Skip to content

Add TLS guides for AWS EKS with Ingress and Gateway API #415

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
welteki wants to merge 4 commits into
base: master
Choose a base branch
from

Rewrite TLS for Functions guide to use Gateway API and HTTPRoutes

6cb1c4b
Select commit
Loading
Failed to load commit list.
Open

Add TLS guides for AWS EKS with Ingress and Gateway API #415

Rewrite TLS for Functions guide to use Gateway API and HTTPRoutes
6cb1c4b
Select commit
Loading
Failed to load commit list.
reviewfn / succeeded Apr 2, 2026 in 55s

AI Code Review Results

AI Pull Request Overview

Summary

  • Adds comprehensive TLS guides for AWS EKS using both Ingress and Gateway API approaches
  • Updates existing TLS documentation to use Gateway API instead of legacy ingress-operator for custom function domains
  • Replaces nginx-ingress references with Traefik for consistency in deployment guides
  • Expands timeout configuration documentation to include Traefik specifics
  • Updates local Kind tutorial to use Traefik instead of ingress-nginx

Approval rating (1-10)

8/10 - Strong addition of AWS EKS specific TLS documentation and modernization to Gateway API, with minor inconsistencies to address.

Summary per file

Summary per file
File path Summary
docs/architecture/production.md Updated ingress controller recommendation from nginx to Traefik
docs/deployment/kubernetes.md Changed arkade install example to use Traefik instead of nginx-ingress
docs/reference/tls-functions.md Completely rewrote to use Gateway API instead of ingress-operator for custom domains
docs/reference/tls-openfaas.md Heavily expanded with Gateway API and AWS EKS specific TLS setups
docs/tutorials/expanded-timeouts.md Added Traefik timeout configuration and deprecated nginx-ingress
docs/tutorials/local-kind-ingress.md Updated tutorial to use Traefik instead of ingress-nginx

Overall Assessment

This PR significantly enhances the OpenFaaS documentation by adding detailed AWS EKS TLS configurations and modernizing the approach from traditional Ingress to Kubernetes Gateway API. The Gateway API sections provide comprehensive coverage for both general Envoy Gateway setups and AWS-specific ALB/NLB configurations. The shift from the custom ingress-operator to standard Gateway API resources for custom function domains is a positive modernization. However, there are minor inconsistencies in timeout configurations that should be addressed for consistency and correctness.

Detailed Review

Detailed Review

docs/architecture/production.md

  • The change from recommending nginx to Traefik aligns with the broader documentation updates. No issues noted.

docs/deployment/kubernetes.md

  • Consistent update to reference Traefik in arkade install command and TLS link. Good.

docs/reference/tls-functions.md

  • Complete rewrite from ingress-operator based approach to Gateway API is appropriate for modern Kubernetes deployments.
  • The HTTPRoute configuration correctly uses URLRewrite filters to prepend /function/{name}/ to requests.
  • The workaround for Envoy Gateway's inconsistent ReplacePrefixMatch behavior is correctly implemented with regex-based rewrite.
  • Documentation clearly explains pre-requisites and how the setup works.
  • Multiple function exposure section properly describes adding listeners per function.
  • Verification steps are comprehensive.
  • No major issues, but consider cross-referencing the expanded timeouts guide for the timeouts.request field.

docs/reference/tls-openfaas.md

  • Massive expansion adding Gateway API and AWS EKS sections is valuable.
  • Gateway API with Envoy Gateway section appears technically correct with proper CRD management, cert-manager integration, and resource examples.
  • AWS EKS ALB section correctly uses AWS Load Balancer Controller with Gateway API, including TargetGroupConfiguration for ip target type.
  • AWS EKS NLB section properly configures Envoy Gateway with NLB annotations.
  • Ingress section maintains backward compatibility.
  • Issue: In the ALB HTTPRoute for the gateway (not dashboard), timeouts.request is set to 10s, but this is inconsistent with the Envoy Gateway HTTPRoute which uses 10m. Given that OpenFaaS functions can run longer than 10 seconds, this should be 10m to match the gateway's writeTimeout. The dashboard HTTPRoute correctly uses 10m.
  • cert-manager Gateway API configuration appears correct with enableGatewayAPI=true and gatewayHTTPRoute solver.
  • All YAML examples appear syntactically correct and follow best practices.

docs/tutorials/expanded-timeouts.md

  • Addition of Traefik timeout configuration is helpful and accurate.
  • Deprecation notice for ingress-nginx is appropriate.
  • Clear explanation of client-to-Traefik vs Traefik-to-app timeouts is good.

docs/tutorials/local-kind-ingress.md

  • Update to Traefik is consistent with other changes.
  • Installation instructions are correct.

General

  • The documentation now heavily favors Gateway API over traditional Ingress, which is appropriate for new deployments.
  • AWS EKS coverage is comprehensive and includes both ALB (L7) and NLB (L4) approaches.
  • No security issues identified in the configurations.
  • Consider adding version compatibility notes for Gateway API features, as they require Kubernetes 1.19+.
  • Some sections could benefit from diagrams, but the text explanations are clear.
  • The PR successfully adds the requested AWS EKS TLS guides while modernizing existing content.

AI agent details.

Agent processing time: 49.686s
Environment preparation time: 4.162s
Total time from webhook: 57.998s
View more details on reviewfn