envoyproxy · kkk777-7 · Nov 8, 2025 · Nov 16, 2025 · Nov 16, 2025 · Nov 18, 2025
@@ -75,6 +75,7 @@ func localPolicyTargetReferenceWithSectionNameToKey(ns string, targetRef gwapiv1
 // applyBackendTLSSetting processes TLS settings from Backend resource, BackendTLSPolicy, and EnvoyProxy resource.
 // It merges the TLS settings from these resources and returns the final TLS config to be applied to the upstream cluster.
 func (t *Translator) applyBackendTLSSetting(
+	translatorContext *TranslatorContext,
 	backendRef gwapiv1.BackendObjectReference,
 	backendNamespace string,
 	parent gwapiv1.ParentReference,
@@ -113,7 +114,7 @@ func (t *Translator) applyBackendTLSSetting(
 	}
 
 	// Get the backend certificate validation settings from BackendTLSPolicy.
-	if btpValidationTLSConfig, err = t.processBackendTLSPolicy(backendRef, backendNamespace, parent, resources); err != nil {
+	if btpValidationTLSConfig, err = t.processBackendTLSPolicy(translatorContext, backendRef, backendNamespace, parent, resources); err != nil {
 		return nil, err
 	}
 
@@ -271,12 +272,13 @@ func (t *Translator) processServerValidationTLSSettings(
 }
 
 func (t *Translator) processBackendTLSPolicy(
+	translatorContext *TranslatorContext,
 	backendRef gwapiv1.BackendObjectReference,
 	backendNamespace string,
 	parent gwapiv1.ParentReference,
 	resources *resource.Resources,
 ) (*ir.TLSUpstreamConfig, error) {
-	policy := getBackendTLSPolicy(resources.BackendTLSPolicies, backendRef, backendNamespace, resources)
+	policy := getBackendTLSPolicy(translatorContext, resources.BackendTLSPolicies, backendRef, backendNamespace, resources)
 	if policy == nil {
 		return nil, nil
 	}
@@ -405,13 +407,14 @@ func backendTLSTargetMatched(policy *gwapiv1.BackendTLSPolicy, target gwapiv1.Lo
 }
 
 func getBackendTLSPolicy(
+	translatorContext *TranslatorContext,
 	policies []*gwapiv1.BackendTLSPolicy,
 	backendRef gwapiv1.BackendObjectReference,
 	backendNamespace string,
 	resources *resource.Resources,
 ) *gwapiv1.BackendTLSPolicy {
 	// SectionName is port number for EG Backend object
-	target := getTargetBackendReference(backendRef, backendNamespace, resources)
+	target := getTargetBackendReference(translatorContext, backendRef, backendNamespace, resources)
 	for _, policy := range policies {
 		if backendTLSTargetMatched(policy, target, backendNamespace) {
 			return policy

@@ -18,6 +18,7 @@ import (
 	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 	"github.com/envoyproxy/gateway/internal/gatewayapi/resource"
 	"github.com/envoyproxy/gateway/internal/ir"
+	"github.com/envoyproxy/gateway/internal/utils"
 )
 
 // GatewayContext wraps a Gateway and provides helper methods for
@@ -661,3 +662,22 @@ func (d DirectBackendRef) GetBackendRef() *gwapiv1.BackendRef {
 func (d DirectBackendRef) GetFilters() any {
 	return nil
 }
+
+type TranslatorContext struct {
+	ServiceMap map[types.NamespacedName]*corev1.Service
+}
+
+func (t *TranslatorContext) GetService(namespace, name string) *corev1.Service {
+	if svc, ok := t.ServiceMap[types.NamespacedName{Namespace: namespace, Name: name}]; ok {
+		return svc
+	}
+	return nil
+}
+
+func (t *TranslatorContext) SetServices(svcs []*corev1.Service) {
+	serviceMap := make(map[types.NamespacedName]*corev1.Service, len(svcs))
+	for _, svc := range svcs {
+		serviceMap[utils.NamespacedName(svc)] = svc
+	}
+	t.ServiceMap = serviceMap
+}
@@ -33,7 +33,8 @@ import (
 // oci URL prefix
 const ociURLPrefix = "oci://"
 
-func (t *Translator) ProcessEnvoyExtensionPolicies(envoyExtensionPolicies []*egv1a1.EnvoyExtensionPolicy,
+func (t *Translator) ProcessEnvoyExtensionPolicies(translatorContext *TranslatorContext,
+	envoyExtensionPolicies []*egv1a1.EnvoyExtensionPolicy,
 	gateways []*GatewayContext,
 	routes []RouteContext,
 	resources *resource.Resources,
@@ -85,7 +86,7 @@ func (t *Translator) ProcessEnvoyExtensionPolicies(envoyExtensionPolicies []*egv
 					handledPolicies[policyName] = policy
 				}
 
-				t.processEnvoyExtensionPolicyForRoute(resources, xdsIR,
+				t.processEnvoyExtensionPolicyForRoute(translatorContext, resources, xdsIR,
 					routeMap, gatewayRouteMap, policy, currTarget)
 			}
 		}
@@ -105,7 +106,7 @@ func (t *Translator) ProcessEnvoyExtensionPolicies(envoyExtensionPolicies []*egv
 					handledPolicies[policyName] = policy
 				}
 
-				t.processEnvoyExtensionPolicyForRoute(resources, xdsIR,
+				t.processEnvoyExtensionPolicyForRoute(translatorContext, resources, xdsIR,
 					routeMap, gatewayRouteMap, policy, currTarget)
 			}
 		}
@@ -125,7 +126,7 @@ func (t *Translator) ProcessEnvoyExtensionPolicies(envoyExtensionPolicies []*egv
 					handledPolicies[policyName] = policy
 				}
 
-				t.processEnvoyExtensionPolicyForGateway(resources, xdsIR,
+				t.processEnvoyExtensionPolicyForGateway(translatorContext, resources, xdsIR,
 					gatewayMap, gatewayRouteMap, policy, currTarget)
 			}
 		}
@@ -145,7 +146,7 @@ func (t *Translator) ProcessEnvoyExtensionPolicies(envoyExtensionPolicies []*egv
 					handledPolicies[policyName] = policy
 				}
 
-				t.processEnvoyExtensionPolicyForGateway(resources, xdsIR,
+				t.processEnvoyExtensionPolicyForGateway(translatorContext, resources, xdsIR,
 					gatewayMap, gatewayRouteMap, policy, currTarget)
 			}
 		}
@@ -161,6 +162,7 @@ func (t *Translator) ProcessEnvoyExtensionPolicies(envoyExtensionPolicies []*egv
 }
 
 func (t *Translator) processEnvoyExtensionPolicyForRoute(
+	translatorContext *TranslatorContext,
 	resources *resource.Resources,
 	xdsIR resource.XdsIRMap,
 	routeMap map[policyTargetRouteKey]*policyRouteTargetContext,
@@ -230,7 +232,7 @@ func (t *Translator) processEnvoyExtensionPolicyForRoute(
 	}
 
 	// Set conditions for translation error if it got any
-	if err := t.translateEnvoyExtensionPolicyForRoute(policy, targetedRoute, currTarget, xdsIR, resources); err != nil {
+	if err := t.translateEnvoyExtensionPolicyForRoute(translatorContext, policy, targetedRoute, currTarget, xdsIR, resources); err != nil {
 		status.SetTranslationErrorForPolicyAncestors(&policy.Status,
 			ancestorRefs,
 			t.GatewayControllerName,
@@ -263,6 +265,7 @@ func (t *Translator) processEnvoyExtensionPolicyForRoute(
 }
 
 func (t *Translator) processEnvoyExtensionPolicyForGateway(
+	translatorContext *TranslatorContext,
 	resources *resource.Resources,
 	xdsIR resource.XdsIRMap,
 	gatewayMap map[types.NamespacedName]*policyGatewayTargetContext,
@@ -301,7 +304,7 @@ func (t *Translator) processEnvoyExtensionPolicyForGateway(
 	}
 
 	// Set conditions for translation error if it got any
-	if err := t.translateEnvoyExtensionPolicyForGateway(policy, currTarget, targetedGateway, xdsIR, resources); err != nil {
+	if err := t.translateEnvoyExtensionPolicyForGateway(translatorContext, policy, currTarget, targetedGateway, xdsIR, resources); err != nil {
 		status.SetTranslationErrorForPolicyAncestor(&policy.Status,
 			&ancestorRef,
 			t.GatewayControllerName,
@@ -451,6 +454,7 @@ func resolveEnvoyExtensionPolicyRouteTargetRef(
 }
 
 func (t *Translator) translateEnvoyExtensionPolicyForRoute(
+	translatorContext *TranslatorContext,
 	policy *egv1a1.EnvoyExtensionPolicy,
 	route RouteContext,
 	target gwapiv1.LocalPolicyTargetReferenceWithSectionName,
@@ -487,7 +491,7 @@ func (t *Translator) translateEnvoyExtensionPolicyForRoute(
 		}
 
 		var extProcs []ir.ExtProc
-		if extProcs, extProcError, extProcFailOpen = t.buildExtProcs(policy, resources, gtwCtx.envoyProxy); extProcError != nil {
+		if extProcs, extProcError, extProcFailOpen = t.buildExtProcs(translatorContext, policy, resources, gtwCtx.envoyProxy); extProcError != nil {
 			extProcError = perr.WithMessage(extProcError, "ExtProc")
 			errs = errors.Join(errs, extProcError)
 		}
@@ -547,6 +551,7 @@ func (t *Translator) translateEnvoyExtensionPolicyForRoute(
 }
 
 func (t *Translator) translateEnvoyExtensionPolicyForGateway(
+	translatorContext *TranslatorContext,
 	policy *egv1a1.EnvoyExtensionPolicy,
 	target gwapiv1.LocalPolicyTargetReferenceWithSectionName,
 	gateway *GatewayContext,
@@ -562,7 +567,7 @@ func (t *Translator) translateEnvoyExtensionPolicyForGateway(
 		errs                              error
 	)
 
-	if extProcs, extProcError, extProcFailOpen = t.buildExtProcs(policy, resources, gateway.envoyProxy); extProcError != nil {
+	if extProcs, extProcError, extProcFailOpen = t.buildExtProcs(translatorContext, policy, resources, gateway.envoyProxy); extProcError != nil {
 		extProcError = perr.WithMessage(extProcError, "ExtProc")
 		errs = errors.Join(errs, extProcError)
 	}
@@ -703,7 +708,7 @@ func getLuaBodyFromLocalObjectReference(valueRef *gwapiv1.LocalObjectReference,
 	}
 }
 
-func (t *Translator) buildExtProcs(policy *egv1a1.EnvoyExtensionPolicy, resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy) ([]ir.ExtProc, error, bool) {
+func (t *Translator) buildExtProcs(translatorContext *TranslatorContext, policy *egv1a1.EnvoyExtensionPolicy, resources *resource.Resources, envoyProxy *egv1a1.EnvoyProxy) ([]ir.ExtProc, error, bool) {
 	var (
 		failOpen bool
 		errs     error
@@ -718,7 +723,7 @@ func (t *Translator) buildExtProcs(policy *egv1a1.EnvoyExtensionPolicy, resource
 	hasFailClose := false
 	for idx, ep := range policy.Spec.ExtProc {
 		name := irConfigNameForExtProc(policy, idx)
-		extProcIR, err := t.buildExtProc(name, policy, ep, idx, resources, envoyProxy)
+		extProcIR, err := t.buildExtProc(translatorContext, name, policy, ep, idx, resources, envoyProxy)
 		if err != nil {
 			errs = errors.Join(errs, err)
 			if ep.FailOpen == nil || !*ep.FailOpen {
@@ -737,6 +742,7 @@ func (t *Translator) buildExtProcs(policy *egv1a1.EnvoyExtensionPolicy, resource
 }
 
 func (t *Translator) buildExtProc(
+	translatorContext *TranslatorContext,
 	name string,
 	policy *egv1a1.EnvoyExtensionPolicy,
 	extProc egv1a1.ExtProc,
@@ -750,7 +756,7 @@ func (t *Translator) buildExtProc(
 		err       error
 	)
 
-	if rd, err = t.translateExtServiceBackendRefs(policy, extProc.BackendRefs, ir.GRPC, resources, envoyProxy, "extproc", extProcIdx); err != nil {
+	if rd, err = t.translateExtServiceBackendRefs(translatorContext, policy, extProc.BackendRefs, ir.GRPC, resources, envoyProxy, "extproc", extProcIdx); err != nil {
 		return nil, err
 	}
 

@@ -23,6 +23,7 @@ import (
 
 // translateExtServiceBackendRefs translates external service backend references to route destinations.
 func (t *Translator) translateExtServiceBackendRefs(
+	translatorContext *TranslatorContext,
 	policy client.Object,
 	backendRefs []egv1a1.BackendRef,
 	protocol ir.AppProtocol,
@@ -46,6 +47,7 @@ func (t *Translator) translateExtServiceBackendRefs(
 	destName := irIndexedExtServiceDestinationName(pnn, policy.GetObjectKind().GroupVersionKind().Kind, configType, index)
 	for i, backendRef := range backendRefs {
 		if err = t.validateExtServiceBackendReference(
+			translatorContext,
 			&backendRef.BackendObjectReference,
 			policy.GetNamespace(),
 			policy.GetObjectKind().GroupVersionKind().Kind,
@@ -56,6 +58,7 @@ func (t *Translator) translateExtServiceBackendRefs(
 		settingName := irDestinationSettingName(destName, i)
 		var extServiceDest *ir.DestinationSetting
 		if extServiceDest, err = t.processExtServiceDestination(
+			translatorContext,
 			settingName,
 			&backendRef,
 			pnn,
@@ -87,6 +90,7 @@ func (t *Translator) translateExtServiceBackendRefs(
 }
 
 func (t *Translator) processExtServiceDestination(
+	translatorContext *TranslatorContext,
 	settingName string,
 	backendRef *egv1a1.BackendRef,
 	policyNamespacedName types.NamespacedName,
@@ -105,7 +109,7 @@ func (t *Translator) processExtServiceDestination(
 
 	switch KindDerefOr(backendRef.Kind, resource.KindService) {
 	case resource.KindService:
-		ds, err = t.processServiceDestinationSetting(settingName, backendRef.BackendObjectReference, backendNamespace, protocol, resources, envoyProxy)
+		ds, err = t.processServiceDestinationSetting(translatorContext, settingName, backendRef.BackendObjectReference, backendNamespace, protocol, resources, envoyProxy)
 		if err != nil {
 			return nil, err
 		}
@@ -137,6 +141,7 @@ func (t *Translator) processExtServiceDestination(
 	}
 
 	backendTLS, err = t.applyBackendTLSSetting(
+		translatorContext,
 		backendRef.BackendObjectReference,
 		backendNamespace,
 		// Gateway is not the appropriate parent reference here because the owner

@@ -32,7 +32,7 @@ type HTTPFiltersTranslator interface {
 	processRedirectFilter(redirect *gwapiv1.HTTPRequestRedirectFilter, filterContext *HTTPFiltersContext)
 	processRequestHeaderModifierFilter(headerModifier *gwapiv1.HTTPHeaderFilter, filterContext *HTTPFiltersContext)
 	processResponseHeaderModifierFilter(headerModifier *gwapiv1.HTTPHeaderFilter, filterContext *HTTPFiltersContext)
-	processRequestMirrorFilter(filterIdx int, mirror *gwapiv1.HTTPRequestMirrorFilter, filterContext *HTTPFiltersContext, resources *resource.Resources) status.Error
+	processRequestMirrorFilter(translatorContext *TranslatorContext, filterIdx int, mirror *gwapiv1.HTTPRequestMirrorFilter, filterContext *HTTPFiltersContext, resources *resource.Resources) status.Error
 	processUnsupportedHTTPFilter(filterType string, filterContext *HTTPFiltersContext)
 }
 
@@ -70,7 +70,8 @@ type HTTPFilterIR struct {
 var HeaderValueRegexp = regexp.MustCompile(`^[!-~]+([\t ]?[!-~]+)*$`)
 
 // ProcessHTTPFilters translates gateway api http filters to IRs.
-func (t *Translator) ProcessHTTPFilters(parentRef *RouteParentContext,
+func (t *Translator) ProcessHTTPFilters(translatorContext *TranslatorContext,
+	parentRef *RouteParentContext,
 	route RouteContext,
 	filters []gwapiv1.HTTPRouteFilter,
 	ruleIdx int,
@@ -104,7 +105,7 @@ func (t *Translator) ProcessHTTPFilters(parentRef *RouteParentContext,
 		case gwapiv1.HTTPRouteFilterResponseHeaderModifier:
 			t.processResponseHeaderModifierFilter(filter.ResponseHeaderModifier, httpFiltersContext)
 		case gwapiv1.HTTPRouteFilterRequestMirror:
-			err = t.processRequestMirrorFilter(i, filter.RequestMirror, httpFiltersContext, resources)
+			err = t.processRequestMirrorFilter(translatorContext, i, filter.RequestMirror, httpFiltersContext, resources)
 		case gwapiv1.HTTPRouteFilterCORS:
 			t.processCORSFilter(filter.CORS, httpFiltersContext)
 		case gwapiv1.HTTPRouteFilterExtensionRef:
@@ -118,7 +119,8 @@ func (t *Translator) ProcessHTTPFilters(parentRef *RouteParentContext,
 }
 
 // ProcessGRPCFilters translates gateway api grpc filters to IRs.
-func (t *Translator) ProcessGRPCFilters(parentRef *RouteParentContext,
+func (t *Translator) ProcessGRPCFilters(translatorContext *TranslatorContext,
+	parentRef *RouteParentContext,
 	route RouteContext,
 	filters []gwapiv1.GRPCRouteFilter,
 	resources *resource.Resources,
@@ -147,7 +149,7 @@ func (t *Translator) ProcessGRPCFilters(parentRef *RouteParentContext,
 		case gwapiv1.GRPCRouteFilterResponseHeaderModifier:
 			t.processResponseHeaderModifierFilter(filter.ResponseHeaderModifier, httpFiltersContext)
 		case gwapiv1.GRPCRouteFilterRequestMirror:
-			err := t.processRequestMirrorFilter(i, filter.RequestMirror, httpFiltersContext, resources)
+			err := t.processRequestMirrorFilter(translatorContext, i, filter.RequestMirror, httpFiltersContext, resources)
 			if err != nil {
 				return nil, err
 			}
@@ -954,6 +956,7 @@ func (t *Translator) processExtensionRefHTTPFilter(extFilter *gwapiv1.LocalObjec
 }
 
 func (t *Translator) processRequestMirrorFilter(
+	translatorContext *TranslatorContext,
 	filterIdx int,
 	mirrorFilter *gwapiv1.HTTPRequestMirrorFilter,
 	filterContext *HTTPFiltersContext,
@@ -980,7 +983,7 @@ func (t *Translator) processRequestMirrorFilter(
 	// This sets the status on the Route, should the usage be changed so that the status message reflects that the backendRef is from the filter?
 	filterNs := filterContext.Route.GetNamespace()
 	serviceNamespace := NamespaceDerefOr(mirrorBackend.Namespace, filterNs)
-	err = t.validateBackendRef(mirrorBackendRef, filterContext.Route,
+	err = t.validateBackendRef(translatorContext, mirrorBackendRef, filterContext.Route,
 		resources, serviceNamespace, routeType)
 	if err != nil {
 		return status.NewRouteStatusError(
@@ -989,7 +992,7 @@ func (t *Translator) processRequestMirrorFilter(
 
 	destName := fmt.Sprintf("%s-mirror-%d", irRouteDestinationName(filterContext.Route, filterContext.RuleIdx), filterIdx)
 	settingName := irDestinationSettingName(destName, -1 /*unused*/)
-	ds, _, err := t.processDestination(settingName, mirrorBackendRef, filterContext.ParentRef, filterContext.Route, resources)
+	ds, _, err := t.processDestination(translatorContext, settingName, mirrorBackendRef, filterContext.ParentRef, filterContext.Route, resources)
 	if err != nil {
 		return err
 	}

@@ -19,11 +19,11 @@ import (
 const envoyTLSSecretName = "envoy"
 
 // ProcessGlobalResources processes global resources that are not tied to a specific listener or route
-func (t *Translator) ProcessGlobalResources(resources *resource.Resources, xdsIRs resource.XdsIRMap, gateways []*GatewayContext) error {
+func (t *Translator) ProcessGlobalResources(translatorContext *TranslatorContext, resources *resource.Resources, xdsIRs resource.XdsIRMap, gateways []*GatewayContext) error {
 	// Add the ProxyServiceCluster information for each gateway to the IR map
 	for _, gateway := range gateways {
 		// Get the gateway IR key and RouteDestination representing the ProxyServiceCluster
-		irKey, rDest := t.processServiceClusterForGateway(gateway, resources)
+		irKey, rDest := t.processServiceClusterForGateway(translatorContext, gateway, resources)
 
 		if xdsIRs[irKey] == nil {
 			continue
@@ -63,7 +63,7 @@ func (t *Translator) ProcessGlobalResources(resources *resource.Resources, xdsIR
 }
 
 // processServiceClusterForGateway returns the matching IR key for a gateway and builds a RouteDestination to represent the ProxyServiceCluster
-func (t *Translator) processServiceClusterForGateway(gateway *GatewayContext, resources *resource.Resources) (string, *ir.RouteDestination) {
+func (t *Translator) processServiceClusterForGateway(translatorContext *TranslatorContext, gateway *GatewayContext, resources *resource.Resources) (string, *ir.RouteDestination) {
 	irKey := t.getIRKey(gateway.Gateway)
 	labels := OwnerLabels(gateway.Gateway, t.MergeGateways)
 
@@ -85,7 +85,7 @@ func (t *Translator) processServiceClusterForGateway(gateway *GatewayContext, re
 		Namespace: NamespacePtr(svcCluster.Namespace),
 		Port:      PortNumPtr(svcCluster.Spec.Ports[0].Port),
 	}
-	dst, err := t.processServiceDestinationSetting(irKey, bRef, svcCluster.Namespace, ir.AppProtocol(svcCluster.Spec.Ports[0].Protocol), resources, resources.EnvoyProxyForGatewayClass)
+	dst, err := t.processServiceDestinationSetting(translatorContext, irKey, bRef, svcCluster.Namespace, ir.AppProtocol(svcCluster.Spec.Ports[0].Protocol), resources, resources.EnvoyProxyForGatewayClass)
 	if err != nil {
 		return "", nil
 	}