By the end of this you will have the same production traffic that Ingress-NGINX served now flowing through a conformant Gateway API data plane on Envoy Gateway, with every annotation that couldn't translate surfaced and dealt with on purpose instead of lost in a log line. That last part is the whole point: the migration breaks on the annotations nobody checked, not on the YAML you can ask an AI to write.

On November 11, 2025, Kubernetes SIG Network announced that Ingress-NGINX retires in March 2026. No more releases, no bugfixes, and the line that gets a CISO's attention: no security patches. The repos go read-only. Your deployments keep running, but every future CVE in that controller is permanently your problem. This guide moves a real workload off it using ingress2gateway v1.0.0 (released March 20, 2026) to translate manifests, then cuts traffic over without a hard outage.

This is written for platform engineers already running Ingress-NGINX in production. It assumes you know what an Ingress is and skips the conceptual tour.

Prerequisites

A Kubernetes cluster on v1.26+ (the Gateway API v1.5 CRDs require it), with kubectl and cluster-admin.