Merge pull request #95 from kgateway-dev/issue_59_14

danehans · web-flow · commit 8ad1aa2c3768 · 2026-03-17T15:09:18.000-07:00
agentgateway: target backend-protocol policy to service-upstream backends
diff --git a/pkg/i2gw/emitters/agentgateway/README.md b/pkg/i2gw/emitters/agentgateway/README.md
@@ -345,7 +345,7 @@ The agentgateway emitter supports projecting upstream **connection timeout** beh
 
 - `nginx.ingress.kubernetes.io/proxy-connect-timeout`
 
-This is projected into a **Service-targeted** `AgentgatewayPolicy` by setting:
+This is projected into a backend-scoped `AgentgatewayPolicy` by setting:
 
 - `AgentgatewayPolicy.spec.backend.tcp.connectTimeout`
 
@@ -389,8 +389,12 @@ This is projected into a **Service-targeted** `AgentgatewayPolicy` by setting:
 
 **Notes:**
 
-- This feature is emitted as a **per-Service** `AgentgatewayPolicy` because backend HTTP protocol selection is
+- This feature is emitted as a **per-backend** `AgentgatewayPolicy` because backend HTTP protocol selection is
   backend-scoped.
+- Targeting behavior:
+  - For normal Service backendRefs, the policy targets `group: ""`, `kind: Service`.
+  - If `service-upstream` rewrites a backendRef to `group: agentgateway.dev`, `kind: AgentgatewayBackend`, the
+    policy targets that `AgentgatewayBackend` instead.
 - This annotation does **not** cause ingress2gateway to emit a `GRPCRoute`. The generated route remains an
   `HTTPRoute`; the emitter uses `AgentgatewayPolicy.spec.backend.http.version: HTTP2` to express how agentgateway
   should communicate with the upstream backend.
@@ -439,8 +443,8 @@ Mappings:
 
 - Rewrites only apply to core Service backendRefs (empty group and kind `Service` / unset kind).
 - If the provider could not determine an explicit backendRef port, that backendRef is skipped.
-- `backend-protocol` remains a Service-targeted `AgentgatewayPolicy` and continues to control upstream HTTP version
-  (`spec.backend.http.version`) independently from `service-upstream`.
+- `backend-protocol` remains independently projected as `spec.backend.http.version`. For rewritten backendRefs,
+  the policy targets the generated `AgentgatewayBackend`; otherwise it targets the original Service.
 
 ## AgentgatewayPolicy Projection
 
@@ -468,9 +472,9 @@ Proxy connect timeout policies are created **per backend Service**:
 - `metadata.name: <service-name>-backend-connect-timeout`
 - `metadata.namespace: <route-namespace>`
 
-Backend protocol policies are created **per backend Service**:
+Backend protocol policies are created **per targeted backend object**:
 
-- `metadata.name: <service-name>-backend-http-version`
+- `metadata.name: <backend-name>-backend-http-version`
 - `metadata.namespace: <route-namespace>`
 
 ### Attachment Semantics
diff --git a/pkg/i2gw/emitters/agentgateway/backend_protocol.go b/pkg/i2gw/emitters/agentgateway/backend_protocol.go
@@ -26,11 +26,12 @@ import (
 	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
 )
 
-// applyBackendProtocolPolicy projects ingress-nginx backend-protocol into per-Service backend HTTP version policies.
+// applyBackendProtocolPolicy projects ingress-nginx backend-protocol into backend HTTP version policies.
 //
 // Current semantics:
 //   - Only BackendProtocolGRPC is produced by the provider IR and maps to HTTP2.
-//   - The policy is emitted per covered Service backend (same merge behavior as backend TLS/connect timeout).
+//   - If a backendRef points to AgentgatewayBackend (e.g. service-upstream rewrite), target that backend.
+//   - Otherwise, for core Service backendRefs, target the Service.
 func applyBackendProtocolPolicy(
 	pol emitterir.Policy,
 	httpRouteKey types.NamespacedName,
@@ -51,40 +52,48 @@ func applyBackendProtocolPolicy(
 		}
 
 		br := rule.BackendRefs[idx.Backend]
-		if br.BackendRef.Group != nil && *br.BackendRef.Group != "" {
-			continue
-		}
-		if br.BackendRef.Kind != nil && *br.BackendRef.Kind != "Service" {
+		refName := string(br.BackendRef.Name)
+		if refName == "" {
 			continue
 		}
 
-		svcName := string(br.BackendRef.Name)
-		if svcName == "" {
+		targetGroup := gwv1.Group("")
+		targetKind := gwv1.Kind("Service")
+
+		switch {
+		case br.BackendRef.Group != nil && *br.BackendRef.Group == gwv1.Group(AgentgatewayBackendGVK.Group) &&
+			br.BackendRef.Kind != nil && *br.BackendRef.Kind == gwv1.Kind(AgentgatewayBackendGVK.Kind):
+			targetGroup = gwv1.Group(AgentgatewayBackendGVK.Group)
+			targetKind = gwv1.Kind(AgentgatewayBackendGVK.Kind)
+		case (br.BackendRef.Group == nil || *br.BackendRef.Group == "") &&
+			(br.BackendRef.Kind == nil || *br.BackendRef.Kind == "Service"):
+			// Default path: target core Service backends.
+		default:
 			continue
 		}
 
-		svcKey := types.NamespacedName{Namespace: httpRouteKey.Namespace, Name: svcName}
-		ap, exists := backendPolicies[svcKey]
+		targetKey := types.NamespacedName{Namespace: httpRouteKey.Namespace, Name: refName}
+		ap, exists := backendPolicies[targetKey]
 		if !exists {
 			ap = &agentgatewayv1alpha1.AgentgatewayPolicy{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      svcName + "-backend-http-version",
+					Name:      refName + "-backend-http-version",
 					Namespace: httpRouteKey.Namespace,
 				},
 				Spec: agentgatewayv1alpha1.AgentgatewayPolicySpec{
 					TargetRefs: []shared.LocalPolicyTargetReferenceWithSectionName{
 						{
 							LocalPolicyTargetReference: shared.LocalPolicyTargetReference{
-								Group: gwv1.Group(""),
-								Kind:  gwv1.Kind("Service"),
-								Name:  gwv1.ObjectName(svcName),
+								Group: targetGroup,
+								Kind:  targetKind,
+								Name:  gwv1.ObjectName(refName),
 							},
 						},
 					},
 				},
 			}
 			ap.SetGroupVersionKind(AgentgatewayPolicyGVK)
-			backendPolicies[svcKey] = ap
+			backendPolicies[targetKey] = ap
 		}
 
 		if ap.Spec.Backend == nil {
diff --git a/pkg/i2gw/emitters/agentgateway/emitter.go b/pkg/i2gw/emitters/agentgateway/emitter.go
@@ -127,14 +127,6 @@ func (e *Emitter) Emit(ir emitterir.EmitterIR) (i2gw.GatewayResources, field.Err
 				backendPolicies,
 			)
 
-			// backend-protocol maps to AgentgatewayPolicy.spec.backend.http.version, targeting Services.
-			applyBackendProtocolPolicy(
-				pol,
-				httpRouteKey,
-				httpRouteContext,
-				backendPolicies,
-			)
-
 			// rewrite-target maps to AgentgatewayPolicy.spec.traffic.transformation.
 			// Note: agentgateway attaches policies at the HTTPRoute scope; this feature is only safe when
 			// it fully covers the route (enforced by the full-coverage check below).
@@ -176,6 +168,16 @@ func (e *Emitter) Emit(ir emitterir.EmitterIR) (i2gw.GatewayResources, field.Err
 				agentgatewayBackends,
 			)
 
+			// backend-protocol maps to AgentgatewayPolicy.spec.backend.http.version.
+			// If service-upstream rewrote backendRefs to AgentgatewayBackend, target those backends.
+			// Otherwise, target core Services.
+			applyBackendProtocolPolicy(
+				pol,
+				httpRouteKey,
+				httpRouteContext,
+				backendPolicies,
+			)
+
 			// BasicAuth maps to AgentgatewayPolicy.spec.traffic.basicAuthentication.
 			// Note: agentgateway expects htpasswd content under a '.htaccess' key; see BasicAuthentication docs.
 			if applyBasicAuthPolicy(pol, polSourceIngressName, httpRouteKey.Namespace, agentgatewayPolicies) {
diff --git a/pkg/i2gw/emitters/agentgateway/testing/testdata/output/service_upstream.yaml b/pkg/i2gw/emitters/agentgateway/testing/testdata/output/service_upstream.yaml
@@ -27,16 +27,16 @@ status: {}
 apiVersion: agentgateway.dev/v1alpha1
 kind: AgentgatewayPolicy
 metadata:
-  name: myserviceb-backend-http-version
+  name: myserviceb-service-upstream-backend-http-version
   namespace: default
 spec:
   backend:
     http:
       version: HTTP2
   targetRefs:
-    - group: ""
-      kind: Service
-      name: myserviceb
+    - group: agentgateway.dev
+      kind: AgentgatewayBackend
+      name: myserviceb-service-upstream
 status:
   ancestors: null
 ---
diff --git a/pkg/i2gw/providers/ingressnginx/README.md b/pkg/i2gw/providers/ingressnginx/README.md
@@ -106,6 +106,11 @@ The ingress-nginx provider currently supports translating the following annotati
       - Otherwise, the Kgateway emitter does **not** generate Kubernetes `Service` resources. Instead, it emits an **INFO** notification with a `kubectl patch`
         command to set `spec.ports[].appProtocol` on the existing Service.
       - This annotation is treated as upstream protocol metadata and does not imply `GRPCRoute` projection.
+    - For the Agentgateway implementation:
+      - The emitter projects this as `AgentgatewayPolicy.spec.backend.http.version: HTTP2`.
+      - For standard Service backendRefs, the policy targets the Service.
+      - If `service-upstream: "true"` rewrites backendRefs to `AgentgatewayBackend`, the policy instead targets the generated
+        `AgentgatewayBackend`.
   - **Values treated as default HTTP/1.x (no-op):** `HTTP`, `HTTPS`, `AUTO_HTTP`
   - **Unsupported values (rejected):** `FCGI` (and others)
   - **Safety note:** The provider does not attempt to create or mutate Kubernetes Services; implementation emitters decide how to safely project this intent.
