envoyproxy · nareddyt · Oct 9, 2025 · Oct 9, 2025 · Oct 9, 2025 · Oct 9, 2025
@@ -5,13 +5,15 @@ tools.srcdir = tools/src
 $(tools.bindir)/%: $(tools.srcdir)/%/pin.go $(tools.srcdir)/%/go.mod
 	cd $(<D) && GOOS= GOARCH= go build -o $(abspath $@) $$(sed -En 's,^import _ "(.*)".*,\1,p' pin.go)
 
-IMAGE_PREFIX ?= envoyproxy/gateway-
-APP_NAME ?= extension-server
-TAG ?= latest
+IMAGE_PREFIX ?= nareddyt/
+APP_NAME ?= kubecon-2025-extension-server
+TAG ?= 3.1.0
+
+PLATFORMS ?= linux/amd64,linux/arm64
 
 .PHONY: docker-buildx
 docker-buildx:
-	docker buildx build -f tools/docker/extension-server/Dockerfile . -t $(IMAGE_PREFIX)$(APP_NAME):$(TAG) --build-arg GO_LDFLAGS="$(GO_LDFLAGS)" --load
+	docker buildx build --platform $(PLATFORMS) -f tools/docker/extension-server/Dockerfile . -t $(IMAGE_PREFIX)$(APP_NAME):$(TAG) --build-arg GO_LDFLAGS="$(GO_LDFLAGS)" --push
 
 build: generate manifests
 	mkdir -p bin

@@ -12,31 +12,27 @@ import (
 
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
-//
-// ListenerContext provides an example extension policy context resource.
-type ListenerContextExample struct {
+type CustomBackendMtlsPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	Spec ListenerContextExampleSpec `json:"spec"`
+	Spec CustomBackendMtlsPolicySpec `json:"spec"`
 }
 
-type ListenerContextExampleSpec struct {
+type CustomBackendMtlsPolicySpec struct {
 	TargetRefs []gwapiv1a2.LocalPolicyTargetReferenceWithSectionName `json:"targetRefs"`
 
-	Username string `json:"username"`
-	Password string `json:"password"`
+	TrustDomain        string `json:"trustDomain"`
+	WorkloadIdentifier string `json:"workloadIdentifier"`
 }
 
 // +kubebuilder:object:root=true
-//
-// ListenerContextList contains a list of ListenerContext resources.
-type ListenerContextExampleList struct {
+type CustomBackendMtlsPolicyList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []ListenerContextExample `json:"items"`
+	Items           []CustomBackendMtlsPolicy `json:"items"`
 }
 
 func init() {
-	SchemeBuilder.Register(&ListenerContextExample{}, &ListenerContextExampleList{})
+	SchemeBuilder.Register(&CustomBackendMtlsPolicy{}, &CustomBackendMtlsPolicyList{})
 }
@@ -3,22 +3,20 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.1
-  name: listenercontextexamples.example.extensions.io
+    controller-gen.kubebuilder.io/version: v0.18.0
+  name: custombackendmtlspolicies.example.extensions.io
 spec:
   group: example.extensions.io
   names:
-    kind: ListenerContextExample
-    listKind: ListenerContextExampleList
-    plural: listenercontextexamples
-    singular: listenercontextexample
+    kind: CustomBackendMtlsPolicy
+    listKind: CustomBackendMtlsPolicyList
+    plural: custombackendmtlspolicies
+    singular: custombackendmtlspolicy
   scope: Namespaced
   versions:
   - name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: ListenerContext provides an example extension policy context
-          resource.
         properties:
           apiVersion:
             description: |-
@@ -39,8 +37,6 @@ spec:
             type: object
           spec:
             properties:
-              password:
-                type: string
               targetRefs:
                 items:
                   description: |-
@@ -93,12 +89,14 @@ spec:
                   - name
                   type: object
                 type: array
-              username:
+              trustDomain:
+                type: string
+              workloadIdentifier:
                 type: string
             required:
-            - password
             - targetRefs
-            - username
+            - trustDomain
+            - workloadIdentifier
             type: object
         required:
         - spec

@@ -5,10 +5,9 @@
 replicaCount: 1
 
 image:
-  repository: extension-server
-  pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
-  tag: "latest"
+  repository: docker.io/nareddyt/kubecon-2025-extension-server
+  pullPolicy: Always
+  tag: "3.1.0"
 
 imagePullSecrets: []
 nameOverride: ""

@@ -6,6 +6,9 @@
 package main
 
 import (
+	extensionv1alpha1 "github.com/exampleorg/envoygateway-extension/api/v1alpha1"
+	"k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/client-go/kubernetes/scheme"
 	"log/slog"
 	"net"
 	"os"
@@ -19,6 +22,10 @@ import (
 	pb "github.com/envoyproxy/gateway/proto/extension"
 )
 
+func init() {
+	runtime.Must(extensionv1alpha1.AddToScheme(scheme.Scheme))
+}
+
 func main() {
 	app := cli.App{
 		Name:           "extension-server",

@@ -0,0 +1,63 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: "2025-10-09T03:33:12Z"
+  name: custom-backend-mtls-policy-example-status-update
+  resourceVersion: "174193194"
+  uid: 19bc0de3-f2f1-42cd-ae93-2e4c9bef7265
+rules:
+  - apiGroups:
+      - example.extensions.io
+    resources:
+      - custombackendmtlspolicies/status
+    verbs:
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: "2025-10-09T03:33:12Z"
+  name: custom-backend-mtls-policy-example-viewer
+  resourceVersion: "174193195"
+  uid: bb4a6f95-346c-4793-ac7e-a9656e3dd57b
+rules:
+  - apiGroups:
+      - example.extensions.io
+    resources:
+      - custombackendmtlspolicies
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  creationTimestamp: "2025-10-09T03:33:12Z"
+  name: envoy-gateway-custom-backend-mtls-policy
+  resourceVersion: "174193196"
+  uid: 9d0e50ad-3f67-4b25-8f97-baa6656bbf63
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: custom-backend-mtls-policy-example-viewer
+subjects:
+  - kind: ServiceAccount
+    name: envoy-gateway
+    namespace: envoy-gateway-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  creationTimestamp: "2025-10-09T03:33:12Z"
+  name: envoy-gateway-custom-backend-mtls-policy-status
+  resourceVersion: "174193197"
+  uid: 0f4b2eaa-91c5-4a36-aba4-5a856c4d63ac
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: custom-backend-mtls-policy-example-status-update
+subjects:
+  - kind: ServiceAccount
+    name: envoy-gateway
+    namespace: envoy-gateway-system
@@ -0,0 +1,12 @@
+apiVersion: example.extensions.io/v1alpha1
+kind: CustomBackendMtlsPolicy
+metadata:
+  name: mtls-for-backend-httproute
+  namespace: default
+spec:
+  targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: eg
+  trustDomain: "examples.extensions.io"
+  workloadIdentifier: "aws/us-west-2/envoy-proxy"
@@ -17,23 +17,12 @@ data:
       policyResources:
       - group: example.extensions.io
         version: v1alpha1
-        kind: ListenerContextExample
+        kind: CustomBackendMtlsPolicy
       hooks:
         # The type of hooks that should be invoked
         xdsTranslator:
           post:
-          - HTTPListener
           - Translation
-          # Enable listeners and routes in PostTranslateModifyHook
-          # This allows the extension server to receive and modify all four resource types:
-          # clusters, secrets, listeners, and routes
-          # Default: false for listeners and routes (for backward compatibility)
-          # Default: true for clusters and secrets (for backward compatibility)
-          translation:
-            listener:
-              includeAll: true
-            route:
-              includeAll: true
       service:
         # The service that is hosting the extension server
         fqdn: