
Gateway API

The Gateway tab is where you manage cluster traffic entry points in Edka. Envoy Gateway is the primary controller for public exposure and wildcard domain routing. MetalLB adds private VIP-backed Gateway classes on the cluster private subnet, and the Cloudflare connector advertises that subnet through Cloudflare Zero Trust so WARP users can reach those private endpoints. The deprecated ingress-nginx controller still runs for existing installs, but new workloads should use Gateway API.

With the Tailscale operator installed, you can create dedicated Envoy Gateway classes to expose your traffic privately into your tailnet.

  • Install and upgrade Envoy Gateway from the cluster Gateway tab.
  • Install MetalLB, Tailscale operator, and the Cloudflare connector from the Gateway add-ons section when you need private VIPs, tailnet exposure, or Cloudflare private routing.
  • Create additional Gateway classes backed by public cloud load balancers, private cloud load balancers, MetalLB private VIPs, or published to your tailnet through Tailscale.
  • Set the default request timeout for managed Envoy Gateway classes.
  • Review the public endpoints or private VIPs assigned to each Gateway class.
  • Inspect aggregate traffic metrics collected from Envoy proxy metrics.

When a cluster has Gateway API controllers available, the Overview tab’s Infrastructure Topology panel surfaces each Gateway class with:

  • The primary endpoints for the primary Gateway class.
  • A compact aggregate traffic readout with requests/s, 5xx, latency, and connections.

This gives you a quick read on public exposure without opening the full Gateway screen.

Edka uses traffic classes to select how workloads are exposed.

  • The primary Envoy Gateway class is named eg.
  • Additional Gateway classes can be created for:
    • dedicated public cloud load balancers
    • dedicated private cloud load balancers
    • MetalLB private VIP endpoints on the cluster private subnet
    • private tailnet traffic exposure with Tailscale tailnet (BYOD)
  • Each class receives its own public IPs or private VIP once provisioning finishes.

Deployments, wildcard domains, and public hostname domains can then target the appropriate traffic class. Single hostname domains require a public Gateway API class.

Envoy Proxy defaults HTTP request timeouts to 15 seconds. Some applications need longer requests for uploads, exports, report generation, or slow upstream work. For managed Envoy Gateway classes, Edka exposes this as a Gateway-class-level setting in Cluster > Gateway.

Open the inline request timeout editor on a Gateway class, enter the number of seconds, and confirm the change. Edka stores the value on the managed Envoy Gateway resources and applies it through a BackendTrafficPolicy targeted at that Gateway class. This makes the timeout a stable class default for Edka-managed routes attached to that class.

Use this setting instead of manually patching Edka-managed HTTPRoute resources. Normal reconciliation can recreate managed routes and discard manual patches, but the Gateway class timeout remains part of the managed Gateway configuration. If you own a custom HTTPRoute and need route-specific behavior, keep that override in the manifest you manage.
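The two resource shapes this section refers to, as an added example that is not Edka's generated configuration: an Envoy Gateway BackendTrafficPolicy that sets a request timeout for routes attached to a Gateway, and a self-managed HTTPRoute that keeps its own route-specific timeout. All names, namespaces, hostnames, and durations are placeholders, and the policy assumes an Envoy Gateway release that supports `targetRefs`.

```yaml
# Added illustration; every name, namespace and value below is a placeholder.
# 1) General shape of an Envoy Gateway BackendTrafficPolicy that sets the
#    HTTP request timeout for routes attached to one Gateway.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: example-class-timeout
  namespace: example-gateway-ns
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: example-gateway
  timeout:
    http:
      requestTimeout: 120s   # Envoy's default is 15s when nothing is set
---
# 2) A custom HTTPRoute you own and version yourself. The longer timeout is
#    scoped to the one path that needs it instead of the whole hostname.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: report-export
  namespace: example-app
spec:
  parentRefs:
    - name: example-gateway
      namespace: example-gateway-ns
  hostnames:
    - reports.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /export
      timeouts:
        request: 300s        # Gateway API per-rule request timeout
      backendRefs:
        - name: report-service
          port: 8080
```

Keeping long timeouts on the narrowest rule that needs them limits how long slow or stalled requests can hold proxy connections open on the rest of the class.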

The Gateway page includes a Gateway add-ons section for the supporting networking components used by private traffic flows:

  • MetalLB allocates private VIPs from the cluster private subnet for Gateway classes and service-level private LoadBalancers.
  • Cloudflare connector advertises that same private subnet through Cloudflare Zero Trust.
  • Tailscale operator publishes selected Gateway classes into your tailnet or exposes workloads directly with the tailscale ingress class.

  • Point DNS records to the primary Gateway API endpoints shown in cluster overview or the full Gateway view.
  • Wildcard domains and single hostname domains are both supported.
  • Use this path for internet-facing workloads and HTTP-01 hostname certificates.

  • Create a Gateway class with exposure mode MetalLB private VIP when you want a private Envoy entry point on the cluster private subnet.
  • Attach a wildcard domain from Domains when you want private DNS names and DNS-01 managed TLS on top of that VIP.
  • Route the cluster private subnet through the Cloudflare connector or your own private network if remote users need access.
  • Public hostname domains are not available on this path because HTTP-01 validation requires public reachability.

  • Create a Gateway class with exposure mode Tailscale tailnet (BYOD) when you want Envoy Gateway routing semantics but private exposure through your tailnet.
  • Envoy stays in-cluster, and the Gateway service is published to your tailnet through the Tailscale operator.
  • Because that traffic class stays private, public Let’s Encrypt HTTP-01 validation is not available on that path. If the operator is not installed yet, the Gateway page shows an install action before you create the class.

NGINX Ingress is deprecated in Edka. Existing Ingress-based workloads continue to run, but should migrate to Gateway API with Envoy Gateway, the standard traffic path for all clusters and deployments. NGINX Ingress will be removed in a future release.