docs(ingress-gateway): fix Gateway API supported versions for v1.5.1 and add v3.32 upgrade note#2860
Draft
electricjesus wants to merge 1 commit into
Draft
Conversation
…and note the v3.32 Envoy Gateway upgrade Calico 3.32 and Calico Enterprise 3.23 bundle Envoy Gateway v1.8, which ships Gateway API v1.5.1. There TLSRoute, ListenerSet, and BackendTLSPolicy are served at v1 and Envoy Gateway watches them at v1. The supported-resources table still listed the pre-v1.5 versions, and the release notes gave no guidance for the CRD bump. - Rebuild the supported Gateway API resources table from the v1.5.1 experimental channel (TLSRoute, BackendTLSPolicy, GRPCRoute, ReferenceGrant; add ListenerSet). - Add a 3.32.1 upgrade note covering the CRD requirement and the crdManagement / safe-upgrades admission policy steps. Signed-off-by: Seth Malaki <seth@tigera.io>
✅ Deploy Preview for calico-docs-preview-next ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
❌ Deploy Preview for tigera failed. Why did it fail? →Built without sensitive environment variables
|
Contributor
There was a problem hiding this comment.
Pull request overview
Updates Calico Ingress Gateway documentation to reflect Gateway API v1.5.1-served resource versions (as bundled with Envoy Gateway v1.8) and adds an upgrade note for Calico OSS 3.32 to prevent startup failures when Gateway API CRDs are still on older versions.
Changes:
- Update supported Gateway API resources/version tables for Calico OSS (next + v3.32) and Calico Enterprise (next + v3.23-2).
- Add a 3.32 upgrade note describing the Gateway API CRD v1.5.1 requirement and operator-managed reconciliation guidance.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| calico/networking/ingress-gateway/about-calico-ingress-gateway.mdx | Updates the supported Gateway API resources/versions table for OSS “next”. |
| calico-enterprise/networking/ingress-gateway/about-calico-ingress-gateway.mdx | Updates the supported Gateway API resources/versions table for Enterprise “next”. |
| calico-enterprise_versioned_docs/version-3.23-2/networking/ingress-gateway/about-calico-ingress-gateway.mdx | Updates the supported Gateway API resources/versions table for Enterprise v3.23-2. |
| calico_versioned_docs/version-3.32/networking/ingress-gateway/about-calico-ingress-gateway.mdx | Updates the supported Gateway API resources/versions table for OSS v3.32. |
| calico_versioned_docs/version-3.32/release-notes/index.mdx | Adds an upgrade note about needing Gateway API v1.5.1 CRDs for Envoy Gateway v1.8.0. |
|
|
||
| To update a previous version of Calico, see [our upgrade guides](../operations/upgrading/index.mdx). | ||
|
|
||
| If you use Calico Ingress Gateway, this release bumps the bundled Envoy Gateway to v1.8.0, which requires the Gateway API v1.5 CRDs. Envoy Gateway v1.8 watches `TLSRoute`, `ListenerSet`, and `BackendTLSPolicy` at `gateway.networking.k8s.io/v1`. If those CRDs are still served only at an older version, for example `v1alpha2`, the `envoy-gateway` pod fails to start with `no matches for kind "TLSRoute" in version "gateway.networking.k8s.io/v1"`. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Product Version(s):
Calico 3.32 (and next), Calico Enterprise 3.23.
Calico Cloud is likely affected too, but I still need to confirm its bundled Envoy Gateway version, so it is not included here yet.
Issue:
https://tigera.atlassian.net/browse/EV-6840
Link to docs preview:
Pending the Netlify preview build.
SME review:
DOCS review:
Additional information:
Calico 3.32 and Calico Enterprise 3.23 bundle Envoy Gateway v1.8, which ships Gateway API v1.5.1. In v1.5,
TLSRoute,ListenerSet, andBackendTLSPolicyare served atv1, and Envoy Gateway v1.8 watches them there. The supported-resources table still listed the older pre-v1.5 versions (for exampleTLSRouteatv1alpha2), which reads as if the newer versions are unsupported.This PR does two things:
TLSRoute,BackendTLSPolicy,GRPCRoute,ReferenceGrant, plus a newListenerSetrow.BackendLBPolicyis left as is, since it is not in the v1.5.1gateway.networking.k8s.ioset and needs a separate check.envoy-gatewaypod fails to start. The note explains how to get the CRDs to v1.5.1: operatorcrdManagement: Reconcile, clearing thesafe-upgradesadmission policy if it blocks the change, or installing the CRDs yourself.Only versions that bundle Gateway API v1.5.1 are touched. Calico 3.31 and Calico Enterprise 3.22 ship an older Gateway API, so their tables are correct and left alone.
The crash itself is fixed in code by projectcalico/calico#13242 (Envoy Gateway skips absent optional CRDs). These docs cover the released versions where that fix has not landed yet.
Merge checklist: