Product update
Goodbye Ingress NGINX, hello Envoy Gateway
Wodby cluster infrastructure 2.0.0 moves the public edge from Ingress NGINX to Envoy Gateway. New clusters use Envoy Gateway by default, and existing clusters can upgrade from the Wodby dashboard.
Ingress NGINX served us well, but it is no longer the right foundation for Wodby infrastructure. Kubernetes SIG Network and the Security Response Committee announced Ingress NGINX retirement. Best-effort maintenance continued until March 2026, and after that there are no further releases, bug fixes, or security updates.
That upstream retirement gave us a clear reason to move now. At the same time, Wodby's edge layer had already grown past a model based on arbitrary Ingress annotations. We need one consistent way to manage HTTP routes, HTTPS redirects, TCP and UDP published ports, route-level behavior, and future gateway features across Wodby Cloud, managed Kubernetes, and K3S clusters.
Envoy Gateway gives us that foundation through Kubernetes Gateway API resources such as Gateway, HTTPRoute, TCPRoute, and UDPRoute. In Wodby, that shows up as a cleaner endpoint model: routes and ports with explicit settings, instead of a growing list of Ingress NGINX annotations.
How Gateway API replaces the old ingress model
This is not a one-to-one controller swap. Ingress NGINX concentrated routing, TLS, redirects, auth, and controller-specific behavior into an Ingress plus annotations. Envoy Gateway splits those concerns into Gateway API resources and Envoy Gateway policies, so Wodby can expose them as typed route and port settings.
| Ingress NGINX side | Envoy Gateway side | How Wodby uses it |
|---|---|---|
| Ingress NGINX controller and IngressClass | EnvoyProxy, GatewayClass, and Gateway | Wodby installs Envoy Gateway as the edge controller, configures the eg GatewayClass, and creates Gateway listeners for HTTP, HTTPS, TCP, and UDP entrypoints. |
| Ingress resources | Gateway and HTTPRoute | Each Wodby HTTP or HTTPS route now renders a Gateway for the host and an HTTPRoute that matches the route path and forwards traffic to the Kubernetes Service. |
| Ingress TLS sections | Gateway HTTPS listener and TLS Secret | TLS still uses Kubernetes Secrets, including Let's Encrypt certificates, but termination is attached to the Gateway listener instead of an Ingress spec. |
| Redirect annotations and custom redirect snippets | HTTPRoute RequestRedirect filters | Redirects are explicit Wodby routes. Envoy Gateway renders them as HTTPRoute redirects with scheme, host, path, and status code support. |
| Ingress NGINX annotations | Route settings, HTTPRoute filters, and Envoy policies | Settings such as no_index, path_rewrite, session_affinity, and request_body_size become typed Wodby settings rendered as Gateway API filters or Envoy Gateway policies. |
| Basic auth annotations | SecurityPolicy | Wodby HTTP basic auth now renders an Envoy Gateway SecurityPolicy that targets the HTTPRoute instead of adding auth annotations to an Ingress. |
| TCP/UDP publishing through controller configuration | Gateway, TCPRoute, UDPRoute, and ClientTrafficPolicy | Published TCP and UDP ports now get dedicated Gateway listeners and TCPRoute or UDPRoute resources. TCP listener settings render through ClientTrafficPolicy. |
What changes in Wodby
The Endpoints screen now centers on routes for HTTP and HTTPS traffic, and ports for manually published TCP and UDP traffic. Technical routes, custom routes, main and primary route flags, Let's Encrypt certificates, and HTTP basic auth keep the same product intent, but Envoy Gateway clusters render them through Gateway API objects.
Redirects are now first-class routes. A redirect route can set the target scheme, host, path, and status code. Wodby supports 301 and 302 redirects. When omitted, the redirect scheme defaults to https and the status code defaults to 301.
Route settings
Envoy Gateway clusters use predefined route settings instead of free-form ingress annotations. Settings can be configured as app instance defaults or route-specific overrides. New Envoy Gateway app instances default to HTTPS redirect and cookie session affinity, and generated technical routes default to no-index headers.
| Setting | Value | What it controls |
|---|---|---|
| https_redirect | true or false | Redirect HTTP traffic to HTTPS when TLS is enabled. |
| no_index | true or false | Set X-Robots-Tag: noindex, nofollow for generated routes. |
| request_body_size | Size with Ki, Mi, or Gi, for example 64Mi | Limit request body size through Envoy Gateway policy. |
| session_affinity | cookie or header | Keep repeat requests attached to the same backend. |
| path_rewrite | Path starting with / | Rewrite the matched route path before forwarding traffic. |
Port settings
Published TCP ports also get a small, typed settings surface. These settings apply to published TCP ports on Envoy Gateway clusters; unpublished ports and UDP ports are not affected.
| Setting | Value | What it controls |
|---|---|---|
| idle_timeout | Duration such as 30s, 5m, or 1h | Set the TCP idle timeout for a published port. |
| connection_limit | Positive integer | Limit concurrent downstream TCP connections. |
| tcp_keepalive | true or false | Enable TCP keepalive on the published port listener. |
Upgrading existing clusters
Existing clusters can be upgraded from the Wodby dashboard. When you start the infrastructure upgrade, Wodby deploys Envoy Gateway, updates the cluster endpoint, migrates supported ingress settings, redeploys application instances, and then removes the obsolete Ingress NGINX infrastructure after the migration path is complete.
Existing HTTP endpoints are preserved as Wodby routes, and supported Ingress NGINX annotations are translated into the new route setting model:
| Old Ingress NGINX annotation | New route setting |
|---|---|
| affinity: cookie | session_affinity = cookie |
| ssl-redirect or force-ssl-redirect | https_redirect = true or false |
| configuration-snippet with X-Robots-Tag noindex | no_index = true |
| rewrite-target | path_rewrite |
| proxy-body-size | request_body_size |
| affinity-mode: balanced and affinity-canary-behavior: sticky | recognized as legacy cookie-affinity defaults |
Unsupported legacy annotations are left visible for review instead of being silently discarded. That gives teams a clear follow-up list for custom Ingress NGINX behavior that does not have a direct Envoy Gateway route setting.
Infrastructure version 2.0.0
Wodby infrastructure 2.0.0 is the version that replaces Ingress NGINX with Envoy Gateway for public HTTP, HTTPS, TCP, and UDP entrypoints. Infrastructure upgrades are manual today, so existing clusters move when you start the upgrade from the dashboard.
Read the docs
For the current endpoint model, see Apps: Endpoints. For cluster infrastructure versions and upgrades, see Kubernetes cluster infrastructure and Kubernetes cluster updates.