Merge pull request #18 from puertomontt/sslredirect

ssl redirect

Author: puertomontt

pkg/i2gw/implementations/kgateway/README.md

@@ -59,6 +59,8 @@ The command should generate Gateway API and Kgateway resources.
 - `nginx.ingress.kubernetes.io/limit-burst-multiplier`
 - `nginx.ingress.kubernetes.io/proxy-send-timeout`
 - `nginx.ingress.kubernetes.io/proxy-read-timeout`
+- `nginx.ingress.kubernetes.io/ssl-redirect`: When set to `"true"`, adds a `RequestRedirect` filter to HTTPRoute rules that redirects HTTP to HTTPS with a 301 status code.
+- `nginx.ingress.kubernetes.io/force-ssl-redirect`: When set to `"true"`, adds a `RequestRedirect` filter to HTTPRoute rules that redirects HTTP to HTTPS with a 301 status code. Treated identically to `ssl-redirect`.
 
 ### Backend Behavior
 
@@ -111,6 +113,7 @@ Examples:
 - Body size annotations control `spec.buffer.maxRequestSize`
 - Rate limit annotations control `spec.rateLimit.local.tokenBucket`
 - Timeout annotations control `spec.timeouts.request` or `streamIdle`
+- SSL redirect annotations add `RequestRedirect` filters to HTTPRoute rules
 
 ## BackendConfigPolicy Projection
 

pkg/i2gw/implementations/kgateway/emitter.go

@@ -180,6 +180,9 @@ func (e *Emitter) Emit(ir *intermediate.IR) ([]client.Object, error) {
 				touched = true
 			}
 
+			// Apply SSL redirect via RequestRedirect filter on HTTPRoute rules.
+			applySSLRedirectPolicy(pol, httpRouteKey, &httpRouteContext, coverage)
+
 			if !touched {
 				// No TrafficPolicy fields set for this policy; skip coverage wiring.
 				continue

pkg/i2gw/implementations/kgateway/emitter_integration_test.go

@@ -242,6 +242,15 @@ func TestKgatewayIngressNginxIntegration_Golden(t *testing.T) {
 				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "output", "service_upstream.yaml",
 			),
 		},
+		{
+			name: "ssl_redirect",
+			inputRel: filepath.Join(
+				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "input", "ssl_redirect.yaml",
+			),
+			goldenRel: filepath.Join(
+				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "output", "ssl_redirect.yaml",
+			),
+		},
 		{
 			name: "basic_auth",
 			inputRel: filepath.Join(

pkg/i2gw/implementations/kgateway/ssl_redirect.go

@@ -0,0 +1,78 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kgateway
+
+import (
+	"github.com/kgateway-dev/ingress2gateway/pkg/i2gw/intermediate"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/utils/ptr"
+	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+// applySSLRedirectPolicy applies SSL redirect by adding a RequestRedirect filter
+// to HTTPRoute rules when SSLRedirect is enabled in the policy.
+//
+// Semantics:
+//   - If SSLRedirect is enabled, add a RequestRedirect filter to rule-level Filters
+//   - The filter redirects HTTP to HTTPS with a 301 status code
+//   - The filter is applied to all rules covered by the policy
+func applySSLRedirectPolicy(
+	pol intermediate.Policy,
+	httpRouteKey types.NamespacedName,
+	httpRouteContext *intermediate.HTTPRouteContext,
+	coverage []intermediate.PolicyIndex,
+) {
+	if pol.SSLRedirect == nil || !*pol.SSLRedirect {
+		return
+	}
+
+	// Get unique rule indices from coverage
+	ruleSet := make(map[int]struct{})
+	for _, idx := range coverage {
+		ruleSet[idx.Rule] = struct{}{}
+	}
+
+	// Add RequestRedirect filter to each covered rule
+	for ruleIdx := range ruleSet {
+		if ruleIdx >= len(httpRouteContext.Spec.Rules) {
+			continue
+		}
+
+		// Check if RequestRedirect filter already exists
+		hasRedirect := false
+		for _, filter := range httpRouteContext.Spec.Rules[ruleIdx].Filters {
+			if filter.Type == gwv1.HTTPRouteFilterRequestRedirect {
+				hasRedirect = true
+				break
+			}
+		}
+
+		if !hasRedirect {
+			// Add RequestRedirect filter to redirect HTTP to HTTPS
+			httpRouteContext.Spec.Rules[ruleIdx].Filters = append(
+				httpRouteContext.Spec.Rules[ruleIdx].Filters,
+				gwv1.HTTPRouteFilter{
+					Type: gwv1.HTTPRouteFilterRequestRedirect,
+					RequestRedirect: &gwv1.HTTPRequestRedirectFilter{
+						Scheme:     ptr.To("https"),
+						StatusCode: ptr.To(301),
+					},
+				},
+			)
+		}
+	}
+}

pkg/i2gw/implementations/kgateway/testing/testdata/input/ssl_redirect.yaml

@@ -0,0 +1,72 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+  name: ingress-ssl-redirect
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: redirect.example
+    http:
+      paths:
+      - backend:
+          service:
+            name: myservice
+            port:
+              number: 80
+        path: /
+        pathType: Prefix
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+  name: ingress-ssl-redirect-multiple-paths
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: redirect.example
+    http:
+      paths:
+      - backend:
+          service:
+            name: myservice
+            port:
+              number: 80
+        path: /api
+        pathType: Prefix
+      - backend:
+          service:
+            name: myservice
+            port:
+              number: 80
+        path: /web
+        pathType: Prefix
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+  name: ingress-force-ssl-redirect
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: force-redirect.example
+    http:
+      paths:
+      - backend:
+          service:
+            name: myservice2
+            port:
+              number: 80
+        path: /
+        pathType: Prefix

pkg/i2gw/implementations/kgateway/testing/testdata/output/ssl_redirect.yaml

@@ -0,0 +1,99 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  annotations:
+    gateway.networking.k8s.io/generator: ingress2gateway-dev
+  name: nginx
+  namespace: default
+spec:
+  gatewayClassName: kgateway
+  listeners:
+  - hostname: force-redirect.example
+    name: force-redirect-example-http
+    port: 80
+    protocol: HTTP
+  - hostname: redirect.example
+    name: redirect-example-http
+    port: 80
+    protocol: HTTP
+status: {}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  annotations:
+    gateway.networking.k8s.io/generator: ingress2gateway-dev
+  name: ingress-force-ssl-redirect-force-redirect-example
+  namespace: default
+spec:
+  hostnames:
+  - force-redirect.example
+  parentRefs:
+  - name: nginx
+  rules:
+  - backendRefs:
+    - name: myservice2
+      port: 80
+    filters:
+    - requestRedirect:
+        scheme: https
+        statusCode: 301
+      type: RequestRedirect
+    matches:
+    - path:
+        type: PathPrefix
+        value: /
+status:
+  parents: []
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  annotations:
+    gateway.networking.k8s.io/generator: ingress2gateway-dev
+  name: ingress-ssl-redirect-redirect-example
+  namespace: default
+spec:
+  hostnames:
+  - redirect.example
+  parentRefs:
+  - name: nginx
+  rules:
+  - backendRefs:
+    - name: myservice
+      port: 80
+    filters:
+    - requestRedirect:
+        scheme: https
+        statusCode: 301
+      type: RequestRedirect
+    matches:
+    - path:
+        type: PathPrefix
+        value: /
+  - backendRefs:
+    - name: myservice
+      port: 80
+    filters:
+    - requestRedirect:
+        scheme: https
+        statusCode: 301
+      type: RequestRedirect
+    matches:
+    - path:
+        type: PathPrefix
+        value: /api
+  - backendRefs:
+    - name: myservice
+      port: 80
+    filters:
+    - requestRedirect:
+        scheme: https
+        statusCode: 301
+      type: RequestRedirect
+    matches:
+    - path:
+        type: PathPrefix
+        value: /web
+status:
+  parents: []

pkg/i2gw/intermediate/provider_ingressnginx.go

@@ -164,6 +164,11 @@ type Policy struct {
 	// BackendTLS defines the backend TLS policy.
 	BackendTLS *BackendTLSPolicy
 
+	// SSLRedirect indicates whether SSL redirect is enabled, corresponding to
+	// nginx.ingress.kubernetes.io/ssl-redirect. When true, requests should be
+	// redirected to HTTPS.
+	SSLRedirect *bool
+
 	// RuleBackendSources lists the (rule, backend) pairs within a merged HTTPRoute
 	// that this policy applies to.
 	//

pkg/i2gw/providers/ingressnginx/README.md

@@ -127,6 +127,16 @@ The ingress-nginx provider currently supports translating the following annotati
 
 ---
 
+### SSL Redirect
+
+- `nginx.ingress.kubernetes.io/ssl-redirect`: When set to `"true"`, enables SSL redirect for HTTP requests. For the Kgateway implementation, this maps to a `RequestRedirect` filter on HTTPRoute rules that redirects HTTP to HTTPS with a 301 status code.
+
+- `nginx.ingress.kubernetes.io/force-ssl-redirect`: When set to `"true"`, enables SSL redirect for HTTP requests. This annotation is treated exactly the same as `ssl-redirect`. For the Kgateway implementation, this maps to a `RequestRedirect` filter on HTTPRoute rules that redirects HTTP to HTTPS with a 301 status code.
+
+**Note:** Both annotations are supported and treated identically. If either annotation is set to `"true"` (case-insensitive), SSL redirect will be enabled. The redirect filter is added at the rule level in the HTTPRoute, redirecting all HTTP traffic to HTTPS.
+
+---
+
 ## Provider Limitations
 
 - Currently, kgateway is the only supported implementation-specific emitter.

pkg/i2gw/providers/ingressnginx/converter.go

@@ -51,6 +51,7 @@ func newResourcesToIRConverter() *resourcesToIRConverter {
 			loadBalancingFeature,
 			backendTLSFeature,
 			serviceUpstreamFeature,
+			sslRedirectFeature,
 		},
 	}
 }