Merge pull request #20 from danehans/be_proto

Adds backend-protocol Ingress-Nginx Annotation Support

Author: danehans

pkg/i2gw/implementations/kgateway/README.md

@@ -85,6 +85,15 @@ The command should generate Gateway API and Kgateway resources.
 - `nginx.ingress.kubernetes.io/session-cookie-max-age`: Sets the TTL/expiration time for the cookie (takes precedence over `session-cookie-expires`). Maps to `BackendConfigPolicy.spec.loadBalancer.ringHash.hashPolicies[].cookie.ttl`.
 - `nginx.ingress.kubernetes.io/session-cookie-secure`: Sets the Secure flag on the cookie. Maps to `BackendConfigPolicy.spec.loadBalancer.ringHash.hashPolicies[].cookie.secure`.
 - `nginx.ingress.kubernetes.io/service-upstream`: When set to `"true"`, configures Kgateway to route to the Service’s cluster IP (or equivalent static host) instead of individual Pod IPs. For each covered Service, the emitter creates a `Backend` resource with `spec.type: Static` and rewrites the corresponding `HTTPRoute.spec.rules[].backendRefs[]` to reference that `Backend` (group `gateway.kgateway.dev`, kind `Backend`).
+- `nginx.ingress.kubernetes.io/backend-protocol`: Indicates the L7 protocol that is used to communicate with the proxied backend.
+  - **Supported values (mapped):** `GRPC`, `GRPCS`
+    - If `service-upstream: "true"` is also set for the same Service backend, the emitter sets `spec.static.appProtocol: grpc` on the generated `Backend`.
+    - Otherwise, the emitter does **not** create or modify Kubernetes `Service` resources. Instead, it emits an **INFO** notification with a `kubectl patch`
+      command to update the existing Service port with `appProtocol: grpc`.
+  - **Values treated as default HTTP/1.x (no-op):** `HTTP`, `HTTPS`, `AUTO_HTTP`
+  - **Unsupported values (rejected by provider):** `FCGI` (and others)
+  - **Safety note:** Because emitting Service manifests could overwrite user-managed Service configuration, ingress2gateway intentionally avoids generating
+    Service resources for this annotation.
 
 ### External Auth
 
@@ -186,14 +195,19 @@ Currently supported:
     - `spec.type: Static`
     - `spec.static.hosts` containing a single `{host, port}` entry derived from the Service (e.g. `myservice.default.svc.cluster.local:80`).
   - Matching `HTTPRoute.spec.rules[].backendRefs[]` are rewritten to reference this `Backend` instead of the core Service.
+- `nginx.ingress.kubernetes.io/backend-protocol`:
+  - When set to `GRPC` or `GRPCS` **and** `service-upstream: "true"` is set for the same backend, the emitter stamps `spec.static.appProtocol: grpc` on the generated `Backend`.
+  - When set to `GRPC` or `GRPCS` **without** `service-upstream: "true"`, the emitter emits an **INFO** notification that includes a `kubectl patch service ...`
+    command to set `spec.ports[].appProtocol` on the existing Service.
+  - `HTTP`, `HTTPS`, and `AUTO_HTTP` are treated as default HTTP/1.x behavior and do not emit additional config. 
 
 ### Summary of Policy Types
 
 | Annotation Type                    | Kgateway Resource     |
 |------------------------------------|-----------------------|
 | Request/response behavior          | `TrafficPolicy`       |
 | Upstream connection behavior       | `BackendConfigPolicy` |
-| Upstream representation (static IP)| `Backend`             |
+| Upstream representation.           | `Backend`             |
 | TLS passthrough                    | `TLSRoute`            |
 
 ## Limitations

pkg/i2gw/implementations/kgateway/backend_common.go

@@ -0,0 +1,105 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kgateway
+
+import (
+	"github.com/kgateway-dev/ingress2gateway/pkg/i2gw/intermediate"
+	kgw "github.com/kgateway-dev/kgateway/v2/api/v1alpha1/kgateway"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+// sourceIngressAnnotation is used to label Backend CRs with the source Ingress name.
+const sourceIngressAnnotation = "ingress2gateway.kubernetes.io/source-ingress"
+
+func backendNameForService(svcName string) string {
+	return svcName + "-service-upstream"
+}
+
+func backendKeyForService(ns, svcName string) types.NamespacedName {
+	return types.NamespacedName{
+		Namespace: ns,
+		Name:      backendNameForService(svcName),
+	}
+}
+
+// ensureStaticBackendForService ensures there is a Static kgateway.Backend for the given
+// service in the provided map. If it already exists, it is reused and optionally
+// updated with the given protocol. If not, a new Backend is created.
+//
+// ingressName is only used for the source-ingress label.
+func ensureStaticBackendForService(
+	ingressName string,
+	httpRouteKey types.NamespacedName,
+	svcName string,
+	host string,
+	port int32,
+	protocol *intermediate.BackendProtocol,
+	backends map[types.NamespacedName]*kgw.Backend,
+) *kgw.Backend {
+	backendKey := backendKeyForService(httpRouteKey.Namespace, svcName)
+
+	// Reuse existing Backend CR if present.
+	if kb, ok := backends[backendKey]; ok {
+		if protocol != nil && kb.Spec.Static != nil && kb.Spec.Static.AppProtocol == nil {
+			switch *protocol {
+			case intermediate.BackendProtocolGRPC:
+				ap := kgw.AppProtocolGrpc
+				kb.Spec.Static.AppProtocol = &ap
+			}
+		}
+		return kb
+	}
+
+	kb := &kgw.Backend{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       BackendGVK.Kind,
+			APIVersion: BackendGVK.GroupVersion().String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      backendKey.Name,
+			Namespace: backendKey.Namespace,
+			Labels: map[string]string{
+				sourceIngressAnnotation: ingressName,
+			},
+		},
+		Spec: kgw.BackendSpec{
+			Type: kgw.BackendTypeStatic,
+			Static: &kgw.StaticBackend{
+				Hosts: []kgw.Host{
+					{
+						Host: host,
+						Port: gwv1.PortNumber(port),
+					},
+				},
+			},
+		},
+	}
+
+	if protocol != nil {
+		switch *protocol {
+		case intermediate.BackendProtocolGRPC:
+			ap := kgw.AppProtocolGrpc
+			kb.Spec.Static.AppProtocol = &ap
+		}
+	}
+
+	backends[backendKey] = kb
+	return kb
+}

pkg/i2gw/implementations/kgateway/backend_protocol.go

@@ -0,0 +1,108 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kgateway
+
+import (
+	"github.com/kgateway-dev/ingress2gateway/pkg/i2gw/intermediate"
+	kgw "github.com/kgateway-dev/kgateway/v2/api/v1alpha1/kgateway"
+
+	"k8s.io/apimachinery/pkg/types"
+	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+// applyBackendProtocol projects backend protocol metadata on IR Backends into
+// typed Kgateway Backend CRs and rewrites HTTPRoute backendRefs to reference
+// those Backends.
+//
+// Semantics:
+//   - For each Policy.Backends entry produced by the ingress-nginx provider,
+//     we ensure there is a Static Backend CR with the correct host / port and
+//     (if set) appProtocol (currently only gRPC).
+//   - HTTPRoute backendRefs that were originally core Services and are covered
+//     by this Policy are rewritten to:
+//     group: gateway.kgateway.dev
+//     kind:  Backend
+//     name:  <svc>-service-upstream
+//   - This works regardless of whether service-upstream was also used.
+func applyBackendProtocol(
+	pol intermediate.Policy,
+	ingressName string,
+	httpRouteKey types.NamespacedName,
+	httpRouteCtx *intermediate.HTTPRouteContext,
+	backends map[types.NamespacedName]*kgw.Backend,
+) {
+	if len(pol.Backends) == 0 || len(pol.RuleBackendSources) == 0 {
+		return
+	}
+
+	for _, idx := range pol.RuleBackendSources {
+		if idx.Rule >= len(httpRouteCtx.Spec.Rules) {
+			continue
+		}
+		rule := &httpRouteCtx.Spec.Rules[idx.Rule]
+		if idx.Backend >= len(rule.BackendRefs) {
+			continue
+		}
+
+		br := &rule.BackendRefs[idx.Backend]
+
+		// Only core Service backends.
+		if br.BackendRef.Group != nil && *br.BackendRef.Group != "" {
+			continue
+		}
+		if br.BackendRef.Kind != nil && *br.BackendRef.Kind != "Service" {
+			continue
+		}
+		if br.BackendRef.Name == "" {
+			continue
+		}
+
+		svcName := string(br.BackendRef.Name)
+		if svcName == "" {
+			continue
+		}
+
+		backendKey := backendKeyForService(httpRouteKey.Namespace, svcName)
+
+		be, ok := pol.Backends[backendKey]
+		if !ok {
+			// Provider did not produce metadata for this Service backend.
+			continue
+		}
+
+		// Ensure / create the typed Backend CR (host, port, protocol).
+		kb := ensureStaticBackendForService(
+			ingressName,
+			httpRouteKey,
+			svcName,
+			be.Host,
+			be.Port,
+			be.Protocol,
+			backends,
+		)
+
+		// Rewrite BackendRef to point to this Backend.
+		group := gwv1.Group(BackendGVK.Group)
+		kind := gwv1.Kind(BackendGVK.Kind)
+
+		br.BackendRef.Group = &group
+		br.BackendRef.Kind = &kind
+		br.BackendRef.Name = gwv1.ObjectName(kb.Name)
+		// Backend controls the port.
+		br.BackendRef.Port = nil
+	}
+}

pkg/i2gw/implementations/kgateway/backend_protocol_notifications.go

@@ -0,0 +1,137 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kgateway
+
+import (
+	"fmt"
+
+	"github.com/kgateway-dev/ingress2gateway/pkg/i2gw/intermediate"
+	"github.com/kgateway-dev/ingress2gateway/pkg/i2gw/notifications"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// backendProtoPatchKey de-dupes notifications across rules/routes/policies.
+type backendProtoPatchKey struct {
+	Namespace   string
+	Service     string
+	Port        int32
+	AppProtocol string
+}
+
+// emitBackendProtocolPatchNotifications emits an INFO notification with the correct kubectl patch
+// command to set ServicePort.appProtocol on an existing Service.
+//
+// IMPORTANT:
+//   - We intentionally do NOT emit a Service object to avoid overwriting user-managed Service config.
+//   - We also skip backends that have been rewritten to a kgateway Backend (service-upstream case),
+//     because the generated Backend will carry appProtocol instead.
+func emitBackendProtocolPatchNotifications(
+	pol intermediate.Policy,
+	sourceIngressName string,
+	httpRouteKey types.NamespacedName,
+	httpCtx intermediate.HTTPRouteContext,
+	seen map[backendProtoPatchKey]struct{},
+) {
+	if pol.BackendProtocol == nil {
+		return
+	}
+
+	// Map ingress-nginx backend-protocol → ServicePort.appProtocol
+	var appProto string
+	switch *pol.BackendProtocol {
+	case intermediate.BackendProtocolGRPC:
+		appProto = "grpc"
+	default:
+		// Nothing to do for unsupported/unknown mappings.
+		return
+	}
+
+	for _, idx := range pol.RuleBackendSources {
+		if idx.Rule >= len(httpCtx.Spec.Rules) {
+			continue
+		}
+		rule := httpCtx.Spec.Rules[idx.Rule]
+		if idx.Backend >= len(rule.BackendRefs) {
+			continue
+		}
+
+		br := rule.BackendRefs[idx.Backend]
+
+		// If already rewritten to a kgateway Backend, skip; appProtocol will be applied there.
+		if br.BackendRef.Group != nil && *br.BackendRef.Group != "" {
+			continue
+		}
+		if br.BackendRef.Kind != nil && *br.BackendRef.Kind != "" && *br.BackendRef.Kind != "Service" {
+			continue
+		}
+		if br.BackendRef.Name == "" || br.BackendRef.Port == nil {
+			continue
+		}
+
+		svcName := string(br.BackendRef.Name)
+		// If service-upstream is enabled for this backend, the emitter will generate a
+		// kgateway Backend with appProtocol, so do not suggest patching the Service.
+		if len(pol.Backends) > 0 {
+			if _, ok := pol.Backends[backendKeyForService(httpRouteKey.Namespace, svcName)]; ok {
+				continue
+			}
+		}
+
+		port := int32(*br.BackendRef.Port)
+
+		key := backendProtoPatchKey{
+			Namespace:   httpRouteKey.Namespace,
+			Service:     svcName,
+			Port:        port,
+			AppProtocol: appProto,
+		}
+		if _, ok := seen[key]; ok {
+			continue
+		}
+		seen[key] = struct{}{}
+
+		// Use strategic merge patch (safe for core types) so only the matching port entry is updated.
+		// This is far safer than emitting a Service manifest that users might blindly apply.
+		patch := fmt.Sprintf(`{"spec":{"ports":[{"port":%d,"appProtocol":"%s"}]}}`, port, appProto)
+		cmd := fmt.Sprintf(
+			"kubectl patch service %s -n %s --type=strategic -p '%s'",
+			svcName,
+			httpRouteKey.Namespace,
+			patch,
+		)
+
+		msg := fmt.Sprintf(
+			`Ingress %q uses nginx.ingress.kubernetes.io/backend-protocol=%q for Service %s/%s port %d.
+
+To avoid overwriting existing Service configuration, ingress2gateway does not emit a Service for this annotation.
+Apply the equivalent behavior by patching your existing Service port's appProtocol:
+
+  %s`,
+			sourceIngressName,
+			*pol.BackendProtocol,
+			httpRouteKey.Namespace,
+			svcName,
+			port,
+			cmd,
+		)
+
+		notifications.NotificationAggr.DispatchNotification(
+			notifications.NewNotification(notifications.InfoNotification, msg),
+			"ingress-nginx",
+		)
+	}
+}