Merge branch 'main' of ssh://github.com/envoyproxy/ai-gateway

Author: siddharth1036

.github/dependabot.yml

@@ -25,3 +25,5 @@ updates:
           - "*"
     ignore:
       - dependency-name: "github.com/envoyproxy/gateway"
+      # Usually, this requires manual changes to the codebase.
+      - dependency-name: "sigs.k8s.io/gateway-api-inference-extension"

.github/workflows/build_and_test.yaml

@@ -67,7 +67,7 @@ jobs:
             ~/go/pkg/mod
             ~/go/bin
           key: unittest-${{ hashFiles('**/go.mod', '**/go.sum', '**/Makefile') }}-${{ matrix.os }}
-      - run: make test-coverage
+      - run: make test-coverage GO_TEST_ARGS='-race'
       - name: Upload coverage to Codecov
         if: matrix.os == 'ubuntu-latest'
         uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3

.trivyignore

@@ -10,8 +10,7 @@ First of all, there are only three minimal prerequisites to contribute to the pr
 - `make`
 - `docker`
 
-which we assume you already have installed on your machine. Also, on macOS, you would need to install
-`brew install ca-certificates` to run some integration tests.
+which we assume you already have installed on your machine.
 
 Assuming you have already cloned the repository on a local machine either macOS or some Linux distribution,
 the only make targets you would need to run are listed via

CONTRIBUTING.md

@@ -30,9 +30,9 @@ HELM_CHART_VERSION ?= v0.0.0-latest
 
 # Arguments for go test. This can be used, for example, to run specific tests via
 # `GO_TEST_ARGS="-run TestName/foo/etc -v -race"`.
-GO_TEST_ARGS ?= -race
+GO_TEST_ARGS ?=
 # Arguments for go test in e2e tests in addition to GO_TEST_ARGS, applicable to test-e2e, test-extproc, and test-controller.
-GO_TEST_E2E_ARGS ?= -count=1
+GO_TEST_E2E_ARGS ?= -count=1 -timeout 30m
 
 ## help: Show this help info.
 .PHONY: help
@@ -200,7 +200,7 @@ test-e2e-namespaced: build-e2e
 .PHONY: test-e2e-aigw
 test-e2e-aigw: build.aigw ## Run the end-to-end tests for the aigw CLI.
 	@echo "Run aigw CLI E2E tests"
-	@go test -v ./tests/e2e-aigw/... -timeout 30m $(GO_TEST_E2E_ARGS)
+	@go test -v ./tests/e2e-aigw/... $(GO_TEST_E2E_ARGS)
 
 ##@ Common
 

Makefile

@@ -143,7 +143,7 @@ type MCPToolFilter struct {
 
 // MCPBackendSecurityPolicy defines the security policy for a sp
 type MCPBackendSecurityPolicy struct {
-	// APIKey is a mechanism to access a backend. The API key will be injected into the Authorization header.
+	// APIKey is a mechanism to access a backend. The API key will be injected into the request headers.
 	// +optional
 	APIKey *MCPBackendAPIKey `json:"apiKey,omitempty"`
 }
@@ -161,6 +161,16 @@ type MCPBackendAPIKey struct {
 	//
 	// +optional
 	Inline *string `json:"inline,omitempty"`
+
+	// Header is the HTTP header to inject the API key into. If not specified,
+	// defaults to "Authorization".
+	// When the header is "Authorization", the injected header value will be
+	// prefixed with "Bearer ".
+	//
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:MinLength=1
+	// +optional
+	Header *string `json:"header,omitempty"`
 }
 
 // MCPRouteSecurityPolicy defines the security policy for a MCPRoute.

api/v1alpha1/mcp_route.go

@@ -89,11 +89,7 @@ func run(ctx context.Context, c cmdRun, o *runOpts, stdout, stderr io.Writer) er
 	start := time.Now()
 
 	// First, we need to create the self-signed certificates used for communication between the EG and Envoy.
-	// Certificates will be placed at /tmp/envoy-gateway/certs, which is currently is not configurable:
-	// https://github.com/envoyproxy/gateway/blob/779c0a6bbdf7dacbf25a730140a112f99c239f0e/internal/infrastructure/host/infra.go#L22-L23
-	//
-	// TODO: Override Envoy Gateway cert directory to use $AIGW_RUNTIME_DIR once possible via
-	// https://github.com/envoyproxy/gateway/pull/7225
+	// Certificates will be placed at ~/.config/envoy-gateway/certs, which is the default location used by Envoy Gateway.
 	certGenOut := &bytes.Buffer{}
 	certGen := root.GetRootCommand()
 	certGen.SetOut(certGenOut)

api/v1alpha1/zz_generated.deepcopy.go

@@ -206,7 +206,7 @@ spec:
       path: "/mcp/x/issues/readonly"
       toolSelector:
         include:
-          - get_issue
+          - issue_read
           - list_issues
       securityPolicy:
         apiKey:

cmd/aigw/run.go

@@ -10,15 +10,15 @@ require (
 	github.com/alecthomas/kong v1.12.1
 	github.com/andybalholm/brotli v1.2.0
 	github.com/anthropics/anthropic-sdk-go v1.14.0
-	github.com/aws/aws-sdk-go-v2 v1.39.3
+	github.com/aws/aws-sdk-go-v2 v1.39.4
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.2
-	github.com/aws/aws-sdk-go-v2/config v1.31.13
-	github.com/aws/aws-sdk-go-v2/service/sts v1.38.7
+	github.com/aws/aws-sdk-go-v2/config v1.31.15
+	github.com/aws/aws-sdk-go-v2/service/sts v1.38.9
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443
 	github.com/coreos/go-oidc/v3 v3.16.0
 	github.com/docker/docker v28.5.1+incompatible
-	github.com/envoyproxy/gateway v0.5.0-rc.1.0.20251020052851-16aa8100498d
+	github.com/envoyproxy/gateway v1.6.0-rc.0.0.20251028174200-282c916a47e1
 	github.com/envoyproxy/go-control-plane v0.13.5-0.20250929230642-07d3df27ff4f
 	github.com/envoyproxy/go-control-plane/envoy v1.35.1-0.20250929230642-07d3df27ff4f
 	github.com/go-logr/logr v1.4.3
@@ -55,8 +55,8 @@ require (
 	golang.org/x/oauth2 v0.32.0
 	golang.org/x/sync v0.17.0
 	golang.org/x/tools v0.38.0
-	google.golang.org/api v0.252.0
-	google.golang.org/genai v1.31.0
+	google.golang.org/api v0.253.0
+	google.golang.org/genai v1.32.0
 	google.golang.org/grpc v1.76.0
 	google.golang.org/protobuf v1.36.10
 	gopkg.in/dnaeon/go-vcr.v4 v4.0.5
@@ -87,15 +87,15 @@ require (
 	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/avast/retry-go v3.0.0+incompatible // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.18.17 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.10 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.10 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.10 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.19 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.11 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.29.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.29.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.3 // indirect
 	github.com/aws/smithy-go v1.23.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
@@ -164,14 +164,14 @@ require (
 	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
 	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
-	github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc // indirect
+	github.com/grafana/regexp v0.0.0-20250905093917-f7b3be9d1853 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kelseyhightower/envconfig v1.4.0 // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/compress v1.18.1 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20251013123823-9fd1530e3ec3 // indirect
 	github.com/lyft/gostats v0.4.1 // indirect
@@ -229,7 +229,7 @@ require (
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/bridges/prometheus v0.63.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
 	go.opentelemetry.io/contrib/propagators/aws v1.38.0 // indirect
 	go.opentelemetry.io/contrib/propagators/b3 v1.38.0 // indirect
 	go.opentelemetry.io/contrib/propagators/jaeger v1.38.0 // indirect
@@ -253,10 +253,10 @@ require (
 	golang.org/x/sys v0.37.0 // indirect
 	golang.org/x/term v0.36.0 // indirect
 	golang.org/x/text v0.30.0 // indirect
-	golang.org/x/time v0.13.0 // indirect
+	golang.org/x/time v0.14.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251002232023-7c0ddcbb5797 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251014184007-4626949a642f // indirect
 	google.golang.org/grpc/security/advancedtls v1.0.0 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect