
Gateway API & Ingress NGINX

Purpose: Shows platform engineers and application developers how to configure Gateway listeners, HTTPRoutes, TLS termination, and cert-manager integration.

What Gateway API Does

Gateway API is the successor to the Ingress resource, providing a more expressive and role-oriented model for routing traffic into Kubernetes clusters. It uses Gateway, HTTPRoute, and GRPCRoute resources to define how external traffic reaches services. In openCenter, Envoy Gateway implements the Gateway API specification.

The model separates concerns: platform engineers manage Gateway resources (listeners, TLS, IP allocation), while application developers manage HTTPRoute resources (path matching, backend services).

How It's Deployed

Gateway API is deployed as two components via FluxCD from openCenter-gitops-base:

  1. gateway-api — Installs the Gateway API CRDs (HTTPRoute, GRPCRoute, Gateway, GatewayClass).
  2. gateway — Deploys Envoy Gateway as the implementation controller.

openCenter-gitops-base/applications/base/services/gateway-api/   # CRDs
openCenter-gitops-base/applications/base/services/gateway/       # Envoy Gateway

Both are referenced via FluxCD Kustomizations in the customer overlay:

# applications/overlays/<cluster>/services/fluxcd/gateway-api.yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: gateway-api-base
  namespace: flux-system
spec:
  sourceRef:
    kind: GitRepository
    name: opencenter-gateway-api
  path: applications/base/services/gateway-api

Key Configuration

Creating a Gateway

Platform engineers define Gateway resources that bind to a GatewayClass and configure listeners:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: platform-gateway
  namespace: gateway-system
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  gatewayClassName: envoy
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      # allowedRoutes defaults to `from: Same`, which would reject HTTPRoutes
      # created in application namespaces such as my-app. `All` admits any
      # namespace; use `Selector` with matchLabels to admit only labelled ones.
      allowedRoutes:
        namespaces:
          from: All
    - name: https
      protocol: HTTPS
      port: 443
      allowedRoutes:
        namespaces:
          from: All
      tls:
        mode: Terminate
        certificateRefs:
          - name: platform-tls
            kind: Secret

MetalLB assigns an external IP to the Gateway's LoadBalancer service. The cert-manager.io/cluster-issuer annotation triggers automatic certificate provisioning.

Defining HTTPRoutes

Application developers create HTTPRoute resources to route traffic to their services:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: my-app-route
  namespace: my-app
spec:
  parentRefs:
    - name: platform-gateway
      namespace: gateway-system
  hostnames:
    - "app.example.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api
      backendRefs:
        - name: api-service
          port: 8080
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: frontend-service
          port: 80
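The two rules above overlap (/api is also under /), so it helps to see how a Gateway API implementation picks between them. The following is an added example, not code from the openCenter project or from Envoy Gateway: a small Python model of the spec's matching rules, using a constructed copy of the my-app-route rules. It shows that precedence is decided by match specificity (Exact beats PathPrefix, then the longest prefix wins), not by rule order, and that PathPrefix matches whole path elements, so /apiv2 falls through to the frontend rule rather than the /api rule. Only precise hostnames are modelled; wildcard hostnames are left out.

```python
# Added example (not from the openCenter docs or Envoy Gateway): simulates how a
# Gateway API implementation selects an HTTPRoute rule for a request.
# ROUTE is a constructed copy of the page's my-app-route; request values are
# constructed too.

ROUTE = {
    "hostnames": ["app.example.com"],
    "rules": [
        {"matches": [{"path": {"type": "PathPrefix", "value": "/api"}}],
         "backendRefs": [{"name": "api-service", "port": 8080}]},
        {"matches": [{"path": {"type": "PathPrefix", "value": "/"}}],
         "backendRefs": [{"name": "frontend-service", "port": 80}]},
    ],
}


def hostname_matches(route_hostnames, host):
    """Precise hostnames only; an empty hostnames list means 'any host'."""
    if not route_hostnames:
        return True
    return host.lower() in (h.lower() for h in route_hostnames)


def path_matches(match, path):
    """Return (matched, specificity) using Gateway API path semantics.

    PathPrefix is element-wise: /api matches /api and /api/v1 but not /apiv2.
    Specificity orders Exact above PathPrefix, then longer values above shorter.
    """
    kind = match.get("type", "PathPrefix")
    value = match["value"]
    if kind == "Exact":
        return (path == value, (1, len(value)))
    if value == "/":
        return (True, (0, 1))
    ok = path == value or path.startswith(value.rstrip("/") + "/")
    return (ok, (0, len(value)))


def select_backend(route, host, path):
    """Return the first backendRef of the most specific matching rule, or None.

    The winning rule is the one with the highest specificity, regardless of
    where it appears in the manifest, so listing "/" first would change nothing.
    """
    if not hostname_matches(route.get("hostnames", []), host):
        return None
    best, best_spec = None, None
    default_match = [{"path": {"type": "PathPrefix", "value": "/"}}]
    for rule in route["rules"]:
        for match in rule.get("matches", default_match):
            ok, spec = path_matches(match["path"], path)
            if ok and (best_spec is None or spec > best_spec):
                best, best_spec = rule["backendRefs"][0], spec
    return best


if __name__ == "__main__":
    for host, path in [("app.example.com", "/api/users"),
                       ("app.example.com", "/apiv2"),
                       ("other.example.com", "/")]:
        print(host, path, "->", select_backend(ROUTE, host, path))
```

The same element-wise rule is why a route for /admin does not accidentally cover /administration: the prefix either equals the path or is followed by a slash.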

GRPCRoute

For gRPC services, use GRPCRoute instead of HTTPRoute:

apiVersion: gateway.networking.k8s.io/v1
kind: GRPCRoute
metadata:
  name: grpc-route
  namespace: my-app
spec:
  parentRefs:
    - name: platform-gateway
      namespace: gateway-system
  hostnames:
    - "grpc.example.com"
  rules:
    - matches:
        - method:
            service: myapp.v1.MyService
      backendRefs:
        - name: grpc-backend
          port: 9090

TLS with cert-manager

When the Gateway has a cert-manager.io/cluster-issuer annotation, cert-manager automatically provisions and renews TLS certificates for each listener. The certificate is stored in the Secret referenced by certificateRefs.

Verification

# Check Gateway status and assigned IP
kubectl get gateways -A

# Verify HTTPRoutes are accepted by the Gateway
kubectl get httproutes -A

# Check Envoy Gateway controller pods
kubectl get pods -n gateway-system

# Inspect a specific route's status
kubectl describe httproute my-app-route -n my-app

# Test connectivity
curl -v https://app.example.com/api

Common Customizations

  • Multiple Gateways: Create separate Gateway resources for internal vs. external traffic, each with different listeners and IP pools.
  • Rate limiting: Envoy Gateway supports BackendTrafficPolicy for rate limiting on a per-route basis.
  • Header manipulation: Use HTTPRoute filters to add, remove, or modify request/response headers.
  • Cross-namespace routing: Grant HTTPRoute access to a Gateway in another namespace using ReferenceGrant resources.
  • Override values: Adjust Envoy Gateway resource limits or replica count in applications/overlays/<cluster>/services/gateway/override-values.yaml.
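Cross-namespace routing is where most "route not accepted" problems come from: a Gateway only attaches routes from namespaces its listeners allow, and a backendRef into another namespace is refused unless that namespace has published a ReferenceGrant. The following is an added example, not code from the openCenter project or from Envoy Gateway: a Python pre-apply check over constructed manifests (a gateway-system/platform-gateway with `allowedRoutes.namespaces.from: All`, the same Gateway with the spec default `Same`, a my-app HTTPRoute that also references a hypothetical `shared/legacy-api` Service, and a ReferenceGrant in the hypothetical `shared` namespace). It reports why a route would be rejected before kubectl apply is run.

```python
# Added example (not openCenter or Envoy Gateway code): checks whether a Gateway
# would attach an HTTPRoute from another namespace and whether each
# cross-namespace backendRef is covered by a ReferenceGrant. All manifests
# below are constructed for the example; the "shared" namespace and
# "legacy-api" Service are hypothetical.

GATEWAY_GROUP = "gateway.networking.k8s.io"


def listener_allows_namespace(listener, gateway_ns, route_ns, route_ns_labels):
    """Apply listener.allowedRoutes.namespaces; the spec default is Same."""
    policy = listener.get("allowedRoutes", {}).get("namespaces", {})
    mode = policy.get("from", "Same")
    if mode == "Same":
        return route_ns == gateway_ns
    if mode == "All":
        return True
    if mode == "Selector":
        wanted = policy.get("selector", {}).get("matchLabels", {})
        return all(route_ns_labels.get(k) == v for k, v in wanted.items())
    return False


def grant_permits(grants, from_ns, from_kind, to_ns, to_kind, to_name):
    """A ReferenceGrant lives in the *target* namespace, names the referring
    namespace and kind under `from`, and the target kind under `to`."""
    for g in grants:
        if g["metadata"]["namespace"] != to_ns:
            continue
        if not any(f["namespace"] == from_ns and f["kind"] == from_kind
                   and f.get("group", GATEWAY_GROUP) == GATEWAY_GROUP
                   for f in g["spec"]["from"]):
            continue
        for t in g["spec"]["to"]:
            # core group is "", and omitting `name` grants every object of that kind
            if t["kind"] == to_kind and t.get("group", "") == "" \
                    and t.get("name") in (None, to_name):
                return True
    return False


def check_route(route, gateway, grants, namespace_labels=None):
    """Return a list of problems; an empty list means the route would attach."""
    problems = []
    route_ns = route["metadata"]["namespace"]
    gw_name, gw_ns = gateway["metadata"]["name"], gateway["metadata"]["namespace"]
    labels = (namespace_labels or {}).get(route_ns, {})
    for ref in route["spec"]["parentRefs"]:
        if ref.get("name") != gw_name or ref.get("namespace", route_ns) != gw_ns:
            problems.append(f"parentRef {ref} does not point at {gw_ns}/{gw_name}")
            continue
        if not any(listener_allows_namespace(lst, gw_ns, route_ns, labels)
                   for lst in gateway["spec"]["listeners"]):
            problems.append(f"no listener on {gw_name} allows routes from {route_ns}")
    for rule in route["spec"]["rules"]:
        for be in rule.get("backendRefs", []):
            be_ns = be.get("namespace", route_ns)
            if be_ns != route_ns and not grant_permits(
                    grants, route_ns, route["kind"], be_ns,
                    be.get("kind", "Service"), be["name"]):
                problems.append(f"backendRef {be_ns}/{be['name']} needs a ReferenceGrant in {be_ns}")
    return problems


# --- constructed manifests -------------------------------------------------
GATEWAY_ALL = {"metadata": {"name": "platform-gateway", "namespace": "gateway-system"},
               "spec": {"listeners": [
                   {"name": "https", "allowedRoutes": {"namespaces": {"from": "All"}}}]}}
GATEWAY_SAME = {"metadata": {"name": "platform-gateway", "namespace": "gateway-system"},
                "spec": {"listeners": [{"name": "https"}]}}   # default: Same
ROUTE = {"kind": "HTTPRoute",
         "metadata": {"name": "my-app-route", "namespace": "my-app"},
         "spec": {"parentRefs": [{"name": "platform-gateway", "namespace": "gateway-system"}],
                  "rules": [{"backendRefs": [{"name": "api-service", "port": 8080}]},
                            {"backendRefs": [{"name": "legacy-api", "namespace": "shared", "port": 80}]}]}}
GRANT = {"metadata": {"name": "allow-my-app", "namespace": "shared"},
         "spec": {"from": [{"group": GATEWAY_GROUP, "kind": "HTTPRoute", "namespace": "my-app"}],
                  "to": [{"group": "", "kind": "Service", "name": "legacy-api"}]}}

if __name__ == "__main__":
    print("All + grant:", check_route(ROUTE, GATEWAY_ALL, [GRANT]))
    print("Same:", check_route(ROUTE, GATEWAY_SAME, [GRANT]))
    print("no grant:", check_route(ROUTE, GATEWAY_ALL, []))
```

Keeping the ReferenceGrant in the target namespace is what makes the model least-privilege: the owner of the Service decides who may route to it, and the grant can name a single Service rather than every Service in the namespace.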