Kubernetes: Migrating Ingress to Gateway API

Notes on migrating from the (deprecated) Ingress Controller to the Gateway API.
I run a small cluster at work. I’m not in a large team; this is just what I have figured out.
I have been using the Nginx Ingress controller for a while and would continue using it – but it has been retired.
So I need to switch to the recommended Gateway API.
I’m hosting with Digital Ocean, and there are two tutorials:
- HTTPS Traffic Routing in Kubernetes using Gateway API and Cilium
- Kubernetes Gateway API Tutorial: Replace Ingress with Cilium Gateway for HTTP Traffic
Shared vs Dedicated Gateway
My first challenge is that these tutorials introduce the fact that a Gateway can be dedicated or shared, and choose a dedicated Gateway without explaining why.
As far as I can see, they choose this because it is simpler for the tutorial, but each Gateway adds a (chargeable) load balancer. In addition, I need to mount some services from different Helm charts on different paths in the same domain, and for this I’m pretty sure I need shared Gateways.
Small Team - flexibility is needed
While it’s great that the Gateway API allows for greater control of who can create routes, in reality there is no difference between who manages the cluster and who deploys the apps in my projects.
I want to have a single Gateway and don’t want to have to edit it when new projects come online.
So I’ll allow any namespace to add any routes:
    allowedRoutes:
      namespaces:
        from: All
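For context, here is where that fragment sits in a shared Gateway and how an app's own namespace attaches a path to it. This is an added example, not taken from the post or the tutorials: the resource names, namespaces, hostname, label and port are hypothetical, and the `cilium` GatewayClass name is an assumption based on the Cilium tutorials linked above.

```yaml
# Added example: names, namespaces, hostname, label and port are hypothetical.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-gateway
  namespace: gateway-system
spec:
  gatewayClassName: cilium     # assumption: Cilium's GatewayClass
  listeners:
    - name: http
      port: 80
      protocol: HTTP
      allowedRoutes:
        namespaces:
          from: All            # the setting from the post: any namespace may attach
          # Narrower alternative: only namespaces carrying a chosen label.
          # from: Selector
          # selector:
          #   matchLabels:
          #     shared-gateway-access: "true"
---
# A route owned by one app's namespace, attached to the shared Gateway.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app-a
  namespace: app-a
spec:
  parentRefs:
    - name: shared-gateway
      namespace: gateway-system   # cross-namespace attach, permitted by allowedRoutes
      sectionName: http
  hostnames:
    - apps.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /app-a
      backendRefs:
        - name: app-a
          port: 8080
```

With `from: All`, whoever can create an HTTPRoute in any namespace can claim a hostname or path on this listener, so RBAC on HTTPRoute creation becomes the effective control. The commented `Selector` form keeps the single Gateway unedited as projects come online while limiting attachment to namespaces that carry the label.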
HTTPS Certificates
I already have a certificate issuer set up - for this to work the Gateway has to listen on port 80 so that Let’s Encrypt can verify the HTTP-01 challenge.
That bit is easy.
But
The Digital Ocean tutorial uses Certificate resources, which create secrets that only work in their example because they are using a dedicated Gateway and everything is in the same namespace.
Today, there is no safe, first-class way to preserve multi-tenant TLS self-service using Gateway API.
So I could migrate by managing the hosts in my Gateway and adding but that gets messy fast.
There is no direct, stable migration path for my current setup.
Since the Nginx Ingress is so mainstream and it is being retired suddenly, it seems prudent to wait for the replacement to be fully featured and stable.
Comments
Feedback Welcomed here https://mastodon.me.uk/@sean/115894076897731721