Choosing an Ingress Controller After Nginx-ingress Deprecation

JR

Migrating from nginx-ingress requires evaluating Traefik, Envoy Gateway, or AWS Load Balancer Controller based on routing complexity, ecosystem integration, and operational overhead.

Diagnosis: Current State and Requirements

If you’re running complex nginx routing configurations (e.g., Lua scripts, custom rewrites), prioritize solutions with equivalent flexibility. Traefik’s Middleware CRDs or Envoy’s route configuration options are viable. For AWS-native teams, the AWS Load Balancer Controller (ALB) simplifies integration with ACM and VPC resources but has a hard limit of 100 backend targets per ingress.

Repair Steps: Migration Workflow

  1. Audit Existing Configs: Document all nginx ingress annotations, rewrite rules, and TLS settings. Use kubectl get ingress -o yaml to export current configurations.
  2. Test Alternatives in Staging: Deploy a parallel ingress controller (e.g., Traefik or ALB) in a non-production cluster. Validate routing behavior matches expectations.
  3. Deploy with Fallback: Roll out the new controller incrementally using canary deployments. Monitor metrics (latency, error rates) and keep nginx-ingress as a backup until validated.
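An added example for the audit in step 1 (not part of the original post): it inventories nginx.ingress.kubernetes.io annotations per ingress and flags the ones that carry access control or raw nginx config, since those need an explicit equivalent on the new controller. It assumes JSON output (`kubectl get ingress -A -o json`) rather than the YAML export mentioned above; the REVIEW set and the sample data are constructed for illustration.

```python
import json
import sys
from collections import defaultdict

PREFIX = "nginx.ingress.kubernetes.io/"
# Assumed review list: annotations that enforce access control or inject raw
# nginx config. Losing one silently during migration changes exposure.
REVIEW = {"auth-url", "auth-type", "auth-secret", "whitelist-source-range",
          "configuration-snippet", "server-snippet"}

# Constructed sample in the shape of `kubectl get ingress -A -o json`.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "shop", "name": "web", "annotations": {
        PREFIX + "rewrite-target": "/$1",
        PREFIX + "whitelist-source-range": "10.0.0.0/8"}},
     "spec": {"tls": [{"hosts": ["shop.example.com"], "secretName": "shop-tls"}]}},
    {"metadata": {"namespace": "admin", "name": "panel", "annotations": {
        PREFIX + "auth-url": "https://sso.example.com/verify",
        "kubernetes.io/ingress.class": "nginx"}},
     "spec": {}},
]})


def audit(doc):
    """Return (annotation -> [ns/name], ingresses without TLS, review hits)."""
    usage, no_tls, review = defaultdict(list), [], []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        if not item.get("spec", {}).get("tls"):
            no_tls.append(ref)
        for key in sorted(meta.get("annotations") or {}):
            if key.startswith(PREFIX):
                short = key[len(PREFIX):]
                usage[short].append(ref)
                if short in REVIEW:
                    review.append((ref, short))
    return dict(usage), no_tls, review


if __name__ == "__main__":
    # Pipe real kubectl output in, or run with no stdin to use the sample.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    usage, no_tls, review = audit(json.loads(raw))
    for name, refs in sorted(usage.items()):
        print(f"{name}: {', '.join(refs)}")
    print("no TLS block:", ", ".join(no_tls) or "none")
    for ref, name in review:
        print(f"REVIEW {ref}: {name} needs an equivalent on the new controller")
```
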

Policy Example: Routing Configuration Standards

Adopt a policy requiring all ingress rules to use standardized Middleware CRDs (Traefik) or IngressClass annotations (ALB). Example Traefik policy snippet:

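apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: custom-rewrite
spec:
  # redirectRegex is a single mapping (regex, replacement, permanent), not a list.
  # The regex is evaluated against the request URL (scheme and host included).
  redirectRegex:
    regex: ^/(.*)
    replacement: /app/$1
    permanent: true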

For AWS ALB, enforce annotations like alb.ingress.kubernetes.io/target-type: ip so that the choice between instance and IP-based routing is explicit and consistent.

Tooling Options

| Tool | Use Case | Pros | Cons |
|---|---|---|---|
| Traefik | Complex routing, non-AWS clouds | Middleware CRDs, active community | Steeper learning curve |
| Envoy Gateway | Cloud-native, service mesh hybrid | Tight Envoy integration | Less mature ingress features |
| AWS ALB Controller | EKS-native, AWS-managed TLS | Seamless ACM/VPC integration | 100 backend limit, AWS-only |

Prevention: Monitoring and Maintenance

  • Monitor Limits: For ALB, track backend target counts to avoid hitting the 100-target cap. Use Prometheus alerts on ingress metrics.
  • Update Strategy: Regularly test new versions of your chosen controller in staging. Automate rollback if health checks fail.
  • Documentation: Maintain a playbook for common issues (e.g., 502 errors, TLS misconfigurations) specific to your chosen tool.

Choose based on your team’s expertise and ecosystem lock-in tolerance. For AWS-heavy shops, ALB reduces operational toil. For custom routing needs, Traefik offers flexibility at the cost of complexity.

Source thread: With nginx-ingress being archived, which would be sufficient for my needs?
