Add TLS guides for AWS EKS with Ingress and Gateway API #415

Open
welteki wants to merge 4 commits into openfaas:master from welteki:aws-load-balancer-controller

@welteki welteki commented Feb 16, 2026

Description

Add comprehensive TLS documentation for AWS EKS deployments covering both traditional Ingress and modern Gateway API approaches.

Motivation and Context

  • I have raised an issue to propose this change (required)

How Has This Been Tested?

Documentation updates - verified rendering and link structure.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I've read the CONTRIBUTION guide
  • I have signed-off my commits with git commit -s

Update documentation across multiple pages to recommend Traefik
as the default ingress controller instead of ingress-nginx:

- Switch ingress controller references from nginx to Traefik
- Update installation commands to use arkade install traefik2
- Replace nginx-specific annotations with Traefik equivalents
- Update ingressClassName from nginx to traefik
- Add Traefik timeout configuration guide

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>

- Document how to use AWS Load Balancer Controller with Traefik on EKS
- Add required annotation for internet-facing NLB provisioning
- Fix typo in main TLS guide

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>

@welteki welteki force-pushed the aws-load-balancer-controller branch from c824b40 to 6d2f377 Compare February 16, 2026 23:13

@welteki welteki force-pushed the aws-load-balancer-controller branch from 6d2f377 to 52423cc Compare February 17, 2026 12:49

@welteki welteki force-pushed the aws-load-balancer-controller branch from 52423cc to a321d9b Compare February 17, 2026 15:14

@welteki welteki force-pushed the aws-load-balancer-controller branch from a321d9b to 804f36c Compare February 17, 2026 15:19

@welteki welteki force-pushed the aws-load-balancer-controller branch from 804f36c to b36d169 Compare February 17, 2026 16:22

Reorganise the TLS reference page to cover both Ingress and Gateway API
approaches. Add sections for Envoy Gateway with cert-manager and AWS EKS
with the AWS Load Balancer Controller.

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>

@welteki welteki force-pushed the aws-load-balancer-controller branch from b36d169 to 5880f91 Compare February 17, 2026 18:00

@welteki welteki marked this pull request as ready for review February 18, 2026 09:14

Replace the FunctionIngress/ingress-operator approach with
Kubernetes Gateway API. The updated guide covers adding Gateway
listeners per function domain, creating HTTPRoutes that rewrite
paths to /function/NAME/, and cert-manager integration for TLS.

Includes implementation-specific tabs for Envoy Gateway (regex
rewrite workaround) and standard Gateway API (ReplacePrefixMatch).

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>
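
The listener-per-domain and path-rewrite pattern described in the commit message above, shown in its standard `ReplacePrefixMatch` form as an added example (not taken from the PR or the OpenFaaS docs). The function name `env`, the hostname, the Gateway, issuer and Secret names and the gateway class placeholder are assumptions; `gateway` on port 8080 in the `openfaas` namespace is the default OpenFaaS gateway Service.

```yaml
# Added example: names, hostname and issuer are assumptions, not values from the PR.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: openfaas-gateway              # hypothetical Gateway name
  namespace: openfaas
  annotations:
    # cert-manager (with its Gateway API support enabled) issues a certificate
    # for each HTTPS listener hostname into the Secret the listener references.
    cert-manager.io/cluster-issuer: letsencrypt-prod   # hypothetical issuer
spec:
  gatewayClassName: REPLACE_WITH_GATEWAY_CLASS
  listeners:
  - name: env-https                   # one listener per function domain
    hostname: env.example.com
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate                 # TLS ends at the Gateway
      certificateRefs:
      - name: env-example-com-tls     # Secret populated by cert-manager
    allowedRoutes:
      namespaces:
        from: Same                    # only routes in this namespace may attach
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: env
  namespace: openfaas
spec:
  parentRefs:
  - name: openfaas-gateway
    sectionName: env-https            # bind to this function's listener only
  hostnames:
  - env.example.com
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    filters:
    - type: URLRewrite
      urlRewrite:
        path:
          type: ReplacePrefixMatch
          replacePrefixMatch: /function/env/   # requests reach /function/NAME/
    backendRefs:
    - name: gateway                   # OpenFaaS gateway Service
      port: 8080
```
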

reviewfn bot commented Feb 18, 2026

AI Pull Request Overview

Summary

  • Restructured TLS documentation to prioritize Gateway API over Ingress for new installations
  • Replaced deprecated ingress-nginx references with Traefik as the recommended Ingress controller
  • Added comprehensive AWS EKS-specific TLS guides using AWS Load Balancer Controller with both ALB and NLB approaches
  • Rewrote TLS for Functions guide to use Gateway API HTTPRoutes with proper path rewriting
  • Updated timeout configurations to include Gateway API and Traefik specifics
  • Modernized local development guides to use Traefik instead of ingress-nginx

Approval rating (1-10)

9

The PR significantly improves the documentation by providing modern, production-ready TLS configurations and removing deprecated components. The technical accuracy is high, and the guides are comprehensive.

Summary per file

| File path | Summary |
| --- | --- |
| docs/architecture/production.md | Minor updates to TLS references, no major changes |
| docs/deployment/kubernetes.md | Updated to reference Gateway API TLS guides alongside existing Ingress options |
| docs/reference/tls-functions.md | Completely rewritten to focus on Gateway API with HTTPRoutes, added path rewrite workarounds for Envoy Gateway |
| docs/reference/tls-openfaas.md | Major restructure prioritizing Gateway API, added comprehensive AWS EKS guides with ALB/NLB, updated Ingress section to use Traefik |
| docs/tutorials/expanded-timeouts.md | Updated to include Gateway API timeout configurations, replaced ingress-nginx with Traefik examples |
| docs/tutorials/local-kind-ingress.md | Updated to use Traefik instead of ingress-nginx for local development |
Overall Assessment

This PR modernizes OpenFaaS TLS documentation by transitioning from legacy Ingress-based approaches to the more robust Gateway API standard, while providing comprehensive cloud-native guidance for AWS EKS deployments. The changes remove deprecated components (ingress-nginx) and introduce best practices for production TLS configurations.

Detailed Review

Technical Accuracy

  • Gateway API resource definitions are correct and follow current standards
  • HTTPRoute configurations properly handle TLS termination and path routing
  • AWS Load Balancer Controller integration is accurately documented with appropriate feature gates
  • cert-manager Gateway API integration flags are properly configured
  • TargetGroupConfiguration for ALB ip targeting is correctly implemented to avoid NodePort requirements

Security Considerations

  • HTTPS listeners are properly configured with TLS termination
  • Certificate management via cert-manager is secure and follows best practices
  • HTTP-01 challenges are correctly routed through Gateway API
  • No secrets or credentials are exposed in documentation

Completeness

  • Comprehensive coverage of both Gateway API and Ingress approaches
  • Clear prerequisites and step-by-step instructions
  • AWS EKS specific configurations for both ALB and NLB scenarios
  • Timeout configuration guidance for all components
  • Verification steps included for each setup

Consistency

  • Consistent use of Traefik as the Ingress controller example
  • Uniform formatting and code block usage
  • Proper cross-references between related guides
  • Consistent environment variable naming

Potential Improvements

  • Consider adding Gateway API support detection in prerequisites (check for Gateway API CRDs)
  • Envoy Gateway version (v1.7.0) may become outdated; consider using latest stable or adding version flexibility
  • For multi-function deployments, consider documenting wildcard certificate patterns more prominently
  • Add monitoring/verification commands for certificate renewal status
  • Consider adding migration guide for users upgrading from Ingress to Gateway API

Minor Issues

  • In docs/reference/tls-functions.md, the Envoy Gateway regex workaround could be better explained as a known limitation
  • Timeout values in examples (e.g., 10m) should align with default OpenFaaS configurations or be parameterized
  • AWS Load Balancer Controller version requirements could be more specific in prerequisites

Positive Aspects

  • Excellent structure with clear separation of approaches
  • Practical AWS EKS configurations that work in real-world scenarios
  • Proper handling of path rewriting complexities in Gateway API
  • Good balance between simplicity and completeness
  • Forward-looking adoption of Gateway API standard

AI agent details.

Agent processing time: 34.922s
Environment preparation time: 6.184s
Total time from webhook: 45.938s
