**Gateway API: cool, but why can't I configure TLS myself?**

<img src="https://hackmd.io/_uploads/BJoZAEsbll.png" width="300"/>

Maël Valais, 21 May 2025

---

**Why care about Gateway API?**

1. Gateway API = role-aware version of Ingress API + many more knobs and fewer annotations
2. Ingress API not well defined, e.g., one team may silently be claiming traffic from another team's hostname
3. nginx-ingress obsolescent: no new features, will be deprecated by 2026

---

**Today:** no more TLS self-service with Gateway API

| | |
|--|--|
| **Ingress** | dev configures routes + TLS |
| **Gateway** | costly shared resources owned by cluster operator = dev can't configure TLS |

**Tomorrow:** ListenerSet + cert-manager = back to self-service TLS ([GEP 1713](https://gateway-api.sigs.k8s.io/geps/gep-1713/))

---

![gateway-with-manifests.excalidraw-fs8](https://hackmd.io/_uploads/H1iL9yc-lg.png)

---

![gateway-listenerset-manifests.excalidraw-fs8](https://hackmd.io/_uploads/HyWT91cZle.png)

---

**tl;dr:**

- Thousands of users stuck with Ingress due to cert-manager
- Work with sigs-network on a good migration (implement ListenerSet + improve `ingress2gateway`)

![qrcode_hackmd.io-fs8](https://hackmd.io/_uploads/Hkm93Jqbxx.png)
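
The "Tomorrow" split as manifests, as an added example that is not from the original slides or from the cert-manager project. It follows the experimental ListenerSet API of GEP 1713 (`XListenerSet`, whose field names may still change). All names, namespaces, labels and the hostname are constructed, and cert-manager acting on the issuer annotation of a ListenerSet is an assumption about the future integration.

```yaml
# Owned by the cluster operator, in the "infra" namespace (constructed names).
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-gateway
  namespace: infra
spec:
  gatewayClassName: example-class      # placeholder class name
  allowedListeners:                    # experimental field from GEP 1713
    namespaces:
      from: Selector                   # only labelled namespaces may attach listeners
      selector:
        matchLabels:
          shared-gateway-access: "true"
  listeners:
  - name: http
    protocol: HTTP
    port: 80
---
# Owned by the dev team, in its own namespace: hostname and TLS are self-service.
apiVersion: gateway.networking.x-k8s.io/v1alpha1
kind: XListenerSet
metadata:
  name: team-a-listeners
  namespace: team-a                    # must carry the label selected above
  annotations:
    # Assumption: cert-manager honours this annotation on a ListenerSet
    # the way it does on a Gateway today.
    cert-manager.io/issuer: team-a-issuer
spec:
  parentRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: shared-gateway
    namespace: infra
  listeners:
  - name: app-https
    hostname: app.team-a.example.com   # constructed hostname
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: app-team-a-tls           # Secret lives in team-a, not in infra
```

The operator keeps control of who may attach through `allowedListeners`, while the certificate Secret and its issuer stay in the team's namespace.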
{"description":"Gateway API = role-aware version of Ingress API + many more knobs (e.g., lets you to fine-tune the load balancer)","slideOptions":"{\"theme\":\"white\"}","title":"Gateway API: cool, but what about my certs?","contributors":"[{\"id\":\"e67e2764-40c1-4315-969f-44487ef63c68\",\"add\":5215,\"del\":3801}]"}
    197 views