How To
Summary
Upcoming retirement of Ingress NGINX was announced by Kubernetes. License Service is planned to deliver the capability to use Gateway API instead. However, before a version that contains this functionality is delivered, you can make manual adjustments to use Gateway API with your current version of License Service.
Environment
- Support for Gateway API is introduced in License Service 4.2.21. If you are using this version of License Service, you do not need to follow the procedure that is described in this technote. For more information, see: Enabling the use of Gateway API.
- Gateway API is supported from Kubernetes 1.26.
- Examples that are used in the following procedure assume that:
- License Service is installed in the 'ibm-licensing' namespace.
- The ingress-nginx controller is installed in the 'ingress-nginx' namespace.
If these items are installed in different namespaces in your environments, adjust the examples accordingly.
Steps
- Deploy Gateway API with Envoy Gateway.
- Install Gateway API CRDs. For more information, see: Getting started with Gateway API.
- Install Envoy Gateway from OCI registry, for example by using Helm. See the gateway repository on the Envoy Proxy github project.
Note: If you use the Helm installation, you can skip the CRDs installation during the Envoy deployment because you already deployed CRDs in step 1. You can use the --skip-crds parameter, for example in the Helm execution command.
For information about other installation options, see: Installation.
Create the default GatewayClass on the cluster. Use 'ibm-licensing' as the Envoy name.
cat <<EOF | kubectl apply -f - apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: name: ibm-licensing spec: controllerName: gateway.envoyproxy.io/gatewayclass-controller EOFCreate a ConfigMap for BackendTLSPolicy.
By default, BackendTLSPolicy expects the certificate to be present under the ca.crt key. However, in the existing ConfigMap, the certificate is stored under the crt.pem key.
Create a copy of the new 'ibm-licensing-upload-config' ConfigMap and call it 'ibm-licensing-gateway-api-config'. The new map should contain the certificate under the required ca.crt key.
LIC_NS="ibm-licensing" kubectl get configmap ibm-licensing-upload-config -n "$LIC_NS" -o yaml 2>/dev/null | \ awk '/crt.pem:/{flag=1; next} /^[^ ]/{flag=0} flag{print}' | \ sed 's/^[[:space:]]*//' | \ kubectl create configmap ibm-licensing-gateway-api-config -n "$LIC_NS" \ --from-file=ca.crt=/dev/stdin \ --dry-run=client -o yaml | kubectl apply -f - echo "Verifying CA certificate ConfigMap..." kubectl get configmap ibm-licensing-gateway-api-config -n ibm-licensing -o jsonpath='{.data.ca\.crt}'- Deploy Gateway, HTTPRoute, and BackendTLSPolicy for License Service. Use the following YAMLs to deploy the new resources.
Note: The examples use the default namespace ('ibm-licensing'). If License Service is in a different namespace, adjust namespace definition in the YAML examples.Deploy Gateway deployment.
Note: Adapt the port numbers in the YAML example to the values that you prefer using for external communication.cat <<EOF | kubectl apply -f - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: ibm-licensing-service-gateway namespace: ibm-licensing spec: gatewayClassName: ibm-licensing # must be the same as the one in the GatewayClass listeners: - name: http protocol: HTTP port: 80 allowedRoutes: namespaces: from: All - name: https protocol: HTTPS port: 8080 tls: mode: Terminate certificateRefs: - kind: Secret name: ibm-license-service-cert-internal EOFDeploy HTTPRoute.
cat <<EOF | kubectl apply -f - apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: ibm-licensing-route namespace: ibm-licensing spec: # Attach to your existing Gateway (fill in the actual names) parentRefs: - name: ibm-licensing-service-gateway namespace: ibm-licensing # Optionally pin to HTTPS listener: # sectionName: https rules: - matches: - path: type: PathPrefix value: /ibm-licensing-service-instance filters: - type: URLRewrite urlRewrite: path: type: ReplacePrefixMatch replacePrefixMatch: / backendRefs: - kind: Service name: ibm-licensing-service-instance port: 8080 EOFDeploy BackendTLSPolicy.
cat <<EOF | kubectl apply -f - apiVersion: gateway.networking.k8s.io/v1 kind: BackendTLSPolicy metadata: name: licensing-backend-tls namespace: ibm-licensing spec: targetRefs: - group: "" kind: Service name: ibm-licensing-service-instance validation: hostname: ibm-licensing-service-instance.ibm-licensing.svc.cluster.local caCertificateRefs: - group: "" kind: ConfigMap name: ibm-licensing-gateway-api-config EOF
Validate the installation. Check whether:
- A new namespace for Envoy (for example, 'envoy-gateway-system') with GatewayClass is created. For other validation points, see: Testing the configuration.
- Gateway, HTTPRoute, and BackendTLSPolicy exist.
Retrieve the new host name. To retrieve the new host name from the Gateway created in the 'ibm-licensing' namespace, run the following command.
LIC_NS="ibm-licensing" kubectl get gateway ibm-licensing-service-gateway -n "$LIC_NS" -o jsonpath='{.status.addresses[?(@.type=="Hostname")].value}{"\n"}'- Optional: Delete the old ingress-nginx controller. Perform this step only if the controller is not used by other applications.
If Helm was used to install the ingress-nginx controller, use the following command:
helm uninstall ingress-nginx --namespace ingress-nginx kubectl delete namespace ingress-nginxAlternatively, delete the existing resources from the ingress-nginx namespace. Then, delete the namespace.
- Test again whether the route from step 6 is working.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
10 April 2026
UID
ibm17260641