Merge pull request #19 from puertomontt/passthrough

ssl passthrough

Author: danehans

pkg/i2gw/implementations/kgateway/README.md

@@ -61,6 +61,7 @@ The command should generate Gateway API and Kgateway resources.
 - `nginx.ingress.kubernetes.io/proxy-read-timeout`
 - `nginx.ingress.kubernetes.io/ssl-redirect`: When set to `"true"`, adds a `RequestRedirect` filter to HTTPRoute rules that redirects HTTP to HTTPS with a 301 status code.
 - `nginx.ingress.kubernetes.io/force-ssl-redirect`: When set to `"true"`, adds a `RequestRedirect` filter to HTTPRoute rules that redirects HTTP to HTTPS with a 301 status code. Treated identically to `ssl-redirect`.
+- `nginx.ingress.kubernetes.io/ssl-passthrough`: When set to `"true"`, enables TLS passthrough mode. Converts the Ingress to a `TLSRoute` with a Gateway listener using `protocol: TLS` and `tls.mode: Passthrough`. The HTTPRoute that would normally be created is removed.
 
 ### Backend Behavior
 
@@ -114,6 +115,7 @@ Examples:
 - Rate limit annotations control `spec.rateLimit.local.tokenBucket`
 - Timeout annotations control `spec.timeouts.request` or `streamIdle`
 - SSL redirect annotations add `RequestRedirect` filters to HTTPRoute rules
+- SSL passthrough annotation converts HTTPRoute to TLSRoute with TLS passthrough Gateway listener
 
 ## BackendConfigPolicy Projection
 
@@ -128,6 +130,19 @@ Currently supported:
 If multiple Ingresses target the same Service with conflicting `proxy-connect-timeout` values,
 the lowest timeout wins and a warning is emitted.
 
+## TLSRoute Projection
+
+Annotations that require TLS passthrough mode are converted into `TLSRoute` resources instead of `HTTPRoute` resources.
+
+Currently supported:
+
+- `nginx.ingress.kubernetes.io/ssl-passthrough`:
+  - When enabled, the Ingress is converted to a `TLSRoute` resource
+  - A Gateway listener is created with `protocol: TLS` and `tls.mode: Passthrough`
+  - The listener uses port 443 (when hostname is specified) or 8443 (default)
+  - The HTTPRoute that would normally be created is removed
+  - Backend services must handle TLS termination themselves
+
 ## Backend Projection
 
 Annotations that change how upstreams are represented (rather than how they are load balanced or configured)
@@ -148,6 +163,7 @@ Currently supported:
 | Request/response behavior          | `TrafficPolicy`       |
 | Upstream connection behavior       | `BackendConfigPolicy` |
 | Upstream representation (static IP)| `Backend`             |
+| TLS passthrough                    | `TLSRoute`            |
 
 ## Limitations
 

pkg/i2gw/implementations/kgateway/emitter_integration_test.go

@@ -147,6 +147,10 @@ func runGoldenTest(t *testing.T, inputRel, goldenRel string) {
 
 	actual := stdout.Bytes()
 
+	// Normalize trivial formatting differences
+	actualTrimmed := bytes.TrimSpace(actual)
+	actualCanonicalized := canonicalizeMultiDocYAML(t, actualTrimmed)
+
 	// Golden file handling
 	writeGolden := false
 	goldenBytes, err := os.ReadFile(goldenPath)
@@ -161,19 +165,16 @@ func runGoldenTest(t *testing.T, inputRel, goldenRel string) {
 	}
 
 	if writeGolden {
-		if err := os.WriteFile(goldenPath, actual, 0o600); err != nil {
+		if err := os.WriteFile(goldenPath, actualCanonicalized, 0o600); err != nil {
 			t.Fatalf("failed to write golden file %q: %v", goldenPath, err)
 		}
 		t.Logf("wrote golden file: %s", goldenPath)
 		return
 	}
 
-	// Normalize trivial formatting differences
-	actualTrimmed := bytes.TrimSpace(actual)
 	expectedTrimmed := bytes.TrimSpace(goldenBytes)
-
-	got := canonicalizeMultiDocYAML(t, actualTrimmed)
 	want := canonicalizeMultiDocYAML(t, expectedTrimmed)
+	got := actualCanonicalized
 
 	if diff := cmp.Diff(string(want), string(got)); diff != "" {
 		t.Fatalf("golden output mismatch (-want +got):\n%s", diff)
@@ -260,6 +261,15 @@ func TestKgatewayIngressNginxIntegration_Golden(t *testing.T) {
 				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "output", "basic_auth.yaml",
 			),
 		},
+		{
+			name: "ssl_passthrough",
+			inputRel: filepath.Join(
+				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "input", "ssl_passthrough.yaml",
+			),
+			goldenRel: filepath.Join(
+				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "output", "ssl_passthrough.yaml",
+			),
+		},
 	}
 
 	for _, tt := range tests {

pkg/i2gw/implementations/kgateway/testing/testdata/input/ssl_passthrough.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+  name: tls-passthrough
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: nginx.example.com
+    http:
+      paths:
+      - backend:
+          service:
+            name: my-nginx
+            port:
+              number: 443
+        path: /
+        pathType: Prefix

pkg/i2gw/implementations/kgateway/testing/testdata/output/backend_tls.yaml

@@ -1,3 +1,36 @@
+apiVersion: gateway.kgateway.dev/v1alpha1
+kind: BackendConfigPolicy
+metadata:
+  name: httpbin-insecure-backend-config
+  namespace: default
+spec:
+  targetRefs:
+    - group: ""
+      kind: Service
+      name: httpbin-insecure
+  tls:
+    insecureSkipVerify: true
+    sni: tls.example.com
+status:
+  ancestors: null
+---
+apiVersion: gateway.kgateway.dev/v1alpha1
+kind: BackendConfigPolicy
+metadata:
+  name: httpbin2-backend-config
+  namespace: default
+spec:
+  targetRefs:
+    - group: ""
+      kind: Service
+      name: httpbin2
+  tls:
+    secretRef:
+      name: base-certificate-tls
+    sni: tls.example.com
+status:
+  ancestors: null
+---
 apiVersion: gateway.networking.k8s.io/v1
 kind: Gateway
 metadata:
@@ -8,14 +41,14 @@ metadata:
 spec:
   gatewayClassName: kgateway
   listeners:
-  - hostname: insecure-tls.example.org
-    name: insecure-tls-example-org-http
-    port: 80
-    protocol: HTTP
-  - hostname: tls.example.org
-    name: tls-example-org-http
-    port: 80
-    protocol: HTTP
+    - hostname: insecure-tls.example.org
+      name: insecure-tls-example-org-http
+      port: 80
+      protocol: HTTP
+    - hostname: tls.example.org
+      name: tls-example-org-http
+      port: 80
+      protocol: HTTP
 status: {}
 ---
 apiVersion: gateway.networking.k8s.io/v1
@@ -27,17 +60,17 @@ metadata:
   namespace: default
 spec:
   hostnames:
-  - tls.example.org
+    - tls.example.org
   parentRefs:
-  - name: nginx
+    - name: nginx
   rules:
-  - backendRefs:
-    - name: httpbin2
-      port: 80
-    matches:
-    - path:
-        type: PathPrefix
-        value: /
+    - backendRefs:
+        - name: httpbin2
+          port: 80
+      matches:
+        - path:
+            type: PathPrefix
+            value: /
 status:
   parents: []
 ---
@@ -50,49 +83,16 @@ metadata:
   namespace: default
 spec:
   hostnames:
-  - insecure-tls.example.org
+    - insecure-tls.example.org
   parentRefs:
-  - name: nginx
+    - name: nginx
   rules:
-  - backendRefs:
-    - name: httpbin-insecure
-      port: 80
-    matches:
-    - path:
-        type: PathPrefix
-        value: /
+    - backendRefs:
+        - name: httpbin-insecure
+          port: 80
+      matches:
+        - path:
+            type: PathPrefix
+            value: /
 status:
   parents: []
----
-apiVersion: gateway.kgateway.dev/v1alpha1
-kind: BackendConfigPolicy
-metadata:
-  name: httpbin-insecure-backend-config
-  namespace: default
-spec:
-  targetRefs:
-  - group: ""
-    kind: Service
-    name: httpbin-insecure
-  tls:
-    insecureSkipVerify: true
-    sni: tls.example.com
-status:
-  ancestors: null
----
-apiVersion: gateway.kgateway.dev/v1alpha1
-kind: BackendConfigPolicy
-metadata:
-  name: httpbin2-backend-config
-  namespace: default
-spec:
-  targetRefs:
-  - group: ""
-    kind: Service
-    name: httpbin2
-  tls:
-    secretRef:
-      name: base-certificate-tls
-    sni: tls.example.com
-status:
-  ancestors: null