Feat/expand migration examples 596#641
778018a to
781fa00
@artberger awaiting your reviews
| @@ -0,0 +1,73 @@ | |||
| --- | |||
| title: "Migrate from Ingress" | |||
The agentgateway content is no longer maintained in this repo. You can move this information to: https://github.com/agentgateway/website
| name: timeouts-demo-timeouts-example-com | ||
| timeouts: | ||
| request: 60s | ||
| backendRequest: 60s |
timeouts.backendRequest is not a valid field. The Timeouts type has two sub-fields: request and streamIdle. The second field should be streamIdle: 60s, not backendRequest: 60s.
| metadata: | ||
| name: timeouts-demo | ||
| annotations: | ||
| nginx.ingress.kubernetes.io/proxy-connect-timeout: "15" |
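Review bot: the annotation value on the last line, proxy-connect-timeout: "15", is a bare number that NGINX reads as seconds, while the timeouts block shown for this example uses duration strings (request: 60s). Wherever the connect timeout ends up in the migrated config, the page should state the unit explicitly in the surrounding prose, so readers converting their own annotations do not carry the unitless value across.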
proxy-connect-timeout: "15" has no equivalent in TrafficPolicy.timeouts. The connect timeout belongs in BackendConfigPolicy.spec.connectTimeout. The page should either drop it with a note, or add a separate BackendConfigPolicy block to cover it.
| - group: gateway.networking.k8s.io | ||
| kind: HTTPRoute | ||
| name: upload-demo-upload-example-com | ||
| buffer: |
buffer.maxRequestSize is confirmed valid and accepts a Kubernetes Quantity string. "20Mi" is a valid value. The unit mismatch (NGINX 20m = decimal megabytes, 20Mi = mebibytes) is technically imprecise but close enough in practice that it's not a blocking issue.
| - openid | ||
| credentials: | ||
| clientId: my-client-id |
credentials.clientId is wrong. The API field is clientID (capital I and D).
| weight: 34 | ||
| --- | ||
|
|
||
| Many teams use `oauth2-proxy` as a sidecar or external service to handle OIDC/OAuth2 for NGINX. kgateway simplifies this by providing native support via a `GatewayExtension` and `TrafficPolicy`. |
The NGINX source pattern uses an OAuth2 proxy sidecar, not direct OIDC. The page should note the reader is making an architectural change, not a one-for-one translation.
| issuer: "https://issuer.example.com" | ||
| jwks: | ||
| remote: | ||
| uri: "https://issuer.example.com/.well-known/jwks.json" |
jwks.remote.uri uses url, not uri.
| weight: 40 | ||
| --- | ||
|
|
||
| Mutual TLS (mTLS) allows the gateway to verify the identity of the client via a certificate. NGINX uses annotations like `auth-tls-verify-client`, whereas Gateway API (v1.1+) handles this through `frontendValidation` on a Gateway listener. |
frontendValidation.caCertificateRefs is standard Gateway API (added in v1.3, experimental in some builds). No kgateway-specific fields are involved, so the YAML itself is correct. The page should add a note on the minimum Gateway API version required, since not all clusters will have it available.
| - matches: | ||
| - path: | ||
| type: PathPrefix | ||
| value: /api/v1 |
There is an edge case where path /api/v1 (no trailing slash) would produce an empty replacement string with ReplacePrefixMatch: / — worth a one-line callout but not a blocking bug.
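The prefix-rewrite edge case raised in the comment above, as an added example that is not part of this PR or of kgateway's code. It assumes the element-wise `PathPrefix` matching and the `ReplacePrefixMatch` results documented in the Gateway API specification; the function names and sample paths are hypothetical, and it puts plain string substitution beside a normalized rewrite to show where empty, double-slash or wrongly matched paths come from.

```python
"""Added example: prefix replacement for an HTTPRoute URLRewrite, edge cases included."""


def prefix_matches(path: str, prefix: str) -> bool:
    """PathPrefix matches whole path elements: /api/v1 matches /api/v1 and
    /api/v1/users, but not /api/v10/users."""
    base = prefix.rstrip("/")
    return path == base or path.startswith(base + "/")


def naive_rewrite(path: str, prefix: str, replacement: str) -> str:
    """Plain string substitution, kept only to expose the edge cases."""
    if not path.startswith(prefix):
        return path
    return replacement + path[len(prefix):]


def replace_prefix_match(path: str, prefix: str, replacement: str) -> str:
    """Prefix replacement that never yields an empty or double-slash path."""
    if not prefix_matches(path, prefix):
        return path  # route does not match, path is left untouched
    rest = path[len(prefix.rstrip("/")):]  # "" or a string starting with "/"
    return (replacement.rstrip("/") + rest) or "/"


# Constructed sample request paths for the /api/v1 route discussed above.
SAMPLES = ["/api/v1", "/api/v1/", "/api/v1/users", "/api/v10/users"]


def compare(prefix: str = "/api/v1", replacement: str = "/") -> dict:
    """Map each sample path to (naive result, normalized result)."""
    return {
        p: (naive_rewrite(p, prefix, replacement),
            replace_prefix_match(p, prefix, replacement))
        for p in SAMPLES
    }


if __name__ == "__main__":
    for path, (naive, normalized) in compare().items():
        print(f"{path!r:18} naive={naive!r:12} normalized={normalized!r}")
```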
@Ashutoshx7 Did you plan on taking another look at the conflicts and comments? Thanks!
ea7b382 to
3b5cef8
Add 10 new migration examples for the Envoy-based migration guide:
- Auth: Basic Auth, JWT, API Key, OIDC Authentication
- Traffic: Header Modifiers, Timeouts, URL Rewriting, Request Buffering, Traffic Mirroring
- Security: Client TLS (mTLS)

Review fixes applied:
- timeouts.md: use streamIdle (not backendRequest); move proxy-connect-timeout to BackendConfigPolicy
- oidc-auth.md: fix clientID casing; add architectural change callout
- jwt-auth.md: use url (not uri) in jwks.remote
- client-tls.md: add Gateway API v1.3 version warning
- url-rewriting.md: add edge-case callout for empty replacement
- request-buffering.md: note decimal-vs-mebibyte unit difference

Fixes kgateway-dev#596
Part of kgateway-dev#628
3b5cef8 to
f85d844
Hi, sorry for the delay
Description
This PR significantly expands the Ingress migration documentation by adding comprehensive, step-by-step examples for common NGINX patterns.
Motivation:
Addresses the lack of advanced migration examples noted in the Ingress Migration Epic #628. Specifically, it fills the feature parity gaps for the 2.2 release by providing clear paths for Authentication (JWT, OIDC, API Key) and standard Gateway API filters.
What changed:
`agentgateway` section (canary.md and session-affinity.md).
`GatewayExtension` for JWT/OIDC and `TrafficPolicy` for Auth/Timeouts).
Related issues:
Fixes #596
Part of #628
Change Type
/kind documentation
/kind fix
Changelog