Description
The gateway-helm chart hardcodes experimental Gateway API CRDs in crds/gatewayapi-crds.yaml
with no values flag to disable or filter them. This is problematic for clusters that enforce
standard-channel-only Gateway API CRDs via policy.
Environment
- Chart:
oci://docker.io/envoyproxy/gateway-helm:1.7.1
- Separate CRD chart:
oci://docker.io/envoyproxy/gateway-crds-helm:1.7.1
Problem
gateway-crds-helm correctly supports crds.gatewayAPI.channel: standard to install only
standard channel CRDs. However, gateway-helm independently bundles experimental CRDs
unconditionally in its crds/ directory:
tcproutes.gateway.networking.k8s.iotlsroutes.gateway.networking.k8s.ioudproutes.gateway.networking.k8s.io
These are not controlled by any Helm values. Setting crds.gatewayAPI.enabled: false
or crds.gatewayAPI.channel: standard in gateway-helm values has no effect on the
contents of the crds/ directory.
Use Case
Many organizations (especially on GKE) enforce a ValidatingAdmissionPolicy that blocks
experimental Gateway API CRDs cluster-wide. The recommended pattern is to:
- Install CRDs separately using
gateway-crds-helm with channel: standard
- Install the controller using
gateway-helm with CRDs skipped
Step 2 is currently impossible because gateway-helm always bundles experimental CRDs
in crds/ regardless of values, and there is no supported mechanism to exclude specific
CRDs from the crds/ directory at sync time.
Expected behavior
gateway-helm should respect the same crds.gatewayAPI.channel values flag that
gateway-crds-helm supports, and should not bundle experimental CRDs in crds/ when
channel: standard is set — or at minimum when crds.gatewayAPI.enabled: false is set.
Suggested Fix
Either:
- Move the Gateway API CRDs from the static
crds/ directory into a templated
templates/ structure that respects crds.gatewayAPI.channel and crds.gatewayAPI.enabled
- Or split the
crds/ directory into crds/standard/ and crds/experimental/ and
only include the appropriate set based on the channel value
Workaround
If you are facing the same issue and have found a workaround, please share it here.
We have tried the following without success:
SkipCrds=true in ArgoCD syncOptions — CRDs in crds/ are still applied for OCI chartscrds.gatewayAPI.enabled: false in values — no effect on crds/ directorycrds.gatewayAPI.channel: standard in values — no effect on crds/ directoryignoreDifferences in ArgoCD — only suppresses drift, does not prevent creation attemptsresource.exclusions in ArgoCD argocd-cm — names field is not supported,
making it impossible to exclude specific CRDs without excluding all CRDs of that kind
The only known solutions are:
- Manually patch the chart to remove the experimental CRDs and host it in a private registry
- Use a global
resource.exclusions in ArgoCD that excludes ALL CRDs on target clusters (too broad)
Neither is acceptable for production use. Is there a supported way to install
gateway-helm on a cluster that enforces standard-channel-only Gateway API CRDs?
Description
The
gateway-helmchart hardcodes experimental Gateway API CRDs incrds/gatewayapi-crds.yamlwith no values flag to disable or filter them. This is problematic for clusters that enforce
standard-channel-only Gateway API CRDs via policy.
Environment
oci://docker.io/envoyproxy/gateway-helm:1.7.1oci://docker.io/envoyproxy/gateway-crds-helm:1.7.1Problem
gateway-crds-helmcorrectly supportscrds.gatewayAPI.channel: standardto install onlystandard channel CRDs. However,
gateway-helmindependently bundles experimental CRDsunconditionally in its
crds/directory:tcproutes.gateway.networking.k8s.iotlsroutes.gateway.networking.k8s.ioudproutes.gateway.networking.k8s.ioThese are not controlled by any Helm values. Setting
crds.gatewayAPI.enabled: falseor
crds.gatewayAPI.channel: standardingateway-helmvalues has no effect on thecontents of the
crds/directory.Use Case
Many organizations (especially on GKE) enforce a
ValidatingAdmissionPolicythat blocksexperimental Gateway API CRDs cluster-wide. The recommended pattern is to:
gateway-crds-helmwithchannel: standardgateway-helmwith CRDs skippedStep 2 is currently impossible because
gateway-helmalways bundles experimental CRDsin
crds/regardless of values, and there is no supported mechanism to exclude specificCRDs from the
crds/directory at sync time.Expected behavior
gateway-helmshould respect the samecrds.gatewayAPI.channelvalues flag thatgateway-crds-helmsupports, and should not bundle experimental CRDs incrds/whenchannel: standardis set — or at minimum whencrds.gatewayAPI.enabled: falseis set.Suggested Fix
Either:
crds/directory into a templatedtemplates/structure that respectscrds.gatewayAPI.channelandcrds.gatewayAPI.enabledcrds/directory intocrds/standard/andcrds/experimental/andonly include the appropriate set based on the channel value
Workaround
If you are facing the same issue and have found a workaround, please share it here.
We have tried the following without success:
SkipCrds=truein ArgoCD syncOptions — CRDs incrds/are still applied for OCI chartscrds.gatewayAPI.enabled: falsein values — no effect oncrds/directorycrds.gatewayAPI.channel: standardin values — no effect oncrds/directoryignoreDifferencesin ArgoCD — only suppresses drift, does not prevent creation attemptsresource.exclusionsin ArgoCDargocd-cm—namesfield is not supported,making it impossible to exclude specific CRDs without excluding all CRDs of that kind
The only known solutions are:
resource.exclusionsin ArgoCD that excludes ALL CRDs on target clusters (too broad)Neither is acceptable for production use. Is there a supported way to install
gateway-helmon a cluster that enforces standard-channel-only Gateway API CRDs?