kgateway-dev
diff --git a/‎Makefile‎
Lines changed: 14 additions & 5 deletions b/‎Makefile‎
Lines changed: 14 additions & 5 deletions
diff --git a/‎go.mod‎
Lines changed: 1 addition & 1 deletion b/‎go.mod‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎go.sum‎
Lines changed: 2 additions & 2 deletions b/‎go.sum‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎pkg/i2gw/implementations/kgateway/README.md‎
Lines changed: 15 additions & 1 deletion b/‎pkg/i2gw/implementations/kgateway/README.md‎
Lines changed: 15 additions & 1 deletion
diff --git a/‎pkg/i2gw/implementations/kgateway/backend_common.go‎
Lines changed: 105 additions & 0 deletions b/‎pkg/i2gw/implementations/kgateway/backend_common.go‎
Lines changed: 105 additions & 0 deletions
diff --git a/‎pkg/i2gw/implementations/kgateway/backend_protocol.go‎
Lines changed: 108 additions & 0 deletions b/‎pkg/i2gw/implementations/kgateway/backend_protocol.go‎
Lines changed: 108 additions & 0 deletions
@@ -38,23 +38,32 @@ help:
 		awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-17s\033[0m %s\n", $$1, $$2}'
 
 .PHONY: all
-all: vet fmt verify test build;$(info $(M)...Begin to test, verify and build this project.) @ ## Test, verify and build this project.
+all: vet fmt verify build test-all;$(info $(M)...Begin to test, verify and build this project.) @ ## Test, verify and build this project.
 
 # Run go fmt against code
 .PHONY: fmt
 fmt: ;$(info $(M)...Begin to run go fmt against code.)  @ ## Run go fmt against code.
-	gofmt -w ./pkg ./cmd
+	gofmt -w ./pkg ./cmd ./test
 
 # Run go vet against code
 .PHONY: vet
 vet: ;$(info $(M)...Begin to run go vet against code.)  @ ## Run go vet against code.
-	go vet ./pkg/... ./cmd/...
+	go vet ./pkg/... ./cmd/... ./test/...
 
-# Run go test against code
+# Run integration tests
 .PHONY: test
-test: vet;$(info $(M)...Begin to run tests.)  @ ## Run tests.
+test: vet;$(info $(M)...Begin to run integration tests.)  @ ## Run integration tests.
 	go test -race -cover ./pkg/... ./cmd/...
 
+# Run e2e tests
+.PHONY: test-e2e
+test-e2e: vet;$(info $(M)...Begin to run e2e tests.) @ ## Run e2e tests.
+	go test -v ./test/e2e/...
+
+# Run integration and e2e tests
+.PHONY: test-all
+test-all: test test-e2e;$(info $(M)...Completed test-all.) @ ## Run integration and e2e tests.
+
 # Build the binary
 .PHONY: build
 build: vet;$(info $(M)...Build the binary.)  @ ## Build the binary.
 
@@ -4,7 +4,7 @@ go 1.25.3
 
 require (
 	github.com/google/go-cmp v0.7.0
-	github.com/kgateway-dev/kgateway/v2 v2.2.0-beta.1.0.20251203210329-f0eb663ac5bd
+	github.com/kgateway-dev/kgateway/v2 v2.2.0-beta.3
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/samber/lo v1.39.0
 	github.com/spf13/cobra v1.10.1
 
@@ -51,8 +51,8 @@ github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8Hm
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kgateway-dev/kgateway/v2 v2.2.0-beta.1.0.20251203210329-f0eb663ac5bd h1:l6uyDclySJpQmXuT433sX/q1d1NpzYUCl6Nxbys5vGo=
-github.com/kgateway-dev/kgateway/v2 v2.2.0-beta.1.0.20251203210329-f0eb663ac5bd/go.mod h1:PTFdy5PWnh0b4FNvc4X93UkinNobzyct5oCtN6RNsV0=
+github.com/kgateway-dev/kgateway/v2 v2.2.0-beta.3 h1:+JISpfq0iPP1rWfLGBH+6b0GuWV7E1uJo6AR5uqE90U=
+github.com/kgateway-dev/kgateway/v2 v2.2.0-beta.3/go.mod h1:+WYYf8FRhr5YJ67+3DB0c3TzIntaGyLTtHQCVqzBkTk=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 
@@ -85,6 +85,15 @@ The command should generate Gateway API and Kgateway resources.
 - `nginx.ingress.kubernetes.io/session-cookie-max-age`: Sets the TTL/expiration time for the cookie (takes precedence over `session-cookie-expires`). Maps to `BackendConfigPolicy.spec.loadBalancer.ringHash.hashPolicies[].cookie.ttl`.
 - `nginx.ingress.kubernetes.io/session-cookie-secure`: Sets the Secure flag on the cookie. Maps to `BackendConfigPolicy.spec.loadBalancer.ringHash.hashPolicies[].cookie.secure`.
 - `nginx.ingress.kubernetes.io/service-upstream`: When set to `"true"`, configures Kgateway to route to the Service’s cluster IP (or equivalent static host) instead of individual Pod IPs. For each covered Service, the emitter creates a `Backend` resource with `spec.type: Static` and rewrites the corresponding `HTTPRoute.spec.rules[].backendRefs[]` to reference that `Backend` (group `gateway.kgateway.dev`, kind `Backend`).
+- `nginx.ingress.kubernetes.io/backend-protocol`: Indicates the L7 protocol that is used to communicate with the proxied backend.
+  - **Supported values (mapped):** `GRPC`, `GRPCS`
+    - If `service-upstream: "true"` is also set for the same Service backend, the emitter sets `spec.static.appProtocol: grpc` on the generated `Backend`.
+    - Otherwise, the emitter does **not** create or modify Kubernetes `Service` resources. Instead, it emits an **INFO** notification with a `kubectl patch`
+      command to update the existing Service port with `appProtocol: grpc`.
+  - **Values treated as default HTTP/1.x (no-op):** `HTTP`, `HTTPS`, `AUTO_HTTP`
+  - **Unsupported values (rejected by provider):** `FCGI` (and others)
+  - **Safety note:** Because emitting Service manifests could overwrite user-managed Service configuration, ingress2gateway intentionally avoids generating
+    Service resources for this annotation.
 
 ### External Auth
 
@@ -186,14 +195,19 @@ Currently supported:
     - `spec.type: Static`
     - `spec.static.hosts` containing a single `{host, port}` entry derived from the Service (e.g. `myservice.default.svc.cluster.local:80`).
   - Matching `HTTPRoute.spec.rules[].backendRefs[]` are rewritten to reference this `Backend` instead of the core Service.
+- `nginx.ingress.kubernetes.io/backend-protocol`:
+  - When set to `GRPC` or `GRPCS` **and** `service-upstream: "true"` is set for the same backend, the emitter stamps `spec.static.appProtocol: grpc` on the generated `Backend`.
+  - When set to `GRPC` or `GRPCS` **without** `service-upstream: "true"`, the emitter emits an **INFO** notification that includes a `kubectl patch service ...`
+    command to set `spec.ports[].appProtocol` on the existing Service.
+  - `HTTP`, `HTTPS`, and `AUTO_HTTP` are treated as default HTTP/1.x behavior and do not emit additional config. 
 
 ### Summary of Policy Types
 
 | Annotation Type                    | Kgateway Resource     |
 |------------------------------------|-----------------------|
 | Request/response behavior          | `TrafficPolicy`       |
 | Upstream connection behavior       | `BackendConfigPolicy` |
-| Upstream representation (static IP)| `Backend`             |
+| Upstream representation.           | `Backend`             |
 | TLS passthrough                    | `TLSRoute`            |
 
 ## Limitations
 
@@ -0,0 +1,105 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kgateway
+
+import (
+	"github.com/kgateway-dev/ingress2gateway/pkg/i2gw/intermediate"
+	kgw "github.com/kgateway-dev/kgateway/v2/api/v1alpha1/kgateway"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+// sourceIngressAnnotation is used to label Backend CRs with the source Ingress name.
+const sourceIngressAnnotation = "ingress2gateway.kubernetes.io/source-ingress"
+
+func backendNameForService(svcName string) string {
+	return svcName + "-service-upstream"
+}
+
+func backendKeyForService(ns, svcName string) types.NamespacedName {
+	return types.NamespacedName{
+		Namespace: ns,
+		Name:      backendNameForService(svcName),
+	}
+}
+
+// ensureStaticBackendForService ensures there is a Static kgateway.Backend for the given
+// service in the provided map. If it already exists, it is reused and optionally
+// updated with the given protocol. If not, a new Backend is created.
+//
+// ingressName is only used for the source-ingress label.
+func ensureStaticBackendForService(
+	ingressName string,
+	httpRouteKey types.NamespacedName,
+	svcName string,
+	host string,
+	port int32,
+	protocol *intermediate.BackendProtocol,
+	backends map[types.NamespacedName]*kgw.Backend,
+) *kgw.Backend {
+	backendKey := backendKeyForService(httpRouteKey.Namespace, svcName)
+
+	// Reuse existing Backend CR if present.
+	if kb, ok := backends[backendKey]; ok {
+		if protocol != nil && kb.Spec.Static != nil && kb.Spec.Static.AppProtocol == nil {
+			switch *protocol {
+			case intermediate.BackendProtocolGRPC:
+				ap := kgw.AppProtocolGrpc
+				kb.Spec.Static.AppProtocol = &ap
+			}
+		}
+		return kb
+	}
+
+	kb := &kgw.Backend{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       BackendGVK.Kind,
+			APIVersion: BackendGVK.GroupVersion().String(),
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      backendKey.Name,
+			Namespace: backendKey.Namespace,
+			Labels: map[string]string{
+				sourceIngressAnnotation: ingressName,
+			},
+		},
+		Spec: kgw.BackendSpec{
+			Type: kgw.BackendTypeStatic,
+			Static: &kgw.StaticBackend{
+				Hosts: []kgw.Host{
+					{
+						Host: host,
+						Port: gwv1.PortNumber(port),
+					},
+				},
+			},
+		},
+	}
+
+	if protocol != nil {
+		switch *protocol {
+		case intermediate.BackendProtocolGRPC:
+			ap := kgw.AppProtocolGrpc
+			kb.Spec.Static.AppProtocol = &ap
+		}
+	}
+
+	backends[backendKey] = kb
+	return kb
+}
@@ -0,0 +1,108 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kgateway
+
+import (
+	"github.com/kgateway-dev/ingress2gateway/pkg/i2gw/intermediate"
+	kgw "github.com/kgateway-dev/kgateway/v2/api/v1alpha1/kgateway"
+
+	"k8s.io/apimachinery/pkg/types"
+	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+// applyBackendProtocol projects backend protocol metadata on IR Backends into
+// typed Kgateway Backend CRs and rewrites HTTPRoute backendRefs to reference
+// those Backends.
+//
+// Semantics:
+//   - For each Policy.Backends entry produced by the ingress-nginx provider,
+//     we ensure there is a Static Backend CR with the correct host / port and
+//     (if set) appProtocol (currently only gRPC).
+//   - HTTPRoute backendRefs that were originally core Services and are covered
+//     by this Policy are rewritten to:
+//     group: gateway.kgateway.dev
+//     kind:  Backend
+//     name:  <svc>-service-upstream
+//   - This works regardless of whether service-upstream was also used.
+func applyBackendProtocol(
+	pol intermediate.Policy,
+	ingressName string,
+	httpRouteKey types.NamespacedName,
+	httpRouteCtx *intermediate.HTTPRouteContext,
+	backends map[types.NamespacedName]*kgw.Backend,
+) {
+	if len(pol.Backends) == 0 || len(pol.RuleBackendSources) == 0 {
+		return
+	}
+
+	for _, idx := range pol.RuleBackendSources {
+		if idx.Rule >= len(httpRouteCtx.Spec.Rules) {
+			continue
+		}
+		rule := &httpRouteCtx.Spec.Rules[idx.Rule]
+		if idx.Backend >= len(rule.BackendRefs) {
+			continue
+		}
+
+		br := &rule.BackendRefs[idx.Backend]
+
+		// Only core Service backends.
+		if br.BackendRef.Group != nil && *br.BackendRef.Group != "" {
+			continue
+		}
+		if br.BackendRef.Kind != nil && *br.BackendRef.Kind != "Service" {
+			continue
+		}
+		if br.BackendRef.Name == "" {
+			continue
+		}
+
+		svcName := string(br.BackendRef.Name)
+		if svcName == "" {
+			continue
+		}
+
+		backendKey := backendKeyForService(httpRouteKey.Namespace, svcName)
+
+		be, ok := pol.Backends[backendKey]
+		if !ok {
+			// Provider did not produce metadata for this Service backend.
+			continue
+		}
+
+		// Ensure / create the typed Backend CR (host, port, protocol).
+		kb := ensureStaticBackendForService(
+			ingressName,
+			httpRouteKey,
+			svcName,
+			be.Host,
+			be.Port,
+			be.Protocol,
+			backends,
+		)
+
+		// Rewrite BackendRef to point to this Backend.
+		group := gwv1.Group(BackendGVK.Group)
+		kind := gwv1.Kind(BackendGVK.Kind)
+
+		br.BackendRef.Group = &group
+		br.BackendRef.Kind = &kind
+		br.BackendRef.Name = gwv1.ObjectName(kb.Name)
+		// Backend controls the port.
+		br.BackendRef.Port = nil
+	}
+}