Use sub-chart for CRDs to reduce chart size

charts/gateway-helm/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: crds
+  repository: ""
+  version: 0.0.0
+digest: sha256:aeada3fbffa2565a325406ad014001fd2685f7c0c9cfc1167da4f10c75a1bd65
+generated: "2026-02-17T14:34:30.962808-07:00"

charts/gateway-helm/Chart.yaml

@@ -23,3 +23,7 @@ home: https://gateway.envoyproxy.io/
 
 sources:
   - https://github.com/envoyproxy/gateway
+
+dependencies:
+  - name: crds
+    version: "0.0.0"

charts/gateway-helm/README.md

@@ -17,6 +17,12 @@ The Helm chart for Envoy Gateway
 
 * <https://github.com/envoyproxy/gateway>
 
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+|  | crds | 0.0.0 |
+
 ## Usage
 
 [Helm](https://helm.sh) must be installed to use the charts.

charts/gateway-helm/charts/crds/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: crds
+description: Envoy Gateway and Gateway API CRDs
+type: application
+version: 0.0.0
+appVersion: "0.0.0"

embed.go

@@ -11,31 +11,31 @@ import (
 )
 
 var (
-	//go:embed charts/gateway-helm/crds/gatewayapi-crds.yaml
+	//go:embed charts/gateway-helm/charts/crds/crds/gatewayapi-crds.yaml
 	gatewayAPICRDs []byte
 
-	//go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backends.yaml
+	//go:embed charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_backends.yaml
 	backendCRD []byte
 
-	//go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
+	//go:embed charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
 	backendTrafficPolicyCRD []byte
 
-	//go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
+	//go:embed charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
 	clientTrafficPolicyCRD []byte
 
-	//go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
+	//go:embed charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
 	envoyExtensionPolicyCRD []byte
 
-	//go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml
+	//go:embed charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml
 	envoyPatchPolicyCRD []byte
 
-	//go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
+	//go:embed charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
 	envoyProxyCRD []byte
 
-	//go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml
+	//go:embed charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml
 	httpRouteFilterCRD []byte
 
-	//go:embed charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
+	//go:embed charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
 	securityPolicyCRD []byte
 )
 

internal/provider/kubernetes/kubernetes_test.go

@@ -110,8 +110,8 @@ func TestProvider(t *testing.T) {
 
 func startEnv() (*envtest.Environment, *rest.Config, error) {
 	log.SetLogger(zap.New(zap.WriteTo(os.Stderr), zap.UseDevMode(true)))
-	gwAPIs := filepath.Join("..", "..", "..", "charts", "gateway-helm", "crds", "gatewayapi-crds.yaml")
-	egAPIs := filepath.Join("..", "..", "..", "charts", "gateway-helm", "crds", "generated")
+	gwAPIs := filepath.Join("..", "..", "..", "charts", "gateway-helm", "charts", "crds", "crds", "gatewayapi-crds.yaml")
+	egAPIs := filepath.Join("..", "..", "..", "charts", "gateway-helm", "charts", "crds", "crds", "generated")
 	mcsAPIs := filepath.Join(".", "testdata", "crds", "multicluster-svc.yaml")
 
 	env := &envtest.Environment{

internal/utils/helm/package.go

@@ -180,11 +180,16 @@ func (pt *PackageTool) loadChart(opts *PackageOptions) (*chart.Chart, error) {
 	return egChart, nil
 }
 
-// extractCRDs Extract the CRDs part of the chart
+// extractCRDs Extract the CRDs part of the chart and its sub-charts
 func (pt *PackageTool) extractCRDs(ch *chart.Chart) ([]*resource.Info, error) {
-	crdResInfo := make([]*resource.Info, 0, len(ch.CRDObjects()))
+	allCRDs := ch.CRDObjects()
+	for _, dep := range ch.Dependencies() {
+		allCRDs = append(allCRDs, dep.CRDObjects()...)
+	}
+
+	crdResInfo := make([]*resource.Info, 0, len(allCRDs))
 
-	for _, crd := range ch.CRDObjects() {
+	for _, crd := range allCRDs {
 		resInfo, err := pt.actionConfig.KubeClient.Build(bytes.NewBufferString(string(crd.File.Data)), false)
 		if err != nil {
 			return nil, err

release-notes/current.yaml

@@ -30,3 +30,4 @@ deprecations: |
 
 # Other notable changes not covered by the above sections.
 Other changes: |
+  Moved Envoy Gateway CRDs into a sub-chart to avoid the Helm release secret exceeding the 1MB size limit when adding new API fields. Upgrade/Install behavior is unchanged for users.

site/content/en/latest/install/gateway-helm-api.md

@@ -19,6 +19,12 @@ The Helm chart for Envoy Gateway
 
 * <https://github.com/envoyproxy/gateway>
 
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+|  | crds | 0.0.0 |
+
 ## Values
 
 | Key | Type | Default | Description |

site/content/en/latest/install/install-yaml.md

@@ -36,9 +36,11 @@ Some manual migration steps are required to upgrade Envoy Gateway.
 1. Update Gateway-API and Envoy Gateway CRDs:
 
 ```shell
-helm pull oci://docker.io/envoyproxy/gateway-helm --version {{< yaml-version >}} --untar
-kubectl apply --force-conflicts --server-side -f ./gateway-helm/crds/gatewayapi-crds.yaml
-kubectl apply --force-conflicts --server-side -f ./gateway-helm/crds/generated
+helm template eg-crds oci://docker.io/envoyproxy/gateway-crds-helm \
+  --version {{< yaml-version >}} \
+  --set crds.gatewayAPI.enabled=true \
+  --set crds.envoyGateway.enabled=true \
+  | kubectl apply --force-conflicts --server-side -f -
 ```
 
 2. Install Envoy Gateway {{< yaml-version >}}:

test/cel-validation/main_test.go

@@ -55,7 +55,7 @@ func runTest(m *testing.M) int {
 
 func startEnv() (*envtest.Environment, *rest.Config, error) {
 	log.SetLogger(zap.New(zap.WriteTo(os.Stderr), zap.UseDevMode(true)))
-	egAPIs := filepath.Join("..", "..", "charts", "gateway-helm", "crds", "generated")
+	egAPIs := filepath.Join("..", "..", "charts", "gateway-helm", "charts", "crds", "crds", "generated")
 
 	env := &envtest.Environment{
 		CRDDirectoryPaths: []string{egAPIs},

tools/make/kube.mk

@@ -86,8 +86,9 @@ endif
 .PHONY: manifests
 manifests: generate-gwapi-manifests ## Generate WebhookConfiguration and CustomResourceDefinition objects.
 	@$(LOG_TARGET)
-	$(GO_TOOL) controller-gen crd:allowDangerousTypes=true paths="./api/..." output:crd:artifacts:config=charts/gateway-helm/crds/generated
 	@mkdir -p charts/gateway-helm/templates/generated
+	@mkdir -p charts/gateway-helm/charts/crds/crds/generated
+	$(GO_TOOL) controller-gen crd:allowDangerousTypes=true paths="./api/..." output:crd:artifacts:config=charts/gateway-helm/charts/crds/crds/generated
 	$(GO_TOOL) controller-gen crd:allowDangerousTypes=true paths="./api/..." output:crd:artifacts:config=charts/gateway-crds-helm/templates/generated
 	@for file in charts/gateway-crds-helm/templates/generated/*.yaml; do \
 		sed -i.bak '1s/^/{{- if .Values.crds.envoyGateway.enabled }}\n/' $$file && \
@@ -102,7 +103,8 @@ generate-gwapi-manifests: ## Generate Gateway API manifests and make it consiste
 	@mkdir -p $(OUTPUT_DIR)/
 	@curl -sLo $(OUTPUT_DIR)/experimental-gatewayapi-crds.yaml ${EXPERIMENTAL_GATEWAY_API_RELEASE_URL}
 	@curl -sLo $(OUTPUT_DIR)/standard-gatewayapi-crds.yaml ${STANDARD_GATEWAY_API_RELEASE_URL}
-	cp $(OUTPUT_DIR)/experimental-gatewayapi-crds.yaml charts/gateway-helm/crds/gatewayapi-crds.yaml
+	@mkdir -p charts/gateway-helm/charts/crds/crds
+	cp $(OUTPUT_DIR)/experimental-gatewayapi-crds.yaml charts/gateway-helm/charts/crds/crds/gatewayapi-crds.yaml
 	@sed -i.bak '1s/^/{{- if and .Values.crds.gatewayAPI.enabled (eq .Values.crds.gatewayAPI.channel "standard") }}\n/' $(OUTPUT_DIR)/standard-gatewayapi-crds.yaml && \
 	echo '{{- end }}' >> $(OUTPUT_DIR)/standard-gatewayapi-crds.yaml && \
 	sed -i.bak '1s/^/{{- if and .Values.crds.gatewayAPI.enabled (or (eq .Values.crds.gatewayAPI.channel "experimental") (eq .Values.crds.gatewayAPI.channel "")) }}\n/' $(OUTPUT_DIR)/experimental-gatewayapi-crds.yaml && \
@@ -172,35 +174,21 @@ endif
 .PHONY: kube-deploy
 kube-deploy: manifests helm-generate ## Install Envoy Gateway into the Kubernetes cluster specified in ~/.kube/config.
 	@$(LOG_TARGET)
-	# Install CRDs using helm template to avoid 1MB secret size limit
-	$(GO_TOOL) helm template eg-crds charts/gateway-crds-helm \
-		--set crds.gatewayAPI.enabled=true \
-		--set crds.envoyGateway.enabled=true \
-		| kubectl apply --server-side -f -
-	# Install Envoy Gateway without CRDs
 	$(GO_TOOL) helm install eg charts/gateway-helm \
 		--set deployment.envoyGateway.imagePullPolicy=$(IMAGE_PULL_POLICY) \
 		-n envoy-gateway-system --create-namespace \
 		--debug --timeout='$(WAIT_TIMEOUT)' \
 		--wait --wait-for-jobs \
-		--skip-crds \
 		-f $(KUBE_DEPLOY_HELM_VALUES_FILE)
 
 .PHONY: kube-deploy-for-benchmark-test
 kube-deploy-for-benchmark-test: manifests helm-generate ## Install Envoy Gateway and prometheus-server for benchmark test purpose only.
 	@$(LOG_TARGET)
-	# Install CRDs using helm template to avoid 1MB secret size limit
-	$(GO_TOOL) helm template eg-crds charts/gateway-crds-helm \
-		--set crds.gatewayAPI.enabled=true \
-		--set crds.envoyGateway.enabled=true \
-		| kubectl apply --server-side -f -
-	# Install Envoy Gateway
 	$(GO_TOOL) helm install eg charts/gateway-helm --set deployment.envoyGateway.imagePullPolicy=$(IMAGE_PULL_POLICY) \
 		--set deployment.envoyGateway.resources.limits.cpu=$(BENCHMARK_CPU_LIMITS) \
 		--set deployment.envoyGateway.resources.limits.memory=$(BENCHMARK_MEMORY_LIMITS) \
 		--set config.envoyGateway.admin.enablePprof=true \
-		-n envoy-gateway-system --create-namespace --debug --timeout='$(WAIT_TIMEOUT)' --wait --wait-for-jobs \
-		--skip-crds
+		-n envoy-gateway-system --create-namespace --debug --timeout='$(WAIT_TIMEOUT)' --wait --wait-for-jobs
 	# Install Prometheus-server only
 	$(GO_TOOL) helm install eg-addons charts/gateway-addons-helm --set loki.enabled=false \
 		--set tempo.enabled=false \
@@ -406,11 +394,17 @@ generate-manifests: helm-generate.gateway-helm ## Generate Kubernetes release ma
 	@$(LOG_TARGET)
 	@$(call log, "Generating kubernetes manifests")
 	mkdir -p $(OUTPUT_DIR)/
-	$(GO_TOOL) helm template --set createNamespace=true eg charts/gateway-helm --include-crds --namespace envoy-gateway-system > $(OUTPUT_DIR)/install.yaml
+	$(GO_TOOL) helm template eg-crds charts/gateway-crds-helm \
+		--set crds.gatewayAPI.enabled=true \
+		--set crds.envoyGateway.enabled=true \
+		> $(OUTPUT_DIR)/install.yaml
+	$(GO_TOOL) helm template --set createNamespace=true eg charts/gateway-helm --namespace envoy-gateway-system >> $(OUTPUT_DIR)/install.yaml
 	@$(call log, "Added: $(OUTPUT_DIR)/install.yaml")
 	cp examples/kubernetes/quickstart.yaml $(OUTPUT_DIR)/quickstart.yaml
 	@$(call log, "Added: $(OUTPUT_DIR)/quickstart.yaml")
-	cat charts/gateway-helm/crds/generated/* >> $(OUTPUT_DIR)/envoy-gateway-crds.yaml
+	$(GO_TOOL) helm template eg-crds charts/gateway-crds-helm \
+		--set crds.envoyGateway.enabled=true \
+		> $(OUTPUT_DIR)/envoy-gateway-crds.yaml
 	@$(call log, "Added: $(OUTPUT_DIR)/envoy-gateway-crds.yaml")
 
 .PHONY: generate-artifacts