Skip to content

For the complete documentation index, see llms.txt. Markdown versions of all docs pages are available by appending .md to any docs URL.

Page as Markdown 

    

  
  


          
External Auth

          
If you’re using NGINX’s auth-url to call an external authentication service, this becomes a kgateway GatewayExtension with external auth configuration.


Before: Ingress with external auth
    



cat <<'EOF' > external-auth-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ext-auth-demo
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "http://auth-service.auth.svc.cluster.local/verify"
    nginx.ingress.kubernetes.io/auth-response-headers: "X-User-ID, X-User-Email"
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - backend:
          service:
            name: protected-app
            port:
              number: 8080
        path: /
        pathType: Prefix
EOF

  





Convert
    



ingress2gateway print --providers=ingress-nginx --emitter=kgateway \
  --input-file external-auth-ingress.yaml > external-auth-kgateway.yaml

  





After: GatewayExtension
    



cat external-auth-kgateway.yaml

  





The tool creates a GatewayExtension that configures the external auth service:





apiVersion: gateway.kgateway.dev/v1alpha1
kind: GatewayExtension
metadata:
  name: ext-auth-demo-ext-auth
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: ext-auth-demo-app-example-com
  extAuth:
    httpService:
      serverRef:
        name: auth-service
        namespace: auth
        port: 80
      pathPrefix: /verify
      authorizationResponse:
        headersToBackend:
        - X-User-ID
        - X-User-Email

  





Apply
    



kubectl apply -f external-auth-kgateway.yaml

  





        

        

        
SSL RedirectCanary Deployments

        

  

    Was this page helpful?