Migrating from Ingress-NGINX Controller to NGINX Ingress Controller

This document describes how to migrate from the community-maintained Ingress-NGINX Controller to the F5 NGINX Ingress Controller.

Overview

This page explains two different ways to migrate from the community-maintained Ingress-NGINX Controller project to NGINX Ingress Controller: using NGINX’s Ingress Resources or with Kubernetes’s built-in Ingress Resources. This is typically because of implementation differences, and to take advantage of features such as NGINX Plus integration.

The information in this guide is extracted from a free eBook called “Kubernetes Ingress Controller Deployment and Security with NGINX”, which can be downloaded from the NGINX Library.

Before you begin

To complete the instructions in this guide, you need the following:

A working knowledge of Ingress Controllers.
An NGINX Ingress Controller installation on the same host as an existing Ingress-NGINX Controller.

There are two primary paths for migrating between the community Ingress-NGINX Controller to NGINX Ingress Controller:

Using NGINX Ingress Resources
Using Kubernetes Ingress Resources.

Migration with NGINX Ingress resources

This path uses Kubernetes Ingress Resources to set root permissions, then NGINX Ingress Resources for configuration using custom resource definitions (CRDs):

Configuring SSL termination and HTTP path-based routing

The following two code examples correspond to a Kubernetes Ingress Resource and an NGINX VirtualServer Resource. Although the syntax and indentation is different, they accomplish the same basic Ingress functions, used for SSL termination and Layer 7 path-based routing.

Kubernetes Ingress Resource

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-test
spec:
  tls:
    - hosts:
      - foo.bar.com
      secretName: tls-secret
  rules:
    - host: foo.bar.com
      http:
        paths:
        - path: /login
          backend:
            serviceName: login-svc
            servicePort: 80
        - path: /billing
            serviceName: billing-svc
            servicePort: 80

NGINX VirtualServer Resource

apiVersion: networking.k8s.io/v1
kind: VirtualServer
metadata:
  name: nginx-test
spec:
  host: foo.bar.com
  tls:
    secret: tls-secret
  upstreams:
    - name: login
      service: login-svc
      port: 80
    - name: billing
      service: billing-svc
      port: 80
  routes:
  - path: /login
    action:
      pass: login
  - path: /billing
    action:
      pass: billing

Configuring TCP/UDP load balancing and TLS passthrough

NGINX Ingress Controller exposes TCP and UDP services using TransportServer and GlobalConfiguration resources. These resources provide a broad range of options for TCP/UDP and TLS Passthrough load balancing. By contrast, the community Ingress-NGINX Controller exposes TCP/UDP services by using a Kubernetes ConfigMap object.

Convert Ingress-NGINX Controller annotations to NGINX Ingress resources

Kubernetes deployments often need to extend basic Ingress rules for advanced use cases such as canary and blue-green deployments, traffic throttling, and ingress-egress traffic manipulation. The community Ingress-NGINX Controller implements many of these using Kubernetes annotations with custom Lua extensions.

These custom Lua extensions are intended for specific NGINX Ingress resource definitions and may not be as granular as required for advanced use cases. The following examples show how to convert these annotations into NGINX Ingress Controller Resources.

Canary deployments

Canary and blue-green deployments allow you to push code changes to production environments without disrupting existing users. NGINX Ingress Controller runs them on the data plane: to migrate from the community Ingress-NGINX Controller, you must map the latter’s annotations to VirtualServer and VirtualServerRoute resources.

The Ingress-NGINX Controller evaluates canary annotations in the following order:

nginx.ingress.kubernetes.io/canary-by-header
nginx.ingress.kubernetes.io/canary-by-cookie
nginx.ingress.kubernetes.io/canary-by-weight

For NGINX Ingress Controller to evalute them the same way, they must appear in the same order in the VirtualServer or VirtualServerRoute Manifest.

Ingress-NGINX Controller

nginx.ingress.kubernetes.io/canary: "true"
nginx.ingress.kubernetes.io/canary-by-header: "httpHeader"

NGINX Ingress Controller

matches:
- conditions:
  - header: httpHeader
      value: never
  action:
    pass: echo
  - header: httpHeader
      value: always
  action:
    pass: echo-canary
action:
  pass: echo

Ingress-NGINX Controller

nginx.ingress.kubernetes.io/canary: "true"
nginx.ingress.kubernetes.io/canary-by-header: "httpHeader"
nginx.ingress.kubernetes.io/canary-by-header-value: "my-value"

NGINX Ingress Controller

matches:
- conditions:
  - header: httpHeader
      value: my-value
  action:
    pass: echo-canary
action:
  pass: echo

Ingress-NGINX Controller

nginx.ingress.kubernetes.io/canary: "true"
nginx.ingress.kubernetes.io/canary-by-cookie: "cookieName"

NGINX Ingress Controller

matches:
- conditions:
  - cookie: cookieName
      value: never
  action:
    pass: echo
  - cookie: cookieName
      value: always
  action:
    pass: echo-canary
action:
  pass: echo

Traffic control

Environments using microservices tend to use extensive traffic-control policies to manage ephemeral applications using circuit breaking and rate and connection limiting to prevent error conditions due to unhealthy states or abnormal behavior.

The following examples map Ingress-NGINX Controller annotations to NGINX VirtualServer and VirtualServerRoute resources for rate limiting, custom HTTP errors, custom default backend and URI rewriting.

Ingress-NGINX Controller

nginx.ingress.kubernetes.io/custom-http-errors: "code"

nginx.ingress.kubernetes.io/default-backend: "default-svc"

NGINX Ingress Controller

errorPages:
- codes: [code]
    redirect:
      code: 301
      url: default-svc

Ingress-NGINX Controller

nginx.ingress.kubernetes.io/limit-connections: "number"

NGINX Ingress Controller

http-snippets: |
    limit_conn_zone $binary_remote_addr zone=zone_name:size;    
routes:
- path: /path
    location-snippets: |
      limit_conn zone_name number;

Ingress-NGINX Controller

nginx.ingress.kubernetes.io/limit-rate: "number"
nginx.ingress.kubernetes.io/limit-rate-after: "number"

NGINX Ingress Controller

location-snippets: |
    limit_rate number;

    limit_rate_after number;

Ingress-NGINX Controller

nginx.ingress.kubernetes.io/limit-rpm: "number"
nginx.ingress.kubernetes.io/limit-burst-multiplier: "multiplier"

NGINX Ingress Controller

rateLimit:
    rate: numberr/m

    burst: number * multiplier
    key: ${binary_remote_addr}
    zoneSize: size

Ingress-NGINX Controller

nginx.ingress.kubernetes.io/limit-rps: "number"
nginx.ingress.kubernetes.io/limit-burst-multiplier: "multiplier"

NGINX Ingress Controller

rateLimit:
    rate: numberr/s

    burst: number * multiplier
    key: ${binary_remote_addr}
    zoneSize: size

Ingress-NGINX Controller

nginx.ingress.kubernetes.io/limit-whitelist: "CIDR"

NGINX Ingress Controller

http-snippets: |
server-snippets: |

Ingress-NGINX Controller

nginx.ingress.kubernetes.io/rewrite-target: "URI"

NGINX Ingress Controller

rewritePath: "URI"

There are four Ingress-NGINX Controller annotations without NGINX Ingress resource fields yet: they must be handled using snippets.

nginx.ingress.kubernetes.io/limit-connections
nginx.ingress.kubernetes.io/limit-rate
nginx.ingress.kubernetes.io/limit-rate-after
nginx.ingress.kubernetes.io/limit-whitelist

Header manipulation

Manipulating HTTP headers is useful in many cases, as they contain information that is important and relevant to systems involved in HTTP transactions. The community Ingress-NGINX Controller supports enabling and configuring cross-origin resource sharing (CORS) headings used by AJAX applications, where front-end Javascript code interacts with backend applications or web servers.

These code blocks show how the Ingress-NGINX annotations correspond to NGINX Ingress Controller VirtualServer and VirtualServerRoute resources.

Ingress-NGINX Controller

nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"

nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"

nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"

nginx.ingress.kubernetes.io/cors-allow-origin: "*"

nginx.ingress.kubernetes.io/cors-max-age: "seconds"

NGINX Ingress Controller

responseHeaders:
  add:
    - name: Access-Control-Allow-Credentials
      value: "true"
    - name: Access-Control-Allow-Headers
      value: "X-Forwarded-For"
    - name: Access-Control-Allow-Methods
      value: "PUT, GET, POST, OPTIONS"
    - name: Access-Control-Allow-Origin
      value: "*"
    - name: Access-Control-Max-Age
      value: "seconds"

Proxying and load balancing

NGINX Ingress Controller has multiple proxy and load balancing functionalities you may want to configure based on the use case, such as configuring the load balancing algorithm and the timeout and buffering settings for proxied connections.

This table shows how Ingress-NGINX Controller annotations map to statements in the upstream field for VirtualServer and VirtualServerRoute resources, covering load balancing, proxy timeout, proxy buffering and connection routing for a services’ ClusterIP address and port.

Ingress-NGINX Controller	NGINX Ingress Controller
nginx.ingress.kubernetes.io/load-balance	lb-method
nginx.ingress.kubernetes.io/proxy-buffering	buffering
nginx.ingress.kubernetes.io/proxy-buffers-number	buffers
nginx.ingress.kubernetes.io/proxy-buffer-size	buffers
nginx.ingress.kubernetes.io/proxy-connect-timeout	connect-timeout
nginx.ingress.kubernetes.io/proxy-next-upstream	next-upstream
nginx.ingress.kubernetes.io/proxy-next-upstream-timeout	next-upstream-timeout
nginx.ingress.kubernetes.io/proxy-read-timeout	read-timeout
nginx.ingress.kubernetes.io/proxy-send-timeout	send-timeout
nginx.ingress.kubernetes.io/service-upstream	use-cluster-ip

mTLS authentication

mTLS authentication is a way of enforcing mutual authentication on traffic entering and exiting a cluster (north-sourth traffic). This secure form of communication is common within a service mesh, commonly used in strict zero-trust environments.

NGINX Ingress Controller layer can handle mTLS authentication for end systems through the presentation of valid certificates for external connections. It accomplishes this through Policy resources, which correspond to Ingress-NGINX Controller annotations for client certificate authentication and backend certificate authentication.

Ingress-NGINX Controller

nginx.ingress.kubernetes.io/auth-tls-secret: secretName
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"

NGINX Ingress Controller

ingressMTLS:
   clientCertSecret: secretName
   verifyClient: "on"

   verifyDepth: 1

Ingress-NGINX Controller

nginx.ingress.kubernetes.io/proxy-ssl-secret: "secretName"
nginx.ingress.kubernetes.io/proxy-ssl-verify: "on|off"
nginx.ingress.kubernetes.io/proxy-ssl-verify-depth: "1"
nginx.ingress.kubernetes.io/proxy-ssl-protocols: "TLSv1.2"
nginx.ingress.kubernetes.io/proxy-ssl-ciphers: "DEFAULT"
nginx.ingress.kubernetes.io/proxy-ssl-name: "server-name"
nginx.ingress.kubernetes.io/proxy-ssl-server-name: "on|off"

NGINX Ingress Controller

egressMTLS:
   tlsSecret: secretName

   verifyServer: true|false

   verifyDepth: 1

   protocols: TLSv1.2

   ciphers: DEFAULT

   sslName: server-name

   serverName: true|false

Session persistence with NGINX Plus

With NGINX Plus, you can use Policy resources for session persistence, which have corresponding annotations for the community Ingress-NGINX Controller.

Ingress-NGINX Controller

nginx.ingress.kubernetes.io/affinity: "cookie"
nginx.ingress.kubernetes.io/session-cookie-name: "cookieName"
nginx.ingress.kubernetes.io/session-cookie-expires: "x"
nginx.ingress.kubernetes.io/session-cookie-path: "/route"
nginx.ingress.kubernetes.io/session-cookie-secure: "true"

NGINX Ingress Controller

sessionCookie:
  enable: true

  name: cookieName

  expires: xh

  path: /route

  secure: true

Migration with Kubernetes Ingress resources

The other option for migrating from the community Ingress-NGINX Controller to NGINX Ingress Controller is using only annotations and ConfigMaps from standard Kubernetes resources, potentially relying on mergeable Ingress types.

This ensures that all configuration is kept in the Ingress object.

Warning:
You should avoid altering the spec field of the Ingress resource when taking this option. Ingress-NGINX Controller and NGINX Ingress Controller differ slightly in their implementations: changing the Kubernetes Ingress can create incompatibility issues.

Advanced configuration with annotations

This table maps the Ingress-NGINX Controller annotations to NGINX Ingress Controller’s equivalent annotations, and the respective NGINX Directive.

