Skip to content

feat(helm): add CRDs dependency toggle#8850

Merged
zhaohuabing merged 3 commits into
envoyproxy:mainfrom
cilindrox:crds-toggle
Jun 22, 2026
Merged

feat(helm): add CRDs dependency toggle#8850
zhaohuabing merged 3 commits into
envoyproxy:mainfrom
cilindrox:crds-toggle

Conversation

@cilindrox

Copy link
Copy Markdown
Contributor

Allow skipping installation of the crds dependency on the gateway-helm chart by providing a conditional crds.enabled variable. This boolean defaults to true and toggles the inclusion of the dependency on the parent chart.

ref: #8560

Release Notes: Yes

@cilindrox cilindrox requested a review from a team as a code owner April 24, 2026 17:11
@netlify

netlify Bot commented Apr 24, 2026

Copy link
Copy Markdown

Deploy Preview for cerulean-figolla-1f9435 ready!

Name Link
🔨 Latest commit 35eaa03
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/6a389beaac8ea70008f88ef1
😎 Deploy Preview https://deploy-preview-8850--cerulean-figolla-1f9435.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@bacterik

Copy link
Copy Markdown

Excellent PR. Looking forward to merge soon :).

Since I bulid/template everything to targets, and point applications to manifests, Argo for exmaple dosnt know shit about helm, so can't use --skip-crds today. And also deloy the standard channel seprate.

👍👍👍

@cnvergence

Copy link
Copy Markdown
Member

@cilindrox let's resolve the conflicts

@cilindrox

Copy link
Copy Markdown
Contributor Author

@cnvergence PR rebased and conflicts solved

@zirain

zirain commented May 22, 2026

Copy link
Copy Markdown
Member

@cnvergence PR rebased and conflicts solved

can you run make -k gen-check locally, and commit the changes to make CI happy?

@codecov

codecov Bot commented May 23, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.16%. Comparing base (139de99) to head (35eaa03).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8850      +/-   ##
==========================================
- Coverage   75.16%   75.16%   -0.01%     
==========================================
  Files         252      252              
  Lines       41047    41047              
==========================================
- Hits        30854    30852       -2     
- Misses       8094     8095       +1     
- Partials     2099     2100       +1     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@cilindrox

Copy link
Copy Markdown
Contributor Author

@zirain pr updated!

@cilindrox cilindrox force-pushed the crds-toggle branch 2 times, most recently from 45f7e04 to e78563f Compare June 8, 2026 14:48
zirain
zirain previously approved these changes Jun 8, 2026
@cilindrox

Copy link
Copy Markdown
Contributor Author

Any ideas as to what the codecov signature issues might be about?

@zhaohuabing

zhaohuabing commented Jun 9, 2026

Copy link
Copy Markdown
Member

Excellent PR. Looking forward to merge soon :).

Since I bulid/template everything to targets, and point applications to manifests, Argo for exmaple dosnt know shit about helm, so can't use --skip-crds today. And also deloy the standard channel seprate.

👍👍👍

Hi @bacterik @cilindrox for the Argo CD case, I think spec.source.helm.skipCrds: true is the recommended/native way to handle this.

Argo CD documents skipCrds: true as its declarative equivalent of Helm’s --skip-crds: https://argo-cd.readthedocs.io/en/latest/user-guide/helm/#helm-skip-crds

#8560 (comment)

cc @jukie

@zhaohuabing zhaohuabing requested a review from jukie June 9, 2026 04:24
@cilindrox

Copy link
Copy Markdown
Contributor Author

@zhaohuabing see this comment on the other thread (#8560 (comment)) - the argo and helm builtins do not cover all use-cases. Namely umbrella charts.

@zhaohuabing

Copy link
Copy Markdown
Member

@codex review

@zhaohuabing zhaohuabing requested a review from Copilot June 10, 2026 02:41
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a Helm dependency toggle so the gateway-helm chart can optionally omit the bundled crds subchart, enabling workflows where CRDs are installed separately (e.g., via gateway-crds-helm) and the controller chart is installed without CRDs.

Changes:

  • Adds a dependency condition (condition: crds.enabled) for the crds subchart in charts/gateway-helm/Chart.yaml.
  • Introduces a new values flag crds.enabled (default true) in charts/gateway-helm/values.tmpl.yaml.
  • Updates generated docs and release notes to reflect the new value.

Review Findings

Required fixes:

  • crds.enabled is user-facing but currently has an empty/blank description in generated docs, which makes the new toggle unclear to users:
    • charts/gateway-helm/values.tmpl.yaml:38-40
    • charts/gateway-helm/README.md:92
    • site/content/en/latest/install/gateway-helm-api.md:35

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
site/content/en/latest/install/gateway-helm-api.md Documents the new crds.enabled value in the published Helm values table.
release-notes/current.yaml Adds a release note entry for the new crds.enabled toggle.
charts/gateway-helm/values.tmpl.yaml Introduces the crds.enabled values flag (default true).
charts/gateway-helm/README.md Adds the crds.enabled row to the chart’s values table.
charts/gateway-helm/Chart.yaml Adds condition: crds.enabled to the crds dependency.
charts/gateway-helm/Chart.lock Regenerates the dependency lockfile after updating the dependency metadata.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread charts/gateway-helm/values.tmpl.yaml
Comment thread charts/gateway-helm/README.md Outdated
Comment thread site/content/en/latest/install/gateway-helm-api.md Outdated
@zhaohuabing

zhaohuabing commented Jun 10, 2026

Copy link
Copy Markdown
Member

Could we also update the installation docs to recommend using the crds.enabled toggle instead of --skip-crds and crds.gatewayAPI.safeUpgradePolicy.enabled? It's simpler(just one field instead of two) and covers all use cases.

@cilindrox

Copy link
Copy Markdown
Contributor Author

@zhaohuabing updated the latest version of the docs - not sure if there's any other template that needs to be updated instead.

zhaohuabing
zhaohuabing previously approved these changes Jun 18, 2026
@cilindrox cilindrox dismissed stale reviews from zhaohuabing and jukie via ea0d308 June 19, 2026 18:00
cilindrox and others added 2 commits June 20, 2026 20:39
Allow skipping installation of the `crds` dependency on the gateway-helm
chart by providing a conditional `crds.enabled` variable. This boolean
defaults to `true` and toggles the inclusion of the dependency on the
parent chart.

ref: envoyproxy#8560
Signed-off-by: Gaston Festari <[email protected]>
Use the `crds.enabled` variable in the examples instead of the
`--skip-crds` flag.

Update crds.enabled variable description.

Co-authored-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: Gaston Festari <[email protected]>
zhaohuabing
zhaohuabing previously approved these changes Jun 22, 2026
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
@zhaohuabing

Copy link
Copy Markdown
Member

@codex review

@zhaohuabing zhaohuabing requested a review from jukie June 22, 2026 02:30
@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Chef's kiss.

Reviewed commit: 35eaa03ea7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@jukie

jukie commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

@jukie

jukie commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

/retest

1 similar comment
@jukie

jukie commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

/retest

@zhaohuabing zhaohuabing merged commit 62e01ce into envoyproxy:main Jun 22, 2026
88 of 94 checks passed
cleman95 pushed a commit to cleman95/gateway that referenced this pull request Jun 25, 2026
* feat(helm): add CRDs dependency toggle

Allow skipping installation of the `crds` dependency on the gateway-helm
chart by providing a conditional `crds.enabled` variable. This boolean
defaults to `true` and toggles the inclusion of the dependency on the
parent chart.

ref: envoyproxy#8560
Signed-off-by: Gaston Festari <[email protected]>

* docs: update Helm installation steps

Use the `crds.enabled` variable in the examples instead of the
`--skip-crds` flag.

Update crds.enabled variable description.

Co-authored-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: Gaston Festari <[email protected]>

---------

Signed-off-by: Gaston Festari <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>
zac-nixon pushed a commit to zac-nixon/gateway that referenced this pull request Jun 29, 2026
* feat(helm): add CRDs dependency toggle

Allow skipping installation of the `crds` dependency on the gateway-helm
chart by providing a conditional `crds.enabled` variable. This boolean
defaults to `true` and toggles the inclusion of the dependency on the
parent chart.

ref: envoyproxy#8560
Signed-off-by: Gaston Festari <[email protected]>

* docs: update Helm installation steps

Use the `crds.enabled` variable in the examples instead of the
`--skip-crds` flag.

Update crds.enabled variable description.

Co-authored-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: Gaston Festari <[email protected]>

---------

Signed-off-by: Gaston Festari <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>
guydc pushed a commit to guydc/gateway that referenced this pull request Jun 30, 2026
* feat(helm): add CRDs dependency toggle

Allow skipping installation of the `crds` dependency on the gateway-helm
chart by providing a conditional `crds.enabled` variable. This boolean
defaults to `true` and toggles the inclusion of the dependency on the
parent chart.

ref: envoyproxy#8560
Signed-off-by: Gaston Festari <[email protected]>

* docs: update Helm installation steps

Use the `crds.enabled` variable in the examples instead of the
`--skip-crds` flag.

Update crds.enabled variable description.

Co-authored-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: Gaston Festari <[email protected]>

---------

Signed-off-by: Gaston Festari <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>
jukie added a commit that referenced this pull request Jul 1, 2026
* fix rate limit validation on K8s 1.36 (#9166)

fixi: rate limit validation on K8s 1.36

Starting with K8s 1.36 the int range and maximum are validated
against each other, which breaks the BTP tests.

This can be fixed validating the field as uint32.

Signed-off-by: Clemens Beck <[email protected]>
Co-authored-by: Clemens Beck <[email protected]>
(cherry picked from commit a21fd29)
Signed-off-by: jukie <[email protected]>

* fix(validation): allow IPv6 to be specific in loadBalancerSourceRanges (#9050)

* fix(validation): allow IPv6 to be specific in loadBalancerSourceRanges and loadBalancerIP

Signed-off-by: Marc 'risson' Schmitt <[email protected]>
(cherry picked from commit 3c1d7b9)
Signed-off-by: jukie <[email protected]>

* fix: allow Backend TLS  to disable ALPN with an empty list (#9162)

* Fixed Backend TLS  to disable upstream ALPN instead of inheriting EnvoyProxy BackendTLS defaults.

Signed-off-by: Huabing Zhao <[email protected]>

* add test case for envoyproxy without tls

Signed-off-by: Huabing Zhao <[email protected]>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* address comments

Signed-off-by: Huabing Zhao <[email protected]>

---------

Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
(cherry picked from commit 21eb101)
Signed-off-by: jukie <[email protected]>

* fix(gatewayapi): sort api key auth credentials (#9042)

* fix(gatewayapi): sort api key auth credentials

Signed-off-by: Alexej Disterhoft <[email protected]>

* docs(release-notes): add api key auth fix note

Signed-off-by: Alexej Disterhoft <[email protected]>

---------

Signed-off-by: Alexej Disterhoft <[email protected]>
Signed-off-by: Alexej Disterhoft <[email protected]>
Signed-off-by: zirain <[email protected]>
Co-authored-by: Arko Dasgupta <[email protected]>
Co-authored-by: zirain <[email protected]>
(cherry picked from commit b96a2d3)
Signed-off-by: jukie <[email protected]>

* fix(status): separate listener programmed state from HTTPRoute Accepted condition (#9129)

* fix(status): separate listener programmed state from HTTPRoute Accepted condition
  Remove the NoReadyListeners block that set Accepted: False on routes when
  no listeners were programmed. Route acceptance reflects binding validity;
  listener programmed state is already tracked by the listener's own conditions.

Signed-off-by: apkatsikas <[email protected]>

* fix(status): separate listener programmed state from TCPRoute/UDPRoute Accepted condition
  Routes with a valid binding to an unprogrammed listener now correctly reach
  Accepted=True regardless of listener readiness. Moves accepted=true and
  IncrementAttachedRoutes before the IsReady check so the Accepted condition
  reflects binding validity only, consistent with the HTTPRoute fix and the
  Gateway API spec.

Signed-off-by: apkatsikas <[email protected]>
(cherry picked from commit e9c3ac5)
Signed-off-by: jukie <[email protected]>

* fix: reject  ExternalName Service as a route backend (#9190)

fix: reject  Service as a route backend

Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
(cherry picked from commit ee16b3f)
Signed-off-by: jukie <[email protected]>

* fix(status): fall back to service externalIPs for Gateway addresses (#9209)

When the Envoy service is of type LoadBalancer but no load balancer
controller assigns an ingress address (e.g. bare-metal clusters), the
Gateway status had no addresses and stayed Programmed=False with reason
AddressNotAssigned, even when reachable addresses were configured via
spec.externalIPs (e.g. through an EnvoyProxy service patch).

Use spec.externalIPs as a fallback when the load balancer ingress list
is empty. Ingress addresses keep priority when present, so behavior is
unchanged for clusters with a working load balancer controller.

Fixes #8987

Signed-off-by: Jules Dutel <[email protected]>
(cherry picked from commit f2c0921)
Signed-off-by: jukie <[email protected]>

* fix: don't duplicate ValidatingAdmissionPolicy in install.yaml (#9182)

* Fix duplicate VAP in install.yaml

Signed-off-by: jukie <[email protected]>

* Add regression check and release notes

Signed-off-by: jukie <[email protected]>

---------

Signed-off-by: jukie <[email protected]>
(cherry picked from commit 332081c)
Signed-off-by: jukie <[email protected]>

* fix(listenerset): implement hostname conflict listener precedence (#9192)

* fix(listenerset): implement hostname conflict listener precedence

- In Gateway, multiple listeners with the same hostname all get marked
  Conflicted (no winner). In ListenerSet, a Gateway-owned listener
  wins over ListenerSet listeners; among ListenerSet listeners the first
  in processing order wins.

- Conflicted ListenerSet listeners now get Accepted=False and
  Programmed=False with the conflict reason (HostnameConflict or
  ProtocolConflict), matching the Gateway API conformance expectation.

- AttachedListenerSets on the Gateway status is now incremented only for
  ListenerSets that have at least one accepted listener, aligning with
  the spec definition of "successfully attached".

Signed-off-by: zirain <[email protected]>

* ListenerSet conflict

Signed-off-by: zirain <[email protected]>

* fix and improve message

Signed-off-by: zirain <[email protected]>

* better display gateway listener

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>
(cherry picked from commit 9271654)
Signed-off-by: jukie <[email protected]>

* fix: correct the config hot reload validation order (#9214)

Co-authored-by: Nimisha Mehta <[email protected]>
(cherry picked from commit 7e4492d)
Signed-off-by: jukie <[email protected]>

* feat(helm): add CRDs dependency toggle (#8850)

* feat(helm): add CRDs dependency toggle

Allow skipping installation of the `crds` dependency on the gateway-helm
chart by providing a conditional `crds.enabled` variable. This boolean
defaults to `true` and toggles the inclusion of the dependency on the
parent chart.

ref: #8560
Signed-off-by: Gaston Festari <[email protected]>

* docs: update Helm installation steps

Use the `crds.enabled` variable in the examples instead of the
`--skip-crds` flag.

Update crds.enabled variable description.

Co-authored-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: Gaston Festari <[email protected]>

---------

Signed-off-by: Gaston Festari <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>
(cherry picked from commit 62e01ce)
Signed-off-by: jukie <[email protected]>

* fix: validate API Key auth ExtractFrom (#9250)

* fix: validate API Key auth ExtractFrom

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* add test

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* update

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* update

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* update

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

---------

Signed-off-by: Huabing (Robin) Zhao <[email protected]>
(cherry picked from commit 50b1339)
Signed-off-by: jukie <[email protected]>

* fix: XRateLimitHeadersOptionDisabled constant value must match CRD enum (#9224)

* fix: XRateLimitHeadersOptionDisabled constant value must match CRD enum
The constant held "Disabled" but the CRD enum specifies "Off", causing
xRateLimitHeaders: "Off" to silently fall through the translator switch
and always emit X-RateLimit headers.

