Migrating from F5 NGINX Ingress Controller to the F5 NGINX Gateway Fabric

The Kubernetes ecosystem is undergoing a significant transformation in how it handles networking, shifting from traditional Ingress API and annotations to the more advanced Gateway API. This change is driven by the growing complexity of modern applications and the need for more sophisticated traffic management. NGINX, a leader in application delivery, is at the forefront of this transition, offering both the F5 NGINX Ingress Controller (NIC) for current and future needs and F5 NGINX Gateway Fabric (NGF) for advanced deployments.

The Current State: F5 NGINX Ingress Controller

For years, Kubernetes has relied on Ingress controllers to manage external traffic. The open source NGINX Ingress Controller has been a popular choice due to its high performance, reliability, and extensive feature set. It excels at HTTP/HTTPS routing, SSL termination, and load balancing. While NGINX Ingress Controller continues to innovate and evolve, Kubernetes deployments are dealing with ever-advancing traffic management needs, requiring a new approach.

Benefits of NGINX Ingress Controller

• Maturity and Stability: NGINX Ingress Controller is a well-established solution with a strong track record of performance and reliability.
• Advanced Features: It offers sophisticated traffic management capabilities, including Layer 4 and Layer 7 load balancing, rate limiting, and circuit breaking.
• Security: Integrated Web Application Firewall (WAF) via NGINX App Protect, DDoS protection, and robust authentication mechanisms.
• Operational Visibility: Detailed logging and integrations with cloud-native observability tools like Prometheus and Grafana.

The Future: Gateway API and F5 NGINX Gateway Fabric

The Gateway API represents a significant evolution in Kubernetes networking, addressing the limitations of the Ingress API with a more flexible, extensible, and powerful framework. NGINX has embraced this shift with its open source NGINX Gateway Fabric, an implementation of the Gateway API.

Overview of  the NGINX Gateway Fabric

Built on the open source NGINX data plane, NGINX Gateway Fabric is a Kubernetes Gateway API implementation that provides connectivity for your Kubernetes apps. It has a native role-based API model that enables self-service governance across the infrastructure for multi-tenant teams. It also allows the use of the same data and control planes across any hybrid or multi-cloud Kubernetes environment while keeping the two planes separate for better security, flexibility and reliability.

The control plane is a Kubernetes controller built with the controller-runtime library. It runs as a Deployment that manages NGINX data plane resources. By watching for changes to Gateway API resources, Services, Endpoints, and Secrets, it automatically handles resource provisioning and configuration.

NGINX data plane pods can be provisioned as either an independent Deployment or a DaemonSet. Each pod contains an NGINX container, which runs both the NGINX process and the open source NGINX Agent.

Here’s a diagram showing the NGINX Gateway Fabric design and architecture.

Some Key Benefits of Using NGINX Gateway Fabric

• Flexibility and Extensibility: The NGINX Gateway Fabric provides support for multiple protocols (HTTP, TCP, gRPC, etc.) and offers built-in support for advanced deployment patterns like blue-green and canary releases.
• Role-Oriented Design: It provides distinct roles for infrastructure providers, cluster operators, and app developers, improving manageability and security.
• Future-Proofing: As the Kubernetes community shifts focus towards the Gateway API, adopting NGINX Gateway Fabric now positions organizations for long-term success.
• Portability and Standardization: As a standardized API, it promotes portability across different Gateway API implementations and vendors, reducing vendor lock-in and simplifies migration between controllers, as configurations are largely consistent.
• Enhanced Expressiveness and advanced functionality: The API offers more expressive capabilities for traffic routing and management, supporting advanced features like header-based matching, traffic weighting, and more complex routing rules natively, reducing reliance on vendor-specific annotations.

Tools to Aid Migration

Migration between ingress controllers is challenging as different vendors use different annotations. Moving from an ingress controller to a Gateway API like NGF may pose similar challenges, though migration between Gateway API implementations is not difficult.

A great place to start is with ingress2gateway, an open source project developed by the  Kubernetes community. A subproject of the Gateway API SIG-Network, ingress2gateway is designed to simplify the migration from the Kubernetes Ingress to the flexibility of the Kubernetes Gateway API. The tool automatically converts existing Ingress resources, including many provider-specific annotations and configurations, into the corresponding Gateway API resources like Gateway, GRPCRoute, HTTPRoute, and BackendTLSPolicy.

F5 NGINX has created a provider for the NGINX Kubernetes projects (NGINX Ingress Controller and NGINX Gateway Fabric). Specifically, the NGINX provider within ingress2gateway enables the conversion of NGINX Ingress Controller resources to Gateway API resources for deployment with NGINX Gateway Fabric.

Even if you are using the community project ingress-nginx, once you have migrated to the Gateway API using the specific provider, you can move to the NGINX Gateway Fabric. After all, one of the goals for the Gateway API is portability.

It is not a complete end-to-end migration solution. You will need to manually review the converted resources, test functionality, and make additional configuration changes as needed for your specific environment.

Key Features and Capabilities of ingress2gateway

• Resource Conversion: ingress2gateway can convert core Kubernetes Ingress resources and associated Services into their Gateway API equivalents.

• Annotation Support: The tool supports various NGINX-specific annotations, translating them into appropriate Gateway API resources.

Some of the supported annotations include:

• nginx.org/ssl-services for SSL/TLS backend connections, mapped to BackendTLSPolicy.
• nginx.org/grpc-services for gRPC backend connections, mapped to GRPCRoute.
• nginx.org/websocket-services for WebSocket backend connections, providing an informational notification.
• nginx.org/proxy-hide-headers and nginx.org/proxy-set-headers for modifying headers, mapped to HTTPRoute ResponseHeaderModifier and RequestHeaderModifier respectively.
• nginx.org/rewrites for URL rewriting, mapped to HTTPRoute URLRewrite filter.
• nginx.org/redirect-to-https and ingress.kubernetes.io/ssl-redirect for SSL/HTTPS redirects, mapped to HTTPRoute RequestRedirect filter.

You can find a more detailed list of annotations and Gateway API mappings in the NGINX provider repo on GitHub. Some resources are not yet available, like virtualServer, VirtualServerRoute and transport server, but are planned to be supported in the future.

Usage and Benefits

Using ingress2gateway with the NGINX provider primarily consists of two parts:

• Conversion from Cluster:

Run ingress2gateway print --providers=nginx to convert NGINX Ingress Controller resources directly from the Kubernetes cluster.

• Conversion from File:

Use ingress2gateway print --providers=nginx --input-file=nginx-ingress.yaml to convert resources from a YAML file.

For detailed use directions, check out the README on the main project page.

The benefits of using ingress2gateway include:

• Simplified Migration: By automating the conversion process, ingress2gateway reduces the complexity and effort required to migrate to the Gateway API.
• Consistency and Accuracy: The tool ensures that the conversion is consistent and accurate, minimizing manual errors.
• Support for Advanced Features: ingress2gateway handles the translation of advanced NGINX Ingress Controller features, such as SSL/TLS configurations and header modifications, into their Gateway API counterparts.

Migrating from Ingress Controller to Gateway API

Even with using tools like ingress2gateway with the NGINX provider, migrating to the Gateway API requires careful planning. The process involves several steps:

1. Pre-Migration Planning: Document the current setup, including Ingress objects and annotations. Define migration goals and success criteria.
2. Installation and Configuration: Deploy NGINX Gateway Fabric alongside the existing Ingress controller. Convert Ingress configurations to Gateway API resources.
3. Testing and Validation: Conduct thorough functional and performance testing. Validate security features and monitor performance metrics.
4. Traffic Cutover: Gradually shift traffic to NGINX Gateway Fabric using strategies like canary releases.
5. Post-Migration Cleanup: Decommission the old Ingress controller after confirming stability.

Contributing and Extensibility

The ingress2gateway project is open to contributions, especially for adding support for new NGINX Ingress Controller annotations. Contributors can follow the guidelines provided in the repository to implement conversion logic, add tests, and update the documentation.

By leveraging ingress2gateway, organizations can streamline their transition to the Gateway API, taking advantage of its flexibility, extensibility, and advanced traffic management capabilities. This tool is a valuable asset for those looking to modernize their Kubernetes networking infrastructure with NGINX Ingress Controller and NGINX Gateway Fabric.

Conclusion

The shift from Ingress controllers to the Gateway API is a significant step in the evolution of Kubernetes networking. NGINX is committed to supporting this transition with both NGINX Ingress Controller for current needs and NGINX Gateway Fabric for future requirements. By leveraging ingress2gateway, organizations can streamline their transition to the Gateway API, taking advantage of its flexibility, extensibility, and advanced traffic management capabilities. This tool is a valuable asset for those looking to modernize their Kubernetes networking infrastructure with NGINX Ingress Controller and NGINX Gateway Fabric.

Whether you’re currently using NGINX Ingress Controller or planning to adopt the Gateway API, NGINX provides the tools, support, and innovation needed to navigate this evolving landscape. As Kubernetes continues to mature, NGINX remains a trusted partner in delivering robust, secure, and scalable application delivery solutions.

Getting Started

• Learn more about NGINX Ingress Controller and its capabilities.
• Explore NGINX Gateway Fabric and its role in future Kubernetes networking.
• Join the NGINX Community Forum to discuss your Kubernetes networking challenges and strategies.