", "secretKey", and optionally "sessionToken". + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - secretRef + type: object key: description: |- key provides an inline key to use as the value of the Authorization header. @@ -1039,9 +1087,9 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-validations: - - message: exactly one of the fields in [key secretRef passthrough] - must be set - rule: '[has(self.key),has(self.secretRef),has(self.passthrough)].filter(x,x==true).size() + - message: exactly one of the fields in [key secretRef passthrough + aws] must be set + rule: '[has(self.key),has(self.secretRef),has(self.passthrough),has(self.aws)].filter(x,x==true).size() == 1' http: description: http defines settings for managing HTTP requests diff --git a/pkg/agentgateway/plugins/backend_policies.go b/pkg/agentgateway/plugins/backend_policies.go index bfe55be102c..1da56902404 100644 --- a/pkg/agentgateway/plugins/backend_policies.go +++ b/pkg/agentgateway/plugins/backend_policies.go 
@@ -482,6 +482,10 @@ func translateBackendAuth(ctx PolicyCtx, policy *agentgateway.AgentgatewayPolicy errs = append(errs, fmt.Errorf("secret %s/%s missing Authorization value", policy.Namespace, auth.SecretRef.Name)) } } + } else if auth.AWS != nil { + awsAuth, err := buildAwsAuthPolicy(ctx.Krt, auth.AWS, ctx.Collections.Secrets, policy.Namespace) + translatedAuth = awsAuth + errs = append(errs, err) } else { errs = append(errs, fmt.Errorf("backend auth requires either inline key or secretRef")) } 
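Review bot: In the new `auth.AWS` branch both `translatedAuth = awsAuth` and `errs = append(errs, err)` run unconditionally, so a successful call appends a nil error and a failed call can still install whatever policy came back. `buildAwsAuthPolicy` (added later in this file) returns a populated policy together with an error when a key is missing, so empty credentials could be carried forward unless code outside this hunk discards `translatedAuth` when `errs` is non-empty. I would write `if err != nil { errs = append(errs, err) } else { translatedAuth = awsAuth }`. The fallthrough message "backend auth requires either inline key or secretRef" is also stale now that `aws` is a valid choice. `translateBackendAuth` starts and ends outside the hunk.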
@@ -529,3 +533,69 @@ func translateRouteType(rt agentgateway.RouteType) api.BackendPolicySpec_Ai_Rout return api.BackendPolicySpec_Ai_COMPLETIONS } } + +func buildAwsAuthPolicy(krtctx krt.HandlerContext, auth *agentgateway.AwsAuth, secrets krt.Collection[*corev1.Secret], namespace string) (*api.BackendAuthPolicy, error) { + var errs []error + if auth == nil { + logger.Warn("using implicit AWS auth for AI backend") + return &api.BackendAuthPolicy{ + Kind: &api.BackendAuthPolicy_Aws{ + Aws: &api.Aws{ + Kind: &api.Aws_Implicit{ + Implicit: &api.AwsImplicit{}, + }, + }, + }, + }, nil + } + + if auth.SecretRef.Name == "" { + logger.Warn("not using any auth for AWS - it's most likely not what you want") + return nil, nil + } + + // Get secret using the SecretIndex + secret, err := kubeutils.GetSecret(secrets, krtctx, auth.SecretRef.Name, namespace) + if err != nil { + // Return nil auth policy if secret not found - this will be handled upstream + // TODO(npolshak): Add backend status errors https://github.com/kgateway-dev/kgateway/issues/11966 + return nil, err + } + + var accessKeyId, secretAccessKey string + var sessionToken *string + + // Extract access key + if value, exists := kubeutils.GetSecretValue(secret, wellknown.AccessKey); !exists { + errs = append(errs, errors.New("accessKey is missing or not a valid string")) + } else { + accessKeyId = value + } + + // Extract secret key + if value, exists := kubeutils.GetSecretValue(secret, wellknown.SecretKey); !exists { + errs = append(errs, errors.New("secretKey is missing or not a valid string")) + } else { + secretAccessKey = value + } + + // Extract session token (optional) + if value, exists := kubeutils.GetSecretValue(secret, wellknown.SessionToken); exists { + sessionToken = ptr.Of(value) + } + + return &api.BackendAuthPolicy{ + Kind: &api.BackendAuthPolicy_Aws{ + Aws: &api.Aws{ + Kind: &api.Aws_ExplicitConfig{ + ExplicitConfig: &api.AwsExplicitConfig{ + AccessKeyId: accessKeyId, + SecretAccessKey: 
secretAccessKey, + SessionToken: sessionToken, + Region: "", + }, + }, + }, + }, + }, errors.Join(errs...) +} diff --git a/pkg/agentgateway/plugins/testdata/backendpolicy/awsauth.yaml b/pkg/agentgateway/plugins/testdata/backendpolicy/awsauth.yaml new file mode 100644 index 00000000000..8256ea41466 --- /dev/null +++ b/pkg/agentgateway/plugins/testdata/backendpolicy/awsauth.yaml @@ -0,0 +1,65 @@ +apiVersion: agentgateway.dev/v1alpha1 +kind: AgentgatewayPolicy +metadata: + name: agw + namespace: default +spec: + targetRefs: + - kind: HTTPRoute + name: test + group: gateway.networking.k8s.io + backend: + auth: + aws: + secretRef: + name: aws-auth-secret +--- +apiVersion: v1 +kind: Secret +metadata: + name: aws-auth-secret + namespace: default +type: Opaque +data: + accessKey: c2VjcmV0LWFjY2Vzc0tleQ== + secretKey: c2VjcmV0LXNlY3JldEtleQ== + sessionToken: c2VjcmV0LXNlc3Npb25Ub2tlbg== +--- +# Output +output: +- Policy: + backend: + auth: + aws: + explicitConfig: + accessKeyId: secret-accessKey + secretAccessKey: secret-secretKey + sessionToken: secret-sessionToken + key: backend/default/agw:backend-auth:default/test + name: + kind: AgentgatewayPolicy + name: agw + namespace: default + target: + route: + name: test + namespace: default +status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: test + namespace: default + conditions: + - lastTransitionTime: fake + message: Policy accepted + reason: Valid + status: "True" + type: Accepted + - lastTransitionTime: fake + message: Attached to all targets + reason: Attached + status: "True" + type: Attached + controllerName: agentgateway.dev/agentgateway diff --git a/pkg/agentgateway/plugins/traffic_plugin.go b/pkg/agentgateway/plugins/traffic_plugin.go index 56926677baf..2c7e513615d 100644 --- a/pkg/agentgateway/plugins/traffic_plugin.go +++ b/pkg/agentgateway/plugins/traffic_plugin.go 
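Review bot: An empty `auth.SecretRef.Name` returns `nil, nil` after only a warning, so the caller records no error and the policy is translated with no backend auth at all; the CRD defaults `name` to "", so this is reachable and should be an error rather than a log line. The final return has the mirror problem: when `accessKey` or `secretKey` is missing it still hands back an `AwsExplicitConfig` holding empty strings next to the joined error. The `auth == nil` implicit branch looks unreachable from the call added in `translateBackendAuth`, which only calls this when `auth.AWS != nil`, and the function has no doc comment stating which Secret keys it reads. The missing-key errors would also be easier to act on if they named the Secret, as the sibling secretRef error does with `secret %s/%s`.

```go
	if auth.SecretRef.Name == "" {
		return nil, errors.New("aws secretRef name must not be empty")
	}

	// … unchanged: secret lookup and accessKey/secretKey/sessionToken extraction …

	// Never return a policy that carries empty credentials.
	if err := errors.Join(errs...); err != nil {
		return nil, fmt.Errorf("secret %s/%s: %w", namespace, auth.SecretRef.Name, err)
	}
	return &api.BackendAuthPolicy{
		// … unchanged: Aws_ExplicitConfig literal …
	}, nil
```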
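Review bot: This fixture pins only the happy path, where the Secret exists and carries all three keys. The failure branches — Secret not found, `accessKey` or `secretKey` absent, and an empty `secretRef.name` — have no golden file, so a regression that emits a policy with empty credentials would still pass. One fixture per case, each asserting the status you expect for a rejected policy, would cover them. The expected output also shows the decoded `accessKeyId`, `secretAccessKey` and `sessionToken` inline in the translated policy, so it is worth confirming that config dumps and debug logs of translated policies redact these fields.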
@@ -826,8 +826,12 @@ func processExtAuthPolicy( return nil, fmt.Errorf("failed to build extAuth: %v", err) } spec := &api.TrafficPolicySpec_ExternalAuth{ - Target: be, - Context: extAuth.ContextExtensions, + Target: be, + Protocol: &api.TrafficPolicySpec_ExternalAuth_Grpc{ + Grpc: &api.TrafficPolicySpec_ExternalAuth_GRPCProtocol{ + Context: extAuth.ContextExtensions, + }, + }, } if b := extAuth.ForwardBody; b != nil { spec.IncludeRequestBody = &api.TrafficPolicySpec_ExternalAuth_BodyOptions{ diff --git a/pkg/deployer/wellknown.go b/pkg/deployer/wellknown.go index 058ef443cfd..326242cc260 100644 --- a/pkg/deployer/wellknown.go +++ b/pkg/deployer/wellknown.go @@ -17,7 +17,7 @@ const ( AgentgatewayRegistry = "ghcr.io/agentgateway" // AgentgatewayDefaultTag is the default agentgateway image tag // Note: should be in sync with version in go.mod and test/deployer/testdata/* - AgentgatewayDefaultTag = "0.11.0-alpha.f45f1a94cdfa53d96e14301d59ac62200214cb9c" + AgentgatewayDefaultTag = "0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647" // SdsImage is the image of the sds container. SdsImage = "sds" // SdsContainerName is the name of the container in the proxy deployment for the SDS integration. diff --git a/pkg/kgateway/agentgatewaysyncer/testdata/outputs/trafficpolicy/extauth-gateway.yaml b/pkg/kgateway/agentgatewaysyncer/testdata/outputs/trafficpolicy/extauth-gateway.yaml index f0138b7a9cf..0de92d767c4 100644 --- a/pkg/kgateway/agentgatewaysyncer/testdata/outputs/trafficpolicy/extauth-gateway.yaml +++ b/pkg/kgateway/agentgatewaysyncer/testdata/outputs/trafficpolicy/extauth-gateway.yaml @@ -36,6 +36,7 @@ Policies: namespace: default traffic: extAuthz: + grpc: {} target: port: 4444 service: diff --git a/pkg/kgateway/agentgatewaysyncer/testdata/outputs/trafficpolicy/extauth-listener.yaml b/pkg/kgateway/agentgatewaysyncer/testdata/outputs/trafficpolicy/extauth-listener.yaml index 5929d70e64c..811b27a6316 100644 
--- a/pkg/kgateway/agentgatewaysyncer/testdata/outputs/trafficpolicy/extauth-listener.yaml +++ b/pkg/kgateway/agentgatewaysyncer/testdata/outputs/trafficpolicy/extauth-listener.yaml @@ -46,6 +46,7 @@ Policies: namespace: default traffic: extAuthz: + grpc: {} includeRequestBody: allowPartialMessage: true maxRequestBytes: 1024 diff --git a/pkg/kgateway/agentgatewaysyncer/testdata/outputs/trafficpolicy/extauth-route.yaml b/pkg/kgateway/agentgatewaysyncer/testdata/outputs/trafficpolicy/extauth-route.yaml index 52c6cec2f31..6df72ad9195 100644 --- a/pkg/kgateway/agentgatewaysyncer/testdata/outputs/trafficpolicy/extauth-route.yaml +++ b/pkg/kgateway/agentgatewaysyncer/testdata/outputs/trafficpolicy/extauth-route.yaml @@ -36,6 +36,7 @@ Policies: namespace: default traffic: extAuthz: + grpc: {} target: port: 4444 service: diff --git a/test/deployer/testdata/agentgateway-controller-but-custom-gatewayclass-out.yaml b/test/deployer/testdata/agentgateway-controller-but-custom-gatewayclass-out.yaml index 7de4b95b63f..933fe4c4b52 100644 --- a/test/deployer/testdata/agentgateway-controller-but-custom-gatewayclass-out.yaml +++ b/test/deployer/testdata/agentgateway-controller-but-custom-gatewayclass-out.yaml @@ -121,7 +121,7 @@ spec: fieldPath: metadata.namespace - name: GATEWAY value: gw - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.f45f1a94cdfa53d96e14301d59ac62200214cb9c + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 name: agent-gateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-custom-configmap-out.yaml b/test/deployer/testdata/agentgateway-custom-configmap-out.yaml index 967b20729a4..7092aeac71f 100644 --- a/test/deployer/testdata/agentgateway-custom-configmap-out.yaml +++ b/test/deployer/testdata/agentgateway-custom-configmap-out.yaml 
@@ -121,7 +121,7 @@ spec: value: agent-gateway - name: RUST_LOG value: debug - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.f45f1a94cdfa53d96e14301d59ac62200214cb9c + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 name: agent-gateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-env-out.yaml b/test/deployer/testdata/agentgateway-env-out.yaml index 9cb8083ac9d..afb4a0cf8a7 100644 --- a/test/deployer/testdata/agentgateway-env-out.yaml +++ b/test/deployer/testdata/agentgateway-env-out.yaml @@ -125,7 +125,7 @@ spec: value: $(GATEWAY) - name: TEST_OF_AVOIDING_VARIABLE_EXPANSION value: $$(GATEWAY) - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.f45f1a94cdfa53d96e14301d59ac62200214cb9c + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 name: agent-gateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-image-repo-only-out.yaml b/test/deployer/testdata/agentgateway-image-repo-only-out.yaml index 5bf992c2f04..5d82b3356b7 100644 --- a/test/deployer/testdata/agentgateway-image-repo-only-out.yaml +++ b/test/deployer/testdata/agentgateway-image-repo-only-out.yaml @@ -121,7 +121,7 @@ spec: fieldPath: metadata.namespace - name: GATEWAY value: gw - image: ghcr.io/agentgateway/custom-repo:0.11.0-alpha.f45f1a94cdfa53d96e14301d59ac62200214cb9c + image: ghcr.io/agentgateway/custom-repo:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 name: agent-gateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-infrastructure-out.yaml b/test/deployer/testdata/agentgateway-infrastructure-out.yaml index 588767b1685..92683cd230f 100644 --- a/test/deployer/testdata/agentgateway-infrastructure-out.yaml +++ b/test/deployer/testdata/agentgateway-infrastructure-out.yaml 
@@ -153,7 +153,7 @@ spec: fieldPath: metadata.namespace - name: GATEWAY value: gw - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.f45f1a94cdfa53d96e14301d59ac62200214cb9c + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 name: agent-gateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-logging-format-out.yaml b/test/deployer/testdata/agentgateway-logging-format-out.yaml index 7bcff1e19be..36d5e9b1046 100644 --- a/test/deployer/testdata/agentgateway-logging-format-out.yaml +++ b/test/deployer/testdata/agentgateway-logging-format-out.yaml @@ -123,7 +123,7 @@ spec: fieldPath: metadata.namespace - name: GATEWAY value: gw - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.f45f1a94cdfa53d96e14301d59ac62200214cb9c + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 name: agent-gateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-omitdefaultsecuritycontext-out.yaml b/test/deployer/testdata/agentgateway-omitdefaultsecuritycontext-out.yaml index 097aa13f3c3..8deb833ddfa 100644 --- a/test/deployer/testdata/agentgateway-omitdefaultsecuritycontext-out.yaml +++ b/test/deployer/testdata/agentgateway-omitdefaultsecuritycontext-out.yaml @@ -121,7 +121,7 @@ spec: fieldPath: metadata.namespace - name: GATEWAY value: gw - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.f45f1a94cdfa53d96e14301d59ac62200214cb9c + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 name: agent-gateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-omitdefaultsecuritycontext-ref-gwp-on-gw-out.yaml b/test/deployer/testdata/agentgateway-omitdefaultsecuritycontext-ref-gwp-on-gw-out.yaml index 097aa13f3c3..8deb833ddfa 100644 --- a/test/deployer/testdata/agentgateway-omitdefaultsecuritycontext-ref-gwp-on-gw-out.yaml 
+++ b/test/deployer/testdata/agentgateway-omitdefaultsecuritycontext-ref-gwp-on-gw-out.yaml @@ -121,7 +121,7 @@ spec: fieldPath: metadata.namespace - name: GATEWAY value: gw - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.f45f1a94cdfa53d96e14301d59ac62200214cb9c + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 name: agent-gateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-out.yaml b/test/deployer/testdata/agentgateway-out.yaml index 3ab224ebf6d..e484e329bed 100644 --- a/test/deployer/testdata/agentgateway-out.yaml +++ b/test/deployer/testdata/agentgateway-out.yaml @@ -121,7 +121,7 @@ spec: fieldPath: metadata.namespace - name: GATEWAY value: gw - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.f45f1a94cdfa53d96e14301d59ac62200214cb9c + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 name: agent-gateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-rawconfig-typed-conflict-out.yaml b/test/deployer/testdata/agentgateway-rawconfig-typed-conflict-out.yaml index 5c579ad8816..5a80038d0d7 100644 --- a/test/deployer/testdata/agentgateway-rawconfig-typed-conflict-out.yaml +++ b/test/deployer/testdata/agentgateway-rawconfig-typed-conflict-out.yaml @@ -125,7 +125,7 @@ spec: fieldPath: metadata.namespace - name: GATEWAY value: gw - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.f45f1a94cdfa53d96e14301d59ac62200214cb9c + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 name: agent-gateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-shutdown-out.yaml b/test/deployer/testdata/agentgateway-shutdown-out.yaml index ace6f003f32..aa808bae43b 100644 --- a/test/deployer/testdata/agentgateway-shutdown-out.yaml +++ b/test/deployer/testdata/agentgateway-shutdown-out.yaml 
@@ -121,7 +121,7 @@ spec: fieldPath: metadata.namespace - name: GATEWAY value: gw - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.f45f1a94cdfa53d96e14301d59ac62200214cb9c + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 name: agent-gateway ports: - containerPort: 15020 diff --git a/test/deployer/testdata/agentgateway-tls-out.yaml b/test/deployer/testdata/agentgateway-tls-out.yaml index 752d6e8aa89..03476a7f475 100644 --- a/test/deployer/testdata/agentgateway-tls-out.yaml +++ b/test/deployer/testdata/agentgateway-tls-out.yaml @@ -152,7 +152,7 @@ spec: fieldPath: metadata.namespace - name: GATEWAY value: gw - image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.f45f1a94cdfa53d96e14301d59ac62200214cb9c + image: ghcr.io/agentgateway/agentgateway:0.11.0-alpha.76b0afc55496e7027395a93a3ba1ceca4b832647 name: agent-gateway ports: - containerPort: 15020