envoyproxy · mathetake · Jan 29, 2025 · Jan 29, 2025 · Jan 29, 2025 · Jan 29, 2025
@@ -66,6 +66,8 @@ modelNameHeaderKey: x-ai-eg-model
 // From Envoy configuration perspective, configuring the header matching based on `x-ai-eg-selected-backend` is enough to route the request to the selected backend.
 // That is because the matching decision is made by the filter and the selected backend is populated in the header `x-ai-eg-selected-backend`.
 type Config struct {
+	// UUID is the unique identifier of the filter configuration assigned by the AI Gateway when the configuration is updated.
+	UUID string `json:"uuid,omitempty"`
 	// MetadataNamespace is the namespace of the dynamic metadata to be used by the filter.
 	MetadataNamespace string `json:"metadataNamespace"`
 	// LLMRequestCost configures the cost of each LLM-related request. Optional. If this is provided, the filter will populate

@@ -22,23 +22,10 @@ import (
 )
 
 const (
-	managedByLabel                                   = "app.kubernetes.io/managed-by"
-	expProcConfigFileName                            = "extproc-config.yaml"
-	k8sClientIndexBackendToReferencingAIGatewayRoute = "BackendToReferencingAIGatewayRoute"
+	managedByLabel        = "app.kubernetes.io/managed-by"
+	expProcConfigFileName = "extproc-config.yaml"
 )
 
-func aiGatewayRouteIndexFunc(o client.Object) []string {
-	aiGatewayRoute := o.(*aigv1a1.AIGatewayRoute)
-	var ret []string
-	for _, rule := range aiGatewayRoute.Spec.Rules {
-		for _, backend := range rule.BackendRefs {
-			key := fmt.Sprintf("%s.%s", backend.Name, aiGatewayRoute.Namespace)
-			ret = append(ret, key)
-		}
-	}
-	return ret
-}
-
 // aiGatewayRouteController implements [reconcile.TypedReconciler].
 //
 // This handles the AIGatewayRoute resource and creates the necessary resources for the external process.

@@ -10,7 +10,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
 	fake2 "k8s.io/client-go/kubernetes/fake"
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -144,50 +143,3 @@ func Test_applyExtProcDeploymentConfigUpdate(t *testing.T) {
 		require.Equal(t, int32(123), *dep.Replicas)
 	})
 }
-
-func Test_aiGatewayRouteIndexFunc(t *testing.T) {
-	scheme := runtime.NewScheme()
-	require.NoError(t, aigv1a1.AddToScheme(scheme))
-
-	c := fake.NewClientBuilder().
-		WithScheme(scheme).
-		WithIndex(&aigv1a1.AIGatewayRoute{}, k8sClientIndexBackendToReferencingAIGatewayRoute, aiGatewayRouteIndexFunc).
-		Build()
-
-	// Create a AIGatewayRoute.
-	aiGatewayRoute := &aigv1a1.AIGatewayRoute{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "myroute",
-			Namespace: "default",
-		},
-		Spec: aigv1a1.AIGatewayRouteSpec{
-			TargetRefs: []gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{
-				{LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{Name: "mytarget"}},
-				{LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{Name: "mytarget2"}},
-			},
-			Rules: []aigv1a1.AIGatewayRouteRule{
-				{
-					Matches: []aigv1a1.AIGatewayRouteRuleMatch{},
-					BackendRefs: []aigv1a1.AIGatewayRouteRuleBackendRef{
-						{Name: "backend1", Weight: 1},
-						{Name: "backend2", Weight: 1},
-					},
-				},
-			},
-		},
-	}
-	require.NoError(t, c.Create(context.Background(), aiGatewayRoute))
-
-	var aiGatewayRoutes aigv1a1.AIGatewayRouteList
-	err := c.List(context.Background(), &aiGatewayRoutes,
-		client.MatchingFields{k8sClientIndexBackendToReferencingAIGatewayRoute: "backend1.default"})
-	require.NoError(t, err)
-	require.Len(t, aiGatewayRoutes.Items, 1)
-	require.Equal(t, aiGatewayRoute.Name, aiGatewayRoutes.Items[0].Name)
-
-	err = c.List(context.Background(), &aiGatewayRoutes,
-		client.MatchingFields{k8sClientIndexBackendToReferencingAIGatewayRoute: "backend2.default"})
-	require.NoError(t, err)
-	require.Len(t, aiGatewayRoutes.Items, 1)
-	require.Equal(t, aiGatewayRoute.Name, aiGatewayRoutes.Items[0].Name)
-}
@@ -2,7 +2,6 @@ package controller
 
 import (
 	"context"
-	"fmt"
 
 	"github.com/go-logr/logr"
 	"k8s.io/client-go/kubernetes"
@@ -13,10 +12,6 @@ import (
 	aigv1a1 "github.com/envoyproxy/ai-gateway/api/v1alpha1"
 )
 
-const (
-	k8sClientIndexBackendSecurityPolicyToReferencingAIServiceBackend = "BackendSecurityPolicyToReferencingAIServiceBackend"
-)
-
 // aiBackendController implements [reconcile.TypedReconciler] for [aigv1a1.AIServiceBackend].
 //
 // This handles the AIServiceBackend resource and sends it to the config sink so that it can modify the configuration together with the state of other resources.
@@ -52,12 +47,3 @@ func (l *aiBackendController) Reconcile(ctx context.Context, req reconcile.Reque
 	l.eventChan <- aiBackend.DeepCopy()
 	return ctrl.Result{}, nil
 }
-
-func aiServiceBackendIndexFunc(o client.Object) []string {
-	aiServiceBackend := o.(*aigv1a1.AIServiceBackend)
-	var ret []string
-	if ref := aiServiceBackend.Spec.BackendSecurityPolicyRef; ref != nil {
-		ret = append(ret, fmt.Sprintf("%s.%s", ref.Name, aiServiceBackend.Namespace))
-	}
-	return ret
-}
@@ -94,6 +94,13 @@ func StartControllers(ctx context.Context, config *rest.Config, logger logr.Logg
 		return fmt.Errorf("failed to create controller for BackendSecurityPolicy: %w", err)
 	}
 
+	secretC := NewSecretController(c, kubernetes.NewForConfigOrDie(config), logger, sinkChan)
+	if err = ctrl.NewControllerManagedBy(mgr).
+		For(&corev1.Secret{}).
+		Complete(secretC); err != nil {
+		return fmt.Errorf("failed to create controller for Secret: %w", err)
+	}
+
 	sink := newConfigSink(c, kubernetes.NewForConfigOrDie(config), logger, sinkChan, options.ExtProcImage)
 
 	// Before starting the manager, initialize the config sink to sync all AIServiceBackend and AIGatewayRoute objects in the cluster.
@@ -109,6 +116,18 @@ func StartControllers(ctx context.Context, config *rest.Config, logger logr.Logg
 	return nil
 }
 
+const (
+	// k8sClientIndexSecretToReferencingBackendSecurityPolicy is the index name that maps
+	// from a Secret to the BackendSecurityPolicy that references it.
+	k8sClientIndexSecretToReferencingBackendSecurityPolicy = "SecretToReferencingBackendSecurityPolicy"
+	// k8sClientIndexBackendToReferencingAIGatewayRoute is the index name that maps from a Backend to the
+	// AIGatewayRoute that references it.
+	k8sClientIndexBackendToReferencingAIGatewayRoute = "BackendToReferencingAIGatewayRoute"
+	// k8sClientIndexBackendSecurityPolicyToReferencingAIServiceBackend is the index name that maps from a BackendSecurityPolicy
+	// to the AIServiceBackend that references it.
+	k8sClientIndexBackendSecurityPolicyToReferencingAIServiceBackend = "BackendSecurityPolicyToReferencingAIServiceBackend"
+)
+
 func applyIndexing(indexer client.FieldIndexer) error {
 	err := indexer.IndexField(context.Background(), &aigv1a1.AIGatewayRoute{},
 		k8sClientIndexBackendToReferencingAIGatewayRoute, aiGatewayRouteIndexFunc)
@@ -120,6 +139,55 @@ func applyIndexing(indexer client.FieldIndexer) error {
 	if err != nil {
 		return fmt.Errorf("failed to index field for AIServiceBackend: %w", err)
 	}
-
+	err = indexer.IndexField(context.Background(), &aigv1a1.BackendSecurityPolicy{},
+		k8sClientIndexSecretToReferencingBackendSecurityPolicy, backendSecurityPolicyIndexFunc)
+	if err != nil {
+		return fmt.Errorf("failed to index field for BackendSecurityPolicy: %w", err)
+	}
 	return nil
 }
+
+func aiGatewayRouteIndexFunc(o client.Object) []string {
+	aiGatewayRoute := o.(*aigv1a1.AIGatewayRoute)
+	var ret []string
+	for _, rule := range aiGatewayRoute.Spec.Rules {
+		for _, backend := range rule.BackendRefs {
+			key := fmt.Sprintf("%s.%s", backend.Name, aiGatewayRoute.Namespace)
+			ret = append(ret, key)
+		}
+	}
+	return ret
+}
+
+func aiServiceBackendIndexFunc(o client.Object) []string {
+	aiServiceBackend := o.(*aigv1a1.AIServiceBackend)
+	var ret []string
+	if ref := aiServiceBackend.Spec.BackendSecurityPolicyRef; ref != nil {
+		ret = append(ret, fmt.Sprintf("%s.%s", ref.Name, aiServiceBackend.Namespace))
+	}
+	return ret
+}
+
+func backendSecurityPolicyIndexFunc(o client.Object) []string {
+	backendSecurityPolicy := o.(*aigv1a1.BackendSecurityPolicy)
+	var key string
+	switch backendSecurityPolicy.Spec.Type {
+	case aigv1a1.BackendSecurityPolicyTypeAPIKey:
+		apiKey := backendSecurityPolicy.Spec.APIKey
+		key = getSecretNameAndNamespace(apiKey.SecretRef, backendSecurityPolicy.Namespace)
+	case aigv1a1.BackendSecurityPolicyTypeAWSCredentials:
+		awsCreds := backendSecurityPolicy.Spec.AWSCredentials
+		if awsCreds.CredentialsFile != nil {
+			key = getSecretNameAndNamespace(awsCreds.CredentialsFile.SecretRef, backendSecurityPolicy.Namespace)
+		}
+		// TODO: OIDC.
+	}
+	return []string{key}
+}
+
+func getSecretNameAndNamespace(secretRef *gwapiv1.SecretObjectReference, namespace string) string {
+	if secretRef.Namespace != nil {
+		return fmt.Sprintf("%s.%s", secretRef.Name, *secretRef.Namespace)
+	}
+	return fmt.Sprintf("%s.%s", secretRef.Name, namespace)
+}
@@ -0,0 +1,165 @@
+package controller
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/utils/ptr"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+	gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+
+	aigv1a1 "github.com/envoyproxy/ai-gateway/api/v1alpha1"
+)
+
+func Test_aiGatewayRouteIndexFunc(t *testing.T) {
+	scheme := runtime.NewScheme()
+	require.NoError(t, aigv1a1.AddToScheme(scheme))
+
+	c := fake.NewClientBuilder().
+		WithScheme(scheme).
+		WithIndex(&aigv1a1.AIGatewayRoute{}, k8sClientIndexBackendToReferencingAIGatewayRoute, aiGatewayRouteIndexFunc).
+		Build()
+
+	// Create a AIGatewayRoute.
+	aiGatewayRoute := &aigv1a1.AIGatewayRoute{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "myroute",
+			Namespace: "default",
+		},
+		Spec: aigv1a1.AIGatewayRouteSpec{
+			TargetRefs: []gwapiv1a2.LocalPolicyTargetReferenceWithSectionName{
+				{LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{Name: "mytarget"}},
+				{LocalPolicyTargetReference: gwapiv1a2.LocalPolicyTargetReference{Name: "mytarget2"}},
+			},
+			Rules: []aigv1a1.AIGatewayRouteRule{
+				{
+					Matches: []aigv1a1.AIGatewayRouteRuleMatch{},
+					BackendRefs: []aigv1a1.AIGatewayRouteRuleBackendRef{
+						{Name: "backend1", Weight: 1},
+						{Name: "backend2", Weight: 1},
+					},
+				},
+			},
+		},
+	}
+	require.NoError(t, c.Create(context.Background(), aiGatewayRoute))
