Blog post to address concerns about ingress-nginx's EOL coming in March 2026 #1857
Signed-off-by: Maël Valais <mael@vls.dev>
…ession" Signed-off-by: Maël Valais <mael@vls.dev>
Context around 1.20: the page https://cert-manager.io/docs/releases/ says that we should be spelling release branches (also called 'releases') without the 'v' prefix. Signed-off-by: Maël Valais <mael@vls.dev>
content/announcements/2025-11-26-ingress-nginx-eol-and-gateway-api.md
| This restores the separation of concerns while preserving the security | ||
| improvements of Gateway API's design: |
There was a problem hiding this comment.
Something should really explain why it works. Namely that a given something becomes first come first served and as long as no one accidentally deletes it, it's committed to that resource. At least, I think that's why it works. As a non expert, I can't really be sure. And I don't want to have to read all of the other docs (I will, because I'm more or less committed to reviewing them, but everyone else shouldn't have to, especially not yet, as they aren't in great shape).
There was a problem hiding this comment.
By "why it works", what are you referring to? Preserving the improvements of Gateway API's design? I'd love to add more details to this paragraph, but I'm a little short on time.
There was a problem hiding this comment.
Why listenersets ensures that if one team claims a domain a second team can't steal traffic for it.
content/announcements/2025-11-26-ingress-nginx-eol-and-gateway-api.md
|
|
||
| - ingress-nginx and InGate will reach EOL in March 2026, but it is unclear to | ||
| cert-manager users what's possible today and what will only be possible once | ||
| `XListenerSet` is supported. |
There was a problem hiding this comment.
At this point in the article you have not mentioned GatewayAPI at all - I would not expect a reader to know what an XListenerSet is.
TBH, I think this point is redundant, you cover the fact cert-manager is waiting on XListenerSet support and that our support is not ready yet in the next two bullet points.
If we don't want to drop this bullet point entirely, I would:
- Move it to the end of the list so they have context from the other bullet points what an `XListenerSet` is
- Reword it from `but it is unclear to cert-manager users` to `we want to clarify to cert-manager users`
There was a problem hiding this comment.
Fair point, it did feel off to talk about XListenerSet upfront... thank you for pointing that out. Also, I don't like these bullet points as they feel a bit too much ChatGPT-esque, so I've rephrased the paragraph to:
cert-manager users who migrate from Ingress to Gateway API will realize that
they do not have the same TLS self-service experience due to Gateway being owned by
Cluster Operators. The community brought up this concern in various forums.

The missing piece is Gateway API's experimental XListenerSet resource, which
aims to restore per-team TLS configuration on a shared Gateway. cert-manager
will add experimental XListenerSet support in 1.20, targeted for 10 February
2026, with alpha builds in January 2026.

And since ingress-nginx and InGate will reach EOL in March 2026, we want to
clarify to cert-manager users what's possible today and what will only be
possible once cert-manager supports XListenerSet.
WDYT?
There was a problem hiding this comment.
I don't really like the "cert-manager users will realise" format. We the cert-manager devs realise, that's why we are making the post.
Maybe something like this
Since the announcement that ingress-nginx and InGate will reach EOL in March 2026 we have seen more questions about the Ingress to GatewayAPI migration path. Currently cert-manager does not have the same TLS self-service experience due to design differences between Ingress and GatewayAPI.
Whereas Ingress was a single resource, GatewayAPI breaks the resource down into cluster operator owned Gateway resources, and team owned HTTPRoute resources, with certificates being configured on the cluster operator owned Gateway resources.
The missing piece is Gateway API's experimental XListenerSet resource, which aims to restore per-team TLS configuration on a shared Gateway. cert-manager will add experimental XListenerSet support in 1.20, targeted for 10 February 2026, with alpha builds in January 2026.
There was a problem hiding this comment.
I like what you wrote. I'll use that, is that OK? I've fixed a few things, but it's mostly the same:
Since the announcement that ingress-nginx and InGate will reach end of life in March 2026, we have seen more questions about the migration path from Ingress to Gateway API. Today, cert-manager cannot offer the same TLS self-service experience because of design differences between the two APIs.
Whereas Ingress was a single resource, Gateway API breaks the resource down into cluster-operator-owned Gateway resources and team-owned HTTPRoute resources, with certificates configured on cluster-operator-owned Gateways.
The missing piece is Gateway API's experimental XListenerSet resource, which aims to restore per-team TLS configuration on a shared Gateway. cert-manager plans to add experimental XListenerSet support in 1.20, targeted for 10 February 2026, with alpha builds in January 2026.
There was a problem hiding this comment.
Only nit is the comma here: reach end of life in March 2026, we have seen
It leaves a weird spacing when reading it, I think it reads better without that comma.
Other than that very minor nit, it looks good to me 🙂
There was a problem hiding this comment.
I'd probably reorder it to:
We have seen questions about migrating from Ingress to Gateway API since the announcement that ingress-nginx and InGate will reach end of life in March 2026.
-- drop more and replace migration path, etc. to simplify
There was a problem hiding this comment.
[The comma] leaves a weird spacing when reading it, I think it reads better without that comma.
I can feel that weird spacing you are talking about. The reason I've added that comma is because of the long introductory clause ("Since..."). This writing guide explains why the comma is warranted.
I like Josh's suggestion to reorder the sentence: it works around my very long introductory clause and avoids any confusion.
Moved to: https://github.com/cert-manager/cert-manager/pull/7839/files#r2568524589 Signed-off-by: Maël Valais <mael@vls.dev>
content/announcements/2025-11-26-ingress-nginx-eol-and-gateway-api.md
| cert-manager users who migrate from Ingress to Gateway API will realize that | ||
| they do not have the same TLS self-service experience due to Gateway being owned by | ||
| Cluster Operators. The community brought up this concern in various forums. |
There was a problem hiding this comment.
I agree with @ThatsMrTalbot about "cert-manager users ... will realize".
There was a problem hiding this comment.
I've gone with Adam's proposed paragraph, does it look better?
wallrj-cyberark left a comment
There was a problem hiding this comment.
Nice post @maelvls
But I don't like the opening paragraph. I feel like you should start with what you've got in the third paragraph
Ingress-nginx and InGate will reach EOL in March 2026, and we want to
reassure cert-manager users that we're on it!
In this blog post you will learn about the options available to you today and what we have planned for the next versions of cert-manager.
... or something like that.
Also suggest adding cross-links to this blog post from the relevant reference docs and tutorials.
I think this is good to go. @wallrj-cyberark can you give me a LGTM? Thanks
hi.mladen
There was a problem hiding this comment.
Made me think of this video from the Primagen: https://www.youtube.com/watch?v=YFkeOBqfQBw
| --- | ||
|
|
||
| > **Upcoming change:** ingress-nginx is scheduled for end of life in March 2026. See [Ingress-nginx End-of-Life: What cert-manager Supports Today and What's Coming](/announcements/2025-11-26-ingress-nginx-eol-and-gateway-api) for migration guidance and Gateway API plans. | ||
|
|
There was a problem hiding this comment.
Link doesn't work. Did you check it? Is it just me?
https://deploy-preview-1857--cert-manager.netlify.app/announcements/2025-11-26-ingress-nginx-eol-and-gateway-api/
vs
https://deploy-preview-1857--cert-manager.netlify.app/announcements/2025/11/26/ingress-nginx-eol-and-gateway-api/
The automated link checker only works for relative markdown links to the raw markdown.md file, I think.
There was a problem hiding this comment.
You are right. I pushed the commit to verify (didn't build locally) but haven't had time to test and fix yet (had to run to the hospital).
I'll finish this tomorrow
There was a problem hiding this comment.
I'm back.
I made a mistake in the backlinks. I fixed them and checked the links in each of the pages:
| Description of the change | Preview link |
|---|---|
| Added note in tutorial | docs/tutorials/acme/nginx-ingress |
| Added note in tutorial | docs/tutorials/venafi/venafi |
| Added note in tutorial | docs/tutorials/zerossl/zerossl |
| Added note in Ingress page | docs/usage/ingress |
| Added note in the Gateway page to warn people that cert-manager doesn't support yet self-service for folks coming from Ingresses | docs/usage/gateway |
/approve

@maelvls Not sure why this isn't merging. Do you need to rebase it on latest master? Is that a new rule? I don't remember having to in the past.

New changes are detected. LGTM label has been removed.

Not sure. Sounds like something new? I've pressed "Update branch"... which removed the LGTM label.

Do you need to dismiss the requested change?

[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: wallrj, wallrj-cyberark

I've addressed the feedback I got on Slack.
Note that the diagrams and most of the blog post come from cert-manager/cert-manager#7839.
Fixes cert-manager/cert-manager#8278.
CyberArk tracker: VC-47740