Merge pull request #96 from kgateway-dev/issue_59_11

agentgateway: map frontend TLS annotations to frontend policy

Author: danehans

pkg/i2gw/emitter_intermediate/intermediate_representation.go

@@ -161,6 +161,12 @@ type BackendTLSPolicy struct {
 	Hostname   string
 }
 
+// FrontendTLSPolicy defines frontend TLS listener policy extracted from annotations.
+type FrontendTLSPolicy struct {
+	HandshakeTimeout *metav1.Duration
+	ALPNProtocols    []string
+}
+
 // Policy describes per-Ingress policy knobs projected by providers.
 type Policy struct {
 	ClientBodyBufferSize *resource.Quantity
@@ -176,6 +182,7 @@ type Policy struct {
 	SessionAffinity      *SessionAffinityPolicy
 	LoadBalancing        *BackendLoadBalancingPolicy
 	BackendTLS           *BackendTLSPolicy
+	FrontendTLS          *FrontendTLSPolicy
 	BackendProtocol      *BackendProtocol
 	SSLRedirect          *bool
 	RewriteTarget        *string

pkg/i2gw/emitters/agentgateway/README.md

@@ -285,6 +285,28 @@ These are mapped into an `AgentgatewayPolicy` using agentgateway’s `Traffic.Ti
   `spec.traffic.timeouts.request` to avoid unexpectedly truncating requests.
 - Invalid/unsupported duration values are ignored by the provider and will not be projected.
 
+#### Frontend TLS Settings
+
+The agentgateway emitter supports projecting frontend TLS listener settings via:
+
+- `nginx.ingress.kubernetes.io/ssl-handshake-timeout`
+- `nginx.ingress.kubernetes.io/ssl-alpn`
+
+These are mapped into an `AgentgatewayPolicy` using agentgateway's `Frontend.TLS` model:
+
+- `ssl-handshake-timeout` -> `AgentgatewayPolicy.spec.frontend.tls.handshakeTimeout`
+- `ssl-alpn` -> `AgentgatewayPolicy.spec.frontend.tls.alpnProtocols`
+
+**Notes:**
+
+- Agentgateway validates `spec.frontend` only on `Gateway` targets, so ingress2gateway emits a single
+  Gateway-targeted policy named `<gateway>-frontend-tls`.
+- If multiple source Ingresses on the same Gateway request different frontend TLS settings, the emitter returns an
+  error because agentgateway cannot scope these settings to an individual HTTPRoute or listener.
+- `ssl-handshake-timeout` accepts either Go-style durations (`20s`, `1m`) or bare seconds (`20`) and must be at least `100ms`.
+- `ssl-alpn` is parsed as a comma-separated list and de-duplicated while preserving order.
+- If only `ssl-alpn` is set, the provider projects a default `15s` handshake timeout so `spec.frontend.tls` remains valid.
+
 #### Local Rate Limiting
 
 The agentgateway emitter currently supports projecting local rate limiting via:

pkg/i2gw/emitters/agentgateway/emitter.go

@@ -65,6 +65,11 @@ func (e *Emitter) Emit(ir emitterir.EmitterIR) (i2gw.GatewayResources, field.Err
 	// Track AgentgatewayPolicies per ingress name
 	agentgatewayPolicies := map[string]*agentgatewayv1alpha1.AgentgatewayPolicy{}
 
+	// Track Gateway-scoped frontend TLS policies. Agentgateway validates
+	// spec.frontend only when the policy targets the Gateway directly.
+	gatewayFrontendTLSPolicies := map[types.NamespacedName]*agentgatewayv1alpha1.AgentgatewayPolicy{}
+	gatewayFrontendTLSPolicySources := map[types.NamespacedName]string{}
+
 	// Track backend-scoped AgentgatewayPolicies per Service (ns/name) (e.g. TLS, connect timeout)
 	backendPolicies := map[types.NamespacedName]*agentgatewayv1alpha1.AgentgatewayPolicy{}
 
@@ -112,6 +117,18 @@ func (e *Emitter) Emit(ir emitterir.EmitterIR) (i2gw.GatewayResources, field.Err
 				touched = true
 			}
 
+			// Frontend TLS settings are Gateway-scoped in agentgateway.
+			if _, frontendTLSErr := applyFrontendTLSPolicy(
+				pol,
+				polSourceIngressName,
+				httpRouteContext.HTTPRoute,
+				httpRouteKey.Namespace,
+				gatewayFrontendTLSPolicies,
+				gatewayFrontendTLSPolicySources,
+			); frontendTLSErr != nil {
+				errs = append(errs, frontendTLSErr)
+			}
+
 			// Check if SSL redirect is enabled but don't apply it yet (will split route later).
 			if applySSLRedirectPolicy(pol) {
 				routesToSplitForSSLRedirect[httpRouteKey] = true
@@ -338,6 +355,11 @@ func (e *Emitter) Emit(ir emitterir.EmitterIR) (i2gw.GatewayResources, field.Err
 		}
 	}
 
+	// Collect Gateway-scoped frontend TLS policies.
+	for _, ap := range gatewayFrontendTLSPolicies {
+		agentgatewayObjs = append(agentgatewayObjs, ap)
+	}
+
 	// Collect AgentgatewayPolicies
 	for _, ap := range agentgatewayPolicies {
 		agentgatewayObjs = append(agentgatewayObjs, ap)

pkg/i2gw/emitters/agentgateway/emitter_integration_test.go

@@ -311,6 +311,32 @@ func TestAgentgatewayIngressNginxIntegration_Timeouts(t *testing.T) {
 	}
 }
 
+func TestAgentgatewayIngressNginxIntegration_FrontendTLS(t *testing.T) {
+	t.Helper()
+
+	tests := []struct {
+		name      string
+		inputRel  string
+		goldenRel string
+	}{
+		{
+			name: "frontend_tls",
+			inputRel: filepath.Join(
+				"pkg", "i2gw", "emitters", "agentgateway", "testing", "testdata", "input", "frontend_tls.yaml",
+			),
+			goldenRel: filepath.Join(
+				"pkg", "i2gw", "emitters", "agentgateway", "testing", "testdata", "output", "frontend_tls.yaml",
+			),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			runGoldenTest(t, tt.inputRel, tt.goldenRel)
+		})
+	}
+}
+
 func TestAgentgatewayIngressNginxIntegration_CORS(t *testing.T) {
 	t.Helper()
 

pkg/i2gw/emitters/agentgateway/frontend_tls.go

@@ -0,0 +1,141 @@
+/*
+Copyright 2026 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package agentgateway
+
+import (
+	"fmt"
+
+	emitterir "github.com/kgateway-dev/ingress2gateway/pkg/i2gw/emitter_intermediate"
+	agentgatewayv1alpha1 "github.com/kgateway-dev/kgateway/v2/api/v1alpha1/agentgateway"
+	"github.com/kgateway-dev/kgateway/v2/api/v1alpha1/shared"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+// applyFrontendTLSPolicy projects frontend TLS listener settings into
+// AgentgatewayPolicy.spec.frontend.tls.
+//
+// Agentgateway validates frontend policies only when they target the Gateway
+// resource directly, so these settings are tracked separately from the
+// HTTPRoute-scoped policy map used by traffic features.
+func applyFrontendTLSPolicy(
+	pol emitterir.Policy,
+	ingressName string,
+	httpRoute gatewayv1.HTTPRoute,
+	defaultNamespace string,
+	ap map[types.NamespacedName]*agentgatewayv1alpha1.AgentgatewayPolicy,
+	sources map[types.NamespacedName]string,
+) (bool, *field.Error) {
+	if pol.FrontendTLS == nil {
+		return false, nil
+	}
+	if pol.FrontendTLS.HandshakeTimeout == nil && len(pol.FrontendTLS.ALPNProtocols) == 0 {
+		return false, nil
+	}
+
+	gatewayKey, ok := gatewayParentKeyForHTTPRoute(httpRoute, defaultNamespace)
+	if !ok {
+		return false, field.Invalid(
+			field.NewPath("emitter", "agentgateway", "AgentgatewayPolicy", "frontend", "tls"),
+			ingressName,
+			"frontend TLS policies require a parent Gateway target",
+		)
+	}
+
+	if existing, ok := ap[gatewayKey]; ok {
+		if !frontendTLSPoliciesEqual(existing.Spec.Frontend.TLS, pol.FrontendTLS) {
+			return false, field.Invalid(
+				field.NewPath("emitter", "agentgateway", "AgentgatewayPolicy", "frontend", "tls"),
+				ingressName,
+				fmt.Sprintf(
+					"frontend TLS settings conflict on Gateway %s/%s with source Ingress %q; agentgateway only supports Gateway-scoped frontend TLS policies",
+					gatewayKey.Namespace,
+					gatewayKey.Name,
+					sources[gatewayKey],
+				),
+			)
+		}
+		return true, nil
+	}
+
+	alpn := make([]agentgatewayv1alpha1.TinyString, 0, len(pol.FrontendTLS.ALPNProtocols))
+	for _, value := range pol.FrontendTLS.ALPNProtocols {
+		alpn = append(alpn, agentgatewayv1alpha1.TinyString(value))
+	}
+
+	ap[gatewayKey] = &agentgatewayv1alpha1.AgentgatewayPolicy{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      fmt.Sprintf("%s-frontend-tls", gatewayKey.Name),
+			Namespace: gatewayKey.Namespace,
+		},
+		Spec: agentgatewayv1alpha1.AgentgatewayPolicySpec{
+			Frontend: &agentgatewayv1alpha1.Frontend{
+				TLS: &agentgatewayv1alpha1.FrontendTLS{
+					HandshakeTimeout: pol.FrontendTLS.HandshakeTimeout,
+					AlpnProtocols:    &alpn,
+				},
+			},
+			TargetRefs: []shared.LocalPolicyTargetReferenceWithSectionName{{
+				LocalPolicyTargetReference: shared.LocalPolicyTargetReference{
+					Group: gatewayv1.Group("gateway.networking.k8s.io"),
+					Kind:  gatewayv1.Kind("Gateway"),
+					Name:  gatewayv1.ObjectName(gatewayKey.Name),
+				},
+			}},
+		},
+	}
+	ap[gatewayKey].SetGroupVersionKind(AgentgatewayPolicyGVK)
+	sources[gatewayKey] = ingressName
+
+	return true, nil
+}
+
+func frontendTLSPoliciesEqual(
+	existing *agentgatewayv1alpha1.FrontendTLS,
+	desired *emitterir.FrontendTLSPolicy,
+) bool {
+	if existing == nil || desired == nil {
+		return existing == nil && desired == nil
+	}
+
+	switch {
+	case existing.HandshakeTimeout == nil && desired.HandshakeTimeout != nil:
+		return false
+	case existing.HandshakeTimeout != nil && desired.HandshakeTimeout == nil:
+		return false
+	case existing.HandshakeTimeout != nil && desired.HandshakeTimeout != nil &&
+		existing.HandshakeTimeout.Duration != desired.HandshakeTimeout.Duration:
+		return false
+	}
+
+	existingALPN := []agentgatewayv1alpha1.TinyString{}
+	if existing.AlpnProtocols != nil {
+		existingALPN = *existing.AlpnProtocols
+	}
+	if len(existingALPN) != len(desired.ALPNProtocols) {
+		return false
+	}
+	for i, protocol := range desired.ALPNProtocols {
+		if string(existingALPN[i]) != protocol {
+			return false
+		}
+	}
+
+	return true
+}

pkg/i2gw/emitters/agentgateway/frontend_tls_test.go

@@ -0,0 +1,112 @@
+/*
+Copyright 2026 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package agentgateway
+
+import (
+	"testing"
+	"time"
+
+	emitterir "github.com/kgateway-dev/ingress2gateway/pkg/i2gw/emitter_intermediate"
+	agentgatewayv1alpha1 "github.com/kgateway-dev/kgateway/v2/api/v1alpha1/agentgateway"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+func TestApplyFrontendTLSPolicyTargetsGateway(t *testing.T) {
+	policies := map[types.NamespacedName]*agentgatewayv1alpha1.AgentgatewayPolicy{}
+	sources := map[types.NamespacedName]string{}
+	httpRoute := gatewayv1.HTTPRoute{
+		Spec: gatewayv1.HTTPRouteSpec{
+			CommonRouteSpec: gatewayv1.CommonRouteSpec{
+				ParentRefs: []gatewayv1.ParentReference{{
+					Name: gatewayv1.ObjectName("nginx"),
+				}},
+			},
+		},
+	}
+	policy := emitterir.Policy{
+		FrontendTLS: &emitterir.FrontendTLSPolicy{
+			HandshakeTimeout: &metav1.Duration{Duration: 20 * time.Second},
+			ALPNProtocols:    []string{"h2", "http/1.1"},
+		},
+	}
+
+	touched, err := applyFrontendTLSPolicy(policy, "ingress-frontend-tls", httpRoute, "default", policies, sources)
+	if err != nil {
+		t.Fatalf("applyFrontendTLSPolicy returned error: %v", err)
+	}
+	if !touched {
+		t.Fatal("expected frontend TLS policy to be emitted")
+	}
+
+	key := types.NamespacedName{Namespace: "default", Name: "nginx"}
+	got := policies[key]
+	if got == nil {
+		t.Fatalf("expected frontend TLS policy for %v", key)
+	}
+	if got.Name != "nginx-frontend-tls" {
+		t.Fatalf("expected Gateway-scoped frontend TLS policy name %q, got %q", "nginx-frontend-tls", got.Name)
+	}
+	if len(got.Spec.TargetRefs) != 1 {
+		t.Fatalf("expected a single targetRef, got %d", len(got.Spec.TargetRefs))
+	}
+	targetRef := got.Spec.TargetRefs[0]
+	if targetRef.Kind != gatewayv1.Kind("Gateway") {
+		t.Fatalf("expected Gateway target, got %q", targetRef.Kind)
+	}
+	if targetRef.Name != gatewayv1.ObjectName("nginx") {
+		t.Fatalf("expected Gateway target name %q, got %q", "nginx", targetRef.Name)
+	}
+	if targetRef.SectionName != nil {
+		t.Fatalf("expected Gateway frontend TLS policy to omit sectionName, got %q", *targetRef.SectionName)
+	}
+}
+
+func TestApplyFrontendTLSPolicyRejectsConflictingGatewaySettings(t *testing.T) {
+	policies := map[types.NamespacedName]*agentgatewayv1alpha1.AgentgatewayPolicy{}
+	sources := map[types.NamespacedName]string{}
+	httpRoute := gatewayv1.HTTPRoute{
+		Spec: gatewayv1.HTTPRouteSpec{
+			CommonRouteSpec: gatewayv1.CommonRouteSpec{
+				ParentRefs: []gatewayv1.ParentReference{{
+					Name: gatewayv1.ObjectName("nginx"),
+				}},
+			},
+		},
+	}
+
+	first := emitterir.Policy{
+		FrontendTLS: &emitterir.FrontendTLSPolicy{
+			HandshakeTimeout: &metav1.Duration{Duration: 20 * time.Second},
+			ALPNProtocols:    []string{"h2", "http/1.1"},
+		},
+	}
+	if _, err := applyFrontendTLSPolicy(first, "ingress-a", httpRoute, "default", policies, sources); err != nil {
+		t.Fatalf("unexpected error creating first frontend TLS policy: %v", err)
+	}
+
+	conflicting := emitterir.Policy{
+		FrontendTLS: &emitterir.FrontendTLSPolicy{
+			HandshakeTimeout: &metav1.Duration{Duration: 30 * time.Second},
+			ALPNProtocols:    []string{"h2", "http/1.1"},
+		},
+	}
+	if _, err := applyFrontendTLSPolicy(conflicting, "ingress-b", httpRoute, "default", policies, sources); err == nil {
+		t.Fatal("expected conflicting frontend TLS settings to return an error")
+	}
+}