kgateway-dev · jenshu · Jun 4, 2025 · May 10, 2025 · May 10, 2025 · May 10, 2025
diff --git a/.github/workflows/pr-kubernetes-tests.yaml b/.github/workflows/pr-kubernetes-tests.yaml
@@ -39,7 +39,7 @@ jobs:
         # May 19, 2025: ~18 minutes
         - cluster-name: 'cluster-three'
           go-test-args: '-v -timeout=25m'
-          go-test-run-regex: '^TestKgateway$$/^Deployer$$|^TestKgateway$$/^RouteDelegation$$|^TestKgateway$$/^Lambda$$|^TestKgateway$$/^AccessLog$$|^TestKgateway$$/^LocalRateLimit$$|^TestKgateway$$/^Cors$$|^TestKgateway$$/^BackendConfigPolicy$$'
+          go-test-run-regex: '^TestKgateway$$/^DynamicForwardProxy$$|^TestKgateway$$/^Deployer$$|^TestKgateway$$/^RouteDelegation$$|^TestKgateway$$/^Lambda$$|^TestKgateway$$/^AccessLog$$|^TestKgateway$$/^LocalRateLimit$$|^TestKgateway$$/^Cors$$|^TestKgateway$$/^BackendConfigPolicy$$'
           localstack: 'true'
         # May 19, 2025: ~20 minutes
         - cluster-name: 'cluster-four'

diff --git a/api/applyconfiguration/api/v1alpha1/backendspec.go b/api/applyconfiguration/api/v1alpha1/backendspec.go
diff --git a/api/applyconfiguration/api/v1alpha1/dynamicforwardproxybackend.go b/api/applyconfiguration/api/v1alpha1/dynamicforwardproxybackend.go
diff --git a/api/applyconfiguration/internal/internal.go b/api/applyconfiguration/internal/internal.go
diff --git a/api/applyconfiguration/utils.go b/api/applyconfiguration/utils.go
diff --git a/api/v1alpha1/backend_types.go b/api/v1alpha1/backend_types.go
@@ -35,6 +35,8 @@ const (
 	BackendTypeAWS BackendType = "AWS"
 	// BackendTypeStatic is the type for static backends.
 	BackendTypeStatic BackendType = "Static"
+	// BackendTypeDynamicForwardProxy is the type for dynamic forward proxy backends.
+	BackendTypeDynamicForwardProxy BackendType = "DynamicForwardProxy"
 )
 
 // BackendSpec defines the desired state of Backend.
@@ -45,10 +47,12 @@ const (
 // +kubebuilder:validation:XValidation:message="aws backend must be specified when type is 'aws'",rule="!(!has(self.aws) && self.type == 'AWS')"
 // +kubebuilder:validation:XValidation:message="static backend must be nil if the type is not 'static'",rule="!(has(self.static) && self.type != 'Static')"
 // +kubebuilder:validation:XValidation:message="static backend must be specified when type is 'static'",rule="!(!has(self.static) && self.type == 'Static')"
+// +kubebuilder:validation:XValidation:message="dynamic forward proxy backend must be nil if the type is not 'dynamicForwardProxy'",rule="!(has(self.dynamicForwardProxy) && self.type != 'DynamicForwardProxy')"
+// +kubebuilder:validation:XValidation:message="dynamic forward proxy backend must be specified when type is 'dynamicForwardProxy'",rule="!(!has(self.dynamicForwardProxy) && self.type == 'DynamicForwardProxy')"
 type BackendSpec struct {
 	// Type indicates the type of the backend to be used.
 	// +unionDiscriminator
-	// +kubebuilder:validation:Enum=AI;AWS;Static
+	// +kubebuilder:validation:Enum=AI;AWS;Static;DynamicForwardProxy
 	// +kubebuilder:validation:Required
 	Type BackendType `json:"type"`
 	// AI is the AI backend configuration.
@@ -60,6 +64,18 @@ type BackendSpec struct {
 	// Static is the static backend configuration.
 	// +optional
 	Static *StaticBackend `json:"static,omitempty"`
+	// DynamicForwardProxy is the dynamic forward proxy backend configuration.
+	// +optional
+	DynamicForwardProxy *DynamicForwardProxyBackend `json:"dynamicForwardProxy,omitempty"`
+}
+
+// DynamicForwardProxyBackend is the dynamic forward proxy backend configuration.
+type DynamicForwardProxyBackend struct {
+	// EnableTls enables TLS. When true, the backend will be configured to use TLS. System CA will be used for validation.
+	// The hostname will be used for SNI and auto SAN validation.
+	// +optional
+	// +kubebuilder:validation:Optional
+	EnableTls bool `json:"enableTls,omitempty"`
 }
 
 // AwsBackend is the AWS backend configuration.

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/install/helm/kgateway-crds/templates/gateway.kgateway.dev_backends.yaml b/install/helm/kgateway-crds/templates/gateway.kgateway.dev_backends.yaml
@@ -519,6 +519,11 @@ spec:
                 required:
                 - accountId
                 type: object
+              dynamicForwardProxy:
+                properties:
+                  enableTls:
+                    type: boolean
+                type: object
               static:
                 properties:
                   hosts:
@@ -546,6 +551,7 @@ spec:
                 - AI
                 - AWS
                 - Static
+                - DynamicForwardProxy
                 type: string
             required:
             - type
@@ -563,6 +569,12 @@ spec:
               rule: '!(has(self.static) && self.type != ''Static'')'
             - message: static backend must be specified when type is 'static'
               rule: '!(!has(self.static) && self.type == ''Static'')'
+            - message: dynamic forward proxy backend must be nil if the type is not
+                'dynamicForwardProxy'
+              rule: '!(has(self.dynamicForwardProxy) && self.type != ''DynamicForwardProxy'')'
+            - message: dynamic forward proxy backend must be specified when type is
+                'dynamicForwardProxy'
+              rule: '!(!has(self.dynamicForwardProxy) && self.type == ''DynamicForwardProxy'')'
           status:
             properties:
               conditions:

diff --git a/internal/kgateway/extensions2/plugins/backend/dfp.go b/internal/kgateway/extensions2/plugins/backend/dfp.go
@@ -0,0 +1,75 @@
+package backend
+
+import (
+	"context"
+
+	envoy_config_cluster_v3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
+	envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+	envoy_dfp_cluster "github.com/envoyproxy/go-control-plane/envoy/extensions/clusters/dynamic_forward_proxy/v3"
+	envoydfp "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/dynamic_forward_proxy/v3"
+	"github.com/envoyproxy/go-control-plane/pkg/wellknown"
+
+	eiutils "github.com/kgateway-dev/kgateway/v2/internal/envoyinit/pkg/utils"
+
+	envoy_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
+
+	"github.com/kgateway-dev/kgateway/v2/api/v1alpha1"
+	"github.com/kgateway-dev/kgateway/v2/internal/kgateway/utils"
+)
+
+var (
+	dfpFilterConfig = &envoydfp.FilterConfig{
+		ImplementationSpecifier: &envoydfp.FilterConfig_SubClusterConfig{
+			SubClusterConfig: &envoydfp.SubClusterConfig{},
+		},
+	}
+)
+
+func processDynamicForwardProxy(ctx context.Context, in *v1alpha1.DynamicForwardProxyBackend, out *envoy_config_cluster_v3.Cluster) error {
+	out.LbPolicy = envoy_config_cluster_v3.Cluster_CLUSTER_PROVIDED
+	c := &envoy_dfp_cluster.ClusterConfig{
+		ClusterImplementationSpecifier: &envoy_dfp_cluster.ClusterConfig_SubClustersConfig{
+			SubClustersConfig: &envoy_dfp_cluster.SubClustersConfig{
+				LbPolicy: envoy_config_cluster_v3.Cluster_LEAST_REQUEST,
+			},
+		},
+	}
+	anyCluster, err := utils.MessageToAny(c)
+	if err != nil {
+		return err
+	}
+	out.ClusterDiscoveryType = &envoy_config_cluster_v3.Cluster_ClusterType{
+		ClusterType: &envoy_config_cluster_v3.Cluster_CustomClusterType{
+			Name:        "envoy.clusters.dynamic_forward_proxy",
+			TypedConfig: anyCluster,
+		},
+	}
+
+	if in.EnableTls {
+		validationContext := &envoy_tls_v3.CertificateValidationContext{}
+		sdsValidationCtx := &envoy_tls_v3.SdsSecretConfig{
+			Name: eiutils.SystemCaSecretName,
+		}
+
+		tlsContextDefault := &envoy_tls_v3.UpstreamTlsContext{
+			CommonTlsContext: &envoy_tls_v3.CommonTlsContext{
+				ValidationContextType: &envoy_tls_v3.CommonTlsContext_CombinedValidationContext{
+					CombinedValidationContext: &envoy_tls_v3.CommonTlsContext_CombinedCertificateValidationContext{
+						DefaultValidationContext:         validationContext,
+						ValidationContextSdsSecretConfig: sdsValidationCtx,
+					},
+				},
+			},
+		}
+
+		typedConfig, _ := utils.MessageToAny(tlsContextDefault)
+		out.TransportSocket = &envoy_config_core_v3.TransportSocket{
+			Name: wellknown.TransportSocketTls,
+			ConfigType: &envoy_config_core_v3.TransportSocket_TypedConfig{
+				TypedConfig: typedConfig,
+			},
+		}
+	}
+
+	return nil
+}
diff --git a/internal/kgateway/extensions2/plugins/backend/plugin.go b/internal/kgateway/extensions2/plugins/backend/plugin.go
@@ -263,16 +263,16 @@ func processBackend(ctx context.Context, in ir.BackendObjectIR, out *envoy_confi
 	// TODO(tim): Bubble up error to Backend status once https://github.com/kgateway-dev/kgateway/issues/10555
 	// is resolved and add test cases for invalid endpoint URLs.
 	spec := up.Spec
-	switch {
-	case spec.Type == v1alpha1.BackendTypeStatic:
+	switch spec.Type {
+	case v1alpha1.BackendTypeStatic:
 		if err := processStatic(ctx, spec.Static, out); err != nil {
 			logger.Error("failed to process static backend", "error", err)
 		}
-	case spec.Type == v1alpha1.BackendTypeAWS:
+	case v1alpha1.BackendTypeAWS:
 		if err := processAws(ctx, spec.Aws, ir.AwsIr, out); err != nil {
 			logger.Error("failed to process aws backend", "error", err)
 		}
-	case spec.Type == v1alpha1.BackendTypeAI:
+	case v1alpha1.BackendTypeAI:
 		err := ai.ProcessAIBackend(ctx, spec.AI, ir.AIIr.AISecret, ir.AIIr.AIMultiSecret, out)
 		if err != nil {
 			logger.Error("failed to process ai backend", "error", err)
@@ -281,6 +281,10 @@ func processBackend(ctx context.Context, in ir.BackendObjectIR, out *envoy_confi
 		if err != nil {
 			logger.Error("failed to add upstream cluster http filters", "error", err)
 		}
+	case v1alpha1.BackendTypeDynamicForwardProxy:
+		if err := processDynamicForwardProxy(ctx, spec.DynamicForwardProxy, out); err != nil {
+			logger.Error("failed to process dynamic forward proxy backend", "error", err)
+		}
 	}
 	return nil
 }
@@ -310,6 +314,7 @@ func processEndpoints(up *v1alpha1.Backend) *ir.EndpointsForBackend {
 type backendPlugin struct {
 	ir.UnimplementedProxyTranslationPass
 	aiGatewayEnabled map[string]bool
+	needsDfpFilter   map[string]bool
 }
 
 var _ ir.ProxyTranslationPass = &backendPlugin{}
@@ -346,6 +351,11 @@ func (p *backendPlugin) ApplyForBackend(ctx context.Context, pCtx *ir.RouteBacke
 			},
 		}
 		pCtx.TypedFilterConfig.AddTypedConfig(wellknown.AIExtProcFilterName, disabledExtprocSettings)
+	case v1alpha1.BackendTypeDynamicForwardProxy:
+		if p.needsDfpFilter == nil {
+			p.needsDfpFilter = make(map[string]bool)
+		}
+		p.needsDfpFilter[pCtx.FilterChainName] = true
 	}
 
 	return nil
@@ -365,6 +375,11 @@ func (p *backendPlugin) HttpFilters(ctx context.Context, fc ir.FilterChainCommon
 		}
 		result = append(result, aiFilters...)
 	}
+	if p.needsDfpFilter[fc.FilterChainName] {
+		pluginStage := plugins.DuringStage(plugins.OutAuthStage)
+		f := plugins.MustNewStagedFilter("envoy.filters.http.dynamic_forward_proxy", dfpFilterConfig, pluginStage)
+		result = append(result, f)
+	}
 	return result, errors.Join(errs...)
 }
 

diff --git a/internal/kgateway/translator/gateway/gateway_translator_test.go b/internal/kgateway/translator/gateway/gateway_translator_test.go
@@ -492,6 +492,22 @@ var _ = DescribeTable("Basic GatewayTranslator Tests",
 			Name:      "example-gateway",
 		},
 	}),
+	Entry("DFP Backend with TLS", translatorTestCase{
+		inputFile:  "dfp/tls.yaml",
+		outputFile: "dfp/tls.yaml",
+		gwNN: types.NamespacedName{
+			Namespace: "default",
+			Name:      "example-gateway",
+		},
+	}),
+	Entry("DFP Backend with simple", translatorTestCase{
+		inputFile:  "dfp/simple.yaml",
+		outputFile: "dfp/simple.yaml",
+		gwNN: types.NamespacedName{
+			Namespace: "default",
+			Name:      "example-gateway",
+		},
+	}),
 	Entry("Proxy with no routes", translatorTestCase{
 		inputFile:  "edge-cases/no_route.yaml",
 		outputFile: "no_route.yaml",