diff --git a/assets/agw-docs/pages/reference/api/api-main.md b/assets/agw-docs/pages/reference/api/api-main.md
index 7c4df4c7..ac75d82e 100644
--- a/assets/agw-docs/pages/reference/api/api-main.md
+++ b/assets/agw-docs/pages/reference/api/api-main.md
@@ -25,7 +25,7 @@ _Appears in:_
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
-| `provider` _[LLMProvider](#llmprovider)_ | `provider` specifies configuration for how to reach the configured LLM
provider. | | ExactlyOneOf: [openai azureopenai anthropic gemini vertexai bedrock]
Optional: \{\}
|
+| `provider` _[LLMProvider](#llmprovider)_ | `provider` specifies configuration for how to reach the configured LLM
provider. | | ExactlyOneOf: [openai azureopenai azure anthropic gemini vertexai bedrock]
Optional: \{\}
|
| `groups` _[PriorityGroup](#prioritygroup) array_ | `groups` specifies a list of groups in priority order where each group
defines a set of LLM providers. The priority determines the priority of
the backend endpoints chosen.
Note: provider names must be unique across all providers in all priority
groups. Backend policies may target a specific provider by name using
`targetRefs[].sectionName`.
Example configuration with two priority groups:
groups:
- providers:
- azureopenai:
deploymentName: gpt-4o-mini
apiVersion: 2024-02-15-preview
endpoint: ai-gateway.openai.azure.com
- providers:
- azureopenai:
deploymentName: gpt-4o-mini-2
apiVersion: 2024-02-15-preview
endpoint: ai-gateway-2.openai.azure.com
policies:
auth:
secretRef:
name: azure-secret | | MaxItems: 8
MinItems: 1
Optional: \{\}
|
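Review bot: The `groups` example in this table still shows only `azureopenai` entries (`deploymentName`, `apiVersion`, `endpoint`), so nothing in this section shows what an `azure` provider entry looks like now that it is part of the `ExactlyOneOf` list. Consider adding a second example entry that uses `resourceName` and `resourceType`, or a sentence pointing to the AzureConfig section.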
@@ -588,6 +588,27 @@ _Appears in:_
| `managedIdentity` _[AzureManagedIdentity](#azuremanagedidentity)_ | Details for managed identity authentication | | Optional: \{\}
|
+#### AzureConfig
+
+
+
+AzureConfig settings for Azure AI backends, supporting both Azure OpenAI and Azure AI Foundry.
+
+
+
+_Appears in:_
+- [LLMProvider](#llmprovider)
+- [NamedLLMProvider](#namedllmprovider)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `resourceName` _[ShortString](#shortstring)_ | The Azure resource name used to construct the endpoint host.
For OpenAI: \{resourceName\}.openai.azure.com
For Foundry: \{resourceName\}-resource.services.ai.azure.com | | MaxLength: 256
MinLength: 1
Required: \{\}
|
+| `resourceType` _[AzureResourceType](#azureresourcetype)_ | The type of Azure endpoint. Determines the host suffix. | | Enum: [OpenAI Foundry]
Required: \{\}
|
+| `model` _[ShortString](#shortstring)_ | Optional: Override the model name, such as `gpt-4o-mini`.
If unset, the model name is taken from the request. | | MaxLength: 256
MinLength: 1
Optional: \{\}
|
+| `apiVersion` _[TinyString](#tinystring)_ | The version of the Azure OpenAI API to use.
If unset, defaults to `v1`. | | MaxLength: 64
MinLength: 1
Optional: \{\}
|
+| `projectName` _[ShortString](#shortstring)_ | The Foundry project name, required when `resourceType` is `Foundry`.
Used to construct paths: /api/projects/\{projectName\}/openai/v1/... | | MaxLength: 256
MinLength: 1
Optional: \{\}
|
+
+
#### AzureManagedIdentity
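Review bot: In the `projectName` row the description says the field is "required when `resourceType` is `Foundry`", but the Validation column lists only `Optional: {}` with no conditional rule, so a reader cannot tell whether a Foundry config without `projectName` is rejected at admission or fails later at request time. Please document the rule that enforces this, or state what happens when it is missing. Two smaller points in the same table: the `apiVersion` description says "Azure OpenAI API" even though this type also covers Foundry, and the `model` description starts with "Optional:", which repeats the Validation column.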
@@ -610,7 +631,7 @@ _Appears in:_
-AzureOpenAIConfig settings for the [Azure OpenAI](https://learn.microsoft.com/en-us/azure/ai-foundry/?view=foundry-classic) LLM provider.
+AzureOpenAIConfig settings for the [Azure OpenAI](https://learn.microsoft.com/en-us/azure/foundry/?view=foundry-classic) LLM provider.
@@ -621,8 +642,26 @@ _Appears in:_
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `endpoint` _[ShortString](#shortstring)_ | The endpoint for the Azure OpenAI API to use, such as `my-endpoint.openai.azure.com`.
If the scheme is included, it is stripped. | | MaxLength: 256
MinLength: 1
Required: \{\}
|
-| `deploymentName` _[ShortString](#shortstring)_ | The name of the Azure OpenAI model deployment to use.
For more information, see the [Azure OpenAI model docs](https://learn.microsoft.com/en-us/azure/ai-foundry/foundry-models/concepts/models-sold-directly-by-azure?view=foundry-classic).
This is required if `apiVersion` is not `v1`. For `v1`, the model can be
set in the request. | | MaxLength: 256
MinLength: 1
Optional: \{\}
|
-| `apiVersion` _[TinyString](#tinystring)_ | The version of the Azure OpenAI API to use.
For more information, see the [Azure OpenAI API version reference](https://learn.microsoft.com/en-us/azure/ai-foundry/?view=foundry-classicreference#api-specs).
If unset, defaults to `v1`. | | MaxLength: 64
MinLength: 1
Optional: \{\}
|
+| `deploymentName` _[ShortString](#shortstring)_ | The name of the Azure OpenAI model deployment to use.
For more information, see the [Azure OpenAI model docs](https://learn.microsoft.com/en-us/azure/foundry/foundry-models/concepts/models-sold-directly-by-azure?view=foundry-classic).
This is required if `apiVersion` is not `v1`. For `v1`, the model can be
set in the request. | | MaxLength: 256
MinLength: 1
Optional: \{\}
|
+| `apiVersion` _[TinyString](#tinystring)_ | The version of the Azure OpenAI API to use.
For more information, see the [Azure OpenAI API version reference](https://learn.microsoft.com/en-us/azure/foundry/openai/reference).
If unset, defaults to `v1`. | | MaxLength: 64
MinLength: 1
Optional: \{\}
|
+
+
+#### AzureResourceType
+
+_Underlying type:_ _string_
+
+AzureResourceType specifies the type of Azure endpoint.
+
+_Validation:_
+- Enum: [OpenAI Foundry]
+
+_Appears in:_
+- [AzureConfig](#azureconfig)
+
+| Field | Description |
+| --- | --- |
+| `OpenAI` | AzureResourceTypeOpenAI uses the Azure OpenAI endpoint: \{resourceName\}.openai.azure.com
|
+| `Foundry` | AzureResourceTypeFoundry uses the Azure AI Foundry endpoint: \{resourceName\}-resource.services.ai.azure.com
|
#### BackendAI
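Review bot: The updated `apiVersion` link (`/azure/foundry/openai/reference`) drops the `?view=foundry-classic` query that the `deploymentName` link in the row above and the AzureOpenAIConfig heading link still carry. If the classic view is intended for this type, keep the query on all three links; if not, remove it from the other two so they resolve to the same documentation set. Also note that the host patterns for `OpenAI` and `Foundry` are now written out both here and in `AzureConfig.resourceName`, so the two places need to be kept in step.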
@@ -1637,8 +1676,8 @@ _Appears in:_
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
-| `issuer` _[ShortString](#shortstring)_ | `issuer` identifies the IdP that issued the JWT. This corresponds to the
`iss` claim (https://tools.ietf.org/html/rfc7519#section-4.1.1). | | MaxLength: 256
MinLength: 1
Required: \{\}
|
-| `audiences` _string array_ | `audiences` specifies the list of allowed audiences that are allowed
access. This corresponds to the `aud` claim
(https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3).
If unset, any audience is allowed. | | MaxItems: 64
MinItems: 1
Optional: \{\}
|
+| `issuer` _[ShortString](#shortstring)_ | `issuer` identifies the IdP that issued the JWT. This corresponds to the
`iss` claim ([RFC 7519 §4.1.1](https://tools.ietf.org/html/rfc7519#section-4.1.1)). | | MaxLength: 256
MinLength: 1
Required: \{\}
|
+| `audiences` _string array_ | `audiences` specifies the list of allowed audiences that are allowed
access. This corresponds to the `aud` claim
([RFC 7519 §4.1.3](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3)).
If unset, any audience is allowed. | | MaxItems: 64
MinItems: 1
Optional: \{\}
|
| `jwks` _[JWKS](#jwks)_ | `jwks` defines the JSON Web Key Set used to validate the signature of the
JWT. | | ExactlyOneOf: [remote inline]
Required: \{\}
|
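Review bot: The two RFC 7519 links in the `issuer` and `audiences` rows point at different hosts (`tools.ietf.org` for §4.1.1, `datatracker.ietf.org` for §4.1.3). Since the link text is being normalised here anyway, use the same host for both, for example `https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1`.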
@@ -1668,7 +1707,7 @@ _Appears in:_
LLMProvider specifies the target large language model provider that the backend should route requests to.
_Validation:_
-- ExactlyOneOf: [openai azureopenai anthropic gemini vertexai bedrock]
+- ExactlyOneOf: [openai azureopenai azure anthropic gemini vertexai bedrock]
_Appears in:_
- [AIBackend](#aibackend)
@@ -1678,6 +1717,7 @@ _Appears in:_
| --- | --- | --- | --- |
| `openai` _[OpenAIConfig](#openaiconfig)_ | OpenAI provider | | Optional: \{\}
|
| `azureopenai` _[AzureOpenAIConfig](#azureopenaiconfig)_ | Azure OpenAI provider | | Optional: \{\}
|
+| `azure` _[AzureConfig](#azureconfig)_ | Azure provider with resource-based configuration.
Supports both Azure OpenAI and Azure AI Foundry resource types. | | Optional: \{\}
|
| `anthropic` _[AnthropicConfig](#anthropicconfig)_ | Anthropic provider | | Optional: \{\}
|
| `gemini` _[GeminiConfig](#geminiconfig)_ | Gemini provider | | Optional: \{\}
|
| `vertexai` _[VertexAIConfig](#vertexaiconfig)_ | Vertex AI provider | | Optional: \{\}
|
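Review bot: The new `azure` row does not say how it relates to the existing `azureopenai` row directly above it. Both can target Azure OpenAI, and only one may be set under `ExactlyOneOf`, so the description should tell the reader which one to choose, for example that `azure` builds the host from `resourceName` and `resourceType` while `azureopenai` takes a full `endpoint`, and whether `azureopenai` remains supported.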
@@ -1762,8 +1802,8 @@ _Appears in:_
| --- | --- | --- | --- |
| `resourceMetadata` _object (keys:string, values:[JSON](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#json-v1-apiextensions-k8s-io))_ | ResourceMetadata defines the metadata to use for MCP resources. | | Optional: \{\}
|
| `provider` _[McpIDP](#mcpidp)_ | `provider` specifies the identity provider to use for authentication. | | Enum: [Auth0 Keycloak]
Optional: \{\}
|
-| `issuer` _[ShortString](#shortstring)_ | `issuer` identifies the IdP that issued the JWT. This corresponds to the
`iss` claim (https://tools.ietf.org/html/rfc7519#section-4.1.1). | | MaxLength: 256
MinLength: 1
Optional: \{\}
|
-| `audiences` _string array_ | `audiences` specifies the list of allowed audiences that are allowed
access. This corresponds to the `aud` claim
(https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3).
If unset, any audience is allowed. | | MaxItems: 64
MinItems: 1
Optional: \{\}
|
+| `issuer` _[ShortString](#shortstring)_ | `issuer` identifies the IdP that issued the JWT. This corresponds to the
`iss` claim ([RFC 7519 §4.1.1](https://tools.ietf.org/html/rfc7519#section-4.1.1)). | | MaxLength: 256
MinLength: 1
Optional: \{\}
|
+| `audiences` _string array_ | `audiences` specifies the list of allowed audiences that are allowed
access. This corresponds to the `aud` claim
([RFC 7519 §4.1.3](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3)).
If unset, any audience is allowed. | | MaxItems: 64
MinItems: 1
Optional: \{\}
|
| `jwks` _[RemoteJWKS](#remotejwks)_ | `jwks` defines the remote JSON Web Key used to validate the signature of
the JWT. | | Required: \{\}
|
| `mode` _[JWTAuthenticationMode](#jwtauthenticationmode)_ | `mode` is the validation mode for JWT authentication. | Strict | Enum: [Strict Optional Permissive]
Optional: \{\}
|
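Review bot: In this table `issuer` is `Optional: {}`, but unlike the `audiences` row ("If unset, any audience is allowed") the `issuer` description does not state what is accepted when the field is unset. Because `mode` defaults to `Strict`, the reader needs to know whether an unset `issuer` means any `iss` value passes validation. The `audiences` wording "list of allowed audiences that are allowed access" is also redundant and could be tightened while these lines are being touched.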
@@ -1914,6 +1954,7 @@ _Appears in:_
| `policies` _[BackendWithAI](#backendwithai)_ | `policies` controls policies for communicating with this backend.
Policies may also be set in `AgentgatewayPolicy`, or in the top-level
`AgentgatewayBackend`. Policies are merged on a field-level basis, with
order: `AgentgatewayPolicy` < `AgentgatewayBackend` < `AgentgatewayBackend`
LLM provider (this field). | | Optional: \{\}
|
| `openai` _[OpenAIConfig](#openaiconfig)_ | OpenAI provider | | Optional: \{\}
|
| `azureopenai` _[AzureOpenAIConfig](#azureopenaiconfig)_ | Azure OpenAI provider | | Optional: \{\}
|
+| `azure` _[AzureConfig](#azureconfig)_ | Azure provider with resource-based configuration.
Supports both Azure OpenAI and Azure AI Foundry resource types. | | Optional: \{\}
|
| `anthropic` _[AnthropicConfig](#anthropicconfig)_ | Anthropic provider | | Optional: \{\}
|
| `gemini` _[GeminiConfig](#geminiconfig)_ | Gemini provider | | Optional: \{\}
|
| `vertexai` _[VertexAIConfig](#vertexaiconfig)_ | Vertex AI provider | | Optional: \{\}
|
@@ -2329,7 +2370,7 @@ _Appears in:_
-
+StaticBackend specifies a static backend endpoint — either TCP (host + port) or Unix Domain Socket.
@@ -2338,8 +2379,9 @@ _Appears in:_
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
-| `host` _[ShortString](#shortstring)_ | host to connect to. | | MaxLength: 256
MinLength: 1
Required: \{\}
|
-| `port` _integer_ | port to connect to. | | Maximum: 65535
Minimum: 1
Required: \{\}
|
+| `host` _[ShortString](#shortstring)_ | host to connect to (for TCP backends). | | MaxLength: 256
MinLength: 1
Optional: \{\}
|
+| `port` _integer_ | port to connect to (for TCP backends). | | Maximum: 65535
Minimum: 1
Optional: \{\}
|
+| `unixPath` _string_ | unixPath is the filesystem path to a Unix Domain Socket. The gateway pod
must share a volume with the target (e.g., via emptyDir sidecar pattern).
Mutually exclusive with host/port. | | MinLength: 1
Optional: \{\}
|
#### TLSVersion
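Review bot: The `unixPath` row states "Mutually exclusive with host/port" only in prose, while `host` and `port` have changed from `Required: {}` to `Optional: {}` and no `ExactlyOneOf` or similar rule appears in the Validation column. As documented, an object with none of the three fields, or with `host` but no `port`, looks valid. Please document the rule that enforces exactly one of TCP or Unix socket, and that `host` and `port` must be set together. `unixPath` also has no `MaxLength`, unlike `host` (256); if that is intentional, say so, otherwise add a bound.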
@@ -2560,7 +2602,7 @@ HeaderModifiers can be used to define the policy to modify request and response
#### KubernetesResourceOverlay
-KubernetesResourceOverlay provides a mechanism to customize generated Kubernetes resources using [Strategic Merge Patch](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-api-machinery/strategic-merge-patch.md) semantics. # Overlay Application Order Overlays are applied **after** all typed configuration fields have been processed. The full merge order is: 1. `GatewayClass` typed configuration fields, for example replicas or image settings from `parametersRef` 2. `Gateway` typed configuration fields from `infrastructure.parametersRef` 3. `GatewayClass` overlays are applied 4. `Gateway` overlays are applied This ordering means `Gateway`-level configuration overrides `GatewayClass`-level configuration at each stage. For example, if both levels set the same label, the Gateway value wins.
+KubernetesResourceOverlay provides a mechanism to customize generated Kubernetes resources using [Strategic Merge Patch](https://github.com/kubernetes/community/blob/main/contributors/devel/sig-api-machinery/strategic-merge-patch.md) semantics. # Overlay Application Order Overlays are applied **after** all typed configuration fields have been processed. The full merge order is: 1. `GatewayClass` typed configuration fields, for example replicas or image settings from `parametersRef` 2. `Gateway` typed configuration fields from `infrastructure.parametersRef` 3. `GatewayClass` overlays are applied 4. `Gateway` overlays are applied This ordering means `Gateway`-level configuration overrides `GatewayClass`-level configuration at each stage. For example, if both levels set the same label, the Gateway value wins.
| Field | Type | Description |
|-------|------|-------------|
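Review bot: The changed description line still carries the heading `# Overlay Application Order` and the numbered merge steps 1 to 4 flattened into a single paragraph, so the heading marker renders as literal text. Since this line is being regenerated for the link fix, consider breaking the heading and the four steps onto their own lines so the merge order is readable as a list.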
@@ -2589,7 +2631,7 @@ ObjectMetadata contains labels and annotations for metadata overlays.
| Field | Type | Description |
|-------|------|-------------|
| `ancestorRef` | gwv1.ParentReference | AncestorRef corresponds with a ParentRef in the spec that this PolicyAncestorStatus struct describes the status of. **Required.** |
-| `controllerName` | string | ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the `controllerName` field on `GatewayClass`. Example: `example.net/gateway-controller`. The format of this field is `DOMAIN "/" PATH`, where `DOMAIN` and `PATH` are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). Controllers MUST populate this field when writing status. Controllers should ensure that entries in status populated with their `ControllerName` are cleaned up when they are no longer necessary. **Required.** |
+| `controllerName` | string | ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the `controllerName` field on `GatewayClass`. Example: `example.net/gateway-controller`. The format of this field is `DOMAIN "/" PATH`, where `DOMAIN` and `PATH` are valid ([Kubernetes names](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)). Controllers MUST populate this field when writing status. Controllers should ensure that entries in status populated with their `ControllerName` are cleaned up when they are no longer necessary. **Required.** |
| `conditions` | []metav1.Condition | Conditions describes the status of the Policy with respect to the given Ancestor. |
#### PolicyStatus
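Review bot: In the `controllerName` row the link is now wrapped in parentheses, giving "`DOMAIN` and `PATH` are valid ([Kubernetes names](...))", which reads as "are valid (Kubernetes names)". Drop the parentheses so the sentence reads "are valid [Kubernetes names](...)".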
diff --git a/assets/agw-docs/pages/reference/helm/main/agentgateway.md b/assets/agw-docs/pages/reference/helm/main/agentgateway.md
index d0a533f3..6ec131a1 100644
--- a/assets/agw-docs/pages/reference/helm/main/agentgateway.md
+++ b/assets/agw-docs/pages/reference/helm/main/agentgateway.md
@@ -45,7 +45,7 @@
| controller.xds | object | Configure TLS settings for the xDS gRPC servers. | `{"tls":{"enabled":false}}` |
| controller.xds.tls.enabled | bool | Enable TLS encryption for xDS communication. When enabled, the agent gateway xDS server (port 9978) will use TLS. When TLS is enabled, you must create a Secret named 'agentgateway-xds-cert' in the agentgateway installation namespace. The Secret must be of type 'kubernetes.io/tls' with 'tls.crt', 'tls.key', and 'ca.crt' data fields present. | `false` |
| deploymentAnnotations | object | Add annotations to the agentgateway deployment. | `{}` |
-| discoveryNamespaceSelectors | list | List of namespace selectors (OR'ed): each entry can use 'matchLabels' or 'matchExpressions' (AND'ed within each entry if used together). Agentgateway includes the selected namespaces in config discovery. For more information, see the docs https://kgateway.dev/docs/latest/install/advanced/#namespace-discovery. | `[]` |
+| discoveryNamespaceSelectors | list | List of namespace selectors (OR'ed): each entry can use 'matchLabels' or 'matchExpressions' (AND'ed within each entry if used together). Agentgateway includes the selected namespaces in config discovery. For more information, see the docs https://kgateway.dev/docs/envoy/latest/install/advanced/#namespace-discovery. | `[]` |
| fullnameOverride | string | Override the full name of resources created by the Helm chart, which is 'agentgateway'. If you set 'fullnameOverride: "foo", the full name of the resources that the Helm release creates become 'foo', such as the deployment, service, and service account for the agentgateway control plane in the agentgateway-system namespace. | `""` |
| gatewayClassParametersRefs | object | Map of GatewayClass names to GatewayParameters references that will be set on the default GatewayClasses managed by kgateway. Each entry must define both the name and namespace of the GatewayParameters resource. The default GatewayClasses managed by kgateway are: - agentgateway Example: gatewayClassParametersRefs: agentgateway: name: shared-gwp namespace: kgateway-system | `{}` |
| image | object | Configure the default container image for the components that Helm deploys. You can override these settings for each particular component in that component's section, such as 'controller.image' for the agentgateway control plane. If you use your own private registry, make sure to include the imagePullSecrets. | `{"pullPolicy":"IfNotPresent","registry":"cr.agentgateway.dev","tag":""}` |
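Review bot: The `discoveryNamespaceSelectors` link now points to `https://kgateway.dev/docs/envoy/latest/install/advanced/#namespace-discovery`, an `envoy` docs path, from the agentgateway Helm reference. Please confirm that this is the intended target for agentgateway users and that the `#namespace-discovery` anchor exists at the new path; if the agentgateway docs have an equivalent page, link to that instead.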