Fixes #9223

Signed-off-by: gianniskt <[email protected]>

* fix: XRateLimitHeadersOptionDisabled constant value must match CRD enum
The constant held "Disabled" but the CRD enum specifies "Off", causing
xRateLimitHeaders: "Off" to silently fall through the translator switch
and always emit X-RateLimit headers.

Fixes #9223

Signed-off-by: gianniskt <[email protected]>

* fix: add release note for XRateLimitHeadersOptionDisabled fix

Signed-off-by: gianniskt <[email protected]>

---------

Signed-off-by: gianniskt <[email protected]>
Signed-off-by: Ioannis Koutroumpis <[email protected]>
(cherry picked from commit 43c9d8e)
Signed-off-by: jukie <[email protected]>

* fix(ratelimit): shared global ratelimit with cost not working (#9245)

* fix(ratelimit): shared global ratelimit with cost not working

Signed-off-by: zirain <[email protected]>

* fix

Signed-off-by: zirain <[email protected]>

* fix mixed shared rule

Signed-off-by: zirain <[email protected]>

* add e2e

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>
(cherry picked from commit 7997791)
Signed-off-by: jukie <[email protected]>

* fix(gatewayapi): http retry without backoff (#9238)

* fix http retry without backoff

Signed-off-by: zirain <[email protected]>

* release notes

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>
(cherry picked from commit 4872e53)
Signed-off-by: jukie <[email protected]>

* fix: panic with empty deploy (#9365)

Signed-off-by: zirain <[email protected]>
(cherry picked from commit 42a0c2c)
Signed-off-by: jukie <[email protected]>

* chore: restore current.yaml after cherry-picks

The cherry-picked bug-fix commits appended their release-note entries to
release-notes/current.yaml. Those notes are already finalized in
release-notes/v1.8.2.yaml, so restore current.yaml to its prior state to
avoid duplicating them in the next release cycle.

Signed-off-by: jukie <[email protected]>

* [release-1.8] bump ratelimit image to 1e50889b

Bump the Envoy Ratelimit image from ff287602 to 1e50889b in source and
the gateway-helm chart, and note the bump under security updates in the
v1.8.2 release notes.

Signed-off-by: jukie <[email protected]>

* testdata

Signed-off-by: jukie <[email protected]>

* fix: use int64 format for ratelimit Requests field (#9377)

Signed-off-by: jukie <[email protected]>

---------

Signed-off-by: Clemens Beck <[email protected]>
Signed-off-by: jukie <[email protected]>
Signed-off-by: Marc 'risson' Schmitt <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: Alexej Disterhoft <[email protected]>
Signed-off-by: Alexej Disterhoft <[email protected]>
Signed-off-by: zirain <[email protected]>
Signed-off-by: apkatsikas <[email protected]>
Signed-off-by: Jules Dutel <[email protected]>
Signed-off-by: Gaston Festari <[email protected]>
Signed-off-by: gianniskt <[email protected]>
Signed-off-by: Ioannis Koutroumpis <[email protected]>
Co-authored-by: Clemens Beck <[email protected]>
Co-authored-by: Clemens Beck <[email protected]>
Co-authored-by: Marc 'risson' Schmitt <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
Co-authored-by: Alexej Disterhoft <[email protected]>
Co-authored-by: Arko Dasgupta <[email protected]>
Co-authored-by: zirain <[email protected]>
Co-authored-by: Andrew Katsikas <[email protected]>
Co-authored-by: jvlxz <[email protected]>
Co-authored-by: Mengjia Liang <[email protected]>
Co-authored-by: Nimisha Mehta <[email protected]>
Co-authored-by: Gaston Festari <[email protected]>
Co-authored-by: Ioannis Koutroumpis <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants