Add TLS guides for AWS EKS with Ingress and Gateway API by welteki · Pull Request #415 · openfaas/docs

welteki · 2026-02-16T17:24:15Z

Description

Add comprehensive TLS documentation for AWS EKS deployments covering both traditional Ingress and modern Gateway API approaches.

Motivation and Context

I have raised an issue to propose this change (required)

How Has This Been Tested?

Documentation updates - verified rendering and link structure.

Types of changes

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

My code follows the code style of this project.
My change requires a change to the documentation.
I have updated the documentation accordingly.
I've read the CONTRIBUTION guide
I have signed-off my commits with git commit -s

Update documentation across multiple pages to recommend Traefik as the default ingress controller instead of ingress-nginx: - Switch ingress controller references from nginx to Traefik - Update installation commands to use arkade install traefik2 - Replace nginx-specific annotations with Traefik equivalents - Update ingressClassName from nginx to traefik - Add Traefik timeout configuration guide Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>

- Document how to use AWS Load Balancer Controller with Traefik on EKS - Add required annotation for internet-facing NLB provisioning - Fix typo in main TLS guide Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>

Reorganise the TLS reference page to cover both Ingress and Gateway API approaches. Add sections for Envoy Gateway with cert-manager and AWS EKS with the AWS Load Balancer Controller. Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>

Replace the FunctionIngress/ingress-operator approach with Kubernetes Gateway API. The updated guide covers adding Gateway listeners per function domain, creating HTTPRoutes that rewrite paths to /function/NAME/, and cert-manager integration for TLS. Includes implementation-specific tabs for Envoy Gateway (regex rewrite workaround) and standard Gateway API (ReplacePrefixMatch). Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>

reviewfn · 2026-02-18T18:23:06Z

AI Pull Request Overview

Summary

Restructured TLS documentation to prioritize Gateway API over Ingress for new installations
Replaced deprecated ingress-nginx references with Traefik as the recommended Ingress controller
Added comprehensive AWS EKS-specific TLS guides using AWS Load Balancer Controller with both ALB and NLB approaches
Rewrote TLS for Functions guide to use Gateway API HTTPRoutes with proper path rewriting
Updated timeout configurations to include Gateway API and Traefik specifics
Modernized local development guides to use Traefik instead of ingress-nginx

Approval rating (1-10)

9

The PR significantly improves the documentation by providing modern, production-ready TLS configurations and removing deprecated components. The technical accuracy is high, and the guides are comprehensive.

Summary per file

File path	Summary
docs/architecture/production.md	Minor updates to TLS references, no major changes
docs/deployment/kubernetes.md	Updated to reference Gateway API TLS guides alongside existing Ingress options
docs/reference/tls-functions.md	Completely rewritten to focus on Gateway API with HTTPRoutes, added path rewrite workarounds for Envoy Gateway
docs/reference/tls-openfaas.md	Major restructure prioritizing Gateway API, added comprehensive AWS EKS guides with ALB/NLB, updated Ingress section to use Traefik
docs/tutorials/expanded-timeouts.md	Updated to include Gateway API timeout configurations, replaced ingress-nginx with Traefik examples
docs/tutorials/local-kind-ingress.md	Updated to use Traefik instead of ingress-nginx for local development

Overall Assessment

This PR modernizes OpenFaaS TLS documentation by transitioning from legacy Ingress-based approaches to the more robust Gateway API standard, while providing comprehensive cloud-native guidance for AWS EKS deployments. The changes remove deprecated components (ingress-nginx) and introduce best practices for production TLS configurations.

Detailed Review

Technical Accuracy

Gateway API resource definitions are correct and follow current standards
HTTPRoute configurations properly handle TLS termination and path routing
AWS Load Balancer Controller integration is accurately documented with appropriate feature gates
cert-manager Gateway API integration flags are properly configured
TargetGroupConfiguration for ALB ip targeting is correctly implemented to avoid NodePort requirements

Security Considerations

HTTPS listeners are properly configured with TLS termination
Certificate management via cert-manager is secure and follows best practices
HTTP-01 challenges are correctly routed through Gateway API
No secrets or credentials are exposed in documentation

Completeness

Comprehensive coverage of both Gateway API and Ingress approaches
Clear prerequisites and step-by-step instructions
AWS EKS specific configurations for both ALB and NLB scenarios
Timeout configuration guidance for all components
Verification steps included for each setup

Consistency

Consistent use of Traefik as the Ingress controller example
Uniform formatting and code block usage
Proper cross-references between related guides
Consistent environment variable naming

Potential Improvements

Consider adding Gateway API support detection in prerequisites (check for Gateway API CRDs)
Envoy Gateway version (v1.7.0) may become outdated; consider using latest stable or adding version flexibility
For multi-function deployments, consider documenting wildcard certificate patterns more prominently
Add monitoring/verification commands for certificate renewal status
Consider adding migration guide for users upgrading from Ingress to Gateway API

Minor Issues

In docs/reference/tls-functions.md, the Envoy Gateway regex workaround could be better explained as a known limitation
Timeout values in examples (e.g., 10m) should align with default OpenFaaS configurations or be parameterized
AWS Load Balancer Controller version requirements could be more specific in prerequisites

Positive Aspects

Excellent structure with clear separation of approaches
Practical AWS EKS configurations that work in real-world scenarios
Proper handling of path rewriting complexities in Gateway API
Good balance between simplicity and completeness
Forward-looking adoption of Gateway API standard