drop inline and static key + add backendref in backendsecuritypolicy

Signed-off-by: Aaron Choo <achoo30@bloomberg.net>

api/v1alpha1/api.go

@@ -186,24 +186,25 @@ type BackendSecurityPolicy struct {
 	Spec              BackendSecurityPolicySpec `json:"spec,omitempty"`
 }
 
-// BackendSecurityPolicySpec specifies authentication and authorization rules on access the provider from the Gateway.
+// BackendSecurityPolicySpec specifies authentication rules on access the provider from the Gateway.
 type BackendSecurityPolicySpec struct {
-	// Type specifies the auth mechanism used to access the provider. Currently, only "APIKey", "StaticKey", AND "OIDC" are supported.
+	// Type specifies the auth mechanism used to access the provider. Currently, only "APIKey", AND "OIDC" are supported.
 	//
-	// +kubebuilder:validation:Enum=APIKey;StaticKey;OIDC
+	// +kubebuilder:validation:Enum=APIKey;OIDC
 	Type LLMProviderAuthenticationType `json:"type"`
 
+	// BackendRefs are refs of the backends that this BackendSecurityPolicy corresponds to.
+	//
+	// +optional
+	BackendRefs []egv1a1.BackendRef `json:"backendSecurityPolicyRefs,omitempty"`
+
 	// APIKey specific configuration. The API key will be injected into the Authorization header.
 	// +optional
 	APIKey *LLMProviderAPIKey `json:"apiKey,omitempty"`
 
 	// OIDC tokens are retrieved from the following configuration. The token and backend type will determine how Authorization is configured.
 	// +optional
 	OIDC *egv1a1.OIDC `json:"oidc,omitempty"`
-
-	// StaticKey specific configuration. The Static Key and backend type will determine how Authorization is handled.
-	// +optional
-	StaticKey *LLMProviderStaticKey `json:"staticKey,omitempty"`
 }
 
 // +kubebuilder:object:root=true
@@ -217,17 +218,19 @@ type BackendSecurityPolicyList struct {
 
 // LLMProviderAPIKey specifies the API key.
 type LLMProviderAPIKey struct {
-	// Type specifies the type of the API key. Currently, "SecretRef" and "Inline" are supported.
+	// Type specifies the type of the API key. Currently, "SecretRef" is supported.
 	// This defaults to "SecretRef".
 	//
-	// +kubebuilder:validation:Enum=SecretRef;Inline
+	// +kubebuilder:validation:Enum=SecretRef
 	// +kubebuilder:default=SecretRef
 	Type LLMProviderAPIKeyType `json:"type"`
 
 	// SecretRef is the reference to the secret containing the API key.
 	// ai-gateway must be given the permission to read this secret.
 	// The key of the secret should be "apiKey".
 	//
+	// For AWS specifically, the access key should be stored as "accessKey" and secret key as "secretKey".
+	//
 	// +optional
 	SecretRef *gwapiv1.SecretObjectReference `json:"secretRef"`
 
@@ -239,14 +242,3 @@ type LLMProviderAPIKey struct {
 
 // LLMProviderAPIKeyType specifies the type of LLMProviderAPIKey.
 type LLMProviderAPIKeyType string
-
-// LLMProviderStaticKey specifies the static access key and secret key.
-type LLMProviderStaticKey struct {
-	// AccessKey is the static access key.
-	AccessKey *string `json:"accessKey,omitempty"`
-
-	// SecretRef is the reference to the secret containing the static secret key.
-	// ai-gateway must be given the permission to read this secret.
-	// The key of the secret should be "secretKey".
-	SecretRef *gwapiv1.SecretObjectReference `json:"secretRef"`
-}

manifests/charts/ai-gateway-helm/crds/aigateway.envoyproxy.io_backendsecuritypolicies.yaml

@@ -39,8 +39,8 @@ spec:
           metadata:
             type: object
           spec:
-            description: BackendSecurityPolicySpec specifies authentication and authorization
-              rules on access the provider from the Gateway.
+            description: BackendSecurityPolicySpec specifies authentication rules
+              on access the provider from the Gateway.
             properties:
               apiKey:
                 description: APIKey specific configuration. The API key will be injected
@@ -54,6 +54,8 @@ spec:
                       SecretRef is the reference to the secret containing the API key.
                       ai-gateway must be given the permission to read this secret.
                       The key of the secret should be "apiKey".
+
+                      For AWS specifically, the access key should be stored as "accessKey" and secret key as "secretKey".
                     properties:
                       group:
                         default: ""
@@ -96,15 +98,98 @@ spec:
                   type:
                     default: SecretRef
                     description: |-
-                      Type specifies the type of the API key. Currently, "SecretRef" and "Inline" are supported.
+                      Type specifies the type of the API key. Currently, "SecretRef" is supported.
                       This defaults to "SecretRef".
                     enum:
                     - SecretRef
-                    - Inline
                     type: string
                 required:
                 - type
                 type: object
+              backendSecurityPolicyRefs:
+                description: BackendRefs are refs of the backends that this BackendSecurityPolicy
+                  corresponds to.
+                items:
+                  description: BackendRef defines how an ObjectReference that is specific
+                    to BackendRef.
+                  properties:
+                    fallback:
+                      description: |-
+                        Fallback indicates whether the backend is designated as a fallback.
+                        Multiple fallback backends can be configured.
+                        It is highly recommended to configure active or passive health checks to ensure that failover can be detected
+                        when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
+                        The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
+                        the health of the active backends falls below 72%.
+                      type: boolean
+                    group:
+                      default: ""
+                      description: |-
+                        Group is the group of the referent. For example, "gateway.networking.k8s.io".
+                        When unspecified or empty string, core API group is inferred.
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      default: Service
+                      description: |-
+                        Kind is the Kubernetes resource kind of the referent. For example
+                        "Service".
+
+                        Defaults to "Service" when not specified.
+
+                        ExternalName services can refer to CNAME DNS records that may live
+                        outside of the cluster and as such are difficult to reason about in
+                        terms of conformance. They also may not be safe to forward to (see
+                        CVE-2021-25740 for more information). Implementations SHOULD NOT
+                        support ExternalName Services.
+
+                        Support: Core (Services with a type other than ExternalName)
+
+                        Support: Implementation-specific (Services with type ExternalName)
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: Name is the name of the referent.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: |-
+                        Namespace is the namespace of the backend. When unspecified, the local
+                        namespace is inferred.
+
+                        Note that when a namespace different than the local namespace is specified,
+                        a ReferenceGrant object is required in the referent namespace to allow that
+                        namespace's owner to accept the reference. See the ReferenceGrant
+                        documentation for details.
+
+                        Support: Core
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                      type: string
+                    port:
+                      description: |-
+                        Port specifies the destination port number to use for this resource.
+                        Port is required when the referent is a Kubernetes Service. In this
+                        case, the port number is the service port number, not the target port.
+                        For other resources, destination port might be derived from the referent
+                        resource or this field.
+                      format: int32
+                      maximum: 65535
+                      minimum: 1
+                      type: integer
+                  required:
+                  - name
+                  type: object
+                  x-kubernetes-validations:
+                  - message: Must have port for Service reference
+                    rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port)
+                      : true'
+                type: array
               oidc:
                 description: OIDC tokens are retrieved from the following configuration.
                   The token and backend type will determine how Authorization is configured.
@@ -1138,67 +1223,11 @@ spec:
                 - clientSecret
                 - provider
                 type: object
-              staticKey:
-                description: StaticKey specific configuration. The Static Key and
-                  backend type will determine how Authorization is handled.
-                properties:
-                  accessKey:
-                    description: AccessKey is the static access key.
-                    type: string
-                  secretRef:
-                    description: |-
-                      SecretRef is the reference to the secret containing the static secret key.
-                      ai-gateway must be given the permission to read this secret.
-                      The key of the secret should be "secretKey".
-                    properties:
-                      group:
-                        default: ""
-                        description: |-
-                          Group is the group of the referent. For example, "gateway.networking.k8s.io".
-                          When unspecified or empty string, core API group is inferred.
-                        maxLength: 253
-                        pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                        type: string
-                      kind:
-                        default: Secret
-                        description: Kind is kind of the referent. For example "Secret".
-                        maxLength: 63
-                        minLength: 1
-                        pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
-                        type: string
-                      name:
-                        description: Name is the name of the referent.
-                        maxLength: 253
-                        minLength: 1
-                        type: string
-                      namespace:
-                        description: |-
-                          Namespace is the namespace of the referenced object. When unspecified, the local
-                          namespace is inferred.
-
-                          Note that when a namespace different than the local namespace is specified,
-                          a ReferenceGrant object is required in the referent namespace to allow that
-                          namespace's owner to accept the reference. See the ReferenceGrant
-                          documentation for details.
-
-                          Support: Core
-                        maxLength: 63
-                        minLength: 1
-                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
-                        type: string
-                    required:
-                    - name
-                    type: object
-                required:
-                - secretRef
-                type: object
               type:
                 description: Type specifies the auth mechanism used to access the
-                  provider. Currently, only "APIKey", "StaticKey", AND "OIDC" are
-                  supported.
+                  provider. Currently, only "APIKey", AND "OIDC" are supported.
                 enum:
                 - APIKey
-                - StaticKey
                 - OIDC
                 type: string
             required:

tests/cel-validation/main_test.go

@@ -147,7 +147,7 @@ func TestBackendSecurityPolicies(t *testing.T) {
 		{name: "basic.yaml"},
 		{
 			name:   "unknown_provider.yaml",
-			expErr: "spec.type: Unsupported value: \"UnknownType\": supported values: \"APIKey\", \"StaticKey\", \"OIDC\"",
+			expErr: "spec.type: Unsupported value: \"UnknownType\": supported values: \"APIKey\", \"OIDC\"",
 		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {