feat: add L4RoutePolicy CRD for attaching stream plugins to Gateway API L4 routes

Add a new L4RoutePolicy custom resource that enables attaching APISIX stream
plugins to Gateway API L4 routes (TCPRoute, UDPRoute, TLSRoute). This follows
the Gateway API Policy Attachment pattern (GEP-713) consistent with the existing
BackendTrafficPolicy and HTTPRoutePolicy CRDs.

Changes:
- Add L4RoutePolicy CRD type (api/v1alpha1/l4routepolicy_types.go)
  - targetRefs support TCPRoute, UDPRoute, TLSRoute (validated via CEL rule)
  - plugins list reuses the existing Plugin type (name + config)
  - LocalPolicyTargetReferenceWithSectionName for future per-rule targeting
- Add DeepCopy methods in zz_generated.deepcopy.go
- Add L4RoutePolicies to TranslateContext in provider.go
- Register L4RoutePolicy indexer (by group+kind+namespace+name) in indexer.go
- Add ProcessL4RoutePolicy in policies.go with deterministic conflict resolution
  (oldest creationTimestamp wins; tie-break by namespace/name; losers get
  Accepted=False, Reason=Conflicted)
- Add updateL4RoutePolicyStatusOnDeleting for route deletion cleanup
- Add AttachL4RoutePolicyPlugins translator helper; plugins are attached at the
  service level (one service per L4 rule) to avoid duplication in TLS multi-SNI
- Wire up TCPRoute, UDPRoute, TLSRoute controllers:
  - Watch L4RoutePolicy and enqueue affected routes
  - Call ProcessL4RoutePolicy during reconcile
  - Clear policy ancestor status on route deletion
- Add RBAC markers for l4routepolicies resources
- Add unit tests for AttachL4RoutePolicyPlugins

Fixes: #403

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: AlinsRan

api/v1alpha1/l4routepolicy_types.go

@@ -0,0 +1,68 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+)
+
+// L4RoutePolicySpec defines the desired state of L4RoutePolicy.
+type L4RoutePolicySpec struct {
+	// TargetRefs identifies the L4 route resources (TCPRoute, UDPRoute, or TLSRoute)
+	// to which this policy applies. Only same-namespace targets are supported.
+	//
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=16
+	// +kubebuilder:validation:XValidation:rule="self.all(r, r.kind == 'TCPRoute' || r.kind == 'UDPRoute' || r.kind == 'TLSRoute')",message="targetRefs kind must be TCPRoute, UDPRoute, or TLSRoute"
+	TargetRefs []gatewayv1alpha2.LocalPolicyTargetReferenceWithSectionName `json:"targetRefs"`
+
+	// Plugins is the list of APISIX stream plugins to attach to the targeted L4 routes.
+	// Plugin names should be valid APISIX stream plugin names (e.g., limit-conn, ip-restriction).
+	//
+	// +optional
+	Plugins []Plugin `json:"plugins,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+
+// L4RoutePolicy defines plugin configuration for Gateway API L4 routes (TCPRoute, UDPRoute, TLSRoute).
+// It follows the Gateway API Policy Attachment pattern and attaches APISIX stream plugins
+// to the targeted L4 route resources.
+type L4RoutePolicy struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec defines the desired state of L4RoutePolicy.
+	Spec   L4RoutePolicySpec `json:"spec,omitempty"`
+	Status PolicyStatus      `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// L4RoutePolicyList contains a list of L4RoutePolicy.
+type L4RoutePolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []L4RoutePolicy `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&L4RoutePolicy{}, &L4RoutePolicyList{})
+}

api/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,143 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package translator
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/go-logr/logr"
+	"github.com/stretchr/testify/assert"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	k8stypes "k8s.io/apimachinery/pkg/types"
+	gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+
+	adctypes "github.com/apache/apisix-ingress-controller/api/adc"
+	"github.com/apache/apisix-ingress-controller/api/v1alpha1"
+)
+
+func makeL4RoutePolicy(namespace, name, targetKind, targetName string, plugins []v1alpha1.Plugin) *v1alpha1.L4RoutePolicy {
+	return &v1alpha1.L4RoutePolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: namespace,
+			Name:      name,
+		},
+		Spec: v1alpha1.L4RoutePolicySpec{
+			TargetRefs: []gatewayv1alpha2.LocalPolicyTargetReferenceWithSectionName{
+				{
+					LocalPolicyTargetReference: gatewayv1alpha2.LocalPolicyTargetReference{
+						Group: gatewayv1alpha2.GroupName,
+						Kind:  gatewayv1alpha2.Kind(targetKind),
+						Name:  gatewayv1alpha2.ObjectName(targetName),
+					},
+				},
+			},
+			Plugins: plugins,
+		},
+	}
+}
+
+func mustJSON(v any) apiextensionsv1.JSON {
+	b, err := json.Marshal(v)
+	if err != nil {
+		panic(err)
+	}
+	return apiextensionsv1.JSON{Raw: b}
+}
+
+func TestAttachL4RoutePolicyPlugins_AttachesMatchingPolicy(t *testing.T) {
+	tr := NewTranslator(logr.Discard())
+
+	policy := makeL4RoutePolicy("default", "my-policy", "TCPRoute", "my-tcp-route", []v1alpha1.Plugin{
+		{Name: "limit-conn", Config: mustJSON(map[string]any{"conn": 100, "burst": 50})},
+		{Name: "ip-restriction", Config: mustJSON(map[string]any{"whitelist": []string{"10.0.0.0/8"}})},
+	})
+
+	policies := map[k8stypes.NamespacedName]*v1alpha1.L4RoutePolicy{
+		{Namespace: "default", Name: "my-policy"}: policy,
+	}
+
+	plugins := adctypes.Plugins{}
+	tr.AttachL4RoutePolicyPlugins(policies, "default", "my-tcp-route", "TCPRoute", plugins)
+
+	assert.Len(t, plugins, 2)
+	assert.Contains(t, plugins, "limit-conn")
+	assert.Contains(t, plugins, "ip-restriction")
+
+	cfg := plugins["limit-conn"].(map[string]any)
+	assert.EqualValues(t, 100, cfg["conn"])
+}
+
+func TestAttachL4RoutePolicyPlugins_NoMatchOnKind(t *testing.T) {
+	tr := NewTranslator(logr.Discard())
+
+	policy := makeL4RoutePolicy("default", "udp-policy", "UDPRoute", "my-udp-route", []v1alpha1.Plugin{
+		{Name: "limit-conn", Config: mustJSON(map[string]any{"conn": 10})},
+	})
+
+	policies := map[k8stypes.NamespacedName]*v1alpha1.L4RoutePolicy{
+		{Namespace: "default", Name: "udp-policy"}: policy,
+	}
+
+	plugins := adctypes.Plugins{}
+	// Looking for TCPRoute, but policy targets UDPRoute — should not match.
+	tr.AttachL4RoutePolicyPlugins(policies, "default", "my-udp-route", "TCPRoute", plugins)
+
+	assert.Empty(t, plugins)
+}
+
+func TestAttachL4RoutePolicyPlugins_NoMatchOnNamespace(t *testing.T) {
+	tr := NewTranslator(logr.Discard())
+
+	policy := makeL4RoutePolicy("other-ns", "my-policy", "TCPRoute", "my-tcp-route", []v1alpha1.Plugin{
+		{Name: "limit-conn", Config: mustJSON(map[string]any{"conn": 10})},
+	})
+
+	policies := map[k8stypes.NamespacedName]*v1alpha1.L4RoutePolicy{
+		{Namespace: "other-ns", Name: "my-policy"}: policy,
+	}
+
+	plugins := adctypes.Plugins{}
+	// Route is in "default" namespace, policy is in "other-ns" — should not match.
+	tr.AttachL4RoutePolicyPlugins(policies, "default", "my-tcp-route", "TCPRoute", plugins)
+
+	assert.Empty(t, plugins)
+}
+
+func TestAttachL4RoutePolicyPlugins_EmptyPlugins(t *testing.T) {
+	tr := NewTranslator(logr.Discard())
+
+	policy := makeL4RoutePolicy("default", "empty-policy", "TCPRoute", "my-tcp-route", nil)
+
+	policies := map[k8stypes.NamespacedName]*v1alpha1.L4RoutePolicy{
+		{Namespace: "default", Name: "empty-policy"}: policy,
+	}
+
+	plugins := adctypes.Plugins{}
+	tr.AttachL4RoutePolicyPlugins(policies, "default", "my-tcp-route", "TCPRoute", plugins)
+
+	assert.Empty(t, plugins)
+}
+
+func TestAttachL4RoutePolicyPlugins_EmptyPolicies(t *testing.T) {
+	tr := NewTranslator(logr.Discard())
+	plugins := adctypes.Plugins{}
+	tr.AttachL4RoutePolicyPlugins(nil, "default", "my-tcp-route", "TCPRoute", plugins)
+	assert.Empty(t, plugins)
+}

internal/adc/translator/l4routepolicy_test.go

@@ -18,9 +18,12 @@
 package translator
 
 import (
+	"encoding/json"
+
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/utils/ptr"
 	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
+	gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
 
 	adctypes "github.com/apache/apisix-ingress-controller/api/adc"
 	"github.com/apache/apisix-ingress-controller/api/v1alpha1"
@@ -80,3 +83,47 @@ func (t *Translator) attachBackendTrafficPolicyToUpstream(policy *v1alpha1.Backe
 		upstream.Key = policy.Spec.LoadBalancer.Key
 	}
 }
+
+// AttachL4RoutePolicyPlugins merges plugins from the matching L4RoutePolicy (if any) into the
+// provided plugins map. It looks up policies targeting the route identified by routeNamespace,
+// routeName, and routeKind.
+func (t *Translator) AttachL4RoutePolicyPlugins(
+	policies map[types.NamespacedName]*v1alpha1.L4RoutePolicy,
+	routeNamespace, routeName, routeKind string,
+	plugins adctypes.Plugins,
+) {
+	if len(policies) == 0 {
+		return
+	}
+	for _, policy := range policies {
+		if policy.Namespace != routeNamespace {
+			continue
+		}
+		for _, ref := range policy.Spec.TargetRefs {
+			if string(ref.Group) != gatewayv1alpha2.GroupName {
+				continue
+			}
+			if string(ref.Kind) != routeKind {
+				continue
+			}
+			if string(ref.Name) != routeName {
+				continue
+			}
+			t.mergeL4PolicyPlugins(policy, plugins)
+			return
+		}
+	}
+}
+
+func (t *Translator) mergeL4PolicyPlugins(policy *v1alpha1.L4RoutePolicy, plugins adctypes.Plugins) {
+	for _, plugin := range policy.Spec.Plugins {
+		cfg := make(map[string]any)
+		if len(plugin.Config.Raw) > 0 {
+			if err := json.Unmarshal(plugin.Config.Raw, &cfg); err != nil {
+				t.Log.Error(err, "failed to unmarshal L4RoutePolicy plugin config", "plugin", plugin.Name, "policy", policy.Name)
+				continue
+			}
+		}
+		plugins[plugin.Name] = cfg
+	}
+}

internal/adc/translator/policies.go

@@ -157,6 +157,12 @@ func (t *Translator) TranslateTCPRoute(tctx *provider.TranslateContext, tcpRoute
 		streamRoute.Labels = labels
 		// TODO: support remote_addr, server_addr, sni, server_port
 		service.StreamRoutes = append(service.StreamRoutes, streamRoute)
+
+		if service.Plugins == nil {
+			service.Plugins = make(adctypes.Plugins)
+		}
+		t.AttachL4RoutePolicyPlugins(tctx.L4RoutePolicies, tcpRoute.Namespace, tcpRoute.Name, "TCPRoute", service.Plugins)
+
 		result.Services = append(result.Services, service)
 	}
 	return result, nil

internal/adc/translator/tcproute.go

@@ -153,6 +153,12 @@ func (t *Translator) TranslateTLSRoute(tctx *provider.TranslateContext, tlsRoute
 			streamRoute.Labels = labels
 			service.StreamRoutes = append(service.StreamRoutes, streamRoute)
 		}
+
+		if service.Plugins == nil {
+			service.Plugins = make(adctypes.Plugins)
+		}
+		t.AttachL4RoutePolicyPlugins(tctx.L4RoutePolicies, tlsRoute.Namespace, tlsRoute.Name, "TLSRoute", service.Plugins)
+
 		result.Services = append(result.Services, service)
 	}
 	return result, nil