+
+	var aiGatewayRoutes aigv1a1.AIGatewayRouteList
+	err := c.List(context.Background(), &aiGatewayRoutes,
+		client.MatchingFields{k8sClientIndexBackendToReferencingAIGatewayRoute: "backend1.default"})
+	require.NoError(t, err)
+	require.Len(t, aiGatewayRoutes.Items, 1)
+	require.Equal(t, aiGatewayRoute.Name, aiGatewayRoutes.Items[0].Name)
+
+	err = c.List(context.Background(), &aiGatewayRoutes,
+		client.MatchingFields{k8sClientIndexBackendToReferencingAIGatewayRoute: "backend2.default"})
+	require.NoError(t, err)
+	require.Len(t, aiGatewayRoutes.Items, 1)
+	require.Equal(t, aiGatewayRoute.Name, aiGatewayRoutes.Items[0].Name)
+}
+
+func Test_backendSecurityPolicyIndexFunc(t *testing.T) {
+	for _, bsp := range []struct {
+		name                  string
+		backendSecurityPolicy *aigv1a1.BackendSecurityPolicy
+		expKey                string
+	}{
+		{
+			name: "api key with namespace",
+			backendSecurityPolicy: &aigv1a1.BackendSecurityPolicy{
+				ObjectMeta: metav1.ObjectMeta{Name: "some-backend-security-policy-1", Namespace: "ns"},
+				Spec: aigv1a1.BackendSecurityPolicySpec{
+					Type: aigv1a1.BackendSecurityPolicyTypeAPIKey,
+					APIKey: &aigv1a1.BackendSecurityPolicyAPIKey{
+						SecretRef: &gwapiv1.SecretObjectReference{
+							Name:      "some-secret1",
+							Namespace: ptr.To[gwapiv1.Namespace]("foo"),
+						},
+					},
+				},
+			},
+			expKey: "some-secret1.foo",
+		},
+		{
+			name: "api key without namespace",
+			backendSecurityPolicy: &aigv1a1.BackendSecurityPolicy{
+				ObjectMeta: metav1.ObjectMeta{Name: "some-backend-security-policy-2", Namespace: "ns"},
+				Spec: aigv1a1.BackendSecurityPolicySpec{
+					Type: aigv1a1.BackendSecurityPolicyTypeAPIKey,
+					APIKey: &aigv1a1.BackendSecurityPolicyAPIKey{
+						SecretRef: &gwapiv1.SecretObjectReference{Name: "some-secret2"},
+					},
+				},
+			},
+			expKey: "some-secret2.ns",
+		},
+		{
+			name: "aws credentials with namespace",
+			backendSecurityPolicy: &aigv1a1.BackendSecurityPolicy{
+				ObjectMeta: metav1.ObjectMeta{Name: "some-backend-security-policy-3", Namespace: "ns"},
+				Spec: aigv1a1.BackendSecurityPolicySpec{
+					Type: aigv1a1.BackendSecurityPolicyTypeAWSCredentials,
+					AWSCredentials: &aigv1a1.BackendSecurityPolicyAWSCredentials{
+						CredentialsFile: &aigv1a1.AWSCredentialsFile{
+							SecretRef: &gwapiv1.SecretObjectReference{
+								Name: "some-secret3", Namespace: ptr.To[gwapiv1.Namespace]("foo"),
+							},
+						},
+					},
+				},
+			},
+			expKey: "some-secret3.foo",
+		},
+		{
+			name: "aws credentials without namespace",
+			backendSecurityPolicy: &aigv1a1.BackendSecurityPolicy{
+				ObjectMeta: metav1.ObjectMeta{Name: "some-backend-security-policy-4", Namespace: "ns"},
+				Spec: aigv1a1.BackendSecurityPolicySpec{
+					Type: aigv1a1.BackendSecurityPolicyTypeAWSCredentials,
+					AWSCredentials: &aigv1a1.BackendSecurityPolicyAWSCredentials{
+						CredentialsFile: &aigv1a1.AWSCredentialsFile{
+							SecretRef: &gwapiv1.SecretObjectReference{Name: "some-secret4"},
+						},
+					},
+				},
+			},
+			expKey: "some-secret4.ns",
+		},
+	} {
+		t.Run(bsp.name, func(t *testing.T) {
+			scheme := runtime.NewScheme()
+			require.NoError(t, aigv1a1.AddToScheme(scheme))
+
+			c := fake.NewClientBuilder().
+				WithScheme(scheme).
+				WithIndex(&aigv1a1.BackendSecurityPolicy{}, k8sClientIndexSecretToReferencingBackendSecurityPolicy, backendSecurityPolicyIndexFunc).
+				Build()
+
+			require.NoError(t, c.Create(context.Background(), bsp.backendSecurityPolicy))
+
+			var backendSecurityPolicies aigv1a1.BackendSecurityPolicyList
+			err := c.List(context.Background(), &backendSecurityPolicies,
+				client.MatchingFields{k8sClientIndexSecretToReferencingBackendSecurityPolicy: bsp.expKey})
+			require.NoError(t, err)
+
+			require.Len(t, backendSecurityPolicies.Items, 1)
+			require.Equal(t, bsp.backendSecurityPolicy.Name, backendSecurityPolicies.Items[0].Name)
+			require.Equal(t, bsp.backendSecurityPolicy.Namespace, backendSecurityPolicies.Items[0].Namespace)
+		})
+	}
+}
+
+func Test_getSecretNameAndNamespace(t *testing.T) {
+	secretRef := &gwapiv1.SecretObjectReference{
+		Name:      "mysecret",
+		Namespace: ptr.To[gwapiv1.Namespace]("default"),
+	}
+	require.Equal(t, "mysecret.default", getSecretNameAndNamespace(secretRef, "foo"))
+	secretRef.Namespace = nil
+	require.Equal(t, "mysecret.foo", getSecretNameAndNamespace(secretRef, "foo"))
+}