Supported NGINX Annotations
The following NGINX annotations are automatically translated to their TEG equivalents:
Traffic Management
| NGINX Annotation | Description | TEG Resource Generated |
|---|---|---|
| nginx.ingress.kubernetes.io/ssl-redirect | Redirect HTTP to HTTPS | HTTPRoute with redirect filter |
| nginx.ingress.kubernetes.io/force-ssl-redirect | Force HTTPS redirect | HTTPRoute with redirect filter |
| nginx.ingress.kubernetes.io/rewrite-target | URL path rewriting | HTTPRoute with URLRewrite filter |
| nginx.ingress.kubernetes.io/use-regex | Enable regex path matching | HTTPRoute with RegularExpression path type |
| nginx.ingress.kubernetes.io/app-root | Redirect root path | HTTPRoute with redirect filter |
Rate Limiting
| NGINX Annotation | Description | TEG Resource Generated |
|---|---|---|
| nginx.ingress.kubernetes.io/limit-rps | Requests per second | SecurityPolicy with rateLimit |
| nginx.ingress.kubernetes.io/limit-rpm | Requests per minute | SecurityPolicy with rateLimit |
| nginx.ingress.kubernetes.io/limit-connections | Connection limit | ClientTrafficPolicy |
CORS
| NGINX Annotation | Description | TEG Resource Generated |
|---|---|---|
| nginx.ingress.kubernetes.io/enable-cors | Enable CORS | SecurityPolicy with cors |
| nginx.ingress.kubernetes.io/cors-allow-origin | Allowed origins | SecurityPolicy cors.allowOrigin |
| nginx.ingress.kubernetes.io/cors-allow-methods | Allowed methods | SecurityPolicy cors.allowMethods |
| nginx.ingress.kubernetes.io/cors-allow-headers | Allowed headers | SecurityPolicy cors.allowHeaders |
| nginx.ingress.kubernetes.io/cors-expose-headers | Exposed headers | SecurityPolicy cors.exposeHeaders |
| nginx.ingress.kubernetes.io/cors-allow-credentials | Allow credentials | SecurityPolicy cors.allowCredentials |
| nginx.ingress.kubernetes.io/cors-max-age | Preflight cache duration | SecurityPolicy cors.maxAge |
Authentication
| NGINX Annotation | Description | TEG Resource Generated |
|---|---|---|
| nginx.ingress.kubernetes.io/auth-url | External auth URL | SecurityPolicy with extAuth |
| nginx.ingress.kubernetes.io/auth-response-headers | Headers from auth service | SecurityPolicy extAuth.headersToBackend |
| nginx.ingress.kubernetes.io/auth-type | Auth type (basic) | SecurityPolicy with basicAuth |
| nginx.ingress.kubernetes.io/auth-secret | Basic auth secret | SecurityPolicy basicAuth.users |
| nginx.ingress.kubernetes.io/auth-tls-secret | Client mTLS CA | ClientTrafficPolicy with clientValidation |
Backend Configuration
| NGINX Annotation | Description | TEG Resource Generated |
|---|---|---|
| nginx.ingress.kubernetes.io/backend-protocol | Backend protocol (HTTP/HTTPS/GRPC) | BackendTrafficPolicy or GRPCRoute |
| nginx.ingress.kubernetes.io/proxy-ssl-secret | Backend TLS CA | BackendTrafficPolicy with TLS |
| nginx.ingress.kubernetes.io/proxy-ssl-verify | Verify backend cert | BackendTrafficPolicy tls.insecureSkipVerify |
| nginx.ingress.kubernetes.io/proxy-body-size | Max request body size | BackendTrafficPolicy requestBuffer |
Timeouts & Retries
| NGINX Annotation | Description | TEG Resource Generated |
|---|---|---|
| nginx.ingress.kubernetes.io/proxy-connect-timeout | TCP connection timeout | BackendTrafficPolicy timeout.tcp |
| nginx.ingress.kubernetes.io/proxy-read-timeout | Read timeout | BackendTrafficPolicy timeout.http |
| nginx.ingress.kubernetes.io/proxy-send-timeout | Send timeout | BackendTrafficPolicy timeout.http |
| nginx.ingress.kubernetes.io/proxy-next-upstream | Retry conditions | BackendTrafficPolicy retry |
| nginx.ingress.kubernetes.io/proxy-next-upstream-tries | Retry attempts | BackendTrafficPolicy retry.numRetries |
| nginx.ingress.kubernetes.io/proxy-next-upstream-timeout | Per-retry timeout | BackendTrafficPolicy retry.perRetryTimeout |
Session Affinity
| NGINX Annotation | Description | TEG Resource Generated |
|---|---|---|
| nginx.ingress.kubernetes.io/affinity | Session affinity type | BackendTrafficPolicy loadBalancer |
| nginx.ingress.kubernetes.io/session-cookie-name | Cookie name | BackendTrafficPolicy consistentHash.cookie |
| nginx.ingress.kubernetes.io/session-cookie-expires | Cookie TTL | BackendTrafficPolicy consistentHash.cookie.ttl |
| nginx.ingress.kubernetes.io/session-cookie-max-age | Cookie max age | BackendTrafficPolicy consistentHash.cookie.ttl |
| nginx.ingress.kubernetes.io/session-cookie-samesite | Cookie SameSite | BackendTrafficPolicy consistentHash.cookie.attributes |
Canary Deployments
| NGINX Annotation | Description | TEG Resource Generated |
|---|---|---|
| nginx.ingress.kubernetes.io/canary | Enable canary | HTTPRoute with weighted backends |
| nginx.ingress.kubernetes.io/canary-weight | Traffic percentage | HTTPRoute backendRef.weight |
| nginx.ingress.kubernetes.io/canary-weight-total | Weight total (default: 100) | HTTPRoute weight calculation |
| nginx.ingress.kubernetes.io/canary-by-header | Header-based routing | HTTPRoute with header match |
| nginx.ingress.kubernetes.io/canary-by-header-value | Header value to match | HTTPRoute header match value |
| nginx.ingress.kubernetes.io/canary-by-cookie | Cookie-based routing | HTTPRoute with cookie match |
TLS
| NGINX Annotation | Description | TEG Resource Generated |
|---|---|---|
| nginx.ingress.kubernetes.io/ssl-passthrough | TLS passthrough | TLSRoute instead of HTTPRoute |
Un-Supported NGINX Annotations
Will Not Implement (Security Risk)
These annotations will never be implemented due to security concerns:
| NGINX Annotation | Reason |
|---|---|
| configuration-snippet | Arbitrary nginx config injection |
| server-snippet | Arbitrary server block injection |
| stream-snippet | Arbitrary stream config injection |
| modsecurity-snippet | Arbitrary WAF rules |
Not Supported
| NGINX Annotation | Reason |
|---|---|
| auth-method | ExtAuth doesn't support specifying HTTP method |
| auth-signin | Use OIDC authentication for redirects |
| canary-by-header-pattern | Regex header match not supported in Envoy Gateway |
| session-cookie-path | No Envoy Gateway equivalent |
| session-cookie-change-on-failure | Re-route on backend failure not supported |
| limit-burst-multiplier | Envoy uses token bucket, not burst multiplier |
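
A pre-migration check for the two tables above, as an added example that is not part of the original page or the TEG project: it scans an Ingress list and reports, per Ingress, the annotations that will not be translated. It assumes the input has the shape of `kubectl get ingress -A -o json` output and that the annotations carry the `nginx.ingress.kubernetes.io/` prefix; `audit_ingresses` and the sample objects are constructed for illustration.

```python
PREFIX = "nginx.ingress.kubernetes.io/"

# Annotation names copied from the two "Un-Supported" tables on this page.
WILL_NOT_IMPLEMENT = {"configuration-snippet", "server-snippet",
                      "stream-snippet", "modsecurity-snippet"}
NOT_SUPPORTED = {"auth-method", "auth-signin", "canary-by-header-pattern",
                 "session-cookie-path", "session-cookie-change-on-failure",
                 "limit-burst-multiplier"}

def audit_ingresses(ingress_list):
    """Map 'namespace/name' to the annotations that block or degrade migration.

    'blocked' holds the snippet annotations (refused as a security risk);
    'unsupported' holds annotations with no equivalent. Ingresses that carry
    neither are left out of the result.
    """
    findings = {}
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}  # may be absent or null
        blocked, unsupported = [], []
        for key in sorted(annotations):
            if not key.startswith(PREFIX):
                continue  # annotation owned by another controller or tool
            name = key[len(PREFIX):]
            if name in WILL_NOT_IMPLEMENT:
                blocked.append(name)
            elif name in NOT_SUPPORTED:
                unsupported.append(name)
        if blocked or unsupported:
            ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
            findings[ident] = {"blocked": blocked, "unsupported": unsupported}
    return findings

# Constructed sample input (assumed shape of an Ingress list), not real cluster data.
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "web", "annotations": {
        PREFIX + "limit-rps": "10",
        PREFIX + "configuration-snippet": 'more_set_headers "X-Frame-Options: DENY";'}}},
    {"metadata": {"namespace": "shop", "name": "login", "annotations": {
        PREFIX + "session-cookie-path": "/",
        PREFIX + "auth-signin": "https://sso.example.test/start"}}},
    {"metadata": {"namespace": "shop", "name": "static", "annotations": None}},
]}

if __name__ == "__main__":
    for ident, result in audit_ingresses(SAMPLE).items():
        print(ident, result)
```

An Ingress listed under `blocked` needs its snippet replaced by an explicit policy before migration, since that behaviour is dropped rather than translated.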