Publish an announcement regarding Gateway API with a multi-tenant single Ingress controller #8278

@maelvls

Description

This is urgent, as lots of ingress-nginx users are wondering what the current state of things is with cert-manager and Gateway API, especially since we have seen lots of questions in different places:

Reddit: Does anyone else feel the Gateway API design is awkward for multi-tenancy?

This was the biggest thing I noticed evaluating a migration to Gateway over Ingress (EKS with cert-manager/LE) followed by the strategy, how many Gateways to HTTPRoutes etc.

Before with ingress-nginx or Traefik as my ingress controllers, Infra admins just had to worry about deploying and configuring the controllers. Devs can deploy an ingress, give it the host and cert-manager handles the TLS secret part of it automatically. Ezpz done deal.

With Gateway that responsibility is delegated between two different resources, and now my dev teams need to be concerned about both. If I deploy one central Gateway, now I have to throw a star cert on it if I want it to be shared between different subdomains, and they're SOL if they wanted two levels, so maybe this was designed with path-based routing in mind rather than subdomains. Since we use cert-manager we can throw certs around like candy, so I could let devs deploy a Gateway themselves, and now I have O(N) gateway resources, where on EKS with LBC that is a brand new load balancer being brought up + those controller pods are scheduled + now our costs and complexity go up.

There are some good comments and insights from contributors here, and it seems like ListenerSets could solve that problem, but now we have another CR in that loop where one single Ingress before had everything we needed in a couple of lines. Maybe I just haven't encountered the complex scenarios where the power of decoupled HTTPRoutes comes into play; Ingress still feels like the mature and simpler option for now, at least in my case.

Reddit: My number one issue with Gateway API

When I took a look at gateway yesterday, the certificate management was such a regression I gave up. Bone heads.

I much preferred when tls could be defined in an httproute in the early days. Then I can create the gateway and any hostnames the app devs want they can use.

Now a dev will need to create a listener set and a httproute as two separate objects to do the same thing that was simple with ingress.

We need to address the community's concerns ASAP.

Erik and I have talked about what we could do to address the fact that cert-manager isn't yet ready for people willing to migrate off ingress-nginx + Ingress to Gateway API. The idea would be to publish a blog post on cert-manager.io that would indicate what the problem is and what the timeline is for cert-manager to accommodate multi-tenant Gateway resources.

Relates to:

CyberArk tracker: VC-47200
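To make the two models the quoted posts compare concrete, here is an added illustration (not from this issue or from the cert-manager project): the single-object Ingress form beside the Gateway API form, where the infra team owns the Gateway with its wildcard HTTPS listener and the app team only attaches an HTTPRoute. The names, namespaces and the `letsencrypt-prod` issuer are assumptions, and the annotation on the Gateway only does anything when cert-manager's Gateway API support is enabled.

```yaml
# Ingress model: one object in the app team's namespace does everything
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop
  namespace: team-a
  annotations: {cert-manager.io/cluster-issuer: letsencrypt-prod}  # assumed issuer
spec:
  ingressClassName: nginx
  tls:
    - hosts: [shop.example.com]
      secretName: shop-tls   # cert-manager creates this Secret next to the Ingress
  rules:
    - host: shop.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend: {service: {name: shop, port: {number: 80}}}
---
# Gateway API model: TLS lives on the shared Gateway, owned by the infra team
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared
  namespace: infra
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod   # assumed issuer
spec:
  gatewayClassName: nginx
  listeners:
    - name: https-wildcard
      protocol: HTTPS
      port: 443
      hostname: "*.example.com"   # the "star cert": does NOT cover a.b.example.com
      tls:
        mode: Terminate
        certificateRefs:
          - name: wildcard-example-com-tls   # cert-manager creates this in "infra"
      allowedRoutes:
        namespaces: {from: All}   # lets routes from team namespaces attach
---
# The app team attaches a route only; it cannot add a cert for its own hostname here
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata: {name: shop, namespace: team-a}
spec:
  parentRefs: [{name: shared, namespace: infra, sectionName: https-wildcard}]
  hostnames: [shop.example.com]
  rules: [{backendRefs: [{name: shop, port: 80}]}]
```

A wildcard listener hostname needs an issuer that can do DNS-01 validation, and any team wanting a second subdomain level (the "two levels" case above) needs its own listener or a separate Gateway.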

Labels: cybr (Used by CyberArk-employed maintainers to report to line management what's being worked on.)