Ingress-NGINX Controller	NGINX Ingress Controller	NGINX Directive
nginx.ingress.kubernetes.io/configuration-snippet	nginx.org/location-snippets	N/A
nginx.ingress.kubernetes.io/load-balance (1)	nginx.org/lb-method	random two least_conn
nginx.ingress.kubernetes.io/proxy-buffering	nginx.org/proxy-buffering	proxy_buffering
nginx.ingress.kubernetes.io/proxy-buffers-number	nginx.org/proxy-buffers	proxy_buffers
nginx.ingress.kubernetes.io/proxy-buffer-size	nginx.org/proxy-buffer-size	proxy_buffer_size
nginx.ingress.kubernetes.io/proxy-connect-timeout	nginx.org/proxy-connect-timeout	proxy_connect_timeout
nginx.ingress.kubernetes.io/proxy-read-timeout	nginx.org/proxy-read-timeout	proxy_read_timeout
nginx.ingress.kubernetes.io/proxy-send-timeout	nginx.org/proxy-send-timeout	proxy_send_timeout
nginx.ingress.kubernetes.io/rewrite-target	nginx.org/rewrites	rewrite
nginx.ingress.kubernetes.io/server-snippet	nginx.org/server-snippets	N/A
nginx.ingress.kubernetes.io/ssl-redirect	ingress.kubernetes.io/ssl-redirect	N/A (2)

Ingress-NGINX Controller implements some of its load balancing algorithms with Lua, which may not have an equivalent in NGINX Ingress Controller.
To redirect HTTP (80) traffic to HTTPS (443), NGINX Ingress Controller uses native NGINX if conditions while Ingress-NGINX Controller uses Lua.

The following two snippets outline Ingress-NGINX Controller annotations that correspond to annotations for NGINX Ingress Controller with NGINX Plus.

Ingress-NGINX Controller

nginx.ingress.kubernetes.io/affinity: "cookie"
nginx.ingress.kubernetes.io/session-cookie-name: "cookie_name"
nginx.ingress.kubernetes.io/session-cookie-expires: "seconds"
nginx.ingress.kubernetes.io/session-cookie-path: "/route"

NGINX Ingress Controller (with NGINX Plus)

nginx.com/sticky-cookie-services: "serviceName=example-svc cookie_name expires=time path=/route"

Note:
NGINX Ingress Controller has additional annotations for features using NGINX Plus that have no Ingress-NGINX Controller equivalent, such as active health checks and authentication using JSON Web Tokens (JWTs).

Global configuration with ConfigMaps

This table maps the Ingress-NGINX Controller ConfigMap keys to NGINX Ingress Controller’s equivalent ConfigMap keys.

Ingress-NGINX Controller	NGINX Ingress Controller
disable-access-log	access-log-off
error-log-level	error-log-level
hsts	hsts
hsts-include-subdomains	hsts-include-subdomains
hsts-max-age	hsts-max-age
http-snippet	http-snippets
keep-alive	keepalive-timeout
keep-alive-requests	keepalive-requests
load-balance	lb-method
location-snippet	location-snippets
log-format-escape-json	log-format-escaping: “json”
log-format-stream	stream-log-format
log-format-upstream	log-format
main-snippet	main-snippets
max-worker-connections	worker-connections
max-worker-open-files	worker-rlimit-nofile
proxy-body-size	client-max-body-size
proxy-buffering	proxy-buffering
proxy-buffers-number	proxy-buffers: number size
proxy-buffer-size	proxy-buffers: number size
proxy-connect-timeout	proxy-connect-timeout
proxy-read-timeout	proxy-read-timeout
proxy-send-timeout	proxy-send-timeout
server-name-hash-bucket-size	server-names-hash-bucket-size
proxy-headers-hash-max-size	server-names-hash-max-size
server-snippet	server-snippets
_server-tokens _	server-tokens
ssl-ciphers	ssl-ciphers
ssl-dh-param	ssl-dhparam-file
ssl-protocols	ssl-protocols
ssl-redirect	ssl-redirect
upstream-keepalive-connections	keepalive
use-http2	http2
use-proxy-protocol	proxy-protocol
variables-hash-bucket-size	variables-hash-bucket-size
worker-cpu-affinity	worker-cpu-affinity
worker-processes	worker-processes
worker-shutdown-timeout	worker-shutdown-timeole