Cloud Native GitLab: Move from NGINX Ingress to Gateway API
## Summary
Cloud Native GitLab uses NGINX Ingress to expose GitLab via HTTP(S) and SSH (for Git). NGINX Ingress was announced to be retired in March 2026. After this date, no bug or security fixes will be available for NGINX Ingress.
>>>
Best-effort maintenance will continue until March 2026. Afterward, there will be no further releases, no bugfixes, and no updates to resolve any security vulnerabilities that may be discovered. Existing deployments of Ingress NGINX will continue to function and installation artifacts will remain available. We recommend migrating to one of the many alternatives. Consider migrating to Gateway API, the modern replacement for Ingress.
>>>
https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/
Gateway API is a Kubernetes project focused on superseding the Ingress API and has been GA since [October 2023](https://kubernetes.io/blog/2023/10/31/gateway-api-ga/).
To accommodate the sudden retirement of NGINX Ingress, Cloud Native GitLab should support Gateway API and make it the new default. Cloud Native GitLab can continue to support Ingress, but should not ship/enable a deprecated Ingress controller (like NGINX Ingress) by default.
### **WiP** Roadmap
#### Stage 1: Initial Gateway API support
* [x] Initial support for Gateway API in GitLab chart
* [x] Basic validation of Gateway API with QA in CI
* [x] Certificate automation with cert-manager.
* [x] Decide if we should bundle a Gateway API controller (e.g. Envoy Gateway)
#### Stage 2: NGINX Ingress Deprecation and full Gateway support
* [x] Support and validation of Gateway API in advanced scenarios like:
  * [x] [Multiple webservice deployments](https://docs.gitlab.com/charts/charts/gitlab/webservice/#deployments-settings).
  * [x] [Smartcard traffic](https://docs.gitlab.com/administration/auth/smartcard/).
  * [x] GitLab Geo
  * [x] gRPC for KAS (see https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/issues/766)
* [x] Support Gateway API with GitLab Operator
* [x] Document transition from (NGINX) Ingress to Gateway API
* [x] Announce GitLab's deprecation of NGINX Ingress
* [ ] Assist GitLab owned infrastructure to migrate to Gateway API
* [x] Investigate FIPS options (Dedicated for Gov)
* [ ] Assist migrating .com infrastructure
* [ ] Assist migrating Dedicated infrastructure
#### Stage 3: Make Gateway API the default
* [ ] Change Cloud Native GitLab to default to Gateway API.
* [ ] Drop all bundled Ingress controllers (NGINX, HAProxy, Traefik)
### References
* NGINX Ingress retirement: https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/
* https://gitlab.com/gitlab-com/gl-infra/software-delivery/operate/team-tasks/-/issues/13+
* Gateway API docs: https://gateway-api.sigs.k8s.io/
### Notes
* .com mainly uses HAProxy and only a portion of the traffic goes through NGINX Ingress: https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/4637#note_2912169290
* Rollout to .com should be evaluated in `preprod`, whose networking is very similar to gstg and prod: https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/4637#note_2912868937
* Dedicated uses NGINX Ingress only: https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/4637#note_2913610109
---
<!-- STATUS NOTE START -->
## Status 2026-03-31
:clock1: **total hours spent this week by all contributors**: 38
_Note: This update covers the past two weeks as I forgot to hit send on the previous week's update._
:tada: **achievements**:
* Last MR blocking GET integration has merged.
* GET integration is ready for review.
* KAS can now be exposed via gRPC in an Envoy Gateway setup.
* Smartcard support tested and merged into both Rails and charts.
* Final NGINX Ingress patch tested and applied into GitLab chart and Operator. That project is now officially retired.
:arrow_forward: **next**:
* Complete GET work, which is the last major piece of work for this epic.
* Coordinate and implement new requirements specific to Dedicated for Gov.
_Copied from https://gitlab.com/groups/gitlab-com/gl-infra/software-delivery/operate/-/epics/5#note_3205763415_
<!-- STATUS NOTE END -->