Migrate from Ingress NGINX
This page describes the step-by-step migration from Ingress NGINX to Airlock Microgateway using the Kubernetes Gateway API. It focuses on the practical migration steps, converting the Ingress NGINX resources to Gateway API resources with the ingress2gateway tool.
Prerequisites
- Airlock Microgateway is installed in the Community or Premium Edition (see Installation and Upgrade)
- ingress2gateway is installed
- yq is installed
General conversion approach
Converting Ingress NGINX resources follows the following approach:
- Convert manifest files
- Convert a single manifest file
Run the conversion against your existing Ingress manifest and write the output to a new file:
- Convert a directory of manifests
To convert all Ingress manifests in a directory at once:
- Review the conversion report
The tool prints a warning for every annotation or field it could not translate to a standard Gateway API resource. Review these carefully before proceeding. Each warning requires a manual decision.
Example output:
- Example
┌─ WARN ──────────────────────────────────────── │ Gateway API does not support configuring URL normalization (RFC 3986, Section 6). Please check if this matters for your use case and consult implementation-specific details. │ source: STANDARD_EMITTER └─
- Validate before applying
Before applying the generated resources to the cluster, run a dry-run to catch any syntax or API errors:
- Notice
A successful dry-run validates the resource structure but does not confirm that your routes behave identically to the original Ingress. Always test connectivity after applying.
Example migration
The following example shows a typical multi-path Ingress resource and its equivalent Gateway API configuration.
Ingress NGINX configuration
The Ingress NGINX configuration to be migrated looks as follow:
Convert the configuration
Run the following command to convert the Ingress NGINX configuration:
You may have noticed the yq command used to update the GatewayClassName, Gateway and parentRefs[].name values.
Generated Gateway API configuration
The ingress2gateway tool generates a Gateway and an HTTPRoute, which looks as follow:
Deploy and test
Apply the Gateway API resources
Before applying the generated resources to the cluster, run a dry-run to catch any syntax or API errors:
After the dry-run has completed successfully, you can apply the generated resources alongside your existing Ingress. Both can run in parallel during the transition.
Verify the Gateway status
Confirm the Gateway has been accepted and programmed by the Airlock Microgateway Operator before sending any traffic to it:
Example output:
NAMESPACE NAME CLASS ADDRESSES PORTS PROGRAMMED AGE POLICIES HTTPROUTES default my-ingress airlock-microgateway 192.168.64.2 80,443 True 6m9s 0 2
A Programmed condition set to False, or an unexpected number of listed policies or accepted HTTPRoutes, indicates that something is wrong.
Use gwctl describe gateway my-ingress for detailed information on the status of the gateway, its listeners, the attached routes, and their back-ends. Refer to the troubleshooting guide Analyze Configuration Issues to investigate further what went wrong.
Test connectivity
Use gwctl get gateway my-ingress to obtain Gateway's external IP address and verify that requests are routed correctly:
Example output:
NAMESPACE NAME CLASS ADDRESSES PORTS PROGRAMMED AGE default my-ingress airlock-microgateway 192.168.64.2 80,443 True 6m53s
Use curl to send test requests to your application:
Further information and links
External links: