Ingress vs Gateway API

We recommend using the Kubernetes Gateway API for ingress management. The Gateway API is the official successor to Ingress resources and is actively developed by the Kubernetes community. One of its key benefits is a better separation of concerns: a clean split between infrastructure configuration (Gateway) and application routing (HTTPRoute).

We use Istio Gateway's implementation of the Kubernetes Gateway API (not to be confused with Istio's implementation of Ingress).

Having mentioned the Gateway, it's worth noting that you can only specify one host or wildcard domain per Gateway listener. This is a bit of a paradigm shift if you rely heavily on per-Ingress certificate management using the HTTP01 Challenge Provider. In our examples we suggest using wildcard domains in the Gateway listeners, which requires the DNS01 Challenge Provider.

We understand that a lot of organizations are still using Ingress and that a lot of Helm charts still only provide an Ingress implementation. Therefore, we also provide an Ingress implementation using ingress-nginx. Do be aware that ingress-nginx is migrating to the Gateway API: https://github.com/kubernetes/ingress-nginx/issues/13002.

We did look at Istio Ingress for native Ingress, but we found that it requires storing the TLS secrets in the Istio namespace, whereas ingress-nginx allows them to be stored in the same namespace as the Ingress resource.

For completeness, these are the most important resources needed to run Istio Gateway:

---
apiVersion: source.toolkit.fluxcd.io/v1 # added: required for the resource to be applied
kind: HelmRepository
metadata:
  name: istio
  namespace: set-in-overlay
spec:
  interval: 24h
  url: https://istio-release.storage.googleapis.com/charts
---
# Istio control plane
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: istiod
spec:
  interval: 30m
  chart:
    spec:
      chart: istiod
      version: 1.26.3
      sourceRef:
        kind: HelmRepository
        name: istio
      interval: 12h
  values:
    meshConfig:
      ingressSelector: gateway # see https://github.com/istio/istio/blob/master/manifests/charts/gateway/templates/_helpers.tpl#L20
      ingressService: istio-gateway
    pilot:
      env:
        K8S_INGRESS_NS: istio-gateway
---
# Gateway data plane, exposed through a LoadBalancer Service
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: istio-gateway
spec:
  interval: 30m # added: spec.interval is required; value assumed to match istiod above
  chart:
    spec:
      chart: gateway
      version: 1.26.3
      sourceRef:
        kind: HelmRepository
        name: istio
      interval: 12h
  values:
    service:
      type: LoadBalancer
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: istio
spec:
  controller: istio.io/ingress-controller