feat: add native NGINX Ingress migration tool#2623
feat: add native NGINX Ingress migration tool#2623electricjesus wants to merge 1 commit intotigera:mainfrom
Conversation
✅ Deploy Preview for calico-docs-preview-next ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
✅ Deploy Preview succeeded!Built without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify project configuration. |
electricjesus
force-pushed
the
feat/ing2gw-native-component
branch
from
9a03ad3 to
2336d43
Compare
There was a problem hiding this comment.
Pull request overview
Adds a native, in-browser NGINX Ingress → Gateway API migration experience to the Calico docs site by embedding a React-based converter (via @tigera/ingress-to-gateway-web) and wiring up the required docs, dependencies, and CI auth for GitHub Packages.
Changes:
- Introduces a new
IngressConverterwrapper component that renders the converter UI and outputs (playbook + YAML) on the docs page. - Adds new “Migrating from NGINX” docs pages (current + Calico v3.31) and links them in the Calico sidebars.
- Configures Yarn + GitHub Actions to authenticate to GitHub Packages for
@tigera/*dependency installation.
Reviewed changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
src/___new___/components/IngressConverter/index.tsx |
New wrapper component integrating @tigera/ingress-to-gateway-web and rendering playbook markdown + YAML output. |
src/___new___/components/index.ts |
Exposes IngressConverter via the shared components barrel export for MDX imports. |
calico/networking/ingress-gateway/migrate-from-nginx.mdx |
New “Migrating from NGINX” doc page that embeds <IngressConverter />. |
calico_versioned_docs/version-3.31/networking/ingress-gateway/migrate-from-nginx.mdx |
Versioned v3.31 equivalent of the new migration page. |
sidebars-calico.js |
Adds the new migration page to the Calico sidebar navigation. |
calico_versioned_sidebars/version-3.31-sidebars.json |
Adds the new migration page to the Calico v3.31 sidebar navigation. |
package.json |
Adds @tigera/ingress-to-gateway-web and marked dependencies. |
yarn.lock |
Locks new dependencies (@tigera/ingress-to-gateway-*, marked, and yaml range change). |
.yarnrc.yml |
Configures @tigera scope to use GitHub Packages with NODE_AUTH_TOKEN. |
.github/workflows/validate.yml |
Sets NODE_AUTH_TOKEN during installs to allow fetching from GitHub Packages. |
.github/workflows/vale.yml |
Sets NODE_AUTH_TOKEN during installs to allow fetching from GitHub Packages. |
|
|
||
| function MarkdownRenderer({ children }: { children: string }) { | ||
| const html = marked.parse(children, { async: false }) as string; | ||
| // biome-ignore lint/security/noDangerouslySetInnerHtml: markdown is generated by our own report engine, not user input |
There was a problem hiding this comment.
marked will render raw HTML by default, and conversion.output.report is derived (directly/indirectly) from user-pasted YAML. Rendering it via dangerouslySetInnerHTML without sanitization creates an XSS risk. Consider sanitizing the generated HTML (e.g., reuse the repo’s existing sanitize-html dependency) or configure the markdown pipeline to disallow embedded HTML before injecting it.
| function MarkdownRenderer({ children }: { children: string }) { | |
| const html = marked.parse(children, { async: false }) as string; | |
| // biome-ignore lint/security/noDangerouslySetInnerHtml: markdown is generated by our own report engine, not user input | |
| import sanitizeHtml from 'sanitize-html'; | |
| function MarkdownRenderer({ children }: { children: string }) { | |
| const rawHtml = marked.parse(children, { async: false }) as string; | |
| const html = sanitizeHtml(rawHtml, { | |
| allowedTags: sanitizeHtml.defaults.allowedTags, | |
| allowedAttributes: sanitizeHtml.defaults.allowedAttributes, | |
| }); |
| export default function IngressConverter() { | ||
| const conversion = useConversion(); | ||
| const [step, setStep] = useState<Step>('input'); | ||
|
|
||
| const handleConvert = useCallback(() => { | ||
| const result = conversion.handleConvert(); |
There was a problem hiding this comment.
This new React component doesn’t appear to have a Jest test alongside it, while other components under src/___new___/components/* commonly have snapshot tests in __test__/ (e.g., src/___new___/components/Explore/__test__/index.test.tsx). Adding at least a basic render/snapshot test would help prevent regressions when updating @tigera/ingress-to-gateway-web or the wrapper logic.
| cache: yarn | ||
| - name: Authenticate GitHub Packages | ||
| run: yarn config set --home npmScopes.tigera.npmAuthToken "${{ secrets.GITHUB_TOKEN }}" | ||
| - name: Install dependencies | ||
| run: yarn install --immutable |
There was a problem hiding this comment.
Using NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} for GitHub Packages typically requires explicit workflow/job permissions (at least packages: read). Without setting permissions: packages: read, installs from npm.pkg.github.com can fail depending on repo/org default token permissions. Consider adding an explicit permissions block to ensure deterministic installs.
| - name: Authenticate GitHub Packages | ||
| if: steps.changed.outputs.skip == 'false' | ||
| run: yarn config set --home npmScopes.tigera.npmAuthToken "${{ secrets.GITHUB_TOKEN }}" | ||
| - name: Install dependencies | ||
| if: steps.changed.outputs.skip == 'false' |
There was a problem hiding this comment.
This workflow now authenticates to GitHub Packages during yarn install, but it doesn’t declare permissions: packages: read. If the repository’s default GITHUB_TOKEN permissions don’t include packages access, dependency installation from npm.pkg.github.com will fail. Consider adding explicit packages: read permissions (workflow- or job-level).
electricjesus
force-pushed
the
feat/ing2gw-native-component
branch
6 times, most recently
from
342990a to
268266a
Compare
Replace the iframe embed with a native React component from @tigera/ingress-to-gateway-web. The converter runs entirely in-browser — paste NGINX Ingress YAML and get a personalised migration playbook for Envoy Gateway. - Add IngressConverter wrapper component - Configure @tigera npm scope for GitHub Packages - Add NODE_AUTH_TOKEN to CI workflows for package auth - Remove CLI tool section (internal only for now)
electricjesus
force-pushed
the
feat/ing2gw-native-component
branch
from
268266a to
02d7b30
Compare
Summary
@tigera/ingress-to-gateway-web@0.7.0data-themeattributeChanges
src/___new___/components/IngressConverter/— wrapper component importing bare components from@tigera/ingress-to-gateway-webcalico/networking/ingress-gateway/migrate-from-nginx.mdx(current + v3.31) — uses native<IngressConverter />instead of iframe.yarnrc.yml— configures@tigeranpm scope to pull from GitHub PackagesNODE_AUTH_TOKENfor GitHub Packages authDependencies
@tigera/ingress-to-gateway-web@0.7.0— fromtigera/ing2gwvia GitHub Packagesmarked— for rendering the migration playbook markdownTest plan
/calico/latest/networking/ingress-gateway/migrate-from-nginxPreview
Standalone preview: https://ing2gw.seth.ie
🤖 Generated with Claude Code