Add TLS guides for AWS EKS with Ingress and Gateway API

[welteki]

Description

Add comprehensive TLS documentation for AWS EKS deployments covering both traditional Ingress and modern Gateway API approaches.

Motivation and Context

• I have raised an issue to propose this change (required)

How Has This Been Tested?

Documentation updates - verified rendering and link structure.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I've read the CONTRIBUTION guide
• I have signed-off my commits with git commit -s

[reviewfn]

AI Pull Request Overview

Summary

• Adds comprehensive TLS guides for AWS EKS using both Ingress and Gateway API approaches
• Updates existing TLS documentation to use Gateway API instead of legacy ingress-operator for custom function domains
• Replaces nginx-ingress references with Traefik for consistency in deployment guides
• Expands timeout configuration documentation to include Traefik specifics
• Updates local Kind tutorial to use Traefik instead of ingress-nginx

Approval rating (1-10)

8/10 - Strong addition of AWS EKS specific TLS documentation and modernization to Gateway API, with minor inconsistencies to address.

Summary per file

Summary per file

File path	Summary
docs/architecture/production.md	Updated ingress controller recommendation from nginx to Traefik
docs/deployment/kubernetes.md	Changed arkade install example to use Traefik instead of nginx-ingress
docs/reference/tls-functions.md	Completely rewrote to use Gateway API instead of ingress-operator for custom domains
docs/reference/tls-openfaas.md	Heavily expanded with Gateway API and AWS EKS specific TLS setups
docs/tutorials/expanded-timeouts.md	Added Traefik timeout configuration and deprecated nginx-ingress
docs/tutorials/local-kind-ingress.md	Updated tutorial to use Traefik instead of ingress-nginx

Overall Assessment

This PR significantly enhances the OpenFaaS documentation by adding detailed AWS EKS TLS configurations and modernizing the approach from traditional Ingress to Kubernetes Gateway API. The Gateway API sections provide comprehensive coverage for both general Envoy Gateway setups and AWS-specific ALB/NLB configurations. The shift from the custom ingress-operator to standard Gateway API resources for custom function domains is a positive modernization. However, there are minor inconsistencies in timeout configurations that should be addressed for consistency and correctness.

Detailed Review

Detailed Review

docs/architecture/production.md

• The change from recommending nginx to Traefik aligns with the broader documentation updates. No issues noted.

docs/deployment/kubernetes.md

• Consistent update to reference Traefik in arkade install command and TLS link. Good.

docs/reference/tls-functions.md

• Complete rewrite from ingress-operator based approach to Gateway API is appropriate for modern Kubernetes deployments.
• The HTTPRoute configuration correctly uses URLRewrite filters to prepend /function/{name}/ to requests.
• The workaround for Envoy Gateway's inconsistent ReplacePrefixMatch behavior is correctly implemented with regex-based rewrite.
• Documentation clearly explains pre-requisites and how the setup works.
• Multiple function exposure section properly describes adding listeners per function.
• Verification steps are comprehensive.
• No major issues, but consider cross-referencing the expanded timeouts guide for the timeouts.request field.

docs/reference/tls-openfaas.md

• Massive expansion adding Gateway API and AWS EKS sections is valuable.
• Gateway API with Envoy Gateway section appears technically correct with proper CRD management, cert-manager integration, and resource examples.
• AWS EKS ALB section correctly uses AWS Load Balancer Controller with Gateway API, including TargetGroupConfiguration for ip target type.
• AWS EKS NLB section properly configures Envoy Gateway with NLB annotations.
• Ingress section maintains backward compatibility.
• Issue: In the ALB HTTPRoute for the gateway (not dashboard), timeouts.request is set to 10s, but this is inconsistent with the Envoy Gateway HTTPRoute which uses 10m. Given that OpenFaaS functions can run longer than 10 seconds, this should be 10m to match the gateway's writeTimeout. The dashboard HTTPRoute correctly uses 10m.
• cert-manager Gateway API configuration appears correct with enableGatewayAPI=true and gatewayHTTPRoute solver.
• All YAML examples appear syntactically correct and follow best practices.

docs/tutorials/expanded-timeouts.md

• Addition of Traefik timeout configuration is helpful and accurate.
• Deprecation notice for ingress-nginx is appropriate.
• Clear explanation of client-to-Traefik vs Traefik-to-app timeouts is good.

docs/tutorials/local-kind-ingress.md

• Update to Traefik is consistent with other changes.
• Installation instructions are correct.

General

• The documentation now heavily favors Gateway API over traditional Ingress, which is appropriate for new deployments.
• AWS EKS coverage is comprehensive and includes both ALB (L7) and NLB (L4) approaches.
• No security issues identified in the configurations.
• Consider adding version compatibility notes for Gateway API features, as they require Kubernetes 1.19+.
• Some sections could benefit from diagrams, but the text explanations are clear.
• The PR successfully adds the requested AWS EKS TLS guides while modernizing existing content.

AI agent details.

Agent processing time: 49.686s
Environment preparation time: 4.162s
Total time from webhook: 57.998s