Refactors Code for Service AppProtocol

danehans · danehans · commit c7e008fb1bf6 · 2025-12-12T15:54:41.000-08:00
Signed-off-by: Daneyon Hansen &lt;daneyon.hansen@solo.io&gt;
diff --git a/pkg/i2gw/implementations/kgateway/README.md b/pkg/i2gw/implementations/kgateway/README.md
@@ -87,12 +87,13 @@ The command should generate Gateway API and Kgateway resources.
 - `nginx.ingress.kubernetes.io/service-upstream`: When set to `"true"`, configures Kgateway to route to the Service’s cluster IP (or equivalent static host) instead of individual Pod IPs. For each covered Service, the emitter creates a `Backend` resource with `spec.type: Static` and rewrites the corresponding `HTTPRoute.spec.rules[].backendRefs[]` to reference that `Backend` (group `gateway.kgateway.dev`, kind `Backend`).
 - `nginx.ingress.kubernetes.io/backend-protocol`: Indicates the L7 protocol that is used to communicate with the proxied backend.
   - **Supported values (mapped):** `GRPC`, `GRPCS`
-    - The emitter creates (or reuses) a `Backend` with `spec.type: Static` and sets `spec.static.appProtocol: grpc`.
-    - Matching `HTTPRoute.spec.rules[].backendRefs[]` are rewritten to reference this `Backend` (group `gateway.kgateway.dev`, kind `Backend`).
+    - If `service-upstream: "true"` is also set for the same Service backend, the emitter sets `spec.static.appProtocol: grpc` on the generated `Backend`.
+    - Otherwise, the emitter does **not** create or modify Kubernetes `Service` resources. Instead, it emits an **INFO** notification with a `kubectl patch`
+      command to update the existing Service port with `appProtocol: grpc`.
   - **Values treated as default HTTP/1.x (no-op):** `HTTP`, `HTTPS`, `AUTO_HTTP`
   - **Unsupported values (rejected by provider):** `FCGI` (and others)
-  - **Independent from features that create a `Backend`:** For example, `backend-protocol` does **not** require `service-upstream: "true"`. If `backend-protocol` is set to `GRPC/GRPCS`,
-    the provider will still produce the needed static backend metadata so the emitter can create `Backend` resources and rewrite `backendRefs`.
+  - **Safety note:** Because emitting Service manifests could overwrite user-managed Service configuration, ingress2gateway intentionally avoids generating
+    Service resources for this annotation.
 
 ### External Auth
 
@@ -194,21 +195,19 @@ Currently supported:
     - `spec.type: Static`
     - `spec.static.hosts` containing a single `{host, port}` entry derived from the Service (e.g. `myservice.default.svc.cluster.local:80`).
   - Matching `HTTPRoute.spec.rules[].backendRefs[]` are rewritten to reference this `Backend` instead of the core Service.
-- `nginx.ingress.kubernetes.io/backend-protocol` (partial support):
-  - When set to `GRPC` or `GRPCS`, the provider emits backend protocol metadata and the emitter ensures there is a `Backend` with:
-    - `spec.type: Static`
-    - `spec.static.hosts` containing a single `{host, port}` entry derived from the Service
-    - `spec.static.appProtocol: grpc`
-  - Matching `HTTPRoute.spec.rules[].backendRefs[]` are rewritten to reference this `Backend` instead of the core Service.
-  - **Note:** `HTTP`, `HTTPS`, and `AUTO_HTTP` are treated as default HTTP/1.x behavior and do not emit additional config.
+- `nginx.ingress.kubernetes.io/backend-protocol`:
+  - When set to `GRPC` or `GRPCS` **and** `service-upstream: "true"` is set for the same backend, the emitter stamps `spec.static.appProtocol: grpc` on the generated `Backend`.
+  - When set to `GRPC` or `GRPCS` **without** `service-upstream: "true"`, the emitter emits an **INFO** notification that includes a `kubectl patch service ...`
+    command to set `spec.ports[].appProtocol` on the existing Service.
+  - `HTTP`, `HTTPS`, and `AUTO_HTTP` are treated as default HTTP/1.x behavior and do not emit additional config. 
 
 ### Summary of Policy Types
 
 | Annotation Type                    | Kgateway Resource     |
 |------------------------------------|-----------------------|
 | Request/response behavior          | `TrafficPolicy`       |
 | Upstream connection behavior       | `BackendConfigPolicy` |
-| Upstream representation/protocol   | `Backend`             |
+| Upstream representation.           | `Backend`             |
 | TLS passthrough                    | `TLSRoute`            |
 
 ## Limitations
diff --git a/pkg/i2gw/implementations/kgateway/backend_protocol_notifications.go b/pkg/i2gw/implementations/kgateway/backend_protocol_notifications.go
@@ -0,0 +1,137 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kgateway
+
+import (
+	"fmt"
+
+	"github.com/kgateway-dev/ingress2gateway/pkg/i2gw/intermediate"
+	"github.com/kgateway-dev/ingress2gateway/pkg/i2gw/notifications"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// backendProtoPatchKey de-dupes notifications across rules/routes/policies.
+type backendProtoPatchKey struct {
+	Namespace   string
+	Service     string
+	Port        int32
+	AppProtocol string
+}
+
+// emitBackendProtocolPatchNotifications emits an INFO notification with the correct kubectl patch
+// command to set ServicePort.appProtocol on an existing Service.
+//
+// IMPORTANT:
+//   - We intentionally do NOT emit a Service object to avoid overwriting user-managed Service config.
+//   - We also skip backends that have been rewritten to a kgateway Backend (service-upstream case),
+//     because the generated Backend will carry appProtocol instead.
+func emitBackendProtocolPatchNotifications(
+	pol intermediate.Policy,
+	sourceIngressName string,
+	httpRouteKey types.NamespacedName,
+	httpCtx intermediate.HTTPRouteContext,
+	seen map[backendProtoPatchKey]struct{},
+) {
+	if pol.BackendProtocol == nil {
+		return
+	}
+
+	// Map ingress-nginx backend-protocol → ServicePort.appProtocol
+	var appProto string
+	switch *pol.BackendProtocol {
+	case intermediate.BackendProtocolGRPC:
+		appProto = "grpc"
+	default:
+		// Nothing to do for unsupported/unknown mappings.
+		return
+	}
+
+	for _, idx := range pol.RuleBackendSources {
+		if idx.Rule >= len(httpCtx.Spec.Rules) {
+			continue
+		}
+		rule := httpCtx.Spec.Rules[idx.Rule]
+		if idx.Backend >= len(rule.BackendRefs) {
+			continue
+		}
+
+		br := rule.BackendRefs[idx.Backend]
+
+		// If already rewritten to a kgateway Backend, skip; appProtocol will be applied there.
+		if br.BackendRef.Group != nil && *br.BackendRef.Group != "" {
+			continue
+		}
+		if br.BackendRef.Kind != nil && *br.BackendRef.Kind != "" && *br.BackendRef.Kind != "Service" {
+			continue
+		}
+		if br.BackendRef.Name == "" || br.BackendRef.Port == nil {
+			continue
+		}
+
+		svcName := string(br.BackendRef.Name)
+		// If service-upstream is enabled for this backend, the emitter will generate a
+		// kgateway Backend with appProtocol, so do not suggest patching the Service.
+		if len(pol.Backends) > 0 {
+			if _, ok := pol.Backends[backendKeyForService(httpRouteKey.Namespace, svcName)]; ok {
+				continue
+			}
+		}
+
+		port := int32(*br.BackendRef.Port)
+
+		key := backendProtoPatchKey{
+			Namespace:   httpRouteKey.Namespace,
+			Service:     svcName,
+			Port:        port,
+			AppProtocol: appProto,
+		}
+		if _, ok := seen[key]; ok {
+			continue
+		}
+		seen[key] = struct{}{}
+
+		// Use strategic merge patch (safe for core types) so only the matching port entry is updated.
+		// This is far safer than emitting a Service manifest that users might blindly apply.
+		patch := fmt.Sprintf(`{"spec":{"ports":[{"port":%d,"appProtocol":"%s"}]}}`, port, appProto)
+		cmd := fmt.Sprintf(
+			"kubectl patch service %s -n %s --type=strategic -p '%s'",
+			svcName,
+			httpRouteKey.Namespace,
+			patch,
+		)
+
+		msg := fmt.Sprintf(
+			`Ingress %q uses nginx.ingress.kubernetes.io/backend-protocol=%q for Service %s/%s port %d.
+
+To avoid overwriting existing Service configuration, ingress2gateway does not emit a Service for this annotation.
+Apply the equivalent behavior by patching your existing Service port's appProtocol:
+
+  %s`,
+			sourceIngressName,
+			*pol.BackendProtocol,
+			httpRouteKey.Namespace,
+			svcName,
+			port,
+			cmd,
+		)
+
+		notifications.NotificationAggr.DispatchNotification(
+			notifications.NewNotification(notifications.InfoNotification, msg),
+			"ingress-nginx",
+		)
+	}
+}
diff --git a/pkg/i2gw/implementations/kgateway/emitter.go b/pkg/i2gw/implementations/kgateway/emitter.go
@@ -84,6 +84,9 @@ func (e *Emitter) Emit(ir *intermediate.IR) ([]client.Object, error) {
 	// Track Backends per (namespace, svcName) for backend-dependent features, i.e. service-upstream.
 	backends := map[types.NamespacedName]*kgateway.Backend{}
 
+	// De-dupe backend-protocol patch notifications by (ns, svc, port, appProtocol).
+	backendProtoPatchSeen := map[backendProtoPatchKey]struct{}{}
+
 	for httpRouteKey, httpRouteContext := range ir.HTTPRoutes {
 		ingx := httpRouteContext.ProviderSpecificIR.IngressNginx
 		if ingx == nil {
@@ -169,6 +172,17 @@ func (e *Emitter) Emit(ir *intermediate.IR) ([]client.Object, error) {
 				backendCfg,
 			)
 
+			// backend-protocol: do NOT emit/patch Services.
+			// Instead, emit an INFO notification with a safe kubectl patch command for the user
+			// (and skip when service-upstream rewrote the backendRef to a kgateway Backend).
+			emitBackendProtocolPatchNotifications(
+				pol,
+				polSourceIngressName,
+				httpRouteKey,
+				httpRouteContext,
+				backendProtoPatchSeen,
+			)
+
 			// Apply service-upstream via Backend and HTTPRoute backendRef rewrites.
 			applyServiceUpstream(
 				pol,
diff --git a/pkg/i2gw/implementations/kgateway/service_upstream.go b/pkg/i2gw/implementations/kgateway/service_upstream.go
@@ -85,14 +85,22 @@ func applyServiceUpstream(
 			continue
 		}
 
+		// service-upstream IR Backends don't currently carry protocol; backend-protocol
+		// is stored on the Policy. Prefer the per-backend protocol if present, otherwise
+		// fall back to the Policy-level protocol.
+		proto := be.Protocol
+		if proto == nil {
+			proto = pol.BackendProtocol
+		}
+
 		// Ensure a Kgateway Backend exists with the correct host/port.
 		kb := ensureStaticBackendForService(
 			ingressName,
 			httpRouteKey,
 			svcName,
 			be.Host,
 			be.Port,
-			be.Protocol,
+			proto,
 			backends,
 		)
 
diff --git a/pkg/i2gw/implementations/kgateway/testing/testdata/input/backend_protocol.yaml b/pkg/i2gw/implementations/kgateway/testing/testdata/input/backend_protocol.yaml
@@ -3,7 +3,7 @@ kind: Ingress
 metadata:
   annotations:
     ingress2gateway.kubernetes.io/implementation: kgateway
-    nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
+    nginx.ingress.kubernetes.io/backend-protocol: "GRPC" # A notification should be emitted for this
   name: ingress-myservicea1
   namespace: default
 spec:
@@ -20,6 +20,7 @@ spec:
         path: /
         pathType: Prefix
 ---
+# No notification should be emitted since backend-protocol is not set here
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -46,7 +47,8 @@ kind: Ingress
 metadata:
   annotations:
     ingress2gateway.kubernetes.io/implementation: kgateway
-    nginx.ingress.kubernetes.io/service-upstream: "true" # Adding service-upstream here should not interfere with backend-protocol
+    # Adding service-upstream here should generate a Backend CR and rewrite the HTTPRoute backendRef
+    nginx.ingress.kubernetes.io/service-upstream: "true"
     nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
   name: ingress-myserviceb
   namespace: default
diff --git a/pkg/i2gw/implementations/kgateway/testing/testdata/output/backend_protocol.yaml b/pkg/i2gw/implementations/kgateway/testing/testdata/output/backend_protocol.yaml
@@ -31,18 +31,13 @@ spec:
   parentRefs:
   - name: nginx
   rules:
-  # From ingress-myservicea1 (service-upstream=true, backend-protocol=GRPC)
-  # so rewritten to Backend, which has appProtocol=grpc.
   - backendRefs:
-    - group: gateway.kgateway.dev
-      kind: Backend
-      name: myservicea-service-upstream
+    - name: myservicea
+      port: 80
     matches:
     - path:
         type: PathPrefix
         value: /
-  # From ingress-myservicea2 (no service-upstream/backend-protocol)
-  # so still core Service.
   - backendRefs:
     - name: myservicea
       port: 80
@@ -66,8 +61,6 @@ spec:
   parentRefs:
   - name: nginx
   rules:
-  # From ingress-myserviceb (service-upstream=true, backend-protocol=GRPC)
-  # so rewritten to Backend, which has appProtocol=grpc.
   - backendRefs:
     - group: gateway.kgateway.dev
       kind: Backend
@@ -81,22 +74,6 @@ status:
 ---
 apiVersion: gateway.kgateway.dev/v1alpha1
 kind: Backend
-metadata:
-  labels:
-    ingress2gateway.kubernetes.io/source-ingress: ingress-myservicea1
-  name: myservicea-service-upstream
-  namespace: default
-spec:
-  type: Static
-  static:
-    hosts:
-    - host: myservicea.default.svc.cluster.local
-      port: 80
-    appProtocol: grpc
-status: {}
----
-apiVersion: gateway.kgateway.dev/v1alpha1
-kind: Backend
 metadata:
   labels:
     ingress2gateway.kubernetes.io/source-ingress: ingress-myserviceb
diff --git a/pkg/i2gw/intermediate/provider_ingressnginx.go b/pkg/i2gw/intermediate/provider_ingressnginx.go
@@ -182,6 +182,10 @@ type Policy struct {
 	// BackendTLS defines the backend TLS policy.
 	BackendTLS *BackendTLSPolicy
 
+	// BackendProtocol defines the upstream application protocol to use when communicating with
+	// backend Services covered by this policy.
+	BackendProtocol *BackendProtocol
+
 	// SSLRedirect indicates whether SSL redirect is enabled, corresponding to
 	// nginx.ingress.kubernetes.io/ssl-redirect. When true, requests should be
 	// redirected to HTTPS.
diff --git a/pkg/i2gw/providers/ingressnginx/README.md b/pkg/i2gw/providers/ingressnginx/README.md
@@ -1,6 +1,7 @@
 # Ingress Nginx Provider
 
-The project supports translating ingress-nginx specific annotations.
+The project supports translating ingress-nginx specific annotations. Some annotations may be translated into
+implementation-specific resources or user-facing notifications depending on the selected implementation.
 
 ## Ingress Class Name
 
@@ -85,6 +86,22 @@ The ingress-nginx provider currently supports translating the following annotati
 
 ---
 
+### Backend Protocol
+
+- `nginx.ingress.kubernetes.io/backend-protocol`: Indicates the L7 protocol that is used to communicate with the proxied backend.
+  - **Supported values (recorded):** `GRPC`, `GRPCS`
+    - The provider records protocol intent as policy metadata (used by implementation emitters).
+    - For the Kgateway implementation:
+      - If `service-upstream: "true"` is also enabled for the same Service backend, the Kgateway emitter stamps `spec.static.appProtocol: grpc`
+        on the generated `Backend`.
+      - Otherwise, the Kgateway emitter does **not** generate Kubernetes `Service` resources. Instead, it emits an **INFO** notification with a `kubectl patch`
+        command to set `spec.ports[].appProtocol` on the existing Service.
+  - **Values treated as default HTTP/1.x (no-op):** `HTTP`, `HTTPS`, `AUTO_HTTP`
+  - **Unsupported values (rejected):** `FCGI` (and others)
+  - **Safety note:** The provider does not attempt to create or mutate Kubernetes Services; implementation emitters decide how to safely project this intent.
+
+---
+
 ### Backend (Upstream) Configuration
 
 - `nginx.ingress.kubernetes.io/proxy-connect-timeout`: Controls the upstream connection timeout. For the Kgateway implementation,
diff --git a/pkg/i2gw/providers/ingressnginx/backend_protocol.go b/pkg/i2gw/providers/ingressnginx/backend_protocol.go
diff --git a/pkg/i2gw/providers/ingressnginx/converter.go b/pkg/i2gw/providers/ingressnginx/converter.go
