use Gateway in ancestor ref on AgentgatewayPolicy

[npolshakova]

Description

Fixes #12696

Change Type

/kind fix

Changelog

Fixed the ancestor ref on AgentgatewayPolicy to resolve to Gateway.

Additional Notes

• GRPCRoute support will need to come after policy support is added in: WIP: support grpc policy attachment #13293
• Frontend policies can't currently attach to listeners: Feature: support listener level FrontendPolicy agentgateway/agentgateway#825 (comment)

Example from extauthz tests:

apiVersion: agentgateway.dev/v1alpha1
kind: AgentgatewayPolicy
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"agentgateway.dev/v1alpha1","kind":"AgentgatewayPolicy","metadata":{"annotations":{},"name":"secure-route-policy","namespace":"default"},"spec":{"targetRefs":[{"group":"gateway.networking.k8s.io","kind":"HTTPRoute","name":"route-example-secure"}],"traffic":{"extAuth":{"backendRef":{"name":"ext-authz","port":4444},"grpc":{}}}}}
  creationTimestamp: "2026-01-13T14:43:23Z"
  generation: 1
  name: secure-route-policy
  namespace: default
  resourceVersion: "32596"
  uid: 7d8a7f41-7d90-475f-8323-e2175ee90333
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: route-example-secure
  traffic:
    extAuth:
      backendRef:
        group: ""
        kind: Service
        name: ext-authz
        port: 4444
      grpc: {}
status:
  ancestors:
  - ancestorRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: super-gateway
      namespace: default
    conditions:
    - lastTransitionTime: "2026-01-13T14:50:11Z"
      message: Policy accepted
      reason: Valid
      status: "True"
      type: Accepted
    - lastTransitionTime: "2026-01-13T14:50:11Z"
      message: Attached to all targets
      reason: Attached
      status: "True"
      type: Attached
    controllerName: agentgateway.dev/agentgateway

[Copilot]

Pull request overview

This pull request fixes the ancestor reference reporting in AgentgatewayPolicy status to properly resolve to Gateway resources instead of the direct target (e.g., HTTPRoute). When a policy is attached to an HTTPRoute, the status now reports the Gateway(s) that the route references as ancestors, following Gateway API best practices for lower cardinality status reporting.

Changes:

• Refactored ResolvedTarget struct to use AncestorRefs (slice) instead of GatewayTarget (single reference)
• Added new resolvePolicyAncestorRefs function to resolve policy targets to their parent Gateway references
• Updated status reporting loop to handle multiple ancestor references per policy target

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
pkg/agentgateway/plugins/traffic_plugin.go	Implemented ancestor resolution logic and refactored status reporting to properly reference Gateway resources
pkg/agentgateway/plugins/testdata/trafficpolicy/http-route-ancestor-gateway.yaml	Added test case validating that HTTPRoute-targeted policies report Gateway as ancestor

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

When filtering parent references to only include Gateway parents, the code continues iterating if a non-Gateway parent is found. However, if none of the parent references are Gateways (e.g., all are custom resources), the function returns the fallback which reports the HTTPRoute as the ancestor. This could lead to inconsistent reporting. Consider documenting this behavior or adding a comment explaining why falling back to the route itself is the intended behavior when no Gateway parents are found.

[howardjohn]

this todo is still valid I think

[npolshakova]

Opened #13296 to track