diff --git a/api/v1alpha1/api.go b/api/v1alpha1/api.go index bf296b81..9d94a889 100644 --- a/api/v1alpha1/api.go +++ b/api/v1alpha1/api.go @@ -145,7 +145,7 @@ const ( LLMModelHeaderKey = "x-envoy-ai-gateway-llm-model" ) -// LLMProviderType specifies the type of the LLMProviderPolicy. +// LLMProviderType specifies the type of the LLMSecurityPolicy. type LLMProviderType string const ( @@ -154,15 +154,15 @@ const ( // +kubebuilder:object:root=true -// LLMProviderPolicy specifies the provider specific configuration. -type LLMProviderPolicy struct { +// LLMSecurityPolicy specifies the provider specific configuration. +type LLMSecurityPolicy struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - Spec LLMProviderPolicySpec `json:"spec,omitempty"` + Spec LLMSecurityPolicySpec `json:"spec,omitempty"` } -// LLMProviderPolicySpec specifies a provider (e.g.AWS Bedrock, Azure etc.) specific-configuration like auth -type LLMProviderPolicySpec struct { +// LLMSecurityPolicySpec specifies a provider (e.g.AWS Bedrock, Azure etc.) specific-configuration like auth +type LLMSecurityPolicySpec struct { // BackendRefs lists the LLMBackends that this provider policy will apply // The namespace is "local", i.e. the same namespace as the LLMRoute. // @@ -180,11 +180,11 @@ type LLMProviderPolicySpec struct { // +kubebuilder:object:root=true -// LLMProviderPolicyList contains a list of LLMProviderPolicy -type LLMProviderPolicyList struct { +// LLMSecurityPolicyList contains a list of LLMSecurityPolicy +type LLMSecurityPolicyList struct { metav1.TypeMeta `json:",inline"` metav1.ListMeta `json:"metadata,omitempty"` - Items []LLMProviderPolicy `json:"items"` + Items []LLMSecurityPolicy `json:"items"` } // LLMProviderAPIKey specifies the API key. @@ -207,10 +207,6 @@ type LLMProviderAPIKey struct { // // +optional Inline *string `json:"inline,omitempty"` - - // BackendRefs lists the LLMBackends that this API Key will apply - // - BackendRefs []egv1a1.BackendRef `json:"backendRefs"` } // LLMProviderAPIKeyType specifies the type of LLMProviderAPIKey. diff --git a/api/v1alpha1/registry.go b/api/v1alpha1/registry.go index 6df967b9..ed238bca 100644 --- a/api/v1alpha1/registry.go +++ b/api/v1alpha1/registry.go @@ -8,7 +8,7 @@ import ( func init() { SchemeBuilder.Register(&LLMRoute{}, &LLMRouteList{}) SchemeBuilder.Register(&LLMBackend{}, &LLMBackendList{}) - SchemeBuilder.Register(&LLMProviderPolicy{}, &LLMProviderPolicyList{}) + SchemeBuilder.Register(&LLMSecurityPolicy{}, &LLMSecurityPolicyList{}) } const GroupName = "aigateway.envoyproxy.io" diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index d7eb36f0..ecf06146 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -113,13 +113,6 @@ func (in *LLMProviderAPIKey) DeepCopyInto(out *LLMProviderAPIKey) { *out = new(string) **out = **in } - if in.BackendRefs != nil { - in, out := &in.BackendRefs, &out.BackendRefs - *out = make([]apiv1alpha1.BackendRef, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LLMProviderAPIKey. @@ -133,25 +126,25 @@ func (in *LLMProviderAPIKey) DeepCopy() *LLMProviderAPIKey { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *LLMProviderPolicy) DeepCopyInto(out *LLMProviderPolicy) { +func (in *LLMRoute) DeepCopyInto(out *LLMRoute) { *out = *in out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LLMProviderPolicy. -func (in *LLMProviderPolicy) DeepCopy() *LLMProviderPolicy { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LLMRoute. +func (in *LLMRoute) DeepCopy() *LLMRoute { if in == nil { return nil } - out := new(LLMProviderPolicy) + out := new(LLMRoute) in.DeepCopyInto(out) return out } // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *LLMProviderPolicy) DeepCopyObject() runtime.Object { +func (in *LLMRoute) DeepCopyObject() runtime.Object { if c := in.DeepCopy(); c != nil { return c } @@ -159,31 +152,31 @@ func (in *LLMProviderPolicy) DeepCopyObject() runtime.Object { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *LLMProviderPolicyList) DeepCopyInto(out *LLMProviderPolicyList) { +func (in *LLMRouteList) DeepCopyInto(out *LLMRouteList) { *out = *in out.TypeMeta = in.TypeMeta in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]LLMProviderPolicy, len(*in)) + *out = make([]LLMRoute, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LLMProviderPolicyList. -func (in *LLMProviderPolicyList) DeepCopy() *LLMProviderPolicyList { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LLMRouteList. +func (in *LLMRouteList) DeepCopy() *LLMRouteList { if in == nil { return nil } - out := new(LLMProviderPolicyList) + out := new(LLMRouteList) in.DeepCopyInto(out) return out } // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *LLMProviderPolicyList) DeepCopyObject() runtime.Object { +func (in *LLMRouteList) DeepCopyObject() runtime.Object { if c := in.DeepCopy(); c != nil { return c } @@ -191,52 +184,42 @@ func (in *LLMProviderPolicyList) DeepCopyObject() runtime.Object { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *LLMProviderPolicySpec) DeepCopyInto(out *LLMProviderPolicySpec) { +func (in *LLMRouteSpec) DeepCopyInto(out *LLMRouteSpec) { *out = *in - if in.BackendRefs != nil { - in, out := &in.BackendRefs, &out.BackendRefs - *out = make([]apiv1alpha1.BackendRef, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.APIKey != nil { - in, out := &in.APIKey, &out.APIKey - *out = new(LLMProviderAPIKey) - (*in).DeepCopyInto(*out) - } + out.APISchema = in.APISchema + in.HTTPRoute.DeepCopyInto(&out.HTTPRoute) } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LLMProviderPolicySpec. -func (in *LLMProviderPolicySpec) DeepCopy() *LLMProviderPolicySpec { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LLMRouteSpec. +func (in *LLMRouteSpec) DeepCopy() *LLMRouteSpec { if in == nil { return nil } - out := new(LLMProviderPolicySpec) + out := new(LLMRouteSpec) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *LLMRoute) DeepCopyInto(out *LLMRoute) { +func (in *LLMSecurityPolicy) DeepCopyInto(out *LLMSecurityPolicy) { *out = *in out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LLMRoute. -func (in *LLMRoute) DeepCopy() *LLMRoute { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LLMSecurityPolicy. +func (in *LLMSecurityPolicy) DeepCopy() *LLMSecurityPolicy { if in == nil { return nil } - out := new(LLMRoute) + out := new(LLMSecurityPolicy) in.DeepCopyInto(out) return out } // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *LLMRoute) DeepCopyObject() runtime.Object { +func (in *LLMSecurityPolicy) DeepCopyObject() runtime.Object { if c := in.DeepCopy(); c != nil { return c } @@ -244,31 +227,31 @@ func (in *LLMRoute) DeepCopyObject() runtime.Object { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *LLMRouteList) DeepCopyInto(out *LLMRouteList) { +func (in *LLMSecurityPolicyList) DeepCopyInto(out *LLMSecurityPolicyList) { *out = *in out.TypeMeta = in.TypeMeta in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]LLMRoute, len(*in)) + *out = make([]LLMSecurityPolicy, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LLMRouteList. -func (in *LLMRouteList) DeepCopy() *LLMRouteList { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LLMSecurityPolicyList. +func (in *LLMSecurityPolicyList) DeepCopy() *LLMSecurityPolicyList { if in == nil { return nil } - out := new(LLMRouteList) + out := new(LLMSecurityPolicyList) in.DeepCopyInto(out) return out } // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *LLMRouteList) DeepCopyObject() runtime.Object { +func (in *LLMSecurityPolicyList) DeepCopyObject() runtime.Object { if c := in.DeepCopy(); c != nil { return c } @@ -276,18 +259,28 @@ func (in *LLMRouteList) DeepCopyObject() runtime.Object { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *LLMRouteSpec) DeepCopyInto(out *LLMRouteSpec) { +func (in *LLMSecurityPolicySpec) DeepCopyInto(out *LLMSecurityPolicySpec) { *out = *in - out.APISchema = in.APISchema - in.HTTPRoute.DeepCopyInto(&out.HTTPRoute) + if in.BackendRefs != nil { + in, out := &in.BackendRefs, &out.BackendRefs + *out = make([]apiv1alpha1.BackendRef, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.APIKey != nil { + in, out := &in.APIKey, &out.APIKey + *out = new(LLMProviderAPIKey) + (*in).DeepCopyInto(*out) + } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LLMRouteSpec. -func (in *LLMRouteSpec) DeepCopy() *LLMRouteSpec { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LLMSecurityPolicySpec. +func (in *LLMSecurityPolicySpec) DeepCopy() *LLMSecurityPolicySpec { if in == nil { return nil } - out := new(LLMRouteSpec) + out := new(LLMSecurityPolicySpec) in.DeepCopyInto(out) return out } diff --git a/manifests/charts/ai-gateway-helm/crds/aigateway.envoyproxy.io_llmproviderpolicies.yaml b/manifests/charts/ai-gateway-helm/crds/aigateway.envoyproxy.io_llmsecuritypolicies.yaml similarity index 64% rename from manifests/charts/ai-gateway-helm/crds/aigateway.envoyproxy.io_llmproviderpolicies.yaml rename to manifests/charts/ai-gateway-helm/crds/aigateway.envoyproxy.io_llmsecuritypolicies.yaml index 61b225a3..a6157076 100644 --- a/manifests/charts/ai-gateway-helm/crds/aigateway.envoyproxy.io_llmproviderpolicies.yaml +++ b/manifests/charts/ai-gateway-helm/crds/aigateway.envoyproxy.io_llmsecuritypolicies.yaml @@ -4,20 +4,20 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.16.2 - name: llmproviderpolicies.aigateway.envoyproxy.io + name: llmsecuritypolicies.aigateway.envoyproxy.io spec: group: aigateway.envoyproxy.io names: - kind: LLMProviderPolicy - listKind: LLMProviderPolicyList - plural: llmproviderpolicies - singular: llmproviderpolicy + kind: LLMSecurityPolicy + listKind: LLMSecurityPolicyList + plural: llmsecuritypolicies + singular: llmsecuritypolicy scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: - description: LLMProviderPolicy specifies the provider specific configuration. + description: LLMSecurityPolicy specifies the provider specific configuration. properties: apiVersion: description: |- @@ -37,97 +37,13 @@ spec: metadata: type: object spec: - description: LLMProviderPolicySpec specifies a provider (e.g.AWS Bedrock, + description: LLMSecurityPolicySpec specifies a provider (e.g.AWS Bedrock, Azure etc.) specific-configuration like auth properties: apiKey: description: APIKey specific configuration. The API key will be injected into the Authorization header. properties: - backendRefs: - description: BackendRefs lists the LLMBackends that this API Key - will apply - items: - description: BackendRef defines how an ObjectReference that - is specific to BackendRef. - properties: - fallback: - description: |- - Fallback indicates whether the backend is designated as a fallback. - Multiple fallback backends can be configured. - It is highly recommended to configure active or passive health checks to ensure that failover can be detected - when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again. - The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when - the health of the active backends falls below 72%. - type: boolean - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Service - description: |- - Kind is the Kubernetes resource kind of the referent. For example - "Service". - - Defaults to "Service" when not specified. - - ExternalName services can refer to CNAME DNS records that may live - outside of the cluster and as such are difficult to reason about in - terms of conformance. They also may not be safe to forward to (see - CVE-2021-25740 for more information). Implementations SHOULD NOT - support ExternalName Services. - - Support: Core (Services with a type other than ExternalName) - - Support: Implementation-specific (Services with type ExternalName) - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the backend. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. - - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - port: - description: |- - Port specifies the destination port number to use for this resource. - Port is required when the referent is a Kubernetes Service. In this - case, the port number is the service port number, not the target port. - For other resources, destination port might be derived from the referent - resource or this field. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - name - type: object - x-kubernetes-validations: - - message: Must have port for Service reference - rule: '(size(self.group) == 0 && self.kind == ''Service'') - ? has(self.port) : true' - type: array inline: description: Inline specifies the inline API key. type: string @@ -185,7 +101,6 @@ spec: - Inline type: string required: - - backendRefs - type type: object backendRefs: diff --git a/tests/cel-validation/main_test.go b/tests/cel-validation/main_test.go index 6311c15d..1cf7d369 100644 --- a/tests/cel-validation/main_test.go +++ b/tests/cel-validation/main_test.go @@ -37,7 +37,7 @@ func runTest(m *testing.M) int { for _, crd := range []string{ "aigateway.envoyproxy.io_llmroutes.yaml", "aigateway.envoyproxy.io_llmbackends.yaml", - "aigateway.envoyproxy.io_llmproviderpolicies.yaml", + "aigateway.envoyproxy.io_llmsecuritypolicies.yaml", } { crds = append(crds, filepath.Join(base, crd)) } @@ -136,7 +136,7 @@ func TestLLMBackends(t *testing.T) { } } -func TestLLMProviderPolicy(t *testing.T) { +func TestLLMSecurityPolicies(t *testing.T) { ctx, cancel := context.WithDeadline(context.Background(), time.Now().Add(30*time.Second)) defer cancel() @@ -151,18 +151,18 @@ func TestLLMProviderPolicy(t *testing.T) { }, } { t.Run(tc.name, func(t *testing.T) { - data, err := tests.ReadFile(path.Join("testdata/llmproviderpolicies", tc.name)) + data, err := tests.ReadFile(path.Join("testdata/llmsecuritypolicies", tc.name)) require.NoError(t, err) - llmProviderPolicy := &aigv1a1.LLMProviderPolicy{} - err = yaml.UnmarshalStrict(data, llmProviderPolicy) + llmSecurityPolicy := &aigv1a1.LLMSecurityPolicy{} + err = yaml.UnmarshalStrict(data, llmSecurityPolicy) require.NoError(t, err) if tc.expErr != "" { - require.ErrorContains(t, c.Create(ctx, llmProviderPolicy), tc.expErr) + require.ErrorContains(t, c.Create(ctx, llmSecurityPolicy), tc.expErr) } else { - require.NoError(t, c.Create(ctx, llmProviderPolicy)) - require.NoError(t, c.Delete(ctx, llmProviderPolicy)) + require.NoError(t, c.Create(ctx, llmSecurityPolicy)) + require.NoError(t, c.Delete(ctx, llmSecurityPolicy)) } }) } diff --git a/tests/cel-validation/testdata/llmproviderpolicies/basic.yaml b/tests/cel-validation/testdata/llmsecuritypolicies/basic.yaml similarity index 100% rename from tests/cel-validation/testdata/llmproviderpolicies/basic.yaml rename to tests/cel-validation/testdata/llmsecuritypolicies/basic.yaml diff --git a/tests/cel-validation/testdata/llmproviderpolicies/unknown_provider.yaml b/tests/cel-validation/testdata/llmsecuritypolicies/unknown_provider.yaml similarity index 100% rename from tests/cel-validation/testdata/llmproviderpolicies/unknown_provider.yaml rename to tests/cel-validation/testdata/llmsecuritypolicies/unknown_provider.yaml