dynamic forward proxy

api/v1alpha1/backend_types.go

@@ -35,6 +35,8 @@ const (
 	BackendTypeAWS BackendType = "AWS"
 	// BackendTypeStatic is the type for static backends.
 	BackendTypeStatic BackendType = "Static"
+	// BackendTypeDynamicForwardProxy is the type for dynamic forward proxy backends.
+	BackendTypeDynamicForwardProxy BackendType = "DynamicForwardProxy"
 )
 
 // BackendSpec defines the desired state of Backend.
@@ -45,10 +47,12 @@ const (
 // +kubebuilder:validation:XValidation:message="aws backend must be specified when type is 'aws'",rule="!(!has(self.aws) && self.type == 'AWS')"
 // +kubebuilder:validation:XValidation:message="static backend must be nil if the type is not 'static'",rule="!(has(self.static) && self.type != 'Static')"
 // +kubebuilder:validation:XValidation:message="static backend must be specified when type is 'static'",rule="!(!has(self.static) && self.type == 'Static')"
+// +kubebuilder:validation:XValidation:message="dynamic forward proxy backend must be nil if the type is not 'dynamicForwardProxy'",rule="!(has(self.dynamicForwardProxy) && self.type != 'DynamicForwardProxy')"
+// +kubebuilder:validation:XValidation:message="dynamic forward proxy backend must be specified when type is 'dynamicForwardProxy'",rule="!(!has(self.dynamicForwardProxy) && self.type == 'DynamicForwardProxy')"
 type BackendSpec struct {
 	// Type indicates the type of the backend to be used.
 	// +unionDiscriminator
-	// +kubebuilder:validation:Enum=AI;AWS;Static
+	// +kubebuilder:validation:Enum=AI;AWS;Static;DynamicForwardProxy
 	// +kubebuilder:validation:Required
 	Type BackendType `json:"type"`
 	// AI is the AI backend configuration.
@@ -60,6 +64,13 @@ type BackendSpec struct {
 	// Static is the static backend configuration.
 	// +optional
 	Static *StaticBackend `json:"static,omitempty"`
+	// DynamicForwardProxy is the dynamic forward proxy backend configuration.
+	// +optional
+	DynamicForwardProxy *DynamicForwardProxyBackend `json:"dynamicForwardProxy,omitempty"`
+}
+
+// DynamicForwardProxyBackend is the dynamic forward proxy backend configuration.
+type DynamicForwardProxyBackend struct {
 }
 
 // AwsBackend is the AWS backend configuration.

install/helm/kgateway-crds/templates/gateway.kgateway.dev_backends.yaml

@@ -519,6 +519,8 @@ spec:
                 required:
                 - accountId
                 type: object
+              dynamicForwardProxy:
+                type: object
               static:
                 properties:
                   hosts:
@@ -546,6 +548,7 @@ spec:
                 - AI
                 - AWS
                 - Static
+                - DynamicForwardProxy
                 type: string
             required:
             - type
@@ -563,6 +566,12 @@ spec:
               rule: '!(has(self.static) && self.type != ''Static'')'
             - message: static backend must be specified when type is 'static'
               rule: '!(!has(self.static) && self.type == ''Static'')'
+            - message: dynamic forward proxy backend must be nil if the type is not
+                'dynamicForwardProxy'
+              rule: '!(has(self.dynamicForwardProxy) && self.type != ''DynamicForwardProxy'')'
+            - message: dynamic forward proxy backend must be specified when type is
+                'dynamicForwardProxy'
+              rule: '!(!has(self.dynamicForwardProxy) && self.type == ''DynamicForwardProxy'')'
           status:
             properties:
               conditions:

internal/kgateway/extensions2/plugins/backend/dfp.go

@@ -0,0 +1,46 @@
+package backend
+
+import (
+	"context"
+
+	envoy_config_cluster_v3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
+	envoy_dfp_cluster "github.com/envoyproxy/go-control-plane/envoy/extensions/clusters/dynamic_forward_proxy/v3"
+	envoydfp "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/dynamic_forward_proxy/v3"
+
+	"github.com/kgateway-dev/kgateway/v2/api/v1alpha1"
+	"github.com/kgateway-dev/kgateway/v2/internal/kgateway/utils"
+)
+
+var (
+	dfpFilterConfig = &envoydfp.FilterConfig{
+		ImplementationSpecifier: &envoydfp.FilterConfig_SubClusterConfig{
+			SubClusterConfig: &envoydfp.SubClusterConfig{},
+		},
+	}
+)
+
+func processDynamicForwardProxy(ctx context.Context, in *v1alpha1.DynamicForwardProxyBackend, out *envoy_config_cluster_v3.Cluster) error {
+	out.LbPolicy = envoy_config_cluster_v3.Cluster_CLUSTER_PROVIDED
+	c := &envoy_dfp_cluster.ClusterConfig{
+		ClusterImplementationSpecifier: &envoy_dfp_cluster.ClusterConfig_SubClustersConfig{
+			SubClustersConfig: &envoy_dfp_cluster.SubClustersConfig{
+				LbPolicy: envoy_config_cluster_v3.Cluster_LEAST_REQUEST,
+			},
+		},
+	}
+	anyCluster, err := utils.MessageToAny(c)
+	if err != nil {
+		return err
+	}
+
+	// the upstream has a DNS name. We need Envoy to resolve the DNS name
+	// set the type to strict dns
+	out.ClusterDiscoveryType = &envoy_config_cluster_v3.Cluster_ClusterType{
+		ClusterType: &envoy_config_cluster_v3.Cluster_CustomClusterType{
+			Name:        "envoy.clusters.dynamic_forward_proxy",
+			TypedConfig: anyCluster,
+		},
+	}
+
+	return nil
+}

internal/kgateway/extensions2/plugins/backend/plugin.go

@@ -6,10 +6,8 @@ import (
 
 	envoy_config_cluster_v3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
 	envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
-	envoy_config_listener_v3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
 	envoy_config_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
 	envoy_ext_proc_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_proc/v3"
-	envoy_hcm "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
 	envoyauth "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
 	envoywellknown "github.com/envoyproxy/go-control-plane/pkg/wellknown"
 	"github.com/solo-io/go-utils/contextutils"
@@ -261,16 +259,16 @@ func processBackend(ctx context.Context, in ir.BackendObjectIR, out *envoy_confi
 	// TODO(tim): Bubble up error to Backend status once https://github.com/kgateway-dev/kgateway/issues/10555
 	// is resolved and add test cases for invalid endpoint URLs.
 	spec := up.Spec
-	switch {
-	case spec.Type == v1alpha1.BackendTypeStatic:
+	switch spec.Type {
+	case v1alpha1.BackendTypeStatic:
 		if err := processStatic(ctx, spec.Static, out); err != nil {
 			log.Error("failed to process static backend", "error", err)
 		}
-	case spec.Type == v1alpha1.BackendTypeAWS:
+	case v1alpha1.BackendTypeAWS:
 		if err := processAws(ctx, spec.Aws, ir.AwsIr, out); err != nil {
 			log.Error("failed to process aws backend", "error", err)
 		}
-	case spec.Type == v1alpha1.BackendTypeAI:
+	case v1alpha1.BackendTypeAI:
 		err := ai.ProcessAIBackend(ctx, spec.AI, ir.AIIr.AISecret, ir.AIIr.AIMultiSecret, out)
 		if err != nil {
 			log.Error(err)
@@ -279,6 +277,10 @@ func processBackend(ctx context.Context, in ir.BackendObjectIR, out *envoy_confi
 		if err != nil {
 			log.Error(err)
 		}
+	case v1alpha1.BackendTypeDynamicForwardProxy:
+		if err := processDynamicForwardProxy(ctx, spec.DynamicForwardProxy, out); err != nil {
+			log.Error("failed to process dynamic forward proxy backend", "error", err)
+		}
 	}
 	return nil
 }
@@ -308,6 +310,7 @@ func processEndpoints(up *v1alpha1.Backend) *ir.EndpointsForBackend {
 type backendPlugin struct {
 	ir.UnimplementedProxyTranslationPass
 	aiGatewayEnabled map[string]bool
+	neededDfpFilter  map[string]bool
 }
 
 func newPlug(ctx context.Context, tctx ir.GwTranslationCtx, reporter reports.Reporter) ir.ProxyTranslationPass {
@@ -318,20 +321,6 @@ func (p *backendPlugin) Name() string {
 	return ExtensionName
 }
 
-func (p *backendPlugin) ApplyListenerPlugin(ctx context.Context, pCtx *ir.ListenerContext, out *envoy_config_listener_v3.Listener) {
-}
-
-func (p *backendPlugin) ApplyHCM(ctx context.Context, pCtx *ir.HcmContext, out *envoy_hcm.HttpConnectionManager) error { // no-op
-	return nil
-}
-
-func (p *backendPlugin) ApplyVhostPlugin(ctx context.Context, pCtx *ir.VirtualHostContext, out *envoy_config_route_v3.VirtualHost) {
-}
-
-func (p *backendPlugin) ApplyForRoute(ctx context.Context, pCtx *ir.RouteContext, outputRoute *envoy_config_route_v3.Route) error {
-	return nil
-}
-
 func (p *backendPlugin) ApplyForBackend(ctx context.Context, pCtx *ir.RouteBackendContext, in ir.HttpBackend, out *envoy_config_route_v3.Route) error {
 	backend := pCtx.Backend.Obj.(*v1alpha1.Backend)
 	backendIr := pCtx.Backend.ObjIr.(*BackendIr)
@@ -356,6 +345,11 @@ func (p *backendPlugin) ApplyForBackend(ctx context.Context, pCtx *ir.RouteBacke
 			},
 		}
 		pCtx.TypedFilterConfig.AddTypedConfig(wellknown.AIExtProcFilterName, disabledExtprocSettings)
+	case v1alpha1.BackendTypeDynamicForwardProxy:
+		if p.neededDfpFilter == nil {
+			p.neededDfpFilter = make(map[string]bool)
+		}
+		p.neededDfpFilter[pCtx.FilterChainName] = true
 	}
 
 	return nil
@@ -383,6 +377,11 @@ func (p *backendPlugin) HttpFilters(ctx context.Context, fc ir.FilterChainCommon
 		}
 		result = append(result, aiFilters...)
 	}
+	if p.neededDfpFilter[fc.FilterChainName] {
+		pluginStage := plugins.DuringStage(plugins.OutAuthStage)
+		f, _ := plugins.NewStagedFilter("envoy.filters.http.dynamic_forward_proxy", dfpFilterConfig, pluginStage)
+		result = append(result, f)
+	}
 	return result, errors.Join(errs...)
 }