
Invalid JSON in AI Policy field defaults not caught by validation #11559

@timflannagan

kgateway version

main

Kubernetes Version

N/A

Describe the bug

We have a validation gap where invalid JSON in AI Policy field defaults is not caught by either proto validation or xDS validation. This allows invalid configurations to pass validation and potentially cause runtime errors.

Given an AI Policy with invalid JSON in a field default:

transformationTemplate:
  mergeJsonKeys:
    jsonKeys:
      custom_list:
        tmpl:
          text: '{{ default(custom_list, "[1,2,3") }}'  # Missing closing bracket

The following AI policy snippet reproduces this scenario:

  ai:
    routeType: CHAT
    defaults:
    - field: "custom_list"
      value: "[1,2,3"  # Invalid JSON array missing closing bracket

And the corresponding code wraps that custom list with the default inja template:

		var tmpl string
		if field.Override != nil && *field.Override {
			tmpl = string(marshalled)
		} else {
			// Inja default function will use the default value if the field provided is falsey
			tmpl = fmt.Sprintf("{{ default(%s, %s) }}", field.Field, string(marshalled))
		}

Expected Behavior

Surprised this isn't caught by xDS validation like other transformation templates that are structurally invalid. Potentially the usage of default is relevant? Didn't dive too deep.

Steps to reproduce the bug

See the following reproducer:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-gateway
  namespace: gwtest
spec:
  gatewayClassName: kgateway
  listeners:
  - name: http
    port: 8080
    protocol: HTTP
    hostname: www.example.com
    allowedRoutes:
      namespaces:
        from: All
---
apiVersion: v1
kind: Secret
metadata:
  name: openai-secret
  namespace: gwtest
type: Opaque
data:
  Authorization: c2stdGVzdC1hYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejEyMzQ= # Base64 encoded "sk-test-abcdefghijklmnopqrstuvwxyz1234"
---
apiVersion: gateway.kgateway.dev/v1alpha1
kind: Backend
metadata:
  name: example-ai-backend
  namespace: gwtest
spec:
  type: AI
  ai:
    llm:
      provider:
        openai:
          model: "gpt-4"
          authToken:
            kind: "SecretRef"
            secretRef:
              name: openai-secret
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: invalid-ai-route
  namespace: gwtest
spec:
  parentRefs:
  - name: example-gateway
  rules:
  - backendRefs:
    - name: example-ai-backend
      kind: Backend
      group: gateway.kgateway.dev
---
apiVersion: gateway.kgateway.dev/v1alpha1
kind: TrafficPolicy
metadata:
  name: invalid-ai-field-default
  namespace: gwtest
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: invalid-ai-route
  ai:
    routeType: CHAT
    defaults:
    - field: "custom_list"
      value: "[1,2,3"  # Invalid JSON array missing closing bracket

Additional Environment Detail

No response

Additional Context

No response
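An added example, not code from the issue or from kgateway: a pre-translation check that rejects a field default which looks like a JSON array or object but does not parse. It assumes `marshalled` in the quoted snippet is `json.Marshal` of the string value, in which case the malformed array ends up inside a well-formed quoted string in the template; `FieldDefault`, `buildTemplate` and `validateDefault` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// FieldDefault is a hypothetical stand-in for one entry under ai.defaults.
type FieldDefault struct {
	Field    string
	Value    string
	Override bool
}

// buildTemplate mirrors the wrapping quoted in the issue. Assumption:
// `marshalled` is json.Marshal of the string value, so the broken array
// becomes a well-formed quoted string literal inside the template.
func buildTemplate(d FieldDefault) (string, error) {
	marshalled, err := json.Marshal(d.Value)
	if err != nil {
		return "", err
	}
	if d.Override {
		return string(marshalled), nil
	}
	return fmt.Sprintf("{{ default(%s, %s) }}", d.Field, marshalled), nil
}

// validateDefault rejects a value that starts like a JSON array or object
// but does not parse. Plain scalar strings such as "gpt-4" pass untouched.
func validateDefault(d FieldDefault) error {
	v := strings.TrimSpace(d.Value)
	if v == "" || (v[0] != '[' && v[0] != '{') {
		return nil
	}
	if !json.Valid([]byte(v)) {
		return fmt.Errorf("defaults[%s]: value %q is not valid JSON", d.Field, d.Value)
	}
	return nil
}

func main() {
	// Constructed input: the value from the issue's reproducer.
	d := FieldDefault{Field: "custom_list", Value: "[1,2,3"}
	tmpl, _ := buildTemplate(d)
	fmt.Println("template:", tmpl)
	fmt.Println("validation:", validateDefault(d))
}
```
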

Labels: Type: Bug (Something isn't working)

Status: Backlog