Conversation

@therealmitchconnors

Description

Azure Auth is implemented in agentgateway protos, but not available via k8s crds with kgateway. This PR adds the fields to use Azure backend auth from k8s. Fixes #13259

Change Type

/kind feature

Changelog

Added support for configuring Agentgateway to use Azure backend auth

Additional Notes

Copilot AI review requested due to automatic review settings January 10, 2026 00:24
@therealmitchconnors therealmitchconnors requested a review from a team as a code owner January 10, 2026 00:24
@gateway-bot gateway-bot added kind/feature Categorizes issue or PR as related to a new feature. release-note labels Jan 10, 2026

Copilot AI left a comment


Pull request overview

This PR adds support for Azure backend authentication to Agentgateway, enabling users to configure Azure authentication methods via Kubernetes CRDs. This complements the existing AWS authentication support and addresses issue #13259.

  • Adds AzureAuth and AzureManagedIdentity types to support both managed identity and client secret authentication methods
  • Implements buildAzureAuthPolicy and buildAzureClientSecret functions to translate K8s CRD definitions to protobuf API structures
  • Updates CRD schemas for both AgentgatewayPolicy and AgentgatewayBackend resources to include Azure authentication fields

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 11 comments.

File Description
pkg/kgateway/wellknown/constants.go Adds constants for Azure authentication secret keys (ClientID, TenantId, ClientSecret)
pkg/agentgateway/plugins/backend_policies.go Implements Azure authentication translation logic with support for managed identity and client secret
api/v1alpha1/agentgateway/agentgateway_policy_types.go Defines AzureAuth and AzureManagedIdentity types, adds Azure field to BackendAuth
api/v1alpha1/agentgateway/zz_generated.deepcopy.go Auto-generated DeepCopy methods for new Azure types
install/helm/agentgateway-crds/templates/agentgateway.dev_agentgatewaypolicies.yaml Updates CRD schema to include Azure authentication fields and validation rules
install/helm/agentgateway-crds/templates/agentgateway.dev_agentgatewaybackends.yaml Updates CRD schema to include Azure authentication fields and validation rules
pkg/agentgateway/plugins/testdata/backendpolicy/azureauth.yaml Adds test case for Azure managed identity authentication


Comment on lines +13 to +15
azure:
  managedIdentity:
    objectId: mi-object-id

Copilot AI Jan 10, 2026


The test case only covers Azure Managed Identity authentication but does not test the Client Secret authentication path. The buildAzureClientSecret function (lines 706-754 in backend_policies.go) lacks test coverage. Consider adding a test case similar to the AWS auth test that includes a Secret with clientID, tenantID, and clientSecret to ensure this code path is properly validated.


@howardjohn howardjohn self-assigned this Jan 12, 2026

@howardjohn howardjohn left a comment


overall looks good, had a few questions on slack that will answer some choices though

	// +optional
	AWS *AwsAuth `json:"aws,omitempty"`

	// Azure specifies an Azure authentication method for the backend.

just fyi I am adding GCP auth in #13262 so we will probably merge conflict one way or another

	// Details for managed identity authentication
	ManagedIdentity *AzureManagedIdentity `json:"managedIdentity,omitempty"`

	// TODO: does not appear to have schema??

This is basically just a flag. There is no config (currently?) for it, you just say you want workload identity.


So should it be an optional field, with type any? or a bool?

}

type BackendAuthPassthrough struct {
type AzureAuth struct {

depending on some other questions we probably want // +kubebuilder:validation:ExactlyOneOf=secretRef;managedIdentity
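Two points from the review above can be made concrete in code: the ExactlyOneOf rule on AzureAuth (secretRef versus managedIdentity) and the untested client-secret path, which reads clientID, tenantID and clientSecret out of a Kubernetes Secret. The Go below is an added illustration, not code from this PR or from the kgateway/agentgateway projects: the struct layout, the secret key strings, and the function names ValidateAzureAuth and ClientSecretFromSecretData are assumptions chosen for the example, and the sample inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical mirrors of the CRD fields under discussion. Field names follow
// the PR (secretRef, managedIdentity, objectId); the layout is an assumption.
type SecretRef struct {
	Name string `json:"name"`
}

type AzureManagedIdentity struct {
	ObjectID string `json:"objectId,omitempty"`
}

type AzureAuth struct {
	SecretRef       *SecretRef            `json:"secretRef,omitempty"`
	ManagedIdentity *AzureManagedIdentity `json:"managedIdentity,omitempty"`
}

// Secret data keys. The PR adds constants for these in wellknown/constants.go;
// the string values here are constructed and may differ from the project's.
const (
	SecretKeyClientID     = "clientID"
	SecretKeyTenantID     = "tenantID"
	SecretKeyClientSecret = "clientSecret"
)

// AzureClientSecret is the translated credential handed on to the proxy config.
type AzureClientSecret struct {
	ClientID     string
	TenantID     string
	ClientSecret string
}

var ErrExactlyOne = errors.New("azure auth: exactly one of secretRef or managedIdentity must be set")

// ValidateAzureAuth is the runtime equivalent of the
// +kubebuilder:validation:ExactlyOneOf=secretRef;managedIdentity marker:
// an empty object and a both-set object are rejected, so the translator
// never has to guess which method the user meant. A nil AzureAuth means
// Azure auth is simply not configured and is accepted.
func ValidateAzureAuth(a *AzureAuth) error {
	if a == nil {
		return nil
	}
	set := 0
	if a.SecretRef != nil {
		set++
	}
	if a.ManagedIdentity != nil {
		set++
	}
	if set != 1 {
		return ErrExactlyOne
	}
	return nil
}

// ClientSecretFromSecretData builds the credential from a Secret's data map.
// Missing or empty keys are errors so that a misspelled key fails at
// translation time rather than producing an empty credential at runtime.
func ClientSecretFromSecretData(data map[string][]byte) (*AzureClientSecret, error) {
	get := func(key string) (string, error) {
		v, ok := data[key]
		if !ok || len(v) == 0 {
			return "", fmt.Errorf("azure auth: secret is missing required key %q", key)
		}
		return string(v), nil
	}
	clientID, err := get(SecretKeyClientID)
	if err != nil {
		return nil, err
	}
	tenantID, err := get(SecretKeyTenantID)
	if err != nil {
		return nil, err
	}
	clientSecret, err := get(SecretKeyClientSecret)
	if err != nil {
		return nil, err
	}
	return &AzureClientSecret{ClientID: clientID, TenantID: tenantID, ClientSecret: clientSecret}, nil
}

func main() {
	// Constructed inputs: the managed-identity case from the PR's testdata and
	// the client-secret case the review asked for coverage on.
	mi := &AzureAuth{ManagedIdentity: &AzureManagedIdentity{ObjectID: "mi-object-id"}}
	fmt.Println("managed identity valid:", ValidateAzureAuth(mi) == nil)

	both := &AzureAuth{SecretRef: &SecretRef{Name: "azure-creds"}, ManagedIdentity: &AzureManagedIdentity{}}
	fmt.Println("both set:", ValidateAzureAuth(both))

	cs, err := ClientSecretFromSecretData(map[string][]byte{
		SecretKeyClientID:     []byte("00000000-0000-0000-0000-000000000001"),
		SecretKeyTenantID:     []byte("00000000-0000-0000-0000-000000000002"),
		SecretKeyClientSecret: []byte("example-secret-value"),
	})
	if err == nil {
		fmt.Println("client secret tenant:", cs.TenantID)
	}
}
```

The validation function is what a webhook or the translation plugin would run if the CRD marker were not available; with the marker in place the API server rejects the same objects before they reach the controller, and a test for the client-secret path only needs a Secret with the three keys plus a negative case with one key missing.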


Development

Successfully merging this pull request may close these issues.

AgentGateway CRDs missing Azure Auth
