Seamless Migration from Nginx Ingress to Gateway API (DOKS)
What Will You Learn in This Guide?
This guide covers the zero-downtime migration process to Gateway API after Nginx Ingress is deprecated.
It shows how to complete the DNS migration safely by running the Ingress and Gateway resources side by side.
It details how to preserve TLS certificates, HTTP → HTTPS redirects, and Load Balancer configuration.
Technical Summary
This content covers migrating the Nginx Ingress infrastructure running on DigitalOcean Managed Kubernetes (DOKS) to the Cilium-based Gateway API.
Aim: to migrate without interrupting production traffic, preserving TLS certificates and performing the DNS migration in a controlled manner.
Process: it consists of preparation, Gateway installation, certificate management, testing and DNS cutover steps.
Key Differences Between Gateway API and Ingress
Gateway API offers a more modular and open traffic management model compared to Ingress.
| Feature | Ingress NGINX | Gateway API (Cilium) |
|---|---|---|
| Class definition | kubernetes.io/ingress.class | spec.gatewayClassName |
| TLS Management | Annotation based | Separate Certificate resource |
| HTTP → HTTPS | Nginx redirect annotation | RequestRedirect filter |
| Load Balancer Settings | metadata.annotations | spec.infrastructure.annotations |
DigitalOcean Load Balancer settings should only be defined under spec.infrastructure.annotations.
Seamless Transition Step by Step
1. Preparing cert-manager for Gateway API
```bash
helm upgrade cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --reuse-values \
  --set extraArgs="{--enable-gateway-api=true}"
```
- This command enables cert-manager to support Gateway API resources.
2. Creating the Gateway Resource
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: tr1-gateway
spec:
  gatewayClassName: cilium
  infrastructure:
    annotations:
      service.beta.kubernetes.io/do-loadbalancer-name: "tr1-gateway-lb"
      service.beta.kubernetes.io/do-loadbalancer-size-unit: "2"
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      hostname: "ornek.com"
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "ornek.com"
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: genixnode-tls-secret
```
- This configuration creates a new Load Balancer for the Gateway API.
3. Copying Existing TLS Certificate
- Since DNS has not yet been directed to the new Gateway IP, the existing Ingress certificate is used temporarily.
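```bash
# Copy the existing Ingress TLS secret under the name the Gateway listener references
kubectl get secret eski-tls-secret -o yaml | \
  sed "s/name: eski-tls-secret/name: genixnode-tls-secret/" | \
  kubectl apply -f -
```
- This step is only for the transition period.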
4. Defining HTTPRoute Rules
- HTTP → HTTPS redirection is filter-based in the Gateway API.
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http-redirect
spec:
  parentRefs:
    - name: tr1-gateway
      sectionName: http
  hostnames:
    - "ornek.com"
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
```
- This definition permanently redirects all HTTP requests to HTTPS.
5. Testing and DNS Migration
- Obtain the Gateway IP address:
```bash
kubectl get gateway tr1-gateway
```
- First, test against the IP address. After verification, point the DNS A record to the Gateway IP.
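A pre-cutover check for step 5, as an added example that is not part of the original guide: it pins ornek.com to the Gateway IP with `curl --resolve`, so the 301 redirect and the copied certificate are verified while DNS still points at the old Ingress. The function names and the `run` argument are assumptions made for this example.

```bash
# Added example: verify the new Gateway by IP before changing the DNS A record.
# HOST and the Gateway name are taken from the guide; everything else is illustrative.
HOST="ornek.com"

# Read the Load Balancer address from the Gateway status.
gateway_ip() {
  kubectl get gateway tr1-gateway -o jsonpath='{.status.addresses[0].value}'
}

# Validate response headers (read from stdin) of the HTTP listener:
# the status must be 301 and Location must be https://$HOST or a path under it.
check_redirect() {
  local headers status location
  headers=$(tr -d '\r')
  status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
  location=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2; exit}')
  [ "$status" = "301" ] || { echo "expected 301, got '$status'" >&2; return 1; }
  case "$location" in
    "https://$HOST"|"https://$HOST/"*) return 0 ;;
    *) echo "unexpected Location '$location'" >&2; return 1 ;;
  esac
}

# Run both checks against the Gateway IP. --resolve pins HOST to that IP, so the
# Host header, SNI and certificate hostname verification all use the real name.
verify_gateway() {
  local ip=$1
  # HTTP listener: must answer with the RequestRedirect filter's 301.
  curl -sS -o /dev/null -D - --resolve "$HOST:80:$ip" "http://$HOST/" \
    | check_redirect || return 1
  # HTTPS listener: curl fails here if the copied certificate is expired,
  # untrusted, or not valid for HOST. The HTTP status itself is not checked.
  curl -sS -o /dev/null --resolve "$HOST:443:$ip" "https://$HOST/" || return 1
  echo "gateway $ip OK for $HOST"
}

# Only contact the cluster and the Load Balancer when called with "run".
if [ "${1:-}" = "run" ]; then
  verify_gateway "$(gateway_ip)"
fi
```

Change the A record only after the script exits with status 0; a failure on the second `curl` usually means the secret copied in step 3 does not match the listener hostname.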
Frequently Asked Questions (FAQ)
1. When should Ingress be removed? 24–48 hours of monitoring is recommended after DNS migration.
2. Will there be additional costs during migration? Yes, short-term double Load Balancer costs will occur.
3. Are certificates automatically renewed? If the Certificate resource is created after the DNS migration, they are renewed.
4. Is rollback possible? It is sufficient to redirect the DNS record to the old Load Balancer IP.
Conclusion
With this guide, the transition from Nginx Ingress to Gateway API has been completed with zero interruption. Gateway API provides a more scalable and manageable traffic infrastructure. This framework is the recommended standard for modern Kubernetes environments.

