From 2e6eed95fa8dd255f0886e5ca0b69c273facbe1b Mon Sep 17 00:00:00 2001 From: jukie <10012479+Jukie@users.noreply.github.com> Date: Mon, 16 Feb 2026 16:56:38 -0700 Subject: [PATCH 1/6] Use sub-chart for CRDs to reduce chart size 
Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --- charts/gateway-helm/Chart.lock | 6 ++++++ charts/gateway-helm/Chart.yaml | 5 +++++ charts/gateway-helm/README.md | 7 +++++++ charts/gateway-helm/charts/crds/Chart.yaml | 6 ++++++ .../crds}/crds/gatewayapi-crds.yaml | 0 .../gateway.envoyproxy.io_backends.yaml | 0 ...y.envoyproxy.io_backendtrafficpolicies.yaml | 0 ...ay.envoyproxy.io_clienttrafficpolicies.yaml | 0 ...y.envoyproxy.io_envoyextensionpolicies.yaml | 0 ...teway.envoyproxy.io_envoypatchpolicies.yaml | 0 .../gateway.envoyproxy.io_envoyproxies.yaml | 0 ...gateway.envoyproxy.io_httproutefilters.yaml | 0 ...gateway.envoyproxy.io_securitypolicies.yaml | 0 charts/gateway-helm/values.tmpl.yaml | 3 +++ embed.go | 18 +++++++++--------- .../provider/kubernetes/kubernetes_test.go | 4 ++-- internal/utils/helm/package.go | 11 ++++++++--- .../en/latest/install/gateway-helm-api.md | 7 +++++++ site/content/en/latest/install/install-yaml.md | 12 +++++++----- test/cel-validation/main_test.go | 2 +- tools/make/kube.mk | 16 ++++++++++++---- 21 files changed, 73 insertions(+), 24 deletions(-) create mode 100644 charts/gateway-helm/Chart.lock create mode 100644 charts/gateway-helm/charts/crds/Chart.yaml rename charts/gateway-helm/{ => charts/crds}/crds/gatewayapi-crds.yaml (100%) rename charts/gateway-helm/{ => charts/crds}/crds/generated/gateway.envoyproxy.io_backends.yaml (100%) rename charts/gateway-helm/{ => charts/crds}/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml (100%) rename charts/gateway-helm/{ => charts/crds}/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml (100%) rename charts/gateway-helm/{ => charts/crds}/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml (100%) rename charts/gateway-helm/{ => charts/crds}/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml (100%) rename charts/gateway-helm/{ => charts/crds}/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml (100%) rename 
charts/gateway-helm/{ => charts/crds}/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml (100%) rename charts/gateway-helm/{ => charts/crds}/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml (100%) diff --git a/charts/gateway-helm/Chart.lock b/charts/gateway-helm/Chart.lock new file mode 100644 index 0000000000..0a9eda9661 --- /dev/null +++ b/charts/gateway-helm/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: crds + repository: "" + version: 0.0.0 +digest: sha256:16cbbceffe2a6946ae7cbb20b5a8313267bc77f4669caba20fffb3ff64a773a6 +generated: "2026-02-16T16:35:44.801809-07:00" diff --git a/charts/gateway-helm/Chart.yaml b/charts/gateway-helm/Chart.yaml index f29f1384f0..13b7263561 100644 --- a/charts/gateway-helm/Chart.yaml +++ b/charts/gateway-helm/Chart.yaml @@ -23,3 +23,8 @@ home: https://gateway.envoyproxy.io/ sources: - https://github.com/envoyproxy/gateway + +dependencies: + - name: crds + version: "0.0.0" + condition: crds.enabled diff --git a/charts/gateway-helm/README.md b/charts/gateway-helm/README.md index 19dc527bb8..417809dd56 100644 --- a/charts/gateway-helm/README.md +++ b/charts/gateway-helm/README.md @@ -17,6 +17,12 @@ The Helm chart for Envoy Gateway * +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| | crds | 0.0.0 | + ## Usage [Helm](https://helm.sh) must be installed to use the charts. 
@@ -62,6 +68,7 @@ helm uninstall eg -n envoy-gateway-system | certgen | object | `{"job":{"affinity":{},"annotations":{},"args":[],"nodeSelector":{},"pod":{"annotations":{},"labels":{}},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | | commonLabels | object | `{}` | Labels to apply to all resources | | config.envoyGateway | object | `{"extensionApis":{},"gateway":{"controllerName":"gateway.envoyproxy.io/gatewayclass-controller"},"logging":{"level":{"default":"info"}},"provider":{"type":"Kubernetes"}}` | EnvoyGateway configuration. Visit https://gateway.envoyproxy.io/docs/api/extension_types/#envoygateway to view all options. | +| crds.enabled | bool | `true` | | | createNamespace | bool | `false` | | | deployment.annotations | object | `{}` | | | deployment.envoyGateway.image.repository | string | `""` | | diff --git a/charts/gateway-helm/charts/crds/Chart.yaml b/charts/gateway-helm/charts/crds/Chart.yaml new file mode 100644 index 0000000000..d5f2790e52 --- /dev/null +++ b/charts/gateway-helm/charts/crds/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +name: crds +description: Envoy Gateway and Gateway API CRDs +type: application +version: 0.0.0 +appVersion: "0.0.0" 
diff --git a/charts/gateway-helm/crds/gatewayapi-crds.yaml b/charts/gateway-helm/charts/crds/crds/gatewayapi-crds.yaml similarity index 100% rename from charts/gateway-helm/crds/gatewayapi-crds.yaml rename to charts/gateway-helm/charts/crds/crds/gatewayapi-crds.yaml diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml b/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_backends.yaml similarity index 100% rename from charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml rename to charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_backends.yaml diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml similarity index 100% rename from charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml rename to charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml similarity index 100% rename from charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml rename to charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml similarity index 100% rename from charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml rename to charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml 
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml b/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml similarity index 100% rename from charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml rename to charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml similarity index 100% rename from charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml rename to charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml b/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml similarity index 100% rename from charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml rename to charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml similarity index 100% rename from charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml rename to charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml index 874ab0b780..da970c7510 100644 --- a/charts/gateway-helm/values.tmpl.yaml +++ b/charts/gateway-helm/values.tmpl.yaml @@ -148,3 +148,6 @@ certgen: topologyInjector: enabled: true annotations: {} + +crds: + enabled: true diff --git a/embed.go b/embed.go index 97f2e3bf54..f27ceda620 100644 --- a/embed.go +++ b/embed.go 
@@ -11,31 +11,31 @@ import ( ) var ( - //go:embed charts/gateway-helm/crds/gatewayapi-crds.yaml + //go:embed charts/gateway-helm/charts/crds/crds/gatewayapi-crds.yaml gatewayAPICRDs []byte - //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml + //go:embed charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_backends.yaml backendCRD []byte - //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml + //go:embed charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml backendTrafficPolicyCRD []byte - //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml + //go:embed charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml clientTrafficPolicyCRD []byte - //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml + //go:embed charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml envoyExtensionPolicyCRD []byte - //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml + //go:embed charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml envoyPatchPolicyCRD []byte - //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml + //go:embed charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml envoyProxyCRD []byte - //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml + //go:embed charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml httpRouteFilterCRD []byte - //go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml + //go:embed charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml securityPolicyCRD []byte ) 
diff --git a/internal/provider/kubernetes/kubernetes_test.go b/internal/provider/kubernetes/kubernetes_test.go index e5913fd806..c8ccb9bb50 100644 --- a/internal/provider/kubernetes/kubernetes_test.go +++ b/internal/provider/kubernetes/kubernetes_test.go @@ -110,8 +110,8 @@ func TestProvider(t *testing.T) { func startEnv() (*envtest.Environment, *rest.Config, error) { log.SetLogger(zap.New(zap.WriteTo(os.Stderr), zap.UseDevMode(true))) - gwAPIs := filepath.Join("..", "..", "..", "charts", "gateway-helm", "crds", "gatewayapi-crds.yaml") - egAPIs := filepath.Join("..", "..", "..", "charts", "gateway-helm", "crds", "generated") + gwAPIs := filepath.Join("..", "..", "..", "charts", "gateway-helm", "charts", "crds", "crds", "gatewayapi-crds.yaml") + egAPIs := filepath.Join("..", "..", "..", "charts", "gateway-helm", "charts", "crds", "crds", "generated") mcsAPIs := filepath.Join(".", "testdata", "crds", "multicluster-svc.yaml") env := &envtest.Environment{ diff --git a/internal/utils/helm/package.go b/internal/utils/helm/package.go index 11a2af4dae..88ab4b7487 100644 --- a/internal/utils/helm/package.go +++ b/internal/utils/helm/package.go @@ -180,11 +180,16 @@ func (pt *PackageTool) loadChart(opts *PackageOptions) (*chart.Chart, error) { return egChart, nil } -// extractCRDs Extract the CRDs part of the chart +// extractCRDs Extract the CRDs part of the chart and its sub-charts func (pt *PackageTool) extractCRDs(ch *chart.Chart) ([]*resource.Info, error) { - crdResInfo := make([]*resource.Info, 0, len(ch.CRDObjects())) + allCRDs := ch.CRDObjects() + for _, dep := range ch.Dependencies() { + allCRDs = append(allCRDs, dep.CRDObjects()...) + } + + crdResInfo := make([]*resource.Info, 0, len(allCRDs)) - for _, crd := range ch.CRDObjects() { + for _, crd := range allCRDs { resInfo, err := pt.actionConfig.KubeClient.Build(bytes.NewBufferString(string(crd.File.Data)), false) if err != nil { return nil, err 
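Review bot: In extractCRDs, the new loop over `ch.Dependencies()` may add every sub-chart CRD a second time. Upstream Helm v3 documents `Chart.CRDObjects()` as returning the CRDs of a chart and its subcharts, and it already walks the dependencies itself; please confirm this against the Helm version vendored here. If that holds, `allCRDs := ch.CRDObjects()` is sufficient and the loop should be dropped, otherwise each CRD is passed to `KubeClient.Build` twice and the returned slice carries duplicates. If the loop stays, it covers direct dependencies only, which the doc comment should say, e.g. `// extractCRDs extracts the CRDs of the chart and of its direct sub-charts.` The function body continues outside the hunk.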
diff --git a/site/content/en/latest/install/gateway-helm-api.md b/site/content/en/latest/install/gateway-helm-api.md index bd9526e9d2..e65cdd41a8 100644 --- a/site/content/en/latest/install/gateway-helm-api.md +++ b/site/content/en/latest/install/gateway-helm-api.md @@ -19,6 +19,12 @@ The Helm chart for Envoy Gateway * +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| | crds | 0.0.0 | + ## Values | Key | Type | Default | Description | @@ -26,6 +32,7 @@ The Helm chart for Envoy Gateway | certgen | object | `{"job":{"affinity":{},"annotations":{},"args":[],"nodeSelector":{},"pod":{"annotations":{},"labels":{}},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | | commonLabels | object | `{}` | Labels to apply to all resources | | config.envoyGateway | object | `{"extensionApis":{},"gateway":{"controllerName":"gateway.envoyproxy.io/gatewayclass-controller"},"logging":{"level":{"default":"info"}},"provider":{"type":"Kubernetes"}}` | EnvoyGateway configuration. Visit https://gateway.envoyproxy.io/docs/api/extension_types/#envoygateway to view all options. | +| crds.enabled | bool | `true` | | | createNamespace | bool | `false` | | | deployment.annotations | object | `{}` | | | deployment.envoyGateway.image.repository | string | `""` | | 
diff --git a/site/content/en/latest/install/install-yaml.md b/site/content/en/latest/install/install-yaml.md index 4e8b7921d9..f04a026f2e 100644 --- a/site/content/en/latest/install/install-yaml.md +++ b/site/content/en/latest/install/install-yaml.md @@ -36,15 +36,17 @@ Some manual migration steps are required to upgrade Envoy Gateway. 1. Update Gateway-API and Envoy Gateway CRDs: ```shell -helm pull oci://docker.io/envoyproxy/gateway-helm --version {{< yaml-version >}} --untar -kubectl apply --force-conflicts --server-side -f ./gateway-helm/crds/gatewayapi-crds.yaml -kubectl apply --force-conflicts --server-side -f ./gateway-helm/crds/generated +helm template eg-crds oci://docker.io/envoyproxy/gateway-crds-helm \ + --version {{< yaml-version >}} \ + --set crds.gatewayAPI.enabled=true \ + --set crds.envoyGateway.enabled=true \ + | kubectl apply --force-conflicts --server-side -f - ``` -2. Install Envoy Gateway {{< yaml-version >}}: +2. Upgrade Envoy Gateway: ```shell -helm upgrade eg oci://docker.io/envoyproxy/gateway-helm --version {{< yaml-version >}} -n envoy-gateway-system +helm upgrade eg oci://docker.io/envoyproxy/gateway-helm --version {{< yaml-version >}} -n envoy-gateway-system --skip-crds ``` {{< boilerplate open-ports >}} diff --git a/test/cel-validation/main_test.go b/test/cel-validation/main_test.go index dd6f4d39fa..ac8cee31e3 100644 --- a/test/cel-validation/main_test.go +++ b/test/cel-validation/main_test.go @@ -55,7 +55,7 @@ func runTest(m *testing.M) int { func startEnv() (*envtest.Environment, *rest.Config, error) { log.SetLogger(zap.New(zap.WriteTo(os.Stderr), zap.UseDevMode(true))) - egAPIs := filepath.Join("..", "..", "charts", "gateway-helm", "crds", "generated") + egAPIs := filepath.Join("..", "..", "charts", "gateway-helm", "charts", "crds", "crds", "generated") env := &envtest.Environment{ CRDDirectoryPaths: []string{egAPIs}, diff --git a/tools/make/kube.mk b/tools/make/kube.mk index dc54dfd726..1bad5334b3 100644 --- a/tools/make/kube.mk 
+++ b/tools/make/kube.mk @@ -86,8 +86,9 @@ endif .PHONY: manifests manifests: generate-gwapi-manifests ## Generate WebhookConfiguration and CustomResourceDefinition objects. @$(LOG_TARGET) - $(GO_TOOL) controller-gen crd:allowDangerousTypes=true paths="./api/..." output:crd:artifacts:config=charts/gateway-helm/crds/generated @mkdir -p charts/gateway-helm/templates/generated + @mkdir -p charts/gateway-helm/charts/crds/crds/generated + $(GO_TOOL) controller-gen crd:allowDangerousTypes=true paths="./api/..." output:crd:artifacts:config=charts/gateway-helm/charts/crds/crds/generated $(GO_TOOL) controller-gen crd:allowDangerousTypes=true paths="./api/..." output:crd:artifacts:config=charts/gateway-crds-helm/templates/generated @for file in charts/gateway-crds-helm/templates/generated/*.yaml; do \ sed -i.bak '1s/^/{{- if .Values.crds.envoyGateway.enabled }}\n/' $$file && \ @@ -102,7 +103,8 @@ generate-gwapi-manifests: ## Generate Gateway API manifests and make it consiste @mkdir -p $(OUTPUT_DIR)/ @curl -sLo $(OUTPUT_DIR)/experimental-gatewayapi-crds.yaml ${EXPERIMENTAL_GATEWAY_API_RELEASE_URL} @curl -sLo $(OUTPUT_DIR)/standard-gatewayapi-crds.yaml ${STANDARD_GATEWAY_API_RELEASE_URL} - cp $(OUTPUT_DIR)/experimental-gatewayapi-crds.yaml charts/gateway-helm/crds/gatewayapi-crds.yaml + @mkdir -p charts/gateway-helm/charts/crds/crds + cp $(OUTPUT_DIR)/experimental-gatewayapi-crds.yaml charts/gateway-helm/charts/crds/crds/gatewayapi-crds.yaml @sed -i.bak '1s/^/{{- if and .Values.crds.gatewayAPI.enabled (eq .Values.crds.gatewayAPI.channel "standard") }}\n/' $(OUTPUT_DIR)/standard-gatewayapi-crds.yaml && \ echo '{{- end }}' >> $(OUTPUT_DIR)/standard-gatewayapi-crds.yaml && \ sed -i.bak '1s/^/{{- if and .Values.crds.gatewayAPI.enabled (or (eq .Values.crds.gatewayAPI.channel "experimental") (eq .Values.crds.gatewayAPI.channel "")) }}\n/' $(OUTPUT_DIR)/experimental-gatewayapi-crds.yaml && \ 
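Review bot: In generate-gwapi-manifests, the new `cp` copies whatever `curl -sLo` wrote into charts/gateway-helm/charts/crds/crds/gatewayapi-crds.yaml, a file that embed.go compiles into the binary and that the chart ships as cluster-scoped CRDs. The download on the context lines has no `-f`, so an HTTP error body would be saved and copied without failing the target, and nothing checks the content before it enters the chart. Consider `curl -fsSLo` for both downloads and a checksum gate before the copy, for example `echo "<EXPECTED_SHA256>  $(OUTPUT_DIR)/experimental-gatewayapi-crds.yaml" | sha256sum -c -` with the digest pinned next to the release URL variable. The recipe continues outside the hunk.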
@@ -406,11 +408,17 @@ generate-manifests: helm-generate.gateway-helm ## Generate Kubernetes release ma @$(LOG_TARGET) @$(call log, "Generating kubernetes manifests") mkdir -p $(OUTPUT_DIR)/ - $(GO_TOOL) helm template --set createNamespace=true eg charts/gateway-helm --include-crds --namespace envoy-gateway-system > $(OUTPUT_DIR)/install.yaml + $(GO_TOOL) helm template eg-crds charts/gateway-crds-helm \ + --set crds.gatewayAPI.enabled=true \ + --set crds.envoyGateway.enabled=true \ + > $(OUTPUT_DIR)/install.yaml + $(GO_TOOL) helm template --set createNamespace=true eg charts/gateway-helm --namespace envoy-gateway-system >> $(OUTPUT_DIR)/install.yaml @$(call log, "Added: $(OUTPUT_DIR)/install.yaml") cp examples/kubernetes/quickstart.yaml $(OUTPUT_DIR)/quickstart.yaml @$(call log, "Added: $(OUTPUT_DIR)/quickstart.yaml") - cat charts/gateway-helm/crds/generated/* >> $(OUTPUT_DIR)/envoy-gateway-crds.yaml + $(GO_TOOL) helm template eg-crds charts/gateway-crds-helm \ + --set crds.envoyGateway.enabled=true \ + > $(OUTPUT_DIR)/envoy-gateway-crds.yaml @$(call log, "Added: $(OUTPUT_DIR)/envoy-gateway-crds.yaml") .PHONY: generate-artifacts From 3139fde8fda1b3439e801a7453cd43a437ed99ee Mon Sep 17 00:00:00 2001 From: jukie <10012479+Jukie@users.noreply.github.com> Date: Mon, 16 Feb 2026 17:29:23 -0700 Subject: [PATCH 2/6] remove split install Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --- tools/make/kube.mk | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/tools/make/kube.mk b/tools/make/kube.mk index 1bad5334b3..ad1394a78f 100644 --- a/tools/make/kube.mk +++ b/tools/make/kube.mk 
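Review bot: In generate-manifests, install.yaml now takes its CRDs from `helm template eg-crds charts/gateway-crds-helm` instead of `--include-crds`, so the Gateway API channel that ends up in the release manifest depends on that chart's default for `crds.gatewayAPI.channel`, which is not visible in this patch. The previous path always shipped the experimental CRDs copied into gateway-helm; to keep that explicit, add `--set crds.gatewayAPI.channel=experimental \` to the first invocation. Because the file is written with `>` and then appended with `>>`, a short comment such as `# CRDs must be rendered first so they precede the resources that use them` would make the ordering intent clear.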
@@ -174,35 +174,21 @@ endif .PHONY: kube-deploy kube-deploy: manifests helm-generate ## Install Envoy Gateway into the Kubernetes cluster specified in ~/.kube/config. @$(LOG_TARGET) - # Install CRDs using helm template to avoid 1MB secret size limit - $(GO_TOOL) helm template eg-crds charts/gateway-crds-helm \ - --set crds.gatewayAPI.enabled=true \ - --set crds.envoyGateway.enabled=true \ - | kubectl apply --server-side -f - - # Install Envoy Gateway without CRDs $(GO_TOOL) helm install eg charts/gateway-helm \ --set deployment.envoyGateway.imagePullPolicy=$(IMAGE_PULL_POLICY) \ -n envoy-gateway-system --create-namespace \ --debug --timeout='$(WAIT_TIMEOUT)' \ --wait --wait-for-jobs \ - --skip-crds \ -f $(KUBE_DEPLOY_HELM_VALUES_FILE) .PHONY: kube-deploy-for-benchmark-test kube-deploy-for-benchmark-test: manifests helm-generate ## Install Envoy Gateway and prometheus-server for benchmark test purpose only. @$(LOG_TARGET) - # Install CRDs using helm template to avoid 1MB secret size limit - $(GO_TOOL) helm template eg-crds charts/gateway-crds-helm \ - --set crds.gatewayAPI.enabled=true \ - --set crds.envoyGateway.enabled=true \ - | kubectl apply --server-side -f - - # Install Envoy Gateway $(GO_TOOL) helm install eg charts/gateway-helm --set deployment.envoyGateway.imagePullPolicy=$(IMAGE_PULL_POLICY) \ --set deployment.envoyGateway.resources.limits.cpu=$(BENCHMARK_CPU_LIMITS) \ --set deployment.envoyGateway.resources.limits.memory=$(BENCHMARK_MEMORY_LIMITS) \ --set config.envoyGateway.admin.enablePprof=true \ - -n envoy-gateway-system --create-namespace --debug --timeout='$(WAIT_TIMEOUT)' --wait --wait-for-jobs \ - --skip-crds + -n envoy-gateway-system --create-namespace --debug --timeout='$(WAIT_TIMEOUT)' --wait --wait-for-jobs # Install Prometheus-server only $(GO_TOOL) helm install eg-addons charts/gateway-addons-helm --set loki.enabled=false \ --set tempo.enabled=false \ From a4465ba46b8c65de73f042ad14322640a0492544 Mon Sep 17 00:00:00 2001 
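Review bot: With the `kubectl apply --server-side` step removed, kube-deploy and kube-deploy-for-benchmark-test rely on Helm's `crds/` handling, which creates CRDs that are absent and does not update ones that already exist. On a cluster that still carries older Gateway API or Envoy Gateway CRDs, `helm install` would leave them stale without reporting an error, whereas the removed step brought them up to date. If these targets are expected to work against a reused cluster, keep a CRD apply step; otherwise document the limitation above the install line, e.g. `# CRDs come from the crds sub-chart; Helm does not update CRDs that already exist`.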
From: jukie <10012479+Jukie@users.noreply.github.com> Date: Mon, 16 Feb 2026 17:49:31 -0700 Subject: [PATCH 3/6] cleanup Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --- site/content/en/latest/install/install-yaml.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/en/latest/install/install-yaml.md b/site/content/en/latest/install/install-yaml.md index f04a026f2e..7343490faa 100644 --- a/site/content/en/latest/install/install-yaml.md +++ b/site/content/en/latest/install/install-yaml.md @@ -46,7 +46,7 @@ helm template eg-crds oci://docker.io/envoyproxy/gateway-crds-helm \ 2. Upgrade Envoy Gateway: ```shell -helm upgrade eg oci://docker.io/envoyproxy/gateway-helm --version {{< yaml-version >}} -n envoy-gateway-system --skip-crds +helm upgrade eg oci://docker.io/envoyproxy/gateway-helm --version {{< yaml-version >}} -n envoy-gateway-system ``` {{< boilerplate open-ports >}} From 3fc533d07396951a8a19614f19111acd4e13062b Mon Sep 17 00:00:00 2001 From: jukie <10012479+Jukie@users.noreply.github.com> Date: Mon, 16 Feb 2026 17:54:23 -0700 Subject: [PATCH 4/6] Docs cleanup Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --- site/content/en/latest/install/install-yaml.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/en/latest/install/install-yaml.md b/site/content/en/latest/install/install-yaml.md index 7343490faa..71bbab53fd 100644 --- a/site/content/en/latest/install/install-yaml.md +++ b/site/content/en/latest/install/install-yaml.md @@ -43,7 +43,7 @@ helm template eg-crds oci://docker.io/envoyproxy/gateway-crds-helm \ | kubectl apply --force-conflicts --server-side -f - ``` -2. Upgrade Envoy Gateway: +2. Install Envoy Gateway {{< yaml-version >}}: ```shell helm upgrade eg oci://docker.io/envoyproxy/gateway-helm --version {{< yaml-version >}} -n envoy-gateway-system From e6700ef562d44879c88d419be8db4447345d59c7 Mon Sep 17 00:00:00 2001 
From: jukie <10012479+Jukie@users.noreply.github.com> Date: Mon, 16 Feb 2026 19:17:12 -0700 Subject: [PATCH 5/6] Release note Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --- release-notes/current.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/release-notes/current.yaml b/release-notes/current.yaml index b4d0c5a0ad..c88e8bf3a2 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -30,3 +30,4 @@ deprecations: | # Other notable changes not covered by the above sections. Other changes: | + Moved Envoy Gateway CRDs into a sub-chart to avoid the Helm release secret exceeding the 1MB size limit when adding new API fields. Upgrade/Install behavior is unchanged for users. From 4d84d7e272dd0b80319101e9eb2c2214646d1abe Mon Sep 17 00:00:00 2001 From: jukie <10012479+Jukie@users.noreply.github.com> Date: Tue, 17 Feb 2026 14:38:37 -0700 Subject: [PATCH 6/6] Remove crd values param Signed-off-by: jukie <10012479+Jukie@users.noreply.github.com> --- charts/gateway-helm/Chart.lock | 4 ++-- charts/gateway-helm/Chart.yaml | 1 - charts/gateway-helm/README.md | 1 - charts/gateway-helm/values.tmpl.yaml | 3 --- site/content/en/latest/install/gateway-helm-api.md | 1 - 5 files changed, 2 insertions(+), 8 deletions(-) diff --git a/charts/gateway-helm/Chart.lock b/charts/gateway-helm/Chart.lock index 0a9eda9661..88ba8998a4 100644 --- a/charts/gateway-helm/Chart.lock +++ b/charts/gateway-helm/Chart.lock @@ -2,5 +2,5 @@ dependencies: - name: crds repository: "" version: 0.0.0 -digest: sha256:16cbbceffe2a6946ae7cbb20b5a8313267bc77f4669caba20fffb3ff64a773a6 -generated: "2026-02-16T16:35:44.801809-07:00" +digest: sha256:aeada3fbffa2565a325406ad014001fd2685f7c0c9cfc1167da4f10c75a1bd65 +generated: "2026-02-17T14:34:30.962808-07:00" diff --git a/charts/gateway-helm/Chart.yaml b/charts/gateway-helm/Chart.yaml index 13b7263561..8a516e5f58 100644 --- a/charts/gateway-helm/Chart.yaml +++ b/charts/gateway-helm/Chart.yaml 
@@ -27,4 +27,3 @@ sources: dependencies: - name: crds version: "0.0.0" - condition: crds.enabled diff --git a/charts/gateway-helm/README.md b/charts/gateway-helm/README.md index 417809dd56..a3d1c17dd9 100644 --- a/charts/gateway-helm/README.md +++ b/charts/gateway-helm/README.md @@ -68,7 +68,6 @@ helm uninstall eg -n envoy-gateway-system | certgen | object | `{"job":{"affinity":{},"annotations":{},"args":[],"nodeSelector":{},"pod":{"annotations":{},"labels":{}},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | | commonLabels | object | `{}` | Labels to apply to all resources | | config.envoyGateway | object | `{"extensionApis":{},"gateway":{"controllerName":"gateway.envoyproxy.io/gatewayclass-controller"},"logging":{"level":{"default":"info"}},"provider":{"type":"Kubernetes"}}` | EnvoyGateway configuration. Visit https://gateway.envoyproxy.io/docs/api/extension_types/#envoygateway to view all options. | -| crds.enabled | bool | `true` | | | createNamespace | bool | `false` | | | deployment.annotations | object | `{}` | | | deployment.envoyGateway.image.repository | string | `""` | | diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml index da970c7510..874ab0b780 100644 --- a/charts/gateway-helm/values.tmpl.yaml +++ b/charts/gateway-helm/values.tmpl.yaml 
@@ -148,6 +148,3 @@ certgen: topologyInjector: enabled: true annotations: {} - -crds: - enabled: true diff --git a/site/content/en/latest/install/gateway-helm-api.md b/site/content/en/latest/install/gateway-helm-api.md index e65cdd41a8..961eda38e8 100644 --- a/site/content/en/latest/install/gateway-helm-api.md +++ b/site/content/en/latest/install/gateway-helm-api.md @@ -32,7 +32,6 @@ The Helm chart for Envoy Gateway | certgen | object | `{"job":{"affinity":{},"annotations":{},"args":[],"nodeSelector":{},"pod":{"annotations":{},"labels":{}},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | | commonLabels | object | `{}` | Labels to apply to all resources | | config.envoyGateway | object | `{"extensionApis":{},"gateway":{"controllerName":"gateway.envoyproxy.io/gatewayclass-controller"},"logging":{"level":{"default":"info"}},"provider":{"type":"Kubernetes"}}` | EnvoyGateway configuration. Visit https://gateway.envoyproxy.io/docs/api/extension_types/#envoygateway to view all options. | -| crds.enabled | bool | `true` | | | createNamespace | bool | `false` | | | deployment.annotations | object | `{}` | | | deployment.envoyGateway.image.repository | string | `""` | |