For the complete documentation index, see llms.txt. Markdown versions of all docs pages are available by appending .md to any docs URL.
External Auth
If you use NGINX’s auth-url to call an in-cluster authentication service, the agentgateway emitter projects this into an AgentgatewayPolicy with spec.traffic.extAuth. Only in-cluster auth URLs that resolve to a Kubernetes Service (*.svc) are supported.
Before: Ingress with external auth
cat <<'EOF' > external-auth-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ext-auth-demo
annotations:
nginx.ingress.kubernetes.io/auth-url: "http://auth-service.auth.svc.cluster.local/verify"
nginx.ingress.kubernetes.io/auth-response-headers: "X-User-ID, X-User-Email"
spec:
ingressClassName: agentgateway
rules:
- host: app.example.com
http:
paths:
- backend:
service:
name: protected-app
port:
number: 8080
path: /
pathType: Prefix
EOFConvert
ingress2gateway print --providers=ingress-nginx --emitter=agentgateway \
--input-file external-auth-ingress.yaml > external-auth-agentgateway.yamlAfter: AgentgatewayPolicy with ext auth
cat external-auth-agentgateway.yamlThe tool creates an AgentgatewayPolicy that configures the external auth service via spec.traffic.extAuth:
apiVersion: agentgateway.dev/v1alpha1
kind: AgentgatewayPolicy
metadata:
name: ext-auth-demo
namespace: default
spec:
targetRefs:
- group: gateway.networking.k8s.io
kind: HTTPRoute
name: ext-auth-demo-app-example-com
traffic:
extAuth:
backendRef:
name: auth-service
namespace: auth
port: 80
http:
path: '"/verify"'
allowedResponseHeaders:
- X-User-ID
- X-User-EmailThe path value is a CEL string literal (the inner quotes are part of the expression). If the auth URL path is / or empty, the emitter omits http.path.
Apply
kubectl apply -f external-auth-agentgateway.yamlWas this page helpful?
