External Auth

If you’re using NGINX’s auth-url to call an external authentication service, this becomes a kgateway GatewayExtension with external auth configuration.

Before: Ingress with external auth 

cat <<'EOF' > external-auth-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ext-auth-demo
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "http://auth-service.auth.svc.cluster.local/verify"
    nginx.ingress.kubernetes.io/auth-response-headers: "X-User-ID, X-User-Email"
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - backend:
          service:
            name: protected-app
            port:
              number: 8080
        path: /
        pathType: Prefix
EOF

Convert 

ingress2gateway print --providers=ingress-nginx --emitter=kgateway \
  --input-file external-auth-ingress.yaml > external-auth-kgateway.yaml

After: GatewayExtension 

cat external-auth-kgateway.yaml

The tool creates a GatewayExtension that configures the external auth service:

apiVersion: gateway.kgateway.dev/v1alpha1
kind: GatewayExtension
metadata:
  name: ext-auth-demo-ext-auth
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: ext-auth-demo-app-example-com
  extAuth:
    httpService:
      serverRef:
        name: auth-service
        namespace: auth
        port: 80
      pathPrefix: /verify
      authorizationResponse:
        headersToBackend:
        - X-User-ID
        - X-User-Email

Apply 

kubectl apply -f external-auth-kgateway.yaml
SSL RedirectCanary Deployments