Migrate from NGINX Ingress to Envoy Gateway

core/helm-charts/genai-gateway/templates/ingress.yaml

@@ -1,34 +1,24 @@
 # Copyright (C) 2025-2026 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
 {{- if .Values.ingress.enabled }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
 metadata:
-  annotations:
-    kubernetes.io/ingress.class: nginx        
-    nginx.ingress.kubernetes.io/proxy-body-size: 10m
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"  
-  generation: 1
   labels:
     app.kubernetes.io/managed-by: Helm
-  name: genai-gateway-ingress    
+  name: genai-gateway-httproute
 spec:
-  ingressClassName: nginx
-  rules:
-  - host: {{ .Values.ingress.host }}
-    http:
-      paths:
-      - backend:
-          service:
-            name: genai-gateway-service
-            port:
-              number: 4000
-        path: /
-        pathType: ImplementationSpecific
-  tls:
-  - hosts:
+  parentRefs:
+    - name: enterprise-edge-gateway
+      namespace: envoy-gateway-system
+  hostnames:
     - {{ .Values.ingress.host }}
-    secretName: {{ .Values.ingress.secretname }}
-status:
-  loadBalancer: {}
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: genai-gateway-service
+          port: 4000
 {{- end }}

core/helm-charts/genai-gateway/templates/ingress_eks.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.ingress.enabled }}
+{{- if and .Values.ingress.enabled (eq .Values.platform "eks") }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:

core/helm-charts/istio/peer-auth-ingress.yaml

@@ -4,11 +4,11 @@ apiVersion: security.istio.io/v1
 kind: PeerAuthentication
 metadata:
   name: peer-auth-ingress
-  namespace: ingress-nginx
+  namespace: envoy-gateway-system
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: ingress-nginx
+      app.kubernetes.io/name: envoy
   mtls:
     mode: STRICT
   portLevelMtls:

core/helm-charts/keycloak/templates/ingress.yaml

@@ -1,31 +1,23 @@
 # Copyright (C) 2025-2026 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
 {{- if not .Values.apisixRoute.enabled }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
 metadata:
-  name: {{ .Release.Name }}-keycloak-apisix
+  name: {{ .Release.Name }}-keycloak-apisix-httproute
   namespace: auth-apisix
-  annotations:
-    kubernetes.io/ingress.class: "nginx"
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
-    nginx.ingress.kubernetes.io/proxy-pass-headers: "Content-Type, Authorization"
 spec:
-  ingressClassName: nginx
+  parentRefs:
+    - name: enterprise-edge-gateway
+      namespace: envoy-gateway-system
+  hostnames:
+    - {{ .Values.ingress.host }}
   rules:
-    - host: {{ .Values.ingress.host }}
-      http:
-        paths:
-          - path: /token
-            pathType: Exact
-            backend:
-              service:
-                name: {{ .Values.ingress.serviceName }}
-                port:
-                  number: {{ .Values.ingress.servicePort }}
-  tls:
-    - hosts:
-      - {{ .Values.ingress.host }}
-      secretName: {{ .Values.ingress.secretName }}
+    - matches:
+        - path:
+            type: Exact
+            value: /token
+      backendRefs:
+        - name: {{ .Values.ingress.serviceName }}
+          port: {{ .Values.ingress.servicePort }}
 {{- end }}

core/helm-charts/keycloak/templates/ingress_eks.yaml

@@ -1,5 +1,6 @@
 # Copyright (C) 2025-2026 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
+{{- if eq .Values.platform "eks" }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -32,3 +33,4 @@ spec:
     - hosts:
       - {{ .Values.ingress.host }}
       secretName: {{ .Values.ingress.secretName }}
+{{- end }}

core/helm-charts/mcp-server-template/templates/ingress.yaml

@@ -1,46 +1,32 @@
 {{- if .Values.ingress.enabled }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
 metadata:
-  name: {{ include "mcp-demo.fullname" . }}
+  name: {{ include "mcp-demo.fullname" . }}-httproute
   namespace: {{ .Values.apisix.enabled | ternary "auth-apisix" (.Values.ingress.namespace | default .Release.Namespace) }}
   labels:
     {{- include "mcp-demo.labels" . | nindent 4 }}
-  annotations:
-    kubernetes.io/ingress.class: {{ .Values.ingress.className }}
-    nginx.ingress.kubernetes.io/use-regex: "true"
-    nginx.ingress.kubernetes.io/proxy-buffering: "off"
-    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
-    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
-  {{- with .Values.ingress.annotations }}
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
 spec:
-  ingressClassName: {{ .Values.ingress.className }}
-  {{- if .Values.ingress.tls.enabled }}
-  tls:
-  - hosts:
+  parentRefs:
+    - name: enterprise-edge-gateway
+      namespace: envoy-gateway-system
+  hostnames:
     - {{ .Values.ingress.host }}
-    secretName: {{ .Values.ingress.tls.secretName }}
-  {{- end }}
   {{- $svcName := ternary "auth-apisix-gateway" (include "mcp-demo.fullname" .) .Values.apisix.enabled }}
   {{- $svcPort := ternary 80 .Values.service.port .Values.apisix.enabled }}
   rules:
-  - host: {{ .Values.ingress.host }}
-    http:
-      paths:
-      - backend:
-          service:
-            name: {{ $svcName }}
-            port:
-              number: {{ $svcPort }}
-        path: /health
-        pathType: Prefix
-      - backend:
-          service:
-            name: {{ $svcName }}
-            port:
-              number: {{ $svcPort }}
-        path: {{ .Values.ingress.path }}
-        pathType: Prefix
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /health
+      backendRefs:
+        - name: {{ $svcName }}
+          port: {{ $svcPort }}
+    - matches:
+        - path:
+            type: PathPrefix
+            value: {{ .Values.ingress.path }}
+      backendRefs:
+        - name: {{ $svcName }}
+          port: {{ $svcPort }}
 {{- end }}

core/helm-charts/ovms/templates/ingress.yaml

@@ -2,32 +2,33 @@
 # SPDX-License-Identifier: Apache-2.0
 
 {{- if and .Values.ingress.enabled .Values.modelSource }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
 metadata:
-  name: {{ include "ovms-model-server.fullname" . }}
+  name: {{ include "ovms-model-server.fullname" . }}-httproute
   namespace: {{ .Values.ingress.namespace }}
   labels:
     {{- include "ovms-model-server.labels" . | nindent 4 }}
-  annotations:
-    nginx.ingress.kubernetes.io/rewrite-target: /{{ .Values.modelName }}-ovms/$1
 spec:
-  ingressClassName: {{ .Values.ingress.className }}
-  {{- if .Values.ingress.secretname }}
-  tls:
-  - hosts:
+  parentRefs:
+    - name: enterprise-edge-gateway
+      namespace: envoy-gateway-system
+  hostnames:
     - {{ .Values.ingress.host }}
-    secretName: {{ .Values.ingress.secretname }}
-  {{- end }}
   rules:
-  - host: {{ .Values.ingress.host }}
-    http:
-      paths:
-      - path: /{{ .Values.modelName }}-ovms/(.*)
-        pathType: ImplementationSpecific
-        backend:
-          service:
-            name: {{- if .Values.apisixRoute.enabled }} auth-apisix-gateway{{- else }} {{ include "ovms-model-server.fullname" . }}{{- end }}
-            port:
-              number: 80
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /{{ .Values.modelName }}-ovms
+      {{- if not .Values.apisixRoute.enabled }}
+      filters:
+        - type: URLRewrite
+          urlRewrite:
+            path:
+              type: ReplacePrefixMatch
+              replacePrefixMatch: /
+      {{- end }}
+      backendRefs:
+        - name: {{- if .Values.apisixRoute.enabled }} auth-apisix-gateway{{- else }} {{ include "ovms-model-server.fullname" . }}{{- end }}
+          port: 80
 {{- end }}

