For the complete documentation index, see llms.txt. Markdown versions of all docs pages are available by appending .md to any docs URL.
Multi-level delegation
Create a 3-level route delegation hierarchy with a parent, child, and grandchild HTTPRoute.
Verified Code examples on this page have been automatically tested and verified.Create a 3-level route delegation hierarchy with a parent, child, and grandchild HTTPRoute.
Configuration overview
In this guide, you set up a 3-level route delegation hierarchy. The parent HTTPRoute delegates to a child, and the child delegates to a grandchild that forwards traffic to an httpbin sample app.
The following image illustrates the route delegation hierarchy:
parent HTTPRoute:
- Delegates traffic as follows:
/anything/team1is delegated to the child HTTPRoutechild-team1in namespaceteam1./anything/team2is delegated to the child HTTPRoutechild-team2in namespaceteam2.
child-team1 HTTPRoute:
- Matches incoming traffic for the
/anything/team1/fooprefix path and routes that traffic to the httpbin app in theteam1namespace.
child-team2 HTTPRoute:
- Delegates traffic on the
/anything/team2/grandchild/prefix to a grandchild HTTPRoute in theteam2namespace.
grandchild HTTPRoute:
- Matches incoming traffic for the
/anything/team2/grandchild/.*regex path and routes that traffic to the httpbin app in theteam2namespace.
Before you begin
Follow the Get started guide to install agentgateway.
Follow the Sample app guide to create the
agentgateway-proxyGateway with an HTTP listener.Get the external address of the agentgateway proxy and save it in an environment variable.
export INGRESS_GW_ADDRESS=$(kubectl get svc -n agentgateway-system agentgateway-proxy -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}") echo $INGRESS_GW_ADDRESSCreate the namespaces for
team1andteam2.kubectl create namespace team1 kubectl create namespace team2Deploy the httpbin app into both namespaces. The httpbin app exposes endpoints such as
/anything/...,/headers, and/delay/Nthat are useful for verifying routing and policy behavior.curl -sL https://raw.githubusercontent.com/kgateway-dev/kgateway/main/examples/httpbin.yaml \ | awk 'BEGIN{skip=0} /^kind: Namespace$/{skip=1} skip==0{print} /^---$/{skip=0}' \ | sed 's/namespace: httpbin/namespace: team1/g' \ | kubectl apply -f - curl -sL https://raw.githubusercontent.com/kgateway-dev/kgateway/main/examples/httpbin.yaml \ | awk 'BEGIN{skip=0} /^kind: Namespace$/{skip=1} skip==0{print} /^---$/{skip=0}' \ | sed 's/namespace: httpbin/namespace: team2/g' \ | kubectl apply -f -Verify that the httpbin apps are up and running.
kubectl get pods -n team1 kubectl get pods -n team2Example output:
NAME READY STATUS RESTARTS AGE httpbin-6bc5b79755-xlvjf 3/3 Running 0 7s NAME READY STATUS RESTARTS AGE httpbin-6bc5b79755-twxq9 3/3 Running 0 6s
Setup
Create the parent HTTPRoute that matches incoming traffic on the
delegation.exampledomain. The HTTPRoute specifies two routes:/anything/team1: The routing decision is delegated to a child HTTPRoute in theteam1namespace./anything/team2: The routing decision is delegated to a child HTTPRoute in theteam2namespace.
kubectl apply -f- <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: parent namespace: agentgateway-system spec: hostnames: - delegation.example parentRefs: - name: agentgateway-proxy rules: - matches: - path: type: PathPrefix value: /anything/team1 backendRefs: - group: gateway.networking.k8s.io kind: HTTPRoute name: child-team1 namespace: team1 - matches: - path: type: PathPrefix value: /anything/team2 backendRefs: - group: gateway.networking.k8s.io kind: HTTPRoute name: child-team2 namespace: team2 EOFCreate the
child-team1HTTPRoute in theteam1namespace that matches traffic on the/anything/team1/fooprefix and routes traffic to the httpbin app.kubectl apply -f- <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: child-team1 namespace: team1 spec: rules: - matches: - path: type: PathPrefix value: /anything/team1/foo backendRefs: - name: httpbin port: 8000 EOFCreate the
child-team2HTTPRoute in theteam2namespace that matches traffic on the/anything/team2/grandchild/prefix and delegates traffic to a grandchild HTTPRoute in theteam2namespace. Because the child delegates to a grandchild, the rule must use aPathPrefixmatcher.kubectl apply -f- <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: child-team2 namespace: team2 spec: rules: - matches: - path: type: PathPrefix value: /anything/team2/grandchild/ backendRefs: - group: gateway.networking.k8s.io kind: HTTPRoute name: grandchild namespace: team2 EOFCreate a grandchild HTTPRoute that matches traffic on the
/anything/team2/grandchild/.*regex path and routes traffic to the httpbin app in theteam2namespace.kubectl apply -f- <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: grandchild namespace: team2 spec: rules: - matches: - path: type: RegularExpression value: /anything/team2/grandchild/.* backendRefs: - name: httpbin port: 8000 EOFSend a request to the
delegation.exampledomain along the/anything/team1/foopath. Verify that you get a 200 HTTP response.curl -i http://$INGRESS_GW_ADDRESS:8080/anything/team1/foo -H "host: delegation.example"Example output:
HTTP/1.1 200 OK access-control-allow-credentials: true access-control-allow-origin: * content-type: application/json; encoding=utf-8 server: agentgatewaySend another request to the
delegation.exampledomain along the/anything/team1/barpath. Verify that you get a 404 HTTP response, because this path is not specified inchild-team1.curl -i http://$INGRESS_GW_ADDRESS:8080/anything/team1/bar -H "host: delegation.example"Example output:
HTTP/1.1 404 Not Found content-type: text/plain server: agentgatewaySend another request to the
delegation.exampledomain. This time, use the/anything/team2/grandchild/barpath that is matched by thegrandchildHTTPRoute. Verify that you get a 200 HTTP response.curl -i http://$INGRESS_GW_ADDRESS:8080/anything/team2/grandchild/bar -H "host: delegation.example"Example output:
HTTP/1.1 200 OK access-control-allow-credentials: true access-control-allow-origin: * content-type: application/json; encoding=utf-8 server: agentgatewaySend another request along the
/anything/team2/grandchild/foopath. Because the grandchild HTTPRoute uses a regular expression to match incoming traffic, any path that begins with/anything/team2/grandchild/is routed to the httpbin app in theteam2namespace.curl -i http://$INGRESS_GW_ADDRESS:8080/anything/team2/grandchild/foo -H "host: delegation.example"Example output:
HTTP/1.1 200 OK access-control-allow-credentials: true access-control-allow-origin: * content-type: application/json; encoding=utf-8 server: agentgateway
Cleanup
You can remove the resources that you created in this guide.kubectl delete httproute parent -n agentgateway-system
kubectl delete httproute child-team1 -n team1
kubectl delete httproute child-team2 -n team2
kubectl delete httproute grandchild -n team2
kubectl delete namespaces team1 team2