Add CSRF policy support to TrafficPolicy

.github/workflows/pr-kubernetes-tests.yaml

@@ -44,7 +44,7 @@ jobs:
         # May 19, 2025: ~20 minutes
         - cluster-name: 'cluster-four'
           go-test-args: '-v -timeout=25m'
-          go-test-run-regex: '^TestKgateway$$/^ExtProc$$|^TestKgateway$$/^ExtAuth$$|^TestKgateway$$/^TCPRouteServices$$|^TestKgateway$$/^PolicySelector$$'
+          go-test-run-regex: '^TestKgateway$$/^ExtProc$$|^TestKgateway$$/^ExtAuth$$|^TestKgateway$$/^TCPRouteServices$$|^TestKgateway$$/^PolicySelector$$|^TestKgateway$$/^CSRF$$'
           localstack: 'false'
         # May 19, 2025: ~20 minutes
         - cluster-name: 'cluster-ai'

api/v1alpha1/traffic_policy_types.go

@@ -72,6 +72,10 @@ type TrafficPolicySpec struct {
 	// Cors specifies the CORS configuration for the policy.
 	// +optional
 	Cors *CorsPolicy `json:"cors,omitempty"`
+
+	// Csrf specifies the Cross-Site Request Forgery (CSRF) policy for this traffic policy.
+	// +optional
+	Csrf *CsrfPolicy `json:"csrf,omitempty"`
 }
 
 // TransformationPolicy config is used to modify envoy behavior at a route level.
@@ -342,3 +346,28 @@ type CorsPolicy struct {
 	// +kubebuilder:pruning:PreserveUnknownFields
 	*gwv1.HTTPCORSFilter `json:",inline"`
 }
+
+// CsrfPolicy can be used to set percent of requests for which the CSRF filter is enabled,
+// enable shadow-only mode where policies will be evaluated and tracked, but not enforced and
+// add additional source origins that will be allowed in addition to the destination origin.
+type CsrfPolicy struct {
+	// Specifies the percentage of requests for which the CSRF filter is enabled.
+	// If both PercentageEnabled and PercentageShadowed are set, the PercentageEnabled flag will take precedence.
+	// +required
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=100
+	PercentageEnabled *uint32 `json:"percentageEnabled,omitempty"`
+
+	// Specifies that CSRF policies will be evaluated and tracked, but not enforced.
+	// This is intended to be used when PercentageEnabled is 0 and will be ignored otherwise.
+	// If both PercentageEnabled and PercentageShadowed are set, the PercentageEnabled flag will take precedence.
+	// +optional
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=100
+	PercentageShadowed *uint32 `json:"percentageShadowed,omitempty"`
+
+	// Specifies additional source origins that will be allowed in addition to the destination origin.
+	// Only exact matches are supported.
+	// +optional
+	AdditionalOrigins []string `json:"additionalOrigins,omitempty"`
+}

install/helm/kgateway-crds/templates/gateway.kgateway.dev_trafficpolicies.yaml

@@ -333,6 +333,25 @@ spec:
                     type: integer
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
+              csrf:
+                properties:
+                  additionalOrigins:
+                    items:
+                      type: string
+                    type: array
+                  percentageEnabled:
+                    format: int32
+                    maximum: 100
+                    minimum: 0
+                    type: integer
+                  percentageShadowed:
+                    format: int32
+                    maximum: 100
+                    minimum: 0
+                    type: integer
+                required:
+                - percentageEnabled
+                type: object
               extAuth:
                 properties:
                   contextExtensions: