Announcing Tetrate Agent Operations Director for GenAI Runtime Visibility and Governance

Learn more
< Back

Migrating from ingress-nginx to Envoy Gateway

Matt Turner
Migrating from ingress-nginx to Envoy Gateway

This blog aims to help users currently relying on ingress-nginx to adopt Envoy Gateway and the Gateway API. We’ll walk through the motivation for migration, provide a hands-on Minikube-based demo, and showcase how tools like ingress2gateway simplify the transition.

Why Migrate?

Ingress controllers are foundational to Kubernetes networking, and many teams initially adopt ingress-nginx because it’s widely available and easy to get started with. However, as production requirements grow, the limitations of the traditional Ingress API and nginx controller become more apparent, from confusing annotation-based configurations to traffic disruptions during updates. More critically, recent security issues such as CVE-2025-1974 have highlighted the risks of continuing to rely on ingress-nginx. The maintainers have also announced that ingress-nginx will enter maintenance mode in 18 months, making it essential to explore modern, extensible alternatives like Envoy Gateway, which offers native support for the Kubernetes Gateway API, better observability, and robust extensibility.

Enter Envoy Gateway and the Gateway API

Envoy Proxy is a modern, cloud-native proxy, designed for observability, hot-reload, and extensibility. Envoy Gateway (EG) builds on Envoy to offer a powerful ingress solution using the new Kubernetes Gateway API.

Unlike the legacy Ingress API, the Gateway API provides typed resources like Gateway, HTTPRoute, and GatewayClass, enabling structured, annotation-free configuration. EG supports features such as:

These capabilities often eliminate the need for separate API Gateway products. EG is fully open source and governed under the CNCF.

Migration Workflow: From nginx to Envoy Gateway

Before diving into the hands-on migration steps, it’s important to understand how the ingress2gateway tool works. This CLI utility scans existing Kubernetes Ingress resources—specifically those configured for controllers like ingress-nginx—and converts them into Gateway API resources, namely Gateway and HTTPRoute. While it does not generate the GatewayClass, it expects one to be pre-created and referenced. This makes it easier for users to incrementally adopt the Gateway API and modern ingress controllers such as Envoy Gateway, without rewriting everything from scratch.

Figure 1: ingress2gateway workflow

We’ll walk through a practical migration using Minikube on macOS, starting with ingress-nginx and migrating to Envoy Gateway.

Step 1: Start Minikube and Enable NGINX Ingress

minikube start
minikube addons enable ingress

Step 2: Deploy httpbin and Ingress Resources

kubectl apply -f - << EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
  labels:
    app: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
  template:
    metadata:
      labels:
        app: httpbin
    spec:
      containers:
      - name: httpbin
        image: kennethreitz/httpbin
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
spec:
  selector:
    app: httpbin
  ports:
  - port: 80
    targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: httpbin
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  rules:
  - host: httpbin.local
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: httpbin
            port:
              number: 80
EOF

Step 3: Expose LoadBalancer via Tunnel

minikube tunnel

Step 4: Test NGINX Ingress

curl -H "Host: httpbin.local" http://127.0.0.1/get

Step 5: Install Envoy Gateway

helm install eg oci://docker.io/envoyproxy/gateway-helm \
  --version v1.3.2 \
  -n envoy-gateway-system --create-namespace

Step 6: Apply GatewayClass for nginx

kubectl apply -f - << EOF
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: nginx
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
EOF

Step 7: Convert Ingress to Gateway API

Install conversion tool:

go install github.com/kubernetes-sigs/ingress2gateway@latest

Convert config:

ingress2gateway print --providers ingress-nginx | kubectl apply -f -

Optionally specify --namespace if Ingress resources are not in default.

Step 8: Validate Migration

Test the route:

curl --header 'Host: httpbin.local' http://127.0.0.1/get

Step 9: Cleanup nginx (Optional)

Terminate the minikube tunnel and then disable the ingress:

minikube addons disable ingress

Summary

By migrating to Envoy Gateway, you gain access to a more expressive, robust ingress configuration backed by the CNCF community. Features like rate limiting, WAF, and identity integration come built-in and standards-based.

Further Reading

Matt Turner
Product background Product background for tablets
New to service mesh?

Get up to speed with free online courses at Tetrate Academy and quickly learn Istio and Envoy.

Learn more
Using Kubernetes?

Tetrate Enterprise Gateway for Envoy (TEG) is the easiest way to get started with Envoy Gateway for production use cases. Get the power of Envoy Proxy in an easy-to-consume package managed via the Kubernetes Gateway API.

Learn more
Getting started with Istio?

Tetrate Istio Subscription (TIS) is the most reliable path to production, providing a complete solution for running Istio and Envoy securely in mission-critical environments. It includes:

  • Tetrate Istio Distro – A 100% upstream distribution of Istio and Envoy.
  • Compliance-ready – FIPS-verified and FedRAMP-ready for high-security needs.
  • Enterprise-grade support – The ONLY enterprise support for 100% upstream Istio, ensuring no vendor lock-in.
    • Learn more
    Need global visibility for Istio?

    TIS+ is a hosted Day 2 operations solution for Istio designed to streamline workflows for platform and support teams. It offers:

  • A global service dashboard
  • Multi-cluster visibility
  • Service topology visualization
  • Workspace-based access control
    • Learn more
    Decorative CTA background pattern background background
    Tetrate logo in the CTA section Tetrate logo in the CTA section for mobile

    Ready to enhance your
    network
    with more
    intelligence?