Skip to content

docs(ingress-gateway): fix Gateway API supported versions for v1.5.1 and add v3.32 upgrade note#2860

Draft
electricjesus wants to merge 1 commit into
tigera:mainfrom
electricjesus:seth/gwapi-crd-version-docs
Draft

docs(ingress-gateway): fix Gateway API supported versions for v1.5.1 and add v3.32 upgrade note#2860
electricjesus wants to merge 1 commit into
tigera:mainfrom
electricjesus:seth/gwapi-crd-version-docs

Conversation

@electricjesus

Copy link
Copy Markdown
Member

Product Version(s):
Calico 3.32 (and next), Calico Enterprise 3.23.
Calico Cloud is likely affected too, but I still need to confirm its bundled Envoy Gateway version, so it is not included here yet.

Issue:
https://tigera.atlassian.net/browse/EV-6840

Link to docs preview:
Pending the Netlify preview build.

SME review:

  • An SME has approved this change.

DOCS review:

  • A member of the docs team has approved this change.

Additional information:

Calico 3.32 and Calico Enterprise 3.23 bundle Envoy Gateway v1.8, which ships Gateway API v1.5.1. In v1.5, TLSRoute, ListenerSet, and BackendTLSPolicy are served at v1, and Envoy Gateway v1.8 watches them there. The supported-resources table still listed the older pre-v1.5 versions (for example TLSRoute at v1alpha2), which reads as if the newer versions are unsupported.

This PR does two things:

  • Rebuilds the supported Gateway API resources table from the v1.5.1 experimental channel that the operator bundles. Changed rows: TLSRoute, BackendTLSPolicy, GRPCRoute, ReferenceGrant, plus a new ListenerSet row. BackendLBPolicy is left as is, since it is not in the v1.5.1 gateway.networking.k8s.io set and needs a separate check.
  • Adds an upgrade note to the 3.32.1 release notes. If the Gateway API CRDs are still on an older version at upgrade time, the envoy-gateway pod fails to start. The note explains how to get the CRDs to v1.5.1: operator crdManagement: Reconcile, clearing the safe-upgrades admission policy if it blocks the change, or installing the CRDs yourself.

Only versions that bundle Gateway API v1.5.1 are touched. Calico 3.31 and Calico Enterprise 3.22 ship an older Gateway API, so their tables are correct and left alone.

The crash itself is fixed in code by projectcalico/calico#13242 (Envoy Gateway skips absent optional CRDs). These docs cover the released versions where that fix has not landed yet.

Merge checklist:

  • Deploy preview inspected wherever changes were made
  • Build completed successfully
  • Test have passed

…and note the v3.32 Envoy Gateway upgrade

Calico 3.32 and Calico Enterprise 3.23 bundle Envoy Gateway v1.8, which ships
Gateway API v1.5.1. There TLSRoute, ListenerSet, and BackendTLSPolicy are served
at v1 and Envoy Gateway watches them at v1. The supported-resources table still
listed the pre-v1.5 versions, and the release notes gave no guidance for the CRD
bump.

- Rebuild the supported Gateway API resources table from the v1.5.1 experimental
  channel (TLSRoute, BackendTLSPolicy, GRPCRoute, ReferenceGrant; add ListenerSet).
- Add a 3.32.1 upgrade note covering the CRD requirement and the crdManagement /
  safe-upgrades admission policy steps.

Signed-off-by: Seth Malaki <seth@tigera.io>
Copilot AI review requested due to automatic review settings July 17, 2026 20:29
@netlify

netlify Bot commented Jul 17, 2026

Copy link
Copy Markdown

Deploy Preview for calico-docs-preview-next ready!

Name Link
🔨 Latest commit 444228e
🔍 Latest deploy log https://app.netlify.com/projects/calico-docs-preview-next/deploys/6a5a90c7ceda660008c064d6
😎 Deploy Preview https://deploy-preview-2860--calico-docs-preview-next.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@netlify

netlify Bot commented Jul 17, 2026

Copy link
Copy Markdown

Deploy Preview for tigera failed. Why did it fail? →

Built without sensitive environment variables

Name Link
🔨 Latest commit 444228e
🔍 Latest deploy log https://app.netlify.com/projects/tigera/deploys/6a5a90c79ce8b700081f0945

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates Calico Ingress Gateway documentation to reflect Gateway API v1.5.1-served resource versions (as bundled with Envoy Gateway v1.8) and adds an upgrade note for Calico OSS 3.32 to prevent startup failures when Gateway API CRDs are still on older versions.

Changes:

  • Update supported Gateway API resources/version tables for Calico OSS (next + v3.32) and Calico Enterprise (next + v3.23-2).
  • Add a 3.32 upgrade note describing the Gateway API CRD v1.5.1 requirement and operator-managed reconciliation guidance.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
calico/networking/ingress-gateway/about-calico-ingress-gateway.mdx Updates the supported Gateway API resources/versions table for OSS “next”.
calico-enterprise/networking/ingress-gateway/about-calico-ingress-gateway.mdx Updates the supported Gateway API resources/versions table for Enterprise “next”.
calico-enterprise_versioned_docs/version-3.23-2/networking/ingress-gateway/about-calico-ingress-gateway.mdx Updates the supported Gateway API resources/versions table for Enterprise v3.23-2.
calico_versioned_docs/version-3.32/networking/ingress-gateway/about-calico-ingress-gateway.mdx Updates the supported Gateway API resources/versions table for OSS v3.32.
calico_versioned_docs/version-3.32/release-notes/index.mdx Adds an upgrade note about needing Gateway API v1.5.1 CRDs for Envoy Gateway v1.8.0.


To update a previous version of Calico, see [our upgrade guides](../operations/upgrading/index.mdx).

If you use Calico Ingress Gateway, this release bumps the bundled Envoy Gateway to v1.8.0, which requires the Gateway API v1.5 CRDs. Envoy Gateway v1.8 watches `TLSRoute`, `ListenerSet`, and `BackendTLSPolicy` at `gateway.networking.k8s.io/v1`. If those CRDs are still served only at an older version, for example `v1alpha2`, the `envoy-gateway` pod fails to start with `no matches for kind "TLSRoute" in version "gateway.networking.k8s.io/v1"`.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants