{"id":2386,"date":"2025-12-14T21:11:53","date_gmt":"2025-12-15T03:11:53","guid":{"rendered":"https:\/\/izendestudioweb.com\/articles\/?p=2386"},"modified":"2025-12-14T21:11:53","modified_gmt":"2025-12-15T03:11:53","slug":"seamless-migration-from-ingress-nginx-to-gateway-api-on-doks","status":"publish","type":"post","link":"https:\/\/izendestudioweb.com\/articles\/2025\/12\/14\/seamless-migration-from-ingress-nginx-to-gateway-api-on-doks\/","title":{"rendered":"Seamless Migration from Ingress NGINX to Gateway API on DOKS"},"content":{"rendered":"

Introduction<\/h2>\n

The digital landscape is constantly evolving, and so should your cloud architecture. With the deprecation of the Ingress NGINX controller, it\u2019s time to embrace the Gateway API<\/strong> on DigitalOcean Kubernetes (DOKS)<\/strong>. This migration can seem daunting, but fear not! This guide will walk you through a step-by-step process that ensures a smooth transition with zero downtime<\/strong> for your workloads.<\/p>\n

By leveraging the capabilities of Cilium<\/strong>, you can run both Ingress and Gateway side-by-side, validating the production readiness of your new setup before making the final switch. Understanding the nuances between these two systems is crucial, and this guide will cover everything from handling TLS certificates to configuring DigitalOcean LoadBalancer for your new gateway.<\/p>\n

Key Considerations for Your Migration<\/h2>\n

Migrating to the Gateway API is not just about switching controllers; it requires careful planning and understanding of the differences in configurations. Here are some key takeaways<\/strong> to keep in mind:<\/p>\n

    \n
  • Zero Downtime<\/strong>: Run both controllers concurrently and perform a controlled DNS cutover.<\/li>\n
  • LoadBalancer Endpoint Changes<\/strong>: Expect a new LoadBalancer with a different IP address.<\/li>\n
  • Annotation Migration<\/strong>: Different configurations between Ingress NGINX and Gateway API; pay attention to the changes.<\/li>\n
  • Explicit Certificate Management<\/strong>: Transition from annotations to separate Certificate resources.<\/li>\n<\/ul>\n

    Prerequisites for Migration<\/h3>\n

    Before starting the migration, ensure that you meet the following prerequisites:<\/p>\n

      \n
    1. A VPC-integrated DOKS cluster version 1.33+.<\/li>\n
    2. Configured kubectl for your cluster.<\/li>\n
    3. An existing Ingress NGINX deployment with cert-manager.<\/li>\n
    4. Domain name with DNS access.<\/li>\n
    5. Budget for temporary dual LoadBalancers during migration.<\/li>\n<\/ol>\n

      Step-by-Step Migration Process<\/h2>\n

      The migration process follows a blue-green deployment<\/strong> strategy, allowing you to validate your new Gateway setup without affecting your existing traffic. Here\u2019s how to go about it:<\/p>\n

      Phase 1: Prepare Your Gateway API Stack<\/h3>\n

      Start by enabling Gateway API in cert-manager. This will allow cert-manager to manage certificates for Gateway-managed routes. Execute the following Helm command:<\/p>\n

      helm upgrade cert-manager jetstack\/cert-manager --namespace cert-manager --reuse-values --set extraArgs=\"{--enable-gateway-api=true}\"<\/code><\/pre>\n
      Next, create a Gateway resource using a manifest file (gateway.yaml) that defines your Gateway settings, including the annotations for your DigitalOcean LoadBalancer.<\/p>\n
      Once created, ensure the Gateway is ready by applying the configuration:<\/p>\n
      kubectl apply -f gateway.yaml<\/code><\/pre>\n
      Then verify that the Gateway is programmed correctly and has an assigned address:<\/p>\n
      kubectl get gateway my-gateway<\/code><\/pre>\n
      Phase 2: Validate Your Gateway Setup<\/h3>\n
      Before cutting over DNS records, you need to validate that your Gateway is functioning correctly. Test the setup using the Gateway LoadBalancer IP:<\/p>\n
      GATEWAY_IP=$(kubectl get gateway my-gateway -o jsonpath='{.status.addresses[0].value}')<\/code><\/pre>\n
      Use curl<\/strong> to check both HTTP and HTTPS traffic:<\/p>\n
      curl -I --resolve www.example.com:80:$GATEWAY_IP http:\/\/www.example.com<\/code><\/pre>\n
      If all tests return the expected results, you are ready for the next phase.<\/p>\n
      Phase 3: Execute the DNS Cutover<\/h3>\n
      The final step is to update your DNS records to point to the new Gateway LoadBalancer IP. If you’re using manual DNS updates, ensure to lower the TTL beforehand:<\/p>\n
      doctl compute domain records update example.com --record-id  --record-ttl 60<\/code><\/pre>\n
      After updating the A record, monitor the propagation of DNS changes to ensure a smooth transition.<\/p>\n
      Post-Migration Best Practices<\/h2>\n
      After successfully migrating to the Gateway API, it\u2019s essential to establish proper certificate management to ensure your certificates do not expire. Create a Certificate resource that references your ClusterIssuer:<\/p>\n
      apiVersion: cert-manager.io\/v1\nkind: Certificate\nmetadata:\n  name: www-tls-gateway\nspec:\n  secretName: www-tls\n  issuerRef:\n    name: letsencrypt-prod-gateway\n    kind: ClusterIssuer\n  dnsNames:\n  - www.example.com<\/code><\/pre>\n
      Monitor the stability of your new setup for at least 24-48 hours before removing the old Ingress. Keep an eye on traffic volume, error rates, and response times to ensure everything is functioning as expected.<\/p>\n
      Conclusion<\/h2>\n
      Successfully migrating from Ingress NGINX to Gateway API on DOKS with zero downtime is a significant achievement that positions your workloads for enhanced performance and security. By following the outlined steps, you can harness the modern features of the Gateway API, leading to better traffic management and simplified configurations. As you settle into your new Gateway setup, consider exploring additional features like advanced routing and observability to further enhance your cloud architecture.<\/p>\n","protected":false},"excerpt":{"rendered":"
      Learn how to seamlessly migrate from Ingress NGINX to Gateway API on DOKS without downtime, ensuring your cloud architecture is modern and efficient.<\/p>\n","protected":false},"author":2,"featured_media":2385,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[105,113,108],"class_list":["post-2386","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-security","tag-cloud","tag-content","tag-security"],"jetpack_featured_media_url":"https:\/\/izendestudioweb.com\/articles\/wp-content\/uploads\/2025\/12\/img-Dl72uf0JZivsrZcI35hJkJa4.png","_links":{"self":[{"href":"https:\/\/izendestudioweb.com\/articles\/wp-json\/wp\/v2\/posts\/2386","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/izendestudioweb.com\/articles\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/izendestudioweb.com\/articles\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/izendestudioweb.com\/articles\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/izendestudioweb.com\/articles\/wp-json\/wp\/v2\/comments?post=2386"}],"version-history":[{"count":1,"href":"https:\/\/izendestudioweb.com\/articles\/wp-json\/wp\/v2\/posts\/2386\/revisions"}],"predecessor-version":[{"id":2400,"href":"https:\/\/izendestudioweb.com\/articles\/wp-json\/wp\/v2\/posts\/2386\/revisions\/2400"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/izendestudioweb.com\/articles\/wp-json\/wp\/v2\/media\/2385"}],"wp:attachment":[{"href":"https:\/\/izendestudioweb.com\/articles\/wp-json\/wp\/v2\/media?parent=2386"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/izendestudioweb.com\/articles\/wp-json\/wp\/v2\/categories?post=2386"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/izendestudioweb.com\/articles\/wp-json\/wp\/v2\/tags?post=2386"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}