Merge pull request #16 from danehans/svc_up

Adds Support for `service-upstream` Ingress-Nginx Annotation

Author: danehans

pkg/i2gw/implementations/kgateway/README.md

@@ -73,6 +73,7 @@ The command should generate Gateway API and Kgateway resources.
 - `nginx.ingress.kubernetes.io/session-cookie-expires`: Sets the TTL/expiration time for the cookie. Maps to `BackendConfigPolicy.spec.loadBalancer.ringHash.hashPolicies[].cookie.ttl`.
 - `nginx.ingress.kubernetes.io/session-cookie-max-age`: Sets the TTL/expiration time for the cookie (takes precedence over `session-cookie-expires`). Maps to `BackendConfigPolicy.spec.loadBalancer.ringHash.hashPolicies[].cookie.ttl`.
 - `nginx.ingress.kubernetes.io/session-cookie-secure`: Sets the Secure flag on the cookie. Maps to `BackendConfigPolicy.spec.loadBalancer.ringHash.hashPolicies[].cookie.secure`.
+- `nginx.ingress.kubernetes.io/service-upstream`: When set to `"true"`, configures Kgateway to route to the Service’s cluster IP (or equivalent static host) instead of individual Pod IPs. For each covered Service, the emitter creates a `Backend` resource with `spec.type: Static` and rewrites the corresponding `HTTPRoute.spec.rules[].backendRefs[]` to reference that `Backend` (group `gateway.kgateway.dev`, kind `Backend`).
 
 ### External Auth
 
@@ -123,12 +124,26 @@ Currently supported:
 If multiple Ingresses target the same Service with conflicting `proxy-connect-timeout` values,
 the lowest timeout wins and a warning is emitted.
 
+## Backend Projection
+
+Annotations that change how upstreams are represented (rather than how they are load balanced or configured)
+can be projected into Kgateway `Backend` resources.
+
+Currently supported:
+
+- `nginx.ingress.kubernetes.io/service-upstream`:
+  - For each Service backend covered by an Ingress with `service-upstream: "true"`, the emitter creates a `Backend` with:
+    - `spec.type: Static`
+    - `spec.static.hosts` containing a single `{host, port}` entry derived from the Service (e.g. `myservice.default.svc.cluster.local:80`).
+  - Matching `HTTPRoute.spec.rules[].backendRefs[]` are rewritten to reference this `Backend` instead of the core Service.
+
 ### Summary of Policy Types
 
-| Annotation Type              | Kgateway Resource     |
-|------------------------------|-----------------------|
-| Request/response behavior    | `TrafficPolicy`       |
-| Upstream connection behavior | `BackendConfigPolicy` |
+| Annotation Type                    | Kgateway Resource     |
+|------------------------------------|-----------------------|
+| Request/response behavior          | `TrafficPolicy`       |
+| Upstream connection behavior       | `BackendConfigPolicy` |
+| Upstream representation (static IP)| `Backend`             |
 
 ## Limitations
 

pkg/i2gw/implementations/kgateway/emitter.go

@@ -81,6 +81,9 @@ func (e *Emitter) Emit(ir *intermediate.IR) ([]client.Object, error) {
 	// Track GatewayExtensions per ingress name (for external auth).
 	gatewayExtensions := map[string]*kgateway.GatewayExtension{}
 
+	// Track Backends per (namespace, svcName) for service-upstream.
+	staticBackends := map[types.NamespacedName]*kgateway.Backend{}
+
 	for httpRouteKey, httpRouteContext := range ir.HTTPRoutes {
 		ingx := httpRouteContext.ProviderSpecificIR.IngressNginx
 		if ingx == nil {
@@ -150,6 +153,15 @@ func (e *Emitter) Emit(ir *intermediate.IR) ([]client.Object, error) {
 				backendCfg,
 			)
 
+			// Apply service-upstream via Backend and HTTPRoute backendRef rewrites.
+			applyServiceUpstreamBackend(
+				pol,
+				polSourceIngressName,
+				httpRouteKey,
+				&httpRouteContext,
+				staticBackends,
+			)
+
 			// Apply enable-access-log via HTTPListenerPolicy.
 			applyAccessLogPolicy(
 				pol,
@@ -219,6 +231,11 @@ func (e *Emitter) Emit(ir *intermediate.IR) ([]client.Object, error) {
 		}
 	}
 
+	// Collect all static Backends computed across HTTPRoutes.
+	for _, b := range staticBackends {
+		out = append(out, b)
+	}
+
 	// Collect all BackendConfigPolicies computed across HTTPRoutes.
 	for _, bcp := range backendCfg {
 		out = append(out, bcp)

pkg/i2gw/implementations/kgateway/emitter_integration_test.go

@@ -233,6 +233,15 @@ func TestKgatewayIngressNginxIntegration_Golden(t *testing.T) {
 				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "output", "external_auth.yaml",
 			),
 		},
+		{
+			name: "service_upstream",
+			inputRel: filepath.Join(
+				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "input", "service_upstream.yaml",
+			),
+			goldenRel: filepath.Join(
+				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "output", "service_upstream.yaml",
+			),
+		},
 	}
 
 	for _, tt := range tests {

pkg/i2gw/implementations/kgateway/service_upstream.go

@@ -0,0 +1,128 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kgateway
+
+import (
+	"github.com/kgateway-dev/ingress2gateway/pkg/i2gw/intermediate"
+	kgw "github.com/kgateway-dev/kgateway/v2/api/v1alpha1/kgateway"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+// applyServiceUpstreamBackend projects provider-specific static backend mappings
+// into typed Kgateway Backend CRs and rewrites HTTPRoute backendRefs to reference
+// those Backends.
+//
+// Semantics:
+//   - One Backend CR per (namespace, svcName-service-upstream)
+//   - Backend.Spec.Static.Hosts contains a single host+port
+//   - HTTPRoute backendRefs for those services are rewritten to:
+//     group: gateway.kgateway.dev
+//     kind:  Backend
+//     name:  <svc>-service-upstream
+//
+// Returns true if it mutated the HTTPRouteContext or produced a Backend CR.
+func applyServiceUpstreamBackend(
+	pol intermediate.Policy,
+	ingressName string,
+	httpRouteKey types.NamespacedName,
+	httpRouteCtx *intermediate.HTTPRouteContext,
+	backends map[types.NamespacedName]*kgw.Backend,
+) {
+	if len(pol.Backends) == 0 || len(pol.RuleBackendSources) == 0 {
+		return
+	}
+
+	for _, idx := range pol.RuleBackendSources {
+		// Validate indices
+		if idx.Rule >= len(httpRouteCtx.Spec.Rules) {
+			continue
+		}
+		rule := &httpRouteCtx.Spec.Rules[idx.Rule]
+		if idx.Backend >= len(rule.BackendRefs) {
+			continue
+		}
+
+		br := &rule.BackendRefs[idx.Backend]
+
+		// Only core Services
+		if br.BackendRef.Group != nil && *br.BackendRef.Group != "" {
+			continue
+		}
+		if br.BackendRef.Kind != nil && *br.BackendRef.Kind != "Service" {
+			continue
+		}
+		if br.BackendRef.Name == "" {
+			continue
+		}
+
+		svcName := string(br.BackendRef.Name)
+
+		backendName := svcName + "-service-upstream"
+		backendKey := types.NamespacedName{
+			Namespace: httpRouteKey.Namespace,
+			Name:      backendName,
+		}
+
+		// Find provider-produced backend metadata
+		be, ok := pol.Backends[backendKey]
+		if !ok {
+			continue
+		}
+
+		// Create or reuse typed Backend CR
+		kb, exists := backends[backendKey]
+		if !exists {
+			kb = &kgw.Backend{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       BackendGVK.Kind,
+					APIVersion: BackendGVK.GroupVersion().String(),
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      backendKey.Name,
+					Namespace: backendKey.Namespace,
+					Labels: map[string]string{
+						"ingress2gateway.kubernetes.io/source-ingress": ingressName,
+					},
+				},
+				Spec: kgw.BackendSpec{
+					Type: kgw.BackendTypeStatic,
+					Static: &kgw.StaticBackend{
+						Hosts: []kgw.Host{
+							{
+								Host: be.Host,
+								Port: gwv1.PortNumber(be.Port),
+							},
+						},
+					},
+				},
+			}
+			backends[backendKey] = kb
+		}
+
+		// Rewrite BackendRef to point to this Backend
+		group := gwv1.Group(BackendGVK.Group)
+		kind := gwv1.Kind(BackendGVK.Kind)
+
+		br.BackendRef.Group = &group
+		br.BackendRef.Kind = &kind
+		br.BackendRef.Name = gwv1.ObjectName(backendKey.Name)
+		br.BackendRef.Port = nil // backend controls port
+	}
+}

pkg/i2gw/implementations/kgateway/testing/testdata/input/service_upstream.yaml

@@ -0,0 +1,65 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+    nginx.ingress.kubernetes.io/service-upstream: "true"
+  name: ingress-myservicea1
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: myservicea.foo.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: myservicea
+            port:
+              number: 80
+        path: /
+        pathType: Prefix
+---
+# No service-upstream annotation here so a Backend won't be created for this Ingress.
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+  name: ingress-myservicea2
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: myservicea.foo.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: myservicea
+            port:
+              number: 80
+        path: /2
+        pathType: Prefix
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+    nginx.ingress.kubernetes.io/service-upstream: "true"
+  name: ingress-myserviceb
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: myserviceb.foo.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: myserviceb
+            port:
+              number: 80
+        path: /
+        pathType: Prefix

pkg/i2gw/implementations/kgateway/testing/testdata/output/service_upstream.yaml

@@ -0,0 +1,107 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  annotations:
+    gateway.networking.k8s.io/generator: ingress2gateway-dev
+  name: nginx
+  namespace: default
+spec:
+  gatewayClassName: kgateway
+  listeners:
+  - hostname: myservicea.foo.org
+    name: myservicea-foo-org-http
+    port: 80
+    protocol: HTTP
+  - hostname: myserviceb.foo.org
+    name: myserviceb-foo-org-http
+    port: 80
+    protocol: HTTP
+status: {}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  annotations:
+    gateway.networking.k8s.io/generator: ingress2gateway-dev
+  name: ingress-myservicea1-myservicea-foo-org
+  namespace: default
+spec:
+  hostnames:
+  - myservicea.foo.org
+  parentRefs:
+  - name: nginx
+  rules:
+  # From ingress-myservicea1 (service-upstream=true) so rewritten to Backend
+  - backendRefs:
+    - group: gateway.kgateway.dev
+      kind: Backend
+      name: myservicea-service-upstream
+    matches:
+    - path:
+        type: PathPrefix
+        value: /
+  # From ingress-myservicea2 (no service-upstream) so still core Service
+  - backendRefs:
+    - name: myservicea
+      port: 80
+    matches:
+    - path:
+        type: PathPrefix
+        value: /2
+status:
+  parents: []
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  annotations:
+    gateway.networking.k8s.io/generator: ingress2gateway-dev
+  name: ingress-myserviceb-myserviceb-foo-org
+  namespace: default
+spec:
+  hostnames:
+  - myserviceb.foo.org
+  parentRefs:
+  - name: nginx
+  rules:
+  # From ingress-myserviceb (service-upstream=true) so rewritten to Backend
+  - backendRefs:
+    - group: gateway.kgateway.dev
+      kind: Backend
+      name: myserviceb-service-upstream
+    matches:
+    - path:
+        type: PathPrefix
+        value: /
+status:
+  parents: []
+---
+apiVersion: gateway.kgateway.dev/v1alpha1
+kind: Backend
+metadata:
+  labels:
+    ingress2gateway.kubernetes.io/source-ingress: ingress-myservicea1
+  name: myservicea-service-upstream
+  namespace: default
+spec:
+  type: Static
+  static:
+    hosts:
+    - host: myservicea.default.svc.cluster.local
+      port: 80
+status: {}
+---
+apiVersion: gateway.kgateway.dev/v1alpha1
+kind: Backend
+metadata:
+  labels:
+    ingress2gateway.kubernetes.io/source-ingress: ingress-myserviceb
+  name: myserviceb-service-upstream
+  namespace: default
+spec:
+  type: Static
+  static:
+    hosts:
+    - host: myserviceb.default.svc.cluster.local
+      port: 80
+status: {}