@skrobul skrobul commented Dec 9, 2025

Summary

This PR migrates UnderStack from the legacy Ingress API with ingress-nginx controller to the Kubernetes Gateway API with Envoy Gateway. This migration is necessary due to the ingress-nginx project retirement with a March 2026 deadline.

Motivation

  • ingress-nginx is being retired by the Kubernetes community
  • Gateway API is the modern, standardized approach for ingress traffic management
  • Better separation of concerns between cluster operators (Gateway) and application developers (Routes)
  • More expressive routing capabilities and native support for multiple protocols

Changes

Infrastructure Components

Envoy Gateway Deployment (components/envoy-gateway/)

  • New component for Envoy Gateway controller
  • Configured with Backend API and EnvoyPatchPolicy support
  • Deployed via ArgoCD in apps/infra/envoy-gateway.yaml

envoy-configs Helm Chart (components/envoy-configs/)

  • Centralized configuration for Gateway and Route resources
  • Templates for Gateway (external/internal), HTTPRoute, and TLSRoute
  • JSON schema validation for configuration
  • Supports TLS termination, passthrough, and HTTPS backends
  • Cross-namespace route references with label selectors

cert-manager Updates

  • Enabled Gateway API support via Helm installation
  • Bootstrap script now installs cert-manager with enableGatewayApi: true
  • Removed kustomize-based installation in favor of Helm

OpenStack Helm Charts

Updated all OpenStack service components to disable Ingress generation:

  • network.use_external_ingress_controller: true
  • manifests.ingress_api: false
  • manifests.service_ingress_api: false

Application Updates

ArgoCD, Argo Workflows, Dex

  • Removed standalone Ingress manifests
  • Routing now managed via envoy-configs

external-dns

  • Upgraded to support Gateway API resources

Architecture

The new architecture uses:

  • Shared Gateways: Two cluster-wide Gateways (external, internal) in envoy-gateway namespace
  • Distributed Routes: HTTPRoute/TLSRoute resources in application namespaces
  • Centralized Configuration: All routes defined in site-specific envoy-configs.yaml
  • Automatic TLS: cert-manager provisions certificates at Gateway level

Documentation

Migration Path for Deployments

Existing deployments need to update their deploy/<site>/ repository:

  1. Add skip: true for ingress-nginx in apps.yaml
  2. Create GatewayClass resource in manifests/envoy-gateway/
  3. Create helm-configs/envoy-configs.yaml with Gateway and route definitions
  4. Remove old Ingress manifests
  5. Disable Ingress in Helm charts (monitoring, etc.)
  6. Update Cilium L2 policies to match Envoy Gateway
  7. Update load balancer IP sharing annotations
  8. Manually remove old ingress-nginx namespace if it blocks Service IP assignment

See docs/operator-guide/gateway-api.md for detailed instructions.

Breaking Changes

⚠️ This is a breaking change for existing deployments

Deployments must update their site-specific configuration to:

  • Define routes and gateways in helm-configs/envoy-configs.yaml
  • Remove old Ingress resources
  • Potentially manually clean up ingress-nginx namespace

Related Links
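As an added illustration (not manifests from this PR or from the envoy-configs chart), this is the shape of the shared Gateway plus per-application HTTPRoute described above, with cert-manager issuing the listener certificate and a namespace selector limiting which namespaces may attach routes. The GatewayClass name, issuer, hostnames, label key and the argocd-server Service/port are assumptions.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: external
  namespace: envoy-gateway
  annotations:
    # cert-manager (installed with enableGatewayApi) issues a cert per TLS listener
    cert-manager.io/cluster-issuer: letsencrypt-prod   # issuer name assumed
spec:
  gatewayClassName: envoy   # GatewayClass from manifests/envoy-gateway/ (name assumed)
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "*.example.com"
      tls:
        mode: Terminate
        certificateRefs:
          - name: wildcard-example-com-tls   # Secret written by cert-manager
      allowedRoutes:
        namespaces:
          # Only labelled namespaces may bind routes here; "from: All" would let
          # any namespace claim hostnames behind the shared Gateway.
          from: Selector
          selector:
            matchLabels:
              gateway-access: external   # label key/value assumed
---
apiVersion: v1
kind: Namespace
metadata:
  name: argocd
  labels:
    gateway-access: external   # opts this namespace in to the external Gateway
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: argocd
  namespace: argocd
spec:
  parentRefs:
    - name: external
      namespace: envoy-gateway   # cross-namespace reference to the shared Gateway
      sectionName: https
  hostnames:
    - argocd.example.com
  rules:
    - backendRefs:
        - name: argocd-server   # Service name and port assumed
          port: 80
```

If the route's namespace lacks the label, the Gateway reports the route as not accepted in its status rather than serving it.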

@skrobul skrobul requested a review from a team December 9, 2025 12:05
@skrobul skrobul changed the title "Migrate from ingress-nginx to Kubernetes Gateway API" to "feat: Migrate from ingress-nginx to Kubernetes Gateway API" Dec 9, 2025
Commit messages:

  • We no longer do a "static" install of the cert-manager, because custom configuration needs to be provided to enable the Gateway API functionality.
  • Includes cert-manager integration.
  • For HTTPRoute, if the name is not explicitly set, default to the first part of the hostname/FQDN.
  • Technically, this gives the user a way to configure which routes the listener is going to accept.
  • Some of the services require passthrough TLS instead of termination.
  • This adds the ability to direct traffic over https without doing cert verification.
  • So that we can disable TLS validation...
  • These have been replaced by HTTPRoutes