Adds Support for use-regex and rewrite-target Annotations

Signed-off-by: Daneyon Hansen <daneyon.hansen@solo.io>

Author: danehans

pkg/i2gw/implementations/kgateway/README.md

@@ -62,6 +62,12 @@ The command should generate Gateway API and Kgateway resources.
 - `nginx.ingress.kubernetes.io/ssl-redirect`: When set to `"true"`, adds a `RequestRedirect` filter to HTTPRoute rules that redirects HTTP to HTTPS with a 301 status code.
 - `nginx.ingress.kubernetes.io/force-ssl-redirect`: When set to `"true"`, adds a `RequestRedirect` filter to HTTPRoute rules that redirects HTTP to HTTPS with a 301 status code. Treated identically to `ssl-redirect`.
 - `nginx.ingress.kubernetes.io/ssl-passthrough`: When set to `"true"`, enables TLS passthrough mode. Converts the Ingress to a `TLSRoute` with a Gateway listener using `protocol: TLS` and `tls.mode: Passthrough`. The HTTPRoute that would normally be created is removed.
+- `nginx.ingress.kubernetes.io/use-regex`: When set to `"true"`, indicates that the paths defined on an Ingress should be treated as regular expressions.
+  Uses host-group semantics: if any Ingress contributing rules for a given host has `use-regex: "true"`, regex-style path matching is enforced on **all**
+  paths for that host (across all contributing Ingresses).
+- `nginx.ingress.kubernetes.io/rewrite-target`: Rewrites the request path using regex rewrite semantics.
+  Uses host-group semantics: if any Ingress contributing rules for a given host sets `rewrite-target`, regex-style path matching is enforced on **all**
+  paths for that host (across all contributing Ingresses), consistent with ingress-nginx behavior.
 
 ### Backend Behavior
 
@@ -71,6 +77,8 @@ The command should generate Gateway API and Kgateway resources.
 - `nginx.ingress.kubernetes.io/affinity`: Enables session affinity (only "cookie" type is supported). Maps to `BackendConfigPolicy.spec.loadBalancer.ringHash.hashPolicies`.
 - `nginx.ingress.kubernetes.io/session-cookie-name`: Specifies the name of the cookie used for session affinity. Maps to `BackendConfigPolicy.spec.loadBalancer.ringHash.hashPolicies[].cookie.name`.
 - `nginx.ingress.kubernetes.io/session-cookie-path`: Defines the path that will be set on the cookie. Maps to `BackendConfigPolicy.spec.loadBalancer.ringHash.hashPolicies[].cookie.path`.
+- **Note (regex-mode constraint):** Ingress NGINX session cookie paths do not support regex. If regex-mode is enabled for a host (via `use-regex: "true"` or
+  `rewrite-target`) and cookie affinity is used, `session-cookie-path` must be set; the provider validates this and emits an error if it is missing.
 - `nginx.ingress.kubernetes.io/session-cookie-domain`: Sets the Domain attribute of the sticky cookie. **Note:** This annotation is parsed but not currently mapped to kgateway as the Cookie type doesn't support domain.
 - `nginx.ingress.kubernetes.io/session-cookie-samesite`: Applies a SameSite attribute to the sticky cookie. Browser accepted values are None, Lax, and Strict. Maps to `BackendConfigPolicy.spec.loadBalancer.ringHash.hashPolicies[].cookie.sameSite`.
 - `nginx.ingress.kubernetes.io/session-cookie-expires`: Sets the TTL/expiration time for the cookie. Maps to `BackendConfigPolicy.spec.loadBalancer.ringHash.hashPolicies[].cookie.ttl`.
@@ -99,6 +107,29 @@ The command should generate Gateway API and Kgateway resources.
 
 - `nginx.ingress.kubernetes.io/enable-access-log`: If enabled, will create an HTTPListenerPolicy that will configure a basic policy for envoy access logging. Maps to `HTTPListenerPolicy.spec.accessLog[].fileSink`. This can be further customized as needed, see [docs](https://kgateway.dev/docs/envoy/2.0.x/security/access-logging/).
 
+### Regex Path Matching and Rewrites
+
+- `use-regex` and `rewrite-target` may **mutate HTTPRoute path matching** for a host:
+  - When regex-mode is enabled for a host, the emitter converts **all** `PathPrefix`/`Exact` matches under that host to `RegularExpression` matches.
+  - For Ingresses that set `use-regex: "true"`, their contributed path strings are treated as **regex** (not escaped as literals).
+  - For other Ingresses under the same host (that did not set `use-regex: "true"`), their contributed path strings are treated as **literals** within a regex
+    match (escaped), to preserve the original non-regex intent.
+
+- `rewrite-target` generates `TrafficPolicy` URL rewrite:
+  - For each rule covered by an Ingress that sets `rewrite-target`, the emitter creates a **per-rule TrafficPolicy** named:
+    - `<ingress-name>-rewrite-<rule-index>`
+  - That policy sets:
+
+    ```yaml
+    spec:
+      urlRewrite:
+        pathRegex:
+          pattern: <regex pattern derived from the HTTPRoute rule match>
+          substitution: <rewrite-target value>
+    ```
+
+  - The policy is attached via `ExtensionRef` filters to only the covered backendRefs (partial coverage), rather than using `targetRefs`.
+
 ## TrafficPolicy Projection
 
 Annotations in the **Traffic Behavior** category are converted into
@@ -169,6 +200,8 @@ Currently supported:
 
 - Only the **ingress-nginx provider** is currently supported by the Kgateway emitter.
 - Some NGINX behaviors cannot be reproduced exactly due to Envoy/Kgateway differences.
+- Regex-mode is implemented by converting HTTPRoute path matches to `RegularExpression`. Some ingress-nginx details (such as case-insensitive `~*` behavior)
+  may not be reproduced exactly depending on the underlying Gateway API/Envoy behavior and the patterns provided.
 
 ## Supported but not tranlated Annotations
 

pkg/i2gw/implementations/kgateway/emitter.go

@@ -93,6 +93,22 @@ func (e *Emitter) Emit(ir *intermediate.IR) ([]client.Object, error) {
 		// One TrafficPolicy per source Ingress name.
 		tp := map[string]*kgateway.TrafficPolicy{}
 
+		// Apply host-wide regex enforcement first (so rule path regex is finalized)
+		applyRegexPathMatchingForHost(ingx, &httpRouteContext)
+
+		// deterministic policy iteration
+		policyNames := make([]string, 0, len(ingx.Policies))
+		for name := range ingx.Policies {
+			policyNames = append(policyNames, name)
+		}
+		sort.Strings(policyNames)
+
+		// Rewrite-target pass: creates per-rule TPs and attaches filters itself.
+		for _, name := range policyNames {
+			pol := ingx.Policies[name]
+			applyRewriteTargetPolicies(pol, name, httpRouteKey.Namespace, &httpRouteContext, tp)
+		}
+
 		for polSourceIngressName, pol := range ingx.Policies {
 			// Normalize (rule, backend) coverage to unique pairs to avoid
 			// generating duplicate filters on the same backendRef.

pkg/i2gw/implementations/kgateway/emitter_integration_test.go

@@ -270,6 +270,33 @@ func TestKgatewayIngressNginxIntegration_Golden(t *testing.T) {
 				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "output", "ssl_passthrough.yaml",
 			),
 		},
+		{
+			name: "use_regex",
+			inputRel: filepath.Join(
+				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "input", "use_regex.yaml",
+			),
+			goldenRel: filepath.Join(
+				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "output", "use_regex.yaml",
+			),
+		},
+		{
+			name: "rewrite_target",
+			inputRel: filepath.Join(
+				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "input", "rewrite_target.yaml",
+			),
+			goldenRel: filepath.Join(
+				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "output", "rewrite_target.yaml",
+			),
+		},
+		{
+			name: "rewrite_target_and_use_regex",
+			inputRel: filepath.Join(
+				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "input", "rewrite_target_and_use_regex.yaml",
+			),
+			goldenRel: filepath.Join(
+				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "output", "rewrite_target_and_use_regex.yaml",
+			),
+		},
 	}
 
 	for _, tt := range tests {

pkg/i2gw/implementations/kgateway/rewrite_target.go

@@ -0,0 +1,151 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kgateway
+
+import (
+	"fmt"
+	"sort"
+
+	"github.com/kgateway-dev/ingress2gateway/pkg/i2gw/intermediate"
+	"github.com/kgateway-dev/kgateway/v2/api/v1alpha1/kgateway"
+	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+// applyRewriteTargetPolicies projects ingress-nginx rewrite-target into *per-rule* Kgateway TrafficPolicies
+// and attaches them via ExtensionRef filters to the covered backendRefs.
+//
+// Why per-rule?
+//   - The regex rewrite pattern must align with the rule's path regex so capture groups ($1, $2, ...)
+//     behave like ingress-nginx.
+//
+// Assumptions:
+//   - applyRegexPathMatchingForHost(...) has already run (if host-wide regex location mode is enabled),
+//     so rule path matches will already be RegularExpression where needed.
+func applyRewriteTargetPolicies(
+	pol intermediate.Policy,
+	sourceIngressName, namespace string,
+	httpRouteCtx *intermediate.HTTPRouteContext,
+	tp map[string]*kgateway.TrafficPolicy,
+) {
+	if pol.RewriteTarget == nil || *pol.RewriteTarget == "" {
+		return
+	}
+	if httpRouteCtx == nil {
+		return
+	}
+
+	// Group covered backendRefs by rule index.
+	// ruleIdx -> set(backendIdx)
+	byRule := map[int]map[int]struct{}{}
+	for _, idx := range pol.RuleBackendSources {
+		if idx.Rule < 0 || idx.Backend < 0 {
+			continue
+		}
+		if _, ok := byRule[idx.Rule]; !ok {
+			byRule[idx.Rule] = map[int]struct{}{}
+		}
+		byRule[idx.Rule][idx.Backend] = struct{}{}
+	}
+	if len(byRule) == 0 {
+		return
+	}
+
+	// Deterministic iteration for stable goldens.
+	ruleIdxs := make([]int, 0, len(byRule))
+	for r := range byRule {
+		ruleIdxs = append(ruleIdxs, r)
+	}
+	sort.Ints(ruleIdxs)
+
+	for _, ruleIdx := range ruleIdxs {
+		if ruleIdx >= len(httpRouteCtx.Spec.Rules) {
+			continue
+		}
+
+		pattern := deriveRulePathRegexPattern(httpRouteCtx.Spec.Rules[ruleIdx])
+
+		// Name is unique per ingress + rule, so we can safely create multiple TPs per ingress.
+		tpName := fmt.Sprintf("%s-rewrite-%d", sourceIngressName, ruleIdx)
+		t := ensureTrafficPolicy(tp, tpName, namespace)
+
+		t.Spec.UrlRewrite = &kgateway.URLRewrite{
+			PathRegex: &kgateway.PathRegexRewrite{
+				Pattern:      pattern,
+				Substitution: *pol.RewriteTarget,
+			},
+		}
+
+		// Attach this rewrite TP to every covered backendRef in the rule via ExtensionRef filter.
+		backendSet := byRule[ruleIdx]
+		backendIdxs := make([]int, 0, len(backendSet))
+		for b := range backendSet {
+			backendIdxs = append(backendIdxs, b)
+		}
+		sort.Ints(backendIdxs)
+
+		for _, backendIdx := range backendIdxs {
+			if backendIdx >= len(httpRouteCtx.Spec.Rules[ruleIdx].BackendRefs) {
+				continue
+			}
+
+			httpRouteCtx.Spec.Rules[ruleIdx].BackendRefs[backendIdx].Filters =
+				append(
+					httpRouteCtx.Spec.Rules[ruleIdx].BackendRefs[backendIdx].Filters,
+					gwv1.HTTPRouteFilter{
+						Type: gwv1.HTTPRouteFilterExtensionRef,
+						ExtensionRef: &gwv1.LocalObjectReference{
+							Group: gwv1.Group(TrafficPolicyGVK.Group),
+							Kind:  gwv1.Kind(TrafficPolicyGVK.Kind),
+							Name:  gwv1.ObjectName(t.Name),
+						},
+					},
+				)
+		}
+	}
+}
+
+// deriveRulePathRegexPattern returns a single regex pattern for the rule if possible.
+// If the rule has:
+//   - exactly one distinct RegularExpression path value -> return it
+//   - zero or multiple distinct regex values            -> fall back to "^(.*)"
+//
+// Note: If a rule has multiple *different* path regex matches, we can't represent
+// match-specific rewrites without splitting the rule, so we choose a safe fallback.
+func deriveRulePathRegexPattern(rule gwv1.HTTPRouteRule) string {
+	patterns := map[string]struct{}{}
+
+	for i := range rule.Matches {
+		m := rule.Matches[i]
+		if m.Path == nil || m.Path.Type == nil || m.Path.Value == nil {
+			continue
+		}
+		if *m.Path.Type != gwv1.PathMatchRegularExpression {
+			continue
+		}
+		if v := *m.Path.Value; v != "" {
+			patterns[v] = struct{}{}
+		}
+	}
+
+	if len(patterns) == 1 {
+		for p := range patterns {
+			return p
+		}
+	}
+
+	return "^(.*)"
+}

pkg/i2gw/implementations/kgateway/testing/testdata/input/rewrite_target.yaml

@@ -0,0 +1,63 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+    nginx.ingress.kubernetes.io/rewrite-target: /rewritten
+  name: ingress-myservicea1
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: myservicea.foo.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: myservicea
+            port:
+              number: 80
+        path: /
+        pathType: Prefix
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+  name: ingress-myservicea2
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: myservicea.foo.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: myservicea
+            port:
+              number: 80
+        path: /2
+        pathType: Prefix
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+  name: ingress-myserviceb
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: myserviceb.foo.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: myserviceb
+            port:
+              number: 80
+        path: /
+        pathType: Prefix

pkg/i2gw/implementations/kgateway/testing/testdata/input/rewrite_target_and_use_regex.yaml

@@ -0,0 +1,64 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+    nginx.ingress.kubernetes.io/use-regex: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: /$1
+  name: ingress-myservicea1
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: myservicea.foo.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: myservicea
+            port:
+              number: 80
+        path: /foo/(.*)
+        pathType: Prefix
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+  name: ingress-myservicea2
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: myservicea.foo.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: myservicea
+            port:
+              number: 80
+        path: /v1.+
+        pathType: Prefix
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+  name: ingress-myserviceb
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: myserviceb.foo.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: myserviceb
+            port:
+              number: 80
+        path: /
+        pathType: Prefix