kgateway-dev · yuval-k · May 22, 2025 · Apr 29, 2025 · May 21, 2025 · May 21, 2025
diff --git a/api/applyconfiguration/api/v1alpha1/localpolicytargetreference.go b/api/applyconfiguration/api/v1alpha1/localpolicytargetreference.go
diff --git a/api/applyconfiguration/internal/internal.go b/api/applyconfiguration/internal/internal.go
diff --git a/api/v1alpha1/shared_types.go b/api/v1alpha1/shared_types.go
@@ -19,6 +19,10 @@ type LocalPolicyTargetReference struct {
 
 	// The name of the target resource.
 	Name gwv1.ObjectName `json:"name"`
+
+	// The section name of the target resource.
+	// +optional
+	SectionName *gwv1.SectionName `json:"sectionName,omitempty"`
 }
 
 // Select the object to attach the policy by Group, Kind, and its labels.

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/install/helm/kgateway-crds/templates/gateway.kgateway.dev_httplistenerpolicies.yaml b/install/helm/kgateway-crds/templates/gateway.kgateway.dev_httplistenerpolicies.yaml
@@ -475,6 +475,11 @@ spec:
                       maxLength: 253
                       minLength: 1
                       type: string
+                    sectionName:
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
                   required:
                   - group
                   - kind

diff --git a/install/helm/kgateway-crds/templates/gateway.kgateway.dev_trafficpolicies.yaml b/install/helm/kgateway-crds/templates/gateway.kgateway.dev_trafficpolicies.yaml
@@ -465,6 +465,11 @@ spec:
                       maxLength: 253
                       minLength: 1
                       type: string
+                    sectionName:
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
                   required:
                   - group
                   - kind

diff --git a/internal/kgateway/extensions2/plugins/trafficpolicy/extauth_policy_test.go b/internal/kgateway/extensions2/plugins/trafficpolicy/extauth_policy_test.go
@@ -6,12 +6,10 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 
-	envoy_config_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
 	envoy_config_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
 	envoy_ext_authz_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_authz/v3"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"google.golang.org/protobuf/types/known/anypb"
 
 	"github.com/kgateway-dev/kgateway/v2/api/v1alpha1"
 	"github.com/kgateway-dev/kgateway/v2/internal/kgateway/ir"
@@ -104,72 +102,28 @@ func TestApplyForRoute(t *testing.T) {
 	})
 }
 
-func TestApplyListenerPlugin(t *testing.T) {
-	t.Run("configures listener with ext auth", func(t *testing.T) {
-		// Setup
-		plugin := &trafficPolicyPluginGwPass{}
-		ctx := context.Background()
-		policy := &TrafficPolicy{
-			spec: trafficPolicySpecIr{
-				extAuth: &extAuthIR{
-					provider: &TrafficPolicyGatewayExtensionIR{
-						name:    "test-extension",
-						ExtType: v1alpha1.GatewayExtensionTypeExtAuth,
-						ExtAuth: &envoy_ext_authz_v3.ExtAuthz{
-							FailureModeAllow: true,
-						},
-					},
-				},
-			},
-		}
-		pCtx := &ir.ListenerContext{
-			Policy: policy,
-		}
-		listener := &envoy_config_listener_v3.Listener{
-			FilterChains: []*envoy_config_listener_v3.FilterChain{
-				{
-					Filters: []*envoy_config_listener_v3.Filter{
-						{
-							Name: "envoy.filters.network.http_connection_manager",
-							ConfigType: &envoy_config_listener_v3.Filter_TypedConfig{
-								TypedConfig: &anypb.Any{
-									TypeUrl: "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
-								},
-							},
-						},
-					},
-				},
-			},
-		}
-
-		// Execute
-		plugin.ApplyListenerPlugin(ctx, pCtx, listener)
-
-		// Verify
-		ir, ok := plugin.extAuthPerProvider["test-extension"]
-		assert.True(t, ok)
-		assert.True(t, ir.fromListener)
-	})
-}
-
 func TestHttpFilters(t *testing.T) {
 	t.Run("adds ext auth filter to filter chain", func(t *testing.T) {
 		// Setup
 		plugin := &trafficPolicyPluginGwPass{
-			extAuthPerProvider: map[string]providerWithFromListener{
-				"test-extension": {
-					provider: &TrafficPolicyGatewayExtensionIR{
-						name:    "test-extension",
-						ExtType: v1alpha1.GatewayExtensionTypeExtAuth,
-						ExtAuth: &envoy_ext_authz_v3.ExtAuthz{
-							FailureModeAllow: true,
+			extAuthPerProvider: ProviderNeededMap{
+				Providers: map[string]map[string]*TrafficPolicyGatewayExtensionIR{
+					"test-filter-chain": map[string]*TrafficPolicyGatewayExtensionIR{
+						"test-extension": &TrafficPolicyGatewayExtensionIR{
+							name:    "test-extension",
+							ExtType: v1alpha1.GatewayExtensionTypeExtAuth,
+							ExtAuth: &envoy_ext_authz_v3.ExtAuthz{
+								FailureModeAllow: true,
+							},
 						},
 					},
 				},
 			},
 		}
 		ctx := context.Background()
-		fcc := ir.FilterChainCommon{}
+		fcc := ir.FilterChainCommon{
+			FilterChainName: "test-filter-chain",
+		}
 
 		// Execute
 		filters, err := plugin.HttpFilters(ctx, fcc)