Merge branch 'main' into response-api

Signed-off-by: Dan Sun <[email protected]>

Author: yuzisun

.envoy-version

@@ -0,0 +1 @@
+1.36.2

.github/workflows/build_and_test.yaml

@@ -68,8 +68,6 @@ jobs:
             ~/go/bin
           key: unittest-${{ hashFiles('**/go.mod', '**/go.sum', '**/Makefile') }}-${{ matrix.os }}
       - run: make test-coverage
-      - if: failure()
-        run: cat ollama.log || true
       - name: Upload coverage to Codecov
         if: matrix.os == 'ubuntu-latest'
         uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
@@ -136,20 +134,13 @@ jobs:
   test_extproc:
     needs: changes
     if: ${{ needs.changes.outputs.code == 'true' }}
-    name: External Processor Test (Envoy v${{ matrix.version }} on ${{ matrix.os }})
+    name: External Processor Test (${{ matrix.os }})
     strategy:
       fail-fast: false
       matrix:
-        # Note: we cannot run the latest Envoy version on macOS due to https://github.com/tetratelabs/archive-envoy/issues/12.
-        # Once it's supported, the following "binary installation" steps below can be just removed and
-        # we can simply exec.Cmd with "go tool -modfile=tools/go.mod func-e run" with the envoy version configured via ENVOY_VERSION env var.
-        include:
-          - version: 1.35.0 # NOTE: when updating this, also update the comment in the CONTRIBUTING.md file.
-            os: ubuntu-latest
-          - version: 1.35.0 # NOTE: when updating this, also update the comment in the CONTRIBUTING.md file.
-            os: macos-latest
-          - version: latest
-            os: ubuntu-latest
+        os:
+          - ubuntu-latest
+          - macos-latest
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
@@ -164,19 +155,6 @@ jobs:
             ~/go/pkg/mod
             ~/go/bin
           key: extproc-tests-${{ hashFiles('**/go.mod', '**/go.sum', '**/Makefile') }}
-      - name: Install stable Envoy via func-e
-        if: matrix.version != 'latest'
-        run: |
-          go tool -modfile=tools/go.mod func-e use ${{ matrix.version }}
-          echo $HOME/.func-e/versions/${{ matrix.version }}/bin >> $GITHUB_PATH
-      - name: Install latest Envoy
-        if: matrix.version == 'latest'
-        run: |
-          export ENVOY_BIN_DIR=$HOME/envoy/bin
-          mkdir -p $ENVOY_BIN_DIR
-          docker run -v $ENVOY_BIN_DIR:/tmp/ci -w /tmp/ci \
-          --entrypoint /bin/cp envoyproxy/envoy-dev:latest /usr/local/bin/envoy .
-          echo $ENVOY_BIN_DIR >> $GITHUB_PATH
       - env:
           TEST_AWS_ACCESS_KEY_ID: ${{ secrets.AWS_BEDROCK_USER_AWS_ACCESS_KEY_ID }}
           TEST_AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_BEDROCK_USER_AWS_SECRET_ACCESS_KEY }}
@@ -292,10 +270,6 @@ jobs:
           key: e2e-test-${{ hashFiles('**/go.mod', '**/go.sum', '**/Makefile') }}
       - uses: docker/setup-buildx-action@v3
       - run: make test-e2e-inference-extension
-        env:
-          # We only need to test with the latest stable version of EG, since these e2e tests
-          # do not depend on the EG version.
-          EG_VERSION: v1.5.0
 
   test_e2e_namespaced:
     needs: changes
@@ -361,7 +335,7 @@ jobs:
       - name: Download Envoy via func-e
         run: go tool -modfile=tools/go.mod func-e run --version
         env:
-          FUNC_E_HOME: /tmp/envoy-gateway # hard-coded directory in EG
+          FUNC_E_DATA_HOME: ~/.local/share/aigw
       - name: Install Goose
         env:
           GOOSE_VERSION: v1.10.0

.github/workflows/retest.yaml

@@ -9,12 +9,11 @@ permissions:
 
 jobs:
   retest:
-    if: |
-      ${{
-         github.event.issue.pull_request
-         && github.repository == 'envoyproxy/ai-gateway'
-         && github.actor != 'repokitteh-read-only[bot]'
-         && github.actor != 'dependabot[bot]'
+    if: ${{
+      github.event.issue.pull_request
+      && github.repository == 'envoyproxy/ai-gateway'
+      && github.actor != 'repokitteh-read-only[bot]'
+      && github.actor != 'dependabot[bot]'
       }}
     name: Retest
     runs-on: ubuntu-22.04

.gitignore

@@ -49,3 +49,4 @@ inference-extension-conformance-test-report.yaml
 .mcp.json
 
 .goose
+/aigw

CONTRIBUTING.md

@@ -43,12 +43,6 @@ For example,
 
 - The latest `kubectl` binary for running `make test-e2e`.
   - See: https://kubernetes.io/docs/tasks/tools/
-- The latest `envoy` binary for running `make test-extproc`. The current required version is v1.35 or later.
-  - On Linux, you can download the latest Envoy binary as described in https://www.envoyproxy.io/docs/envoy/latest/start/install.
-    Alternatively, you can use `func-e` on Linux as well like on macOS below.
-  - On macOS, since `brew envoy` tends to behind the latest version, it is recommended use `func-e` to run the latest Envoy. See https://func-e.io/.
-  - `alias envoy='func-e run'` is a convenient way to run the latest Envoy binary via `func-e` on both macOS and Linux.
-    For example, `func-e use 1.34` can be used to switch to a specific version of Envoy to be run with `func-e run`.
 
 Other than that, everything will be automatically managed and installed via `make` targets,
 and you should not need to worry about the dependencies (tell us if you do).
@@ -106,3 +100,4 @@ make sure that these automated checks pass after you open a PR by following the
   as commit message by default. Maintainers may request contributors to
   edit the pull request title and description to ensure that it remains descriptive as a
   commit message. Alternatively, maintainers may change the commit message directly at the time of merge.
+- If you have any questions during the review, please feel free to ask the maintainers listed in [MAINTAINERS.md](./MAINTAINERS.md).

Dockerfile

@@ -15,30 +15,44 @@ FROM golang:1.25 AS envoy-downloader
 ARG TARGETOS
 ARG TARGETARCH
 ARG COMMAND_NAME
-# Hard-coded directory for envoy-gateway resources
-# See https://github.com/envoyproxy/gateway/blob/d95ce4ce564cfff47ed1fd6c97e29c1058aa4a61/internal/infrastructure/host/proxy_infra.go#L16
-WORKDIR /tmp/envoy-gateway
+# Download Envoy binary to AIGW_DATA_HOME for the nonroot user
+WORKDIR /build
 RUN if [ "$COMMAND_NAME" = "aigw" ]; then \
       go install github.com/tetratelabs/func-e/cmd/func-e@latest && \
-      func-e --platform ${TARGETOS}/${TARGETARCH} --home-dir . run --version; \
+      FUNC_E_DATA_HOME=/home/nonroot/.local/share/aigw func-e --platform ${TARGETOS}/${TARGETARCH} run --version; \
     fi \
-    && mkdir -p certs \
-    && chown -R 65532:65532 . \
-    && chmod -R 755 .
+    # Create directories for the nonroot user
+    && mkdir -p /home/nonroot /tmp/envoy-gateway/certs \
+    && chown -R 65532:65532 /home/nonroot /tmp/envoy-gateway \
+    && chmod -R 755 /home/nonroot /tmp/envoy-gateway
 
 FROM gcr.io/distroless/${VARIANT}-debian12:nonroot
 ARG COMMAND_NAME
 ARG TARGETOS
 ARG TARGETARCH
 
+# Copy pre-downloaded Envoy binary and EG certs directory
+COPY --from=envoy-downloader /home/nonroot /home/nonroot
 COPY --from=envoy-downloader /tmp/envoy-gateway /tmp/envoy-gateway
 COPY ./out/${COMMAND_NAME}-${TARGETOS}-${TARGETARCH} /app
 
 USER nonroot:nonroot
 
+# Set AIGW_RUN_ID=0 for predictable file paths in containers.
+# This creates the following directory structure:
+#   ~/.config/aigw/                     - XDG config (e.g., envoy-version preference)
+#   ~/.local/share/aigw/                - XDG data (downloaded Envoy binaries via func-e)
+#   ~/.local/state/aigw/runs/0/         - XDG state (aigw.log, envoy-gateway-config.yaml, extproc-config.yaml, resources/)
+#   ~/.local/state/aigw/envoy-runs/0/   - XDG state (func-e stdout.log, stderr.log)
+#   /tmp/aigw-0/                        - XDG runtime (uds.sock, admin-address.txt)
+ENV AIGW_RUN_ID=0
+
 # The healthcheck subcommand performs an HTTP GET to localhost:1064/healthlthy for "aigw run".
 # NOTE: This is only for aigw in practice since this is ignored by Kubernetes.
 HEALTHCHECK --interval=10s --timeout=5s --start-period=5s --retries=3 \
     CMD ["/app", "healthcheck"]
 
 ENTRYPOINT ["/app"]
+
+# Default CMD for aigw - uses AIGW_RUN_ID from environment
+CMD ["run"]

MAINTAINERS.md

@@ -0,0 +1,27 @@
+## Maintainers
+
+The following people are responsible for maintaining the Envoy AI Gateway project.
+Please reach out to them for any questions, issues, or contributions related to the project.
+
+- Takeshi Yoneda ([@mathetake](https://github.com/mathetake))
+  - Area: Everything
+  - [Envoy Proxy](https://github.com/envoyproxy/envoy) Maintainer
+- Dan Sun ([@yuzisun](https://github.com/yuzisun))
+  - Area: Everything, focusing on enterprise integration & core LLM features
+  - [KServe](https://github.com/kserve/kserve) Maintainer
+- Erica Hughberg ([@missBerg](https://github.com/missBerg))
+  - Area: Documentation, WebSite, Community
+- Aaron Choo ([@aabchoo](https://github.com/aabchoo))
+  - Area: Control Plane, Security Policy, Testing
+- Yao Weng ([@wengyao04](https://github.com/wengyao04))
+  - Area: Control Plane, Testing
+- Xunzhuo (Bit) Liu ([@Xunzhuo](https://github.com/Xunzhuo))
+  - Area: Control Plane, Inference Pool & Gateway API Inference Extension
+  - [Envoy Gateway](https://github.com/envoyproxy/gateway) Maintainer
+- Ignasi Barrera ([@nacx](https://github.com/nacx))
+  - Area: MCP, aigw CLI (standalone mode)
+- Johnu George ([@johnugeorge](https://github.com/johnugeorge))
+  - Area: Enterprise features and integration, LLM features
+  - [Kubeflow](https://github.com/kubeflow/kubeflow) Steering Committee member
+- Gavrish Prabhu ([@gavrissh](https://github.com/gavrissh))
+  - Area: Control plane, Testing

Makefile

@@ -49,9 +49,11 @@ precommit: ## Run all necessary steps to prepare for a commit.
 precommit: tidy spellcheck apigen apidoc format lint editorconfig helm-test
 
 .PHONY: lint
-lint: ## This runs the linter, formatter, and tidy on the codebase.
-	@echo "lint => ./..."
+lint: ## This runs the linter on the codebase.
+	@echo "golangci-lint => ./..."
 	@$(GO_TOOL) golangci-lint run --build-tags==test_crdcel,test_controller,test_extproc,test_e2e ./...
+	@echo "actionlint => ./..."
+	@$(GO_TOOL) actionlint -shellcheck="" # Disabling shellcheck as it requires additional host dependencies.
 
 .PHONY: spellcheck
 spellcheck:  ## Spell check the codebase.
@@ -102,7 +104,6 @@ editorconfig:
 apigen: ## Generate CRDs for the API defined in the api directory.
 	@echo "apigen => ./api/v1alpha1/..."
 	@$(GO_TOOL) controller-gen object crd paths="./api/v1alpha1/..." output:dir=./api/v1alpha1 output:crd:dir=./manifests/charts/ai-gateway-crds-helm/templates
-	@$(GO_TOOL) controller-gen object crd paths="./api/v1alpha1/..." output:dir=./api/v1alpha1 output:crd:dir=./manifests/charts/ai-gateway-helm/crds
 
 # This generates the API documentation for the API defined in the api/v1alpha1 directory.
 .PHONY: apidoc
@@ -155,6 +156,8 @@ test-crdcel: apigen ## Run the integration tests of CEL validation in CRD defini
 .PHONY: test-extproc # This requires the extproc binary to be built.
 test-extproc: build.extproc ## Run the integration tests for extproc without controller or k8s at all.
 	@$(MAKE) build.testupstream CMD_PATH_PREFIX=tests/internal/testupstreamlib
+	@echo "Ensure func-e is built and Envoy is installed"
+	@@$(GO_TOOL) func-e run --version >/dev/null 2>&1
 	@echo "Run ExtProc test"
 	@EXTPROC_BIN=$(OUTPUT_DIR)/extproc-$(shell go env GOOS)-$(shell go env GOARCH) go test ./tests/extproc/... $(GO_TEST_E2E_ARGS)
 

README.md

@@ -83,6 +83,12 @@ Envoy AI Gateway supports a wide range of AI providers, making it easy to integr
         <br><sub><b>Tetrate Agent Router Service</b></sub>
       </td>
     </tr>
+    <tr>
+      <td align="center" width="120">
+        <img src="site/static/img/providers/anthropic.svg" width="60" height="60" alt="Anthropic"/>
+        <br><sub><b>Anthropic</b></sub>
+      </td>
+    </tr>
   </table>
 </div>
 

api/v1alpha1/ai_gateway_route.go

@@ -200,7 +200,11 @@ type AIGatewayRouteRule struct {
 	// BackendRefs is the list of backends that this rule will route the traffic to.
 	// Each backend can have a weight that determines the traffic distribution.
 	//
-	// The namespace of each backend is "local", i.e. the same namespace as the AIGatewayRoute.
+	// The namespace of each backend defaults to the same namespace as the AIGatewayRoute when not specified.
+	// Cross-namespace references are supported by specifying the namespace field.
+	// When a namespace different than the AIGatewayRoute's namespace is specified,
+	// a ReferenceGrant object is required in the referent namespace to allow that
+	// namespace's owner to accept the reference.
 	//
 	// BackendRefs can reference either AIServiceBackend resources (default) or InferencePool resources
 	// from the Gateway API Inference Extension. When referencing InferencePool resources:
@@ -278,6 +282,17 @@ type AIGatewayRouteRuleBackendRef struct {
 	// +kubebuilder:validation:MinLength=1
 	Name string `json:"name"`
 
+	// Namespace is the namespace of the backend resource.
+	// When unspecified (or empty string), this refers to the local namespace of the AIGatewayRoute.
+	//
+	// Note that when a namespace different than the local namespace is specified,
+	// a ReferenceGrant object is required in the referent namespace to allow that
+	// namespace's owner to accept the reference. See the ReferenceGrant
+	// documentation for details.
+	//
+	// +optional
+	Namespace *gwapiv1.Namespace `json:"namespace,omitempty"`
+
 	// Group is the group of the backend resource.
 	// When not specified, defaults to aigateway.envoyproxy.io (AIServiceBackend).
 	// Currently, only "inference.networking.k8s.io" is supported for InferencePool resources.
@@ -302,6 +317,14 @@ type AIGatewayRouteRuleBackendRef struct {
 	// +optional
 	ModelNameOverride string `json:"modelNameOverride,omitempty"`
 
+	// HeaderMutation defines the request header mutation to be applied to this backend.
+	// When both route-level and backend-level HeaderMutation are defined,
+	// route-level takes precedence over backend-level for conflicting operations.
+	// This field is ignored when referencing InferencePool resources.
+	//
+	// +optional
+	HeaderMutation *HTTPHeaderMutation `json:"headerMutation,omitempty"`
+
 	// Weight is the weight of the backend. This is exactly the same as the weight in
 	// the BackendRef in the Gateway API. See for the details:
 	// https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.BackendRef