Migrating to Gateway API
Gateway API support in metal-stack is still in development. Changes are expected, especially around certificate management.
From version x.y.z metal-stack supports Gateway API as a replacement for Kubernetes Ingress resources.
This guide explains why we are moving to Gateway API, what changes for you as an operator, and how to migrate an existing metal-stack installation.
Motivation
ingress-nginx has been deprecated and we currently depend on it. metal-stack
has control-plane components that are not served via HTTP/GRPC. Those are
exposed as TCP Services via ingress-nginx. As a result we are going to move
all metal-stack components to Gateway API.
What will change
Certificate provisioning and TLS termination
Certificate provisioning and TLS termination will move into the Gateway resource. metal-stack deployed via metal-roles will expect TLS termination to happen on the Gateway.
Exceptions for TLS termination:
- NSQ will for now still terminate its own certificates
- The GRPC endpoint of metal-api will stay a TCPRoute and TLS termination will stay in the application. As metal-api will be superseded by metal-apiserver in the near future, we do not see the value in migrating it fully
Continued need for an Ingress Controller
For some vendor dependencies you will still require an ingress controller. Examples of services still relying on Ingress are Gardener and Thanos. As ingress-nginx is EoL we recommend switching to a different Ingress Controller implementation.
Before you begin
Familiarize yourself with Gateway API
Gateway API is more complex than Ingress and consists of multiple different resources. An introduction can be found here
Gateway API implementation requirements
metal-stack does not require one specific Gateway API implementation. You can choose any Gateway API implementation that provides the following features:
HTTPRouteTCPRoute
In our mini-lab demo environment we are running Envoy Gateway.
Migration Path decisions
- Select a Gateway API implementation, e.g. Envoy Gateway
- Certificate management: Gateway API now requires the Gateway to know
Migration steps
Create a Gateway resource
Gateway deployment
As we require TCPRoutes you will have to make changes to your existing Gateways, if applicable.
Still, we suggest you create a dedicated metal-stack gateway, like we do for mini-lab.
Certificate management
Use automated certificate management. cert-manager can handle your certificate renewal and supports Gateway API. You can use Let's Encrypt for valid public certificates or use a private CA.
As an aside: you can issue valid public TLS certs using Let's Encrypt, including for IP addresses.
Migrating HTTP/GRPC services
Migrating TCP services
Remaining ingress controller dependencies
For some vendor dependencies you will still require an ingress controller:
- Gardener
- Thanos
Verification
Rollback
Open questions
- Are we going to do TLS termination for nsq (for example) on the Gateway? This determines whether
TLSRouteis a hard requirement.