<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
    <title>Alek&#x27;s Blog - gateway-api</title>
    <subtitle>Production notes on Kubernetes, OpenShift, and OVHcloud: observability, log archiving, service mesh, LLM inference, and digital sovereignty.</subtitle>
    <link rel="self" type="application/atom+xml" href="https://blog.none.at/tags/gateway-api/atom.xml"/>
    <link rel="alternate" type="text/html" href="https://blog.none.at"/>
    <generator uri="https://www.getzola.org/">Zola</generator>
    <updated>2026-07-18T00:00:00+00:00</updated>
    <id>https://blog.none.at/tags/gateway-api/atom.xml</id>
    <entry xml:lang="en">
        <title>ingress-nginx Annotation Compatibility Matrix</title>
        <published>2026-07-18T00:00:00+00:00</published>
        <updated>2026-07-18T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              aleks
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://blog.none.at/blog/2026/2026-07-18-ingress-nginx-annotation-matrix/"/>
        <id>https://blog.none.at/blog/2026/2026-07-18-ingress-nginx-annotation-matrix/</id>
        
        <summary type="html">&lt;p&gt;Part 2 built the inventory. This part answers the question that inventory exists to feed: for the
annotations that actually turn out to be hard cases — not every annotation, but the ones where the
answer isn’t obvious — does migration go cleanly, or does it silently break? The honest answer
changes row by row — and, in one case in this matrix, changes depending on the &lt;em&gt;value&lt;&#x2F;em&gt; of the
annotation, not just its name.&lt;&#x2F;p&gt;</summary>
        
    </entry>
    <entry xml:lang="en">
        <title>ingress-nginx Replacement Candidates: Envoy, HAProxy, NGINX</title>
        <published>2026-07-18T00:00:00+00:00</published>
        <updated>2026-07-18T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              aleks
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://blog.none.at/blog/2026/2026-07-18-ingress-nginx-candidates/"/>
        <id>https://blog.none.at/blog/2026/2026-07-18-ingress-nginx-candidates/</id>
        
        <summary type="html">&lt;p&gt;Part 3 answered which annotations survive a migration and which don’t. This part answers the
question that matrix exists to feed into: given those findings, which target do you actually move
to? Five candidates get the same source-verified depth as Part 3’s matrix here — not because the other
seven considered for this series are less real, but because “tested with the same rigor” and
“worth a mention” are different claims, and this guide tries not to blur them.&lt;&#x2F;p&gt;</summary>
        
    </entry>
    <entry xml:lang="en">
        <title>ingress-nginx Hard Cases: Auth, Rate Limits, gRPC, Snippets</title>
        <published>2026-07-18T00:00:00+00:00</published>
        <updated>2026-07-18T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              aleks
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://blog.none.at/blog/2026/2026-07-18-ingress-nginx-hard-cases/"/>
        <id>https://blog.none.at/blog/2026/2026-07-18-ingress-nginx-hard-cases/</id>
        
        <summary type="html">&lt;p&gt;Every earlier part of this series was research: read the source, read the docs, verify a claim
against a repo. This one is different. A real OVH Managed Kubernetes Service (MKS) cluster, a real
domain, one deliberately nasty sample application, and the exact same 10-request test script run
against ingress-nginx, then Envoy Gateway, then HAProxy Unified Gateway. Every result below is a
real HTTP response or a real line read out of a running pod, not a docs claim.&lt;&#x2F;p&gt;</summary>
        
    </entry>
    <entry xml:lang="en">
        <title>ingress-nginx Migration: A Field Guide</title>
        <published>2026-07-18T00:00:00+00:00</published>
        <updated>2026-07-18T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              aleks
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://blog.none.at/blog/2026/2026-07-18-ingress-nginx-migration-field-guide/"/>
        <id>https://blog.none.at/blog/2026/2026-07-18-ingress-nginx-migration-field-guide/</id>
        
        <summary type="html">&lt;p&gt;This is the index for a field guide to migrating away from &lt;code&gt;ingress-nginx&lt;&#x2F;code&gt;, the Kubernetes Ingress
controller that was archived and retired in March 2026. Each part stands on its own, but together
they cover the whole path: deciding whether to act, finding out what you actually depend on,
knowing which annotations translate cleanly, choosing a target, and doing the migration itself
without a flag day.&lt;&#x2F;p&gt;</summary>
        
    </entry>
    <entry xml:lang="en">
        <title>ingress-nginx Migration Mechanics: ingress2gateway and Cutover</title>
        <published>2026-07-18T00:00:00+00:00</published>
        <updated>2026-07-18T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              aleks
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://blog.none.at/blog/2026/2026-07-18-ingress-nginx-migration-mechanics/"/>
        <id>https://blog.none.at/blog/2026/2026-07-18-ingress-nginx-migration-mechanics/</id>
        
        <summary type="html">&lt;p&gt;Parts 3 through 5 answered what migrates cleanly and to which target. This part answers the
question every migration guide owes its reader eventually: how do you actually move traffic without
a flag day? A converter tool, a coexistence window, a staged cutover, and — the section every
migration plan needs but few write down — an actual rollback plan.&lt;&#x2F;p&gt;</summary>
        
    </entry>
    <entry xml:lang="en">
        <title>ingress-nginx Alternatives: Cilium, Traefik, Kong, AKS, GKE</title>
        <published>2026-07-18T00:00:00+00:00</published>
        <updated>2026-07-18T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              aleks
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://blog.none.at/blog/2026/2026-07-18-ingress-nginx-other-paths/"/>
        <id>https://blog.none.at/blog/2026/2026-07-18-ingress-nginx-other-paths/</id>
        
        <summary type="html">&lt;p&gt;Part 4 covered the five candidates source-verified with the same depth as the Part 3 matrix. This
part covers the rest of what this series set out to compare: three candidates this series tests but
doesn’t deep-dive — Cilium, Traefik, Kong — and a survey of what migrating off ingress-nginx looks
like on four managed Kubernetes platforms that were never part of the empirical lab at all.&lt;&#x2F;p&gt;</summary>
        
    </entry>
    <entry xml:lang="en">
        <title>ingress-nginx Retirement: Four Ways Forward</title>
        <published>2026-07-18T00:00:00+00:00</published>
        <updated>2026-07-18T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              aleks
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://blog.none.at/blog/2026/2026-07-18-ingress-nginx-retirement-decision/"/>
        <id>https://blog.none.at/blog/2026/2026-07-18-ingress-nginx-retirement-decision/</id>
        
        <summary type="html">&lt;p&gt;The &lt;code&gt;ingress-nginx&lt;&#x2F;code&gt; Kubernetes controller is not “retiring soon.” It already has. The GitHub
repository was archived and made read-only on 2026-03-24, and its own description now reads in the
past tense: it &lt;em&gt;was&lt;&#x2F;em&gt; an Ingress controller. For a piece of software that reportedly still runs in
front of roughly half of all cloud-native workloads, that is a completed fact, not a countdown.&lt;&#x2F;p&gt;
&lt;p&gt;This is Part 1 of a field guide to migrating away from it. This part is deliberately
non-technical — it is for whoever has to decide &lt;em&gt;what to do&lt;&#x2F;em&gt;, not yet for whoever will do the
migration work. Parts 2 onward get concrete: inventorying what you actually depend on, an
annotation compatibility matrix, migration mechanics, and a reproducible lab.&lt;&#x2F;p&gt;</summary>
        
    </entry>
    <entry xml:lang="en">
        <title>Istio AuthorizationPolicy &amp; HTTP&#x2F;2 Coalescing</title>
        <published>2026-07-13T00:00:00+00:00</published>
        <updated>2026-07-13T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              aleks
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://blog.none.at/blog/2026/2026-07-13-istio-authorizationpolicy-http2-coalescing/"/>
        <id>https://blog.none.at/blog/2026/2026-07-13-istio-authorizationpolicy-http2-coalescing/</id>
        
        <summary type="html">&lt;p&gt;Isolating an admin surface behind its own hostname and an IP-restricted
&lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;istio.io&quot;&gt;Istio&lt;&#x2F;a&gt; &lt;code&gt;AuthorizationPolicy&lt;&#x2F;code&gt; sounds like a Tuesday-afternoon change: add a
second &lt;code&gt;HTTPRoute&lt;&#x2F;code&gt;, add a &lt;code&gt;DENY&lt;&#x2F;code&gt; policy with an allowlist, done. Two non-obvious Envoy behaviors
turned it into a two-day debugging exercise instead — one in how &lt;code&gt;AuthorizationPolicy&lt;&#x2F;code&gt; resolves
“the client’s IP,” and one in how browsers reuse HTTP&#x2F;2 connections across hostnames that share a
certificate. Neither is specific to Keycloak or to this particular setup; both apply to any Istio
or Envoy Gateway API ingress sitting behind a cloud load balancer with a shared wildcard
certificate.&lt;&#x2F;p&gt;
&lt;p&gt;This post walks through both bugs, how they were root-caused, and the fix for each — so the next
person hitting either symptom can skip straight to the cause.&lt;&#x2F;p&gt;</summary>
        
    </entry>
    <entry xml:lang="en">
        <title>Istio vs. Envoy Gateway: Gateway API on Kubernetes</title>
        <published>2026-04-30T00:00:00+00:00</published>
        <updated>2026-06-25T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              aleks
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://blog.none.at/blog/2026/2026-04-30-istio-vs-envoy-gateway/"/>
        <id>https://blog.none.at/blog/2026/2026-04-30-istio-vs-envoy-gateway/</id>
        
        <summary type="html">&lt;p&gt;Both &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;istio.io&quot;&gt;Istio&lt;&#x2F;a&gt; and &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;gateway.envoyproxy.io&quot;&gt;Envoy Gateway&lt;&#x2F;a&gt; implement the
&lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;gateway-api.sigs.k8s.io&quot;&gt;Kubernetes Gateway API&lt;&#x2F;a&gt; and use Envoy as their data plane.
That is roughly where the similarity ends. Istio is a full service mesh that happens to
implement Gateway API; Envoy Gateway is a dedicated Gateway API controller with no mesh
ambitions. Choosing between them is mostly a question of scope.&lt;&#x2F;p&gt;
&lt;p&gt;This post starts with that comparison — architecture, mTLS, egress control, and resource
overhead — then broadens to cover &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;cilium.io&quot;&gt;Cilium&lt;&#x2F;a&gt; as a lighter alternative for
East-West security, how the choice plays out on managed Kubernetes offerings (AKS, GKE, and
OVH MKS including their cloud-native ingress and egress options), and finally how to get
the real client IP through a cloud load balancer to your application.&lt;&#x2F;p&gt;</summary>
        
    </entry>
    <entry xml:lang="en">
        <title>Envoy Gateway v1.7: Global Rate Limiting with a Custom ratelimit Service</title>
        <published>2026-04-19T00:00:00+00:00</published>
        <updated>2026-04-19T00:00:00+00:00</updated>
        
        <author>
          <name>
            
              aleks
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://blog.none.at/blog/2026/2026-04-19-envoy-gateway-global-ratelimit/"/>
        <id>https://blog.none.at/blog/2026/2026-04-19-envoy-gateway-global-ratelimit/</id>
        
        <summary type="html">&lt;p&gt;Global rate limiting in &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;gateway.envoyproxy.io&#x2F;&quot;&gt;Envoy Gateway (EG)&lt;&#x2F;a&gt; can be set up in two ways:
the easy path (EG manages its own &lt;code&gt;envoy-ratelimit&lt;&#x2F;code&gt; container) and the flexible path
(you bring your own &lt;a rel=&quot;noopener external&quot; target=&quot;_blank&quot; href=&quot;https:&#x2F;&#x2F;github.com&#x2F;envoyproxy&#x2F;ratelimit&quot;&gt;envoyproxy&#x2F;ratelimit&lt;&#x2F;a&gt; service).
This post covers the flexible path — &lt;strong&gt;Option B&lt;&#x2F;strong&gt; — and documents the three xDS patches
required to wire it up, the EG v1.7 breaking changes that affect the approach,
and a namespace-admin self-service deployment model.&lt;&#x2F;p&gt;</summary>
        
    </entry>
</feed>
