Skip to content

Docs jwt release note example#772

Open
anvithagowda098 wants to merge 1 commit into
kgateway-dev:mainfrom
anvithagowda098:docs-jwt-release-note-example
Open

Docs jwt release note example#772
anvithagowda098 wants to merge 1 commit into
kgateway-dev:mainfrom
anvithagowda098:docs-jwt-release-note-example

Conversation

@anvithagowda098

Copy link
Copy Markdown
Contributor

Summary

This PR improves the upgrade guidance for the TrafficPolicy API in the v2.2 release notes by adding a clear migration example for renamed authentication fields.

The current release notes mention that:

  • jwtjwtAuth
  • apiKeyAuthenticationapiKeyAuth

However, they do not include an actionable example showing how to update existing TrafficPolicy resources.

This PR addresses that gap by adding:

  • A warning callout about potential unexpected behavior when old fields are used after upgrade
  • Before/After YAML examples for both JWT and API key authentication fields

Motivation

Users upgrading from v2.1 → v2.2 may not realize they need to manually update existing TrafficPolicy resources. Without migration examples, the change is easy to miss and can lead to misconfigured authentication policies after upgrade.

Change Type

/ kind documentation

Changelog

docs: add migration example for TrafficPolicy jwt/apiKey rename

Signed-off-by: Anvitha <anvitha.gowda098@gmail.com>
@anvithagowda098 anvithagowda098 force-pushed the docs-jwt-release-note-example branch from f701c51 to e00ee00 Compare May 19, 2026 07:09
- name: my-api-key-provider
```

**After (v2.2+):**

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The callout makes sense and the jwt → jwtAuth and apiKeyAuthentication → apiKeyAuth are correct. But the YAML is not accurate.

  • JWTAuth (the type of jwtAuth) has only two fields: extensionRef and disable. The providers (NamedJWTProvider array) field belongs to the JWT type, which appears in GatewayExtensionSpec, not in TrafficPolicy. So in v2.2 you wire JWT providers via jwtAuth.extensionRef → a GatewayExtension whose spec.jwt.providers holds the list. jwtAuth.providers is invalid.
  • APIKeyAuth has no providers field at all — it uses keySources, secretRef/secretSelector, forwardCredential, clientIdHeader, disable. So apiKeyAuth.providers (and the "before" apiKeyAuthentication.providers) is not correct.

* The `apiKeyAuthentication` field is renamed to `apiKeyAuth`

Update your TrafficPolicy resources accordingly when upgrading.
{{< callout type="warning" >}}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Callouts need a blank line before them.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants