Add gatewayDeploymentMode field to GatewayAPI spec

radixo · radixo · commit 91c091369e89 · 2026-04-13T17:02:47.000+01:00
- Add GatewayDeploymentMode type with ControllerNamespace and GatewayNamespace options
- Default to ControllerNamespace when not specified in the controller Reconcile
- Regenerate CRD manifest and deepcopy methods
diff --git a/api/v1/gatewayapi_types.go b/api/v1/gatewayapi_types.go
@@ -64,6 +64,19 @@ type GatewayAPISpec struct {
 	// +optional
 	GatewayCertgenJob *GatewayCertgenJob `json:"gatewayCertgenJob,omitempty"`
 
+	// Configures where Envoy Gateway deploys managed gateway proxy workloads.
+	//
+	// - "ControllerNamespace" deploys managed proxy workloads in the Envoy Gateway
+	// controller namespace.
+	// - "GatewayNamespace" deploys managed proxy workloads in each Gateway's
+	// namespace.
+	//
+	// If not specified, defaults to "ControllerNamespace".
+	// +kubebuilder:default=ControllerNamespace
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="gatewayDeploymentMode is immutable once set"
+	// +optional
+	GatewayDeploymentMode *GatewayDeploymentMode `json:"gatewayDeploymentMode,omitempty"`
+
 	// Configures how to manage and update Gateway API CRDs.  The default behaviour - which is
 	// used when this field is not set, or is set to "PreferExisting" - is that the Tigera
 	// operator will create the Gateway API CRDs if they do not already exist, but will not
@@ -129,6 +142,14 @@ type GatewayClassSpec struct {
 	GatewayService *GatewayService `json:"gatewayService,omitempty"`
 }
 
+// +kubebuilder:validation:Enum=ControllerNamespace;GatewayNamespace
+type GatewayDeploymentMode string
+
+const (
+	GatewayDeploymentModeControllerNamespace GatewayDeploymentMode = "ControllerNamespace"
+	GatewayDeploymentModeGatewayNamespace    GatewayDeploymentMode = "GatewayNamespace"
+)
+
 //+kubebuilder:object:root=true
 //+kubebuilder:resource:scope=Cluster
 
diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
diff --git a/pkg/controller/gatewayapi/gatewayapi_controller.go b/pkg/controller/gatewayapi/gatewayapi_controller.go
@@ -25,6 +25,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/utils/ptr"
 	"k8s.io/utils/set"
 	gapi "sigs.k8s.io/gateway-api/apis/v1"
 	"sigs.k8s.io/yaml" // gopkg.in/yaml.v2 didn't parse all the fields but this package did
@@ -282,6 +283,10 @@ func (r *ReconcileGatewayAPI) Reconcile(ctx context.Context, request reconcile.R
 		CurrentGatewayClasses: set.New[string](),
 	}
 
+	if gatewayAPI.Spec.GatewayDeploymentMode == nil {
+		gatewayAPI.Spec.GatewayDeploymentMode = ptr.To(operatorv1.GatewayDeploymentModeControllerNamespace)
+	}
+
 	if gatewayAPI.Spec.EnvoyGatewayConfigRef != nil {
 		if err = r.watchEnvoyGateway(*gatewayAPI.Spec.EnvoyGatewayConfigRef); err != nil {
 			r.status.SetDegraded(operatorv1.ResourceