Merge pull request #99 from kgateway-dev/codex/issue_59_11_tls_fix

agentgateway: drop unsupported frontend TLS annotations

Author: danehans

pkg/i2gw/emitter_intermediate/intermediate_representation.go

@@ -161,12 +161,6 @@ type BackendTLSPolicy struct {
 	Hostname   string
 }
 
-// FrontendTLSPolicy defines frontend TLS listener policy extracted from annotations.
-type FrontendTLSPolicy struct {
-	HandshakeTimeout *metav1.Duration
-	ALPNProtocols    []string
-}
-
 // Policy describes per-Ingress policy knobs projected by providers.
 type Policy struct {
 	ClientBodyBufferSize *resource.Quantity
@@ -182,7 +176,6 @@ type Policy struct {
 	SessionAffinity      *SessionAffinityPolicy
 	LoadBalancing        *BackendLoadBalancingPolicy
 	BackendTLS           *BackendTLSPolicy
-	FrontendTLS          *FrontendTLSPolicy
 	BackendProtocol      *BackendProtocol
 	SSLRedirect          *bool
 	RewriteTarget        *string

pkg/i2gw/emitters/agentgateway/README.md

@@ -287,25 +287,12 @@ These are mapped into an `AgentgatewayPolicy` using agentgateway’s `Traffic.Ti
 
 #### Frontend TLS Settings
 
-The agentgateway emitter supports projecting frontend TLS listener settings via:
-
-- `nginx.ingress.kubernetes.io/ssl-handshake-timeout`
-- `nginx.ingress.kubernetes.io/ssl-alpn`
-
-These are mapped into an `AgentgatewayPolicy` using agentgateway's `Frontend.TLS` model:
-
-- `ssl-handshake-timeout` -> `AgentgatewayPolicy.spec.frontend.tls.handshakeTimeout`
-- `ssl-alpn` -> `AgentgatewayPolicy.spec.frontend.tls.alpnProtocols`
+Ingress NGINX does not document per-Ingress annotations for the downstream TLS handshake timeout or ALPN protocol
+settings exposed by `AgentgatewayPolicy.spec.frontend.tls`.
 
 **Notes:**
 
-- Agentgateway validates `spec.frontend` only on `Gateway` targets, so ingress2gateway emits a single
-  Gateway-targeted policy named `<gateway>-frontend-tls`.
-- If multiple source Ingresses on the same Gateway request different frontend TLS settings, the emitter returns an
-  error because agentgateway cannot scope these settings to an individual HTTPRoute or listener.
-- `ssl-handshake-timeout` accepts either Go-style durations (`20s`, `1m`) or bare seconds (`20`) and must be at least `100ms`.
-- `ssl-alpn` is parsed as a comma-separated list and de-duplicated while preserving order.
-- If only `ssl-alpn` is set, the provider projects a default `15s` handshake timeout so `spec.frontend.tls` remains valid.
+- ingress2gateway does not currently emit additional `frontend.tls` settings for ingress-nginx inputs.
 
 #### Frontend HTTP Settings
 

pkg/i2gw/emitters/agentgateway/emitter.go

@@ -65,11 +65,6 @@ func (e *Emitter) Emit(ir emitterir.EmitterIR) (i2gw.GatewayResources, field.Err
 	// Track AgentgatewayPolicies per ingress name
 	agentgatewayPolicies := map[string]*agentgatewayv1alpha1.AgentgatewayPolicy{}
 
-	// Track Gateway-scoped frontend TLS policies. Agentgateway validates
-	// spec.frontend only when the policy targets the Gateway directly.
-	gatewayFrontendTLSPolicies := map[types.NamespacedName]*agentgatewayv1alpha1.AgentgatewayPolicy{}
-	gatewayFrontendTLSPolicySources := map[types.NamespacedName]string{}
-
 	// Track backend-scoped AgentgatewayPolicies per Service (ns/name) (e.g. TLS, connect timeout)
 	backendPolicies := map[types.NamespacedName]*agentgatewayv1alpha1.AgentgatewayPolicy{}
 
@@ -117,18 +112,6 @@ func (e *Emitter) Emit(ir emitterir.EmitterIR) (i2gw.GatewayResources, field.Err
 				touched = true
 			}
 
-			// Frontend TLS settings are Gateway-scoped in agentgateway.
-			if _, frontendTLSErr := applyFrontendTLSPolicy(
-				pol,
-				polSourceIngressName,
-				httpRouteContext.HTTPRoute,
-				httpRouteKey.Namespace,
-				gatewayFrontendTLSPolicies,
-				gatewayFrontendTLSPolicySources,
-			); frontendTLSErr != nil {
-				errs = append(errs, frontendTLSErr)
-			}
-
 			// Check if SSL redirect is enabled but don't apply it yet (will split route later).
 			if applySSLRedirectPolicy(pol) {
 				routesToSplitForSSLRedirect[httpRouteKey] = true
@@ -355,11 +338,6 @@ func (e *Emitter) Emit(ir emitterir.EmitterIR) (i2gw.GatewayResources, field.Err
 		}
 	}
 
-	// Collect Gateway-scoped frontend TLS policies.
-	for _, ap := range gatewayFrontendTLSPolicies {
-		agentgatewayObjs = append(agentgatewayObjs, ap)
-	}
-
 	// Collect AgentgatewayPolicies
 	for _, ap := range agentgatewayPolicies {
 		agentgatewayObjs = append(agentgatewayObjs, ap)

pkg/i2gw/emitters/agentgateway/emitter_integration_test.go

@@ -311,32 +311,6 @@ func TestAgentgatewayIngressNginxIntegration_Timeouts(t *testing.T) {
 	}
 }
 
-func TestAgentgatewayIngressNginxIntegration_FrontendTLS(t *testing.T) {
-	t.Helper()
-
-	tests := []struct {
-		name      string
-		inputRel  string
-		goldenRel string
-	}{
-		{
-			name: "frontend_tls",
-			inputRel: filepath.Join(
-				"pkg", "i2gw", "emitters", "agentgateway", "testing", "testdata", "input", "frontend_tls.yaml",
-			),
-			goldenRel: filepath.Join(
-				"pkg", "i2gw", "emitters", "agentgateway", "testing", "testdata", "output", "frontend_tls.yaml",
-			),
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			runGoldenTest(t, tt.inputRel, tt.goldenRel)
-		})
-	}
-}
-
 func TestAgentgatewayIngressNginxIntegration_CORS(t *testing.T) {
 	t.Helper()