envoyproxy
diff --git a/‎api/v1alpha1/backendtrafficpolicy_types.go‎
Lines changed: 0 additions & 1 deletion b/‎api/v1alpha1/backendtrafficpolicy_types.go‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎api/v1alpha1/envoyproxy_types.go‎
Lines changed: 6 additions & 1 deletion b/‎api/v1alpha1/envoyproxy_types.go‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml‎
Lines changed: 5 additions & 0 deletions b/‎charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml‎
Lines changed: 5 additions & 0 deletions b/‎charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎internal/gatewayapi/backendtrafficpolicy.go‎
Lines changed: 69 additions & 0 deletions b/‎internal/gatewayapi/backendtrafficpolicy.go‎
Lines changed: 69 additions & 0 deletions
diff --git a/‎internal/gatewayapi/testdata/backendtrafficpolicy-with-bandwidth-invalid-limit.in.yaml‎
Lines changed: 51 additions & 0 deletions b/‎internal/gatewayapi/testdata/backendtrafficpolicy-with-bandwidth-invalid-limit.in.yaml‎
Lines changed: 51 additions & 0 deletions
@@ -67,7 +67,6 @@ type BackendTrafficPolicySpec struct {
 	// BandwidthLimit allows the user to limit the bandwidth of traffic
 	// sent to and received from the backend.
 	// +optional
-	// +notImplementedHide
 	BandwidthLimit *BandwidthLimitSpec `json:"bandwidthLimit,omitempty"`
 
 	// FaultInjection defines the fault injection policy to be applied. This configuration can be used to
 
@@ -150,6 +150,8 @@ type EnvoyProxySpec struct {
 	//
 	// - envoy.filters.http.compressor
 	//
+	// - envoy.filters.http.bandwidth_limit
+	//
 	// - envoy.filters.http.dynamic_forward_proxy
 	//
 	// - envoy.filters.http.router
@@ -286,7 +288,7 @@ type FilterPosition struct {
 }
 
 // EnvoyFilter defines the type of Envoy HTTP filter.
-// +kubebuilder:validation:Enum=envoy.filters.http.custom_response;envoy.filters.http.health_check;envoy.filters.http.fault;envoy.filters.http.cors;envoy.filters.http.header_mutation;envoy.filters.http.ext_authz;envoy.filters.http.api_key_auth;envoy.filters.http.basic_auth;envoy.filters.http.oauth2;envoy.filters.http.jwt_authn;envoy.filters.http.stateful_session;envoy.filters.http.buffer;envoy.filters.http.lua;envoy.filters.http.ext_proc;envoy.filters.http.wasm;envoy.filters.http.dynamic_modules;envoy.filters.http.geoip;envoy.filters.http.rbac;envoy.filters.http.local_ratelimit;envoy.filters.http.ratelimit;envoy.filters.http.grpc_web;envoy.filters.http.grpc_stats;envoy.filters.http.credential_injector;envoy.filters.http.compressor;envoy.filters.http.dynamic_forward_proxy
+// +kubebuilder:validation:Enum=envoy.filters.http.custom_response;envoy.filters.http.health_check;envoy.filters.http.fault;envoy.filters.http.cors;envoy.filters.http.header_mutation;envoy.filters.http.ext_authz;envoy.filters.http.api_key_auth;envoy.filters.http.basic_auth;envoy.filters.http.oauth2;envoy.filters.http.jwt_authn;envoy.filters.http.stateful_session;envoy.filters.http.buffer;envoy.filters.http.lua;envoy.filters.http.ext_proc;envoy.filters.http.wasm;envoy.filters.http.dynamic_modules;envoy.filters.http.geoip;envoy.filters.http.rbac;envoy.filters.http.local_ratelimit;envoy.filters.http.ratelimit;envoy.filters.http.grpc_web;envoy.filters.http.grpc_stats;envoy.filters.http.credential_injector;envoy.filters.http.compressor;envoy.filters.http.bandwidth_limit;envoy.filters.http.dynamic_forward_proxy
 type EnvoyFilter string
 
 const (
@@ -363,6 +365,9 @@ const (
 	// EnvoyFilterCompressor defines the Envoy HTTP compressor filter.
 	EnvoyFilterCompressor EnvoyFilter = "envoy.filters.http.compressor"
 
+	// EnvoyFilterBandwidthLimit defines the Envoy HTTP bandwidth limit filter.
+	EnvoyFilterBandwidthLimit EnvoyFilter = "envoy.filters.http.bandwidth_limit"
+
 	// EnvoyFilterDynamicForwardProxy defines the Envoy HTTP dynamic forward proxy filter.
 	EnvoyFilterDynamicForwardProxy EnvoyFilter = "envoy.filters.http.dynamic_forward_proxy"
 
 
@@ -459,6 +459,8 @@ spec:
 
                   - envoy.filters.http.compressor
 
+                  - envoy.filters.http.bandwidth_limit
+
                   - envoy.filters.http.dynamic_forward_proxy
 
                   - envoy.filters.http.router
@@ -497,6 +499,7 @@ spec:
                       - envoy.filters.http.grpc_stats
                       - envoy.filters.http.credential_injector
                       - envoy.filters.http.compressor
+                      - envoy.filters.http.bandwidth_limit
                       - envoy.filters.http.dynamic_forward_proxy
                       type: string
                     before:
@@ -528,6 +531,7 @@ spec:
                       - envoy.filters.http.grpc_stats
                       - envoy.filters.http.credential_injector
                       - envoy.filters.http.compressor
+                      - envoy.filters.http.bandwidth_limit
                       - envoy.filters.http.dynamic_forward_proxy
                       type: string
                     name:
@@ -557,6 +561,7 @@ spec:
                       - envoy.filters.http.grpc_stats
                       - envoy.filters.http.credential_injector
                       - envoy.filters.http.compressor
+                      - envoy.filters.http.bandwidth_limit
                       - envoy.filters.http.dynamic_forward_proxy
                       type: string
                   required:
 
@@ -458,6 +458,8 @@ spec:
 
                   - envoy.filters.http.compressor
 
+                  - envoy.filters.http.bandwidth_limit
+
                   - envoy.filters.http.dynamic_forward_proxy
 
                   - envoy.filters.http.router
@@ -496,6 +498,7 @@ spec:
                       - envoy.filters.http.grpc_stats
                       - envoy.filters.http.credential_injector
                       - envoy.filters.http.compressor
+                      - envoy.filters.http.bandwidth_limit
                       - envoy.filters.http.dynamic_forward_proxy
                       type: string
                     before:
@@ -527,6 +530,7 @@ spec:
                       - envoy.filters.http.grpc_stats
                       - envoy.filters.http.credential_injector
                       - envoy.filters.http.compressor
+                      - envoy.filters.http.bandwidth_limit
                       - envoy.filters.http.dynamic_forward_proxy
                       type: string
                     name:
@@ -556,6 +560,7 @@ spec:
                       - envoy.filters.http.grpc_stats
                       - envoy.filters.http.credential_injector
                       - envoy.filters.http.compressor
+                      - envoy.filters.http.bandwidth_limit
                       - envoy.filters.http.dynamic_forward_proxy
                       type: string
                   required:
 
@@ -1031,6 +1031,7 @@ func (t *Translator) mergeBackendTrafficPolicy(routePolicy, gwPolicy *egv1a1.Bac
 func (t *Translator) buildTrafficFeatures(policy *egv1a1.BackendTrafficPolicy) (*ir.TrafficFeatures, error) {
 	var (
 		rl          *ir.RateLimit
+		bl          *ir.BandwidthLimit
 		lb          *ir.LoadBalancer
 		pp          *ir.ProxyProtocol
 		hc          *ir.HealthCheck
@@ -1055,6 +1056,12 @@ func (t *Translator) buildTrafficFeatures(policy *egv1a1.BackendTrafficPolicy) (
 			errs = errors.Join(errs, err)
 		}
 	}
+	if policy.Spec.BandwidthLimit != nil {
+		if bl, err = buildBandwidthLimit(policy.Spec.BandwidthLimit); err != nil {
+			err = perr.WithMessage(err, "BandwidthLimit")
+			errs = errors.Join(errs, err)
+		}
+	}
 	if lb, err = buildLoadBalancer(&policy.Spec.ClusterSettings); err != nil {
 		err = perr.WithMessage(err, "LoadBalancer")
 		errs = errors.Join(errs, err)
@@ -1120,6 +1127,7 @@ func (t *Translator) buildTrafficFeatures(policy *egv1a1.BackendTrafficPolicy) (
 
 	return &ir.TrafficFeatures{
 		RateLimit:         rl,
+		BandwidthLimit:    bl,
 		LoadBalancer:      lb,
 		ProxyProtocol:     pp,
 		HealthCheck:       hc,
@@ -1668,6 +1676,67 @@ func int64ToUint32(in int64) (uint32, bool) {
 	return 0, false
 }
 
+func buildBandwidthLimit(bandwidth *egv1a1.BandwidthLimitSpec) (*ir.BandwidthLimit, error) {
+	if bandwidth == nil {
+		return nil, nil
+	}
+
+	bl := &ir.BandwidthLimit{}
+
+	if bandwidth.Request != nil {
+		bytes, ok := bandwidth.Request.Limit.Value.AsInt64()
+		if !ok {
+			return nil, fmt.Errorf("request limit value must be convertible to an int64")
+		}
+		kibps, err := bandwidthToKibps(uint64(bytes), bandwidth.Request.Limit.Unit)
+		if err != nil {
+			return nil, fmt.Errorf("request: %w", err)
+		}
+		bl.Request = &ir.BandwidthLimitConfig{
+			LimitKibps: kibps,
+		}
+	}
+	if bandwidth.Response != nil {
+		bytes, ok := bandwidth.Response.Limit.Value.AsInt64()
+		if !ok {
+			return nil, fmt.Errorf("response limit value must be convertible to an int64")
+		}
+		kibps, err := bandwidthToKibps(uint64(bytes), bandwidth.Response.Limit.Unit)
+		if err != nil {
+			return nil, fmt.Errorf("response: %w", err)
+		}
+		bl.Response = &ir.BandwidthLimitConfig{
+			LimitKibps: kibps,
+		}
+
+		if bandwidth.Response.ResponseTrailers != nil {
+			bl.Response.ResponseTrailers = &ir.BandwidthLimitResponseTrailers{
+				Prefix: bandwidth.Response.ResponseTrailers.Prefix,
+			}
+		}
+	}
+	return bl, nil
+}
+
+// bandwidthToKibps converts bytes-per-unit to kibibytes-per-second (KiB/s).
+// Returns an error if the result is below Envoy's minimum of 1 KiB/s.
+func bandwidthToKibps(limit uint64, unit egv1a1.BandwidthLimitUnit) (uint64, error) {
+	var secondsPerUnit uint64
+	switch unit {
+	case egv1a1.BandwidthLimitUnitMinute:
+		secondsPerUnit = 60
+	case egv1a1.BandwidthLimitUnitHour:
+		secondsPerUnit = 3600
+	default: // Second
+		secondsPerUnit = 1
+	}
+	kibps := limit / (secondsPerUnit * 1024)
+	if kibps == 0 {
+		return 0, fmt.Errorf("bandwidth limit of %d bytes per %s is below the minimum of 1 KiB/s", limit, unit)
+	}
+	return kibps, nil
+}
+
 func (t *Translator) buildFaultInjection(policy *egv1a1.BackendTrafficPolicy) *ir.FaultInjection {
 	var (
 		fi  *ir.FaultInjection
 
@@ -0,0 +1,51 @@
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: Gateway
+  metadata:
+    namespace: envoy-gateway
+    name: gateway-1
+  spec:
+    gatewayClassName: envoy-gateway-class
+    listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      allowedRoutes:
+        namespaces:
+          from: All
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    namespace: default
+    name: httproute-1
+  spec:
+    hostnames:
+    - gateway.envoyproxy.io
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-1
+      sectionName: http
+    rules:
+    - matches:
+      - path:
+          value: "/"
+      backendRefs:
+      - name: service-1
+        port: 8080
+backendTrafficPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: BackendTrafficPolicy
+  metadata:
+    namespace: envoy-gateway
+    name: policy-for-gateway
+  spec:
+    targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: gateway-1
+    bandwidthLimit:
+      request:
+        limit:
+          value: 1023
+          unit: Second