Don’t bundle Gateway API CRDs

[genebean]

Welcome!

• [x] Yes, I've searched similar issues on GitHub and didn't find any.
• [x] Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you expect to see?

I’m doing some greenfield work and trying to take advantage of all the Gateway API goodness Traefik, Argo CD, Argo Rollouts, Linkerd, and others are doing, but have found that Traefik bundling in the Gateway API CRDs in the helm charts is both an anti pattern and problematic. The other projects I’ve looked at all seem to have you pull them in as a prerequisite. This allows the end user to pull in whatever works best for the combination of tools deployed.

For example, here’s what prompted this issue: I have a cluster with

• Traefik + external-dns + cert-manager for north/south traffic and
• Linkerd + cert-manager for east/west traffic and
• Argo CD managing everything

Traefik & Argo CD both have Gateways that use certs from cert-manager, and Argo CD is using HTTPRoutes.

I’m also working to deploy an application stack that will utilize Linkerd + GRPCRoutes inside the cluster for observability and gRPC load balancing.

The problem with the bundled CRDs is that Linkerd still uses Gateway API v1alpha2 for compatibility with Google Kubernetes Engine (GKE).

Thus, to get a version of Linkerd with the features I need (including support for Native Sidecars so that Jobs like the ones in Argo CD itself work correctly) and Traefik to work together, I am currently forced to use a custom build of the Traefik helm chart with the Gateway API manifest replaced with the experimental 1.1.0 version as the stable version doesn’t expose the v1alpha2 variant (just beta and stable ones).

https://github.com/traefik/traefik-helm-chart/issues/1141 is one possible solution to this if setup like https://github.com/linkerd/linkerd2/tree/main/charts/linkerd-crds as they allow toggling off the bundled Gateway API CRDs by setting enableHttpRoutes: false like mentioned at https://linkerd.io/2.16/features/httproute/

Lastly, for reference, I posted about this at https://community.traefik.io/t/install-traefik-w-o-gateway-api-crds/24712/ too.

[mloiseleur]

Thanks for this detailed report 👍

[PurseChicken]

I also ran into this issue in GKE. In my opinion, there should be an option to turn off the gateway-api CRD's, have them tied to enabling kubernetesGateway: in values, or have them as a separate install.

Currently if you enable gateway-api support in GKE it is still v1Beta1 and not v1+. Installing traefik now tries to overwrite those CRD's which causes conflicts and plenty of invalid value errors.

I had to roll back to v28.3.0 of the chart

[paul-at-cybr]

Same issue here. I'd like to continue applying future Traefik security updates despite being on GKE, please.