core/helm-charts/tei/templates/ingress.yaml

@@ -1,60 +1,48 @@
 # Copyright (C) 2025-2026 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
-# Please edit the object below. Lines beginning with a '#' will be ignored,
-# and an empty file will abort the edit. If an error occurs while saving this file will be
-# reopened with the relevant failures.
 {{- if or .Values.ingress.enabled .Values.apisix.enabled }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
+{{- $modelName := .Values.EMBEDDING_MODEL_ID | splitList "/" | last }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
 metadata:
-  annotations:
-    kubernetes.io/ingress.class: nginx
-    # nginx.ingress.kubernetes.io/rewrite-target: /{{ .Values.EMBEDDING_MODEL_ID | splitList "/" | last }}/$1
-    nginx.ingress.kubernetes.io/rewrite-target: {{- if and .Values.apisix.enabled .Values.accelDevice }}
-      /{{ .Values.EMBEDDING_MODEL_ID | splitList "/" | last }}/$1
-      {{- else if and .Values.apisix.enabled (not .Values.accelDevice) }}
-      /{{ .Values.EMBEDDING_MODEL_ID | splitList "/" | last }}-teicpu/$1
-      {{- else if not .Values.apisix.enabled }}
-      /$1
-      {{- end }}   
-  creationTimestamp: "2024-11-22T03:27:37Z"
-  generation: 1
   labels:
     {{- include "tei.labels" . | nindent 4 }}
-  name: {{ include "tei.fullname" . }}-ingress
+  name: {{ include "tei.fullname" . }}-httproute
   namespace: {{- if .Values.apisix.enabled }}
                 auth-apisix
               {{- else }}
                 default
               {{- end }}
-  resourceVersion: "244487"
-  uid: df2b31a1-6653-4d71-9de0-4df33cb93ad1
 spec:
-  ingressClassName: nginx
+  parentRefs:
+    - name: enterprise-edge-gateway
+      namespace: envoy-gateway-system
+  hostnames:
+    - {{ .Values.ingress.host }}
   rules:
-  - host: {{ .Values.ingress.host }}
-    http:
-      paths:
-      - backend:
-          service:
-            name: {{- if .Values.apisix.enabled }}
-              auth-apisix-gateway
-            {{- else }}
-              {{ include "tei.fullname" . }}-service
-            {{- end }}
-            port:
-              number: 80
-        # path: /{{ .Values.EMBEDDING_MODEL_ID | splitList "/" | last }}/(.*)
-        path: {{- if and .Values.apisix.enabled .Values.accelDevice }}
-          /{{ .Values.EMBEDDING_MODEL_ID | splitList "/" | last }}/(.*)
-          {{- else if and .Values.apisix.enabled (not .Values.accelDevice) }}
-          /{{ .Values.EMBEDDING_MODEL_ID | splitList "/" | last }}-teicpu/(.*)
-          {{- else if not .Values.apisix.enabled }}
-          /{{ .Values.EMBEDDING_MODEL_ID | splitList "/" | last }}/(.*)
+    - matches:
+        - path:
+            type: PathPrefix
+            value: {{- if and .Values.apisix.enabled .Values.accelDevice }}
+              /{{ $modelName }}
+              {{- else if and .Values.apisix.enabled (not .Values.accelDevice) }}
+              /{{ $modelName }}-teicpu
+              {{- else }}
+              /{{ $modelName }}
+              {{- end }}
+      {{- if not .Values.apisix.enabled }}
+      filters:
+        - type: URLRewrite
+          urlRewrite:
+            path:
+              type: ReplacePrefixMatch
+              replacePrefixMatch: /
+      {{- end }}
+      backendRefs:
+        - name: {{- if .Values.apisix.enabled }}
+            auth-apisix-gateway
+          {{- else }}
+            {{ include "tei.fullname" . }}-service
           {{- end }}
-        pathType: ImplementationSpecific
-  tls:
-  - hosts:
-    - {{ .Values.ingress.host }}
-    secretName: {{ .Values.ingress.secretname }}
+          port: 80
 {{- end }}

core/helm-charts/tei/templates/ingress_eks.yaml

@@ -1,6 +1,6 @@
 # Copyright (C) 2025-2026 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
-{{- if or .Values.ingress.enabled .Values.apisix.enabled }}
+{{- if and (or .Values.ingress.enabled .Values.apisix.enabled) (eq .Values.platform "eks") }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata: