agentgateway emitter: add service-upstream backends

Project ingress-nginx service-upstream annotations into AgentgatewayBackend\nresources and rewrite covered HTTPRoute backendRefs to target those\nbackends. This keeps service-scoped backend protocol policy behavior\nintact while enabling static upstream routing semantics for\nagentgateway output.\n\nAdd an agentgateway integration fixture and golden output for\nservice_upstream, and update emitter/provider documentation to describe\nthe new mapping.

Signed-off-by: Daneyon Hansen <daneyon.hansen@solo.io>

Author: danehans

pkg/i2gw/emitters/agentgateway/README.md

@@ -382,6 +382,33 @@ This is projected into a **Service-targeted** `AgentgatewayPolicy` by setting:
 - The provider currently maps only gRPC-family values into policy IR, so the agentgateway emitter currently emits
   only `HTTP2` for this feature.
 
+#### Service Upstream
+
+The agentgateway emitter supports projecting Service-upstream behavior via:
+
+- `nginx.ingress.kubernetes.io/service-upstream: "true"`
+
+This is projected by emitting one `AgentgatewayBackend` per covered backend Service and rewriting covered
+`HTTPRoute.spec.rules[].backendRefs[]` entries to reference that `AgentgatewayBackend`.
+
+Mappings:
+
+- `<service>` backendRef → `AgentgatewayBackend` named `<service>-service-upstream`
+- `AgentgatewayBackend.spec.static.host` → `<service>.<namespace>.svc.cluster.local`
+- `AgentgatewayBackend.spec.static.port` → original HTTPRoute backendRef port
+- rewritten HTTPRoute backendRef:
+  - `group: agentgateway.dev`
+  - `kind: AgentgatewayBackend`
+  - `name: <service>-service-upstream`
+  - `port` removed (port is defined on `AgentgatewayBackend.spec.static.port`)
+
+**Notes:**
+
+- Rewrites only apply to core Service backendRefs (empty group and kind `Service` / unset kind).
+- If the provider could not determine an explicit backendRef port, that backendRef is skipped.
+- `backend-protocol` remains a Service-targeted `AgentgatewayPolicy` and continues to control upstream HTTP version
+  (`spec.backend.http.version`) independently from `service-upstream`.
+
 ## AgentgatewayPolicy Projection
 
 Rate limit, timeout, CORS, rewrite target, etc. annotations are converted into AgentgatewayPolicy resources.
@@ -451,8 +478,3 @@ to the output extensions list.
 
 - Only the **ingress-nginx provider** is currently supported by the Agentgateway emitter.
 - Regex path matching is not currently implemented for agentgateway output.
-
-## Future Work
-
-The code defines GVKs for additional agentgateway extension types (e.g. `AgentgatewayBackend`), but they are not
-yet emitted by the current implementation.

pkg/i2gw/emitters/agentgateway/emitter.go

@@ -68,6 +68,9 @@ func (e *Emitter) Emit(ir emitterir.EmitterIR) (i2gw.GatewayResources, field.Err
 	// Track backend-scoped AgentgatewayPolicies per Service (ns/name) (e.g. TLS, connect timeout)
 	backendPolicies := map[types.NamespacedName]*agentgatewayv1alpha1.AgentgatewayPolicy{}
 
+	// Track AgentgatewayBackends per Service-upstream backend key (ns/name).
+	agentgatewayBackends := map[types.NamespacedName]*agentgatewayv1alpha1.AgentgatewayBackend{}
+
 	// Track HTTPRoutes that need SSL redirect splitting
 	routesToSplitForSSLRedirect := map[types.NamespacedName]bool{}
 
@@ -158,6 +161,16 @@ func (e *Emitter) Emit(ir emitterir.EmitterIR) (i2gw.GatewayResources, field.Err
 				backendPolicies,
 			)
 
+			// service-upstream maps to AgentgatewayBackend (spec.static) and rewrites HTTPRoute backendRefs.
+			// Keep this after Service-targeted backend policy projection so those policies still target Services.
+			applyServiceUpstream(
+				pol,
+				polSourceIngressName,
+				httpRouteKey,
+				&httpRouteContext,
+				agentgatewayBackends,
+			)
+
 			// BasicAuth maps to AgentgatewayPolicy.spec.traffic.basicAuthentication.
 			// Note: agentgateway expects htpasswd content under a '.htaccess' key; see BasicAuthentication docs.
 			if applyBasicAuthPolicy(pol, polSourceIngressName, httpRouteKey.Namespace, agentgatewayPolicies) {
@@ -326,6 +339,11 @@ func (e *Emitter) Emit(ir emitterir.EmitterIR) (i2gw.GatewayResources, field.Err
 		agentgatewayObjs = append(agentgatewayObjs, ap)
 	}
 
+	// Collect AgentgatewayBackends generated by service-upstream.
+	for _, be := range agentgatewayBackends {
+		agentgatewayObjs = append(agentgatewayObjs, be)
+	}
+
 	// Sort by Kind, then Namespace, then Name to make output deterministic for testing.
 	sort.SliceStable(agentgatewayObjs, func(i, j int) bool {
 		oi, oj := agentgatewayObjs[i], agentgatewayObjs[j]

pkg/i2gw/emitters/agentgateway/emitter_integration_test.go

@@ -440,3 +440,29 @@ func TestAgentgatewayIngressNginxIntegration_SSLRedirect(t *testing.T) {
 		})
 	}
 }
+
+func TestAgentgatewayIngressNginxIntegration_ServiceUpstream(t *testing.T) {
+	t.Helper()
+
+	tests := []struct {
+		name      string
+		inputRel  string
+		goldenRel string
+	}{
+		{
+			name: "service_upstream",
+			inputRel: filepath.Join(
+				"pkg", "i2gw", "emitters", "agentgateway", "testing", "testdata", "input", "service_upstream.yaml",
+			),
+			goldenRel: filepath.Join(
+				"pkg", "i2gw", "emitters", "agentgateway", "testing", "testdata", "output", "service_upstream.yaml",
+			),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			runGoldenTest(t, tt.inputRel, tt.goldenRel)
+		})
+	}
+}

pkg/i2gw/emitters/agentgateway/service_upstream.go

@@ -0,0 +1,133 @@
+/*
+Copyright 2026 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package agentgateway
+
+import (
+	emitterir "github.com/kgateway-dev/ingress2gateway/pkg/i2gw/emitter_intermediate"
+
+	agentgatewayv1alpha1 "github.com/kgateway-dev/kgateway/v2/api/v1alpha1/agentgateway"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+const sourceIngressAnnotation = "ingress2gateway.kubernetes.io/source-ingress"
+
+// applyServiceUpstream projects provider service-upstream backend metadata into
+// AgentgatewayBackend CRs and rewrites HTTPRoute backendRefs to target them.
+func applyServiceUpstream(
+	pol emitterir.Policy,
+	ingressName string,
+	httpRouteKey types.NamespacedName,
+	httpRouteCtx *emitterir.HTTPRouteContext,
+	backends map[types.NamespacedName]*agentgatewayv1alpha1.AgentgatewayBackend,
+) {
+	if len(pol.Backends) == 0 || len(pol.RuleBackendSources) == 0 {
+		return
+	}
+
+	for _, idx := range pol.RuleBackendSources {
+		if idx.Rule >= len(httpRouteCtx.Spec.Rules) {
+			continue
+		}
+		rule := &httpRouteCtx.Spec.Rules[idx.Rule]
+		if idx.Backend >= len(rule.BackendRefs) {
+			continue
+		}
+
+		br := &rule.BackendRefs[idx.Backend]
+
+		// Only core Services are eligible for service-upstream rewriting.
+		if br.BackendRef.Group != nil && *br.BackendRef.Group != "" {
+			continue
+		}
+		if br.BackendRef.Kind != nil && *br.BackendRef.Kind != "Service" {
+			continue
+		}
+		if br.BackendRef.Name == "" {
+			continue
+		}
+
+		svcName := string(br.BackendRef.Name)
+		backendKey := serviceUpstreamBackendKey(httpRouteKey.Namespace, svcName)
+
+		be, ok := pol.Backends[backendKey]
+		if !ok {
+			continue
+		}
+
+		agb := ensureServiceUpstreamBackend(
+			ingressName,
+			backendKey,
+			be.Host,
+			be.Port,
+			backends,
+		)
+
+		// Rewrite HTTPRoute backendRef to point at the AgentgatewayBackend.
+		group := gatewayv1.Group(AgentgatewayBackendGVK.Group)
+		kind := gatewayv1.Kind(AgentgatewayBackendGVK.Kind)
+
+		br.BackendRef.Group = &group
+		br.BackendRef.Kind = &kind
+		br.BackendRef.Name = gatewayv1.ObjectName(agb.Name)
+		// Port is defined by AgentgatewayBackend.spec.static.
+		br.BackendRef.Port = nil
+	}
+}
+
+func serviceUpstreamBackendKey(ns, svcName string) types.NamespacedName {
+	return types.NamespacedName{
+		Namespace: ns,
+		Name:      svcName + "-service-upstream",
+	}
+}
+
+func ensureServiceUpstreamBackend(
+	ingressName string,
+	backendKey types.NamespacedName,
+	host string,
+	port int32,
+	backends map[types.NamespacedName]*agentgatewayv1alpha1.AgentgatewayBackend,
+) *agentgatewayv1alpha1.AgentgatewayBackend {
+	if be, ok := backends[backendKey]; ok {
+		return be
+	}
+
+	be := &agentgatewayv1alpha1.AgentgatewayBackend{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       AgentgatewayBackendGVK.Kind,
+			APIVersion: AgentgatewayBackendGVK.GroupVersion().String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      backendKey.Name,
+			Namespace: backendKey.Namespace,
+			Labels: map[string]string{
+				sourceIngressAnnotation: ingressName,
+			},
+		},
+		Spec: agentgatewayv1alpha1.AgentgatewayBackendSpec{
+			Static: &agentgatewayv1alpha1.StaticBackend{
+				Host: agentgatewayv1alpha1.ShortString(host),
+				Port: port,
+			},
+		},
+	}
+
+	backends[backendKey] = be
+	return be
+}

pkg/i2gw/emitters/agentgateway/testing/testdata/input/service_upstream.yaml

@@ -0,0 +1,63 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/service-upstream: "true"
+  name: ingress-myservicea1
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: myservicea.foo.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: myservicea
+            port:
+              number: 80
+        path: /
+        pathType: Prefix
+---
+# No service-upstream annotation here so an AgentgatewayBackend won't be created for this Ingress.
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+  name: ingress-myservicea2
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: myservicea.foo.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: myservicea
+            port:
+              number: 80
+        path: /2
+        pathType: Prefix
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/service-upstream: "true"
+    nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
+  name: ingress-myserviceb
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: myserviceb.foo.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: myserviceb
+            port:
+              number: 80
+        path: /
+        pathType: Prefix