Bridging the Gap from Ingress to the Future


Gateway API Maintainer track update

Intro

Introductions and stuff

Agenda

  • Ingress nginx is gone
  • How Gateway API makes migration easier
  • 1.5 release highlights

Ingress NGINX is gone

They’re doing a couple of final releases, mostly just security fixes. There was a CVE that needed to be fixed.

Maintainers are moving to the ingress2gateway project. People will continue to use Ingress-nginx, and they will find issues and security issues. The maintainer urges users to move away from Ingress-nginx.

The maintainer archived the repository live on stage :D

Ingress2gateway is a CLI tool that can convert Ingress objects to Gateway objects. It supports Ingress, but also other provider-specific implementations.

Gateway API v1.5

Released not that long ago. They do monthly releases too, which is useful for implementers. Aside from that, there are regular semver releases too; basically, what’s there is released.

New feature: ListenerSet

TLS details are not just operator or admin responsibility. Those needed to move to a separate object. Meaning, application owners can take ownership of their TLS config, and the limit of 64 listeners on a Gateway is removed (this was an etcd limitation).

SNI Based routing

Before, HTTPRoute was the main focus, because most of the Ingress use cases used that. Now there’s TLSRoute, supporting more flows.

Terminate Mode

TLS Sessions are terminated at the Gateway Level. Gateway provides the certificate.

Passthrough Mode

In case of high security needs. When traffic needs to be end-to-end encrypted. Application needs to terminate TLS. In this mode, the Gateway has no access to private keys or unencrypted data.

Note: this is not meant as a replacement for HTTPRoute. Using this for HTTP brings risk with it.

TLS Overview

Gateway API also supports two-way TLS:

  • Frontend TLS - Between the client and the Gateway
  • Backend TLS - Between the Gateway and a Backend

This release supports full mTLS.

It now also supports connection coalescing, part of the HTTP/2 spec (performance feature).

Backend mTLS

TLS to a Backend is easy: using BackendTLSConfig

mTLS to a Backend is harder. In tls.backend.clientCertificateRef you can provide a certificate to prove the Gateway’s identity.

HTTPRoute CORS Filter

Configure CORS Policy, and set headers automatically. Also responds to pre-flight requests (OPTIONS).

Controller Matching Wizard

How to determine what features are implemented by which vendor/implementation? Controller Matching Wizard!

You can pick what features you need, including nice to haves. Then you get a list of implementations that correspond to your needs.