fix: use one gExt per ingress

Signed-off-by: omar <omar.hammami@solo.io>

Author: puertomontt

pkg/i2gw/implementations/kgateway/auth.go

@@ -150,45 +150,40 @@ func applyExtAuthPolicy(
 		return false
 	}
 
-	// Use the URL as a key to deduplicate GatewayExtensions.
-	if _, exists := gatewayExtensions[authURL]; !exists {
-		// Create GatewayExtension with ExtAuth using HttpService.
-		extHttpService := &kgateway.ExtHttpService{
-			BackendRef: gwv1.BackendRef{
-				BackendObjectReference: gwv1.BackendObjectReference{
-					Name:      gwv1.ObjectName(parsed.service),
-					Namespace: ptr.To(gwv1.Namespace(parsed.namespace)), // TODO: confirm that different namespace works
-					Port:      ptr.To(gwv1.PortNumber(parsed.port)),
-				},
+	// Create GatewayExtension with ExtAuth using HttpService.
+	extHttpService := &kgateway.ExtHttpService{
+		BackendRef: gwv1.BackendRef{
+			BackendObjectReference: gwv1.BackendObjectReference{
+				Name:      gwv1.ObjectName(parsed.service),
+				Namespace: ptr.To(gwv1.Namespace(parsed.namespace)), // TODO: confirm that different namespace works
+				Port:      ptr.To(gwv1.PortNumber(parsed.port)),
 			},
-			PathPrefix: parsed.path,
-		}
+		},
+		PathPrefix: parsed.path,
+	}
 
-		// Set AuthorizationResponse if response headers are specified.
-		if len(pol.ExtAuth.ResponseHeaders) > 0 {
-			extHttpService.AuthorizationResponse = &kgateway.AuthorizationResponse{
-				HeadersToBackend: pol.ExtAuth.ResponseHeaders,
-			}
+	// Set AuthorizationResponse if response headers are specified.
+	if len(pol.ExtAuth.ResponseHeaders) > 0 {
+		extHttpService.AuthorizationResponse = &kgateway.AuthorizationResponse{
+			HeadersToBackend: pol.ExtAuth.ResponseHeaders,
 		}
+	}
 
-		ge := &kgateway.GatewayExtension{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      fmt.Sprintf("%s-extauth", parsed.service),
-				Namespace: namespace,
-			},
-			Spec: kgateway.GatewayExtensionSpec{
-				ExtAuth: &kgateway.ExtAuthProvider{
-					HttpService: extHttpService,
-				},
+	ge := &kgateway.GatewayExtension{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      fmt.Sprintf("%s-extauth", ingressName),
+			Namespace: namespace,
+		},
+		Spec: kgateway.GatewayExtensionSpec{
+			ExtAuth: &kgateway.ExtAuthProvider{
+				HttpService: extHttpService,
 			},
-		}
-		ge.SetGroupVersionKind(GatewayExtensionGVK)
-		gatewayExtensions[authURL] = ge
+		},
 	}
+	ge.SetGroupVersionKind(GatewayExtensionGVK)
 
 	// Add ExtAuthPolicy to TrafficPolicy.
 	t := ensureTrafficPolicy(tp, ingressName, namespace)
-	ge := gatewayExtensions[authURL]
 
 	t.Spec.ExtAuth = &kgateway.ExtAuthPolicy{
 		ExtensionRef: &shared.NamespacedObjectReference{
@@ -197,5 +192,6 @@ func applyExtAuthPolicy(
 		},
 	}
 
+	gatewayExtensions[ingressName] = ge
 	return true
 }

pkg/i2gw/implementations/kgateway/emitter.go

@@ -78,7 +78,7 @@ func (e *Emitter) Emit(ir *intermediate.IR) ([]client.Object, error) {
 	// Track HTTPListenerPolicies per Gateway (for access logging).
 	httpListenerPolicies := map[types.NamespacedName]*kgateway.HTTPListenerPolicy{}
 
-	// Track GatewayExtensions per auth URL (for external auth).
+	// Track GatewayExtensions per ingress name (for external auth).
 	gatewayExtensions := map[string]*kgateway.GatewayExtension{}
 
 	for httpRouteKey, httpRouteContext := range ir.HTTPRoutes {

pkg/i2gw/implementations/kgateway/testing/testdata/output/external_auth.yaml

@@ -27,16 +27,16 @@ kind: HTTPRoute
 metadata:
   annotations:
     gateway.networking.k8s.io/generator: ingress2gateway-dev
-  name: ingress-auth-full-fqdn-app1-example-org
+  name: ingress-auth-different-ns-app4-example-org
   namespace: default
 spec:
   hostnames:
-  - app1.example.org
+  - app4.example.org
   parentRefs:
   - name: nginx
   rules:
   - backendRefs:
-    - name: app1
+    - name: app4
       port: 80
     matches:
     - path:
@@ -50,16 +50,16 @@ kind: HTTPRoute
 metadata:
   annotations:
     gateway.networking.k8s.io/generator: ingress2gateway-dev
-  name: ingress-auth-same-ns-app3-example-org
+  name: ingress-auth-full-fqdn-app1-example-org
   namespace: default
 spec:
   hostnames:
-  - app3.example.org
+  - app1.example.org
   parentRefs:
   - name: nginx
   rules:
   - backendRefs:
-    - name: app3
+    - name: app1
       port: 80
     matches:
     - path:
@@ -73,16 +73,16 @@ kind: HTTPRoute
 metadata:
   annotations:
     gateway.networking.k8s.io/generator: ingress2gateway-dev
-  name: ingress-auth-different-ns-app4-example-org
+  name: ingress-auth-same-ns-app3-example-org
   namespace: default
 spec:
   hostnames:
-  - app4.example.org
+  - app3.example.org
   parentRefs:
   - name: nginx
   rules:
   - backendRefs:
-    - name: app4
+    - name: app3
       port: 80
     matches:
     - path:
@@ -94,45 +94,45 @@ status:
 apiVersion: gateway.kgateway.dev/v1alpha1
 kind: GatewayExtension
 metadata:
-  name: auth-extauth
+  name: ingress-auth-different-ns-extauth
   namespace: default
 spec:
   extAuth:
     httpService:
       backendRef:
         name: auth
-        namespace: default
-        port: 80
-      pathPrefix: /
+        namespace: production
+        port: 8080
+      pathPrefix: /authz
 status: {}
 ---
 apiVersion: gateway.kgateway.dev/v1alpha1
 kind: GatewayExtension
 metadata:
-  name: auth-extauth
+  name: ingress-auth-full-fqdn-extauth
   namespace: default
 spec:
   extAuth:
     httpService:
+      authorizationResponse:
+        headersToBackend:
+        - X-Auth-Token
+        - X-User-ID
       backendRef:
         name: auth
-        namespace: production
-        port: 8080
-      pathPrefix: /authz
+        namespace: default
+        port: 80
+      pathPrefix: /
 status: {}
 ---
 apiVersion: gateway.kgateway.dev/v1alpha1
 kind: GatewayExtension
 metadata:
-  name: auth-extauth
+  name: ingress-auth-same-ns-extauth
   namespace: default
 spec:
   extAuth:
     httpService:
-      authorizationResponse:
-        headersToBackend:
-        - X-Auth-Token
-        - X-User-ID
       backendRef:
         name: auth
         namespace: default
@@ -148,7 +148,7 @@ metadata:
 spec:
   extAuth:
     extensionRef:
-      name: auth-extauth
+      name: ingress-auth-different-ns-extauth
       namespace: default
   targetRefs:
   - group: gateway.networking.k8s.io
@@ -165,7 +165,7 @@ metadata:
 spec:
   extAuth:
     extensionRef:
-      name: auth-extauth
+      name: ingress-auth-full-fqdn-extauth
       namespace: default
   targetRefs:
   - group: gateway.networking.k8s.io
@@ -182,7 +182,7 @@ metadata:
 spec:
   extAuth:
     extensionRef:
-      name: auth-extauth
+      name: ingress-auth-same-ns-extauth
       namespace: default
   targetRefs:
   - group: gateway.networking.k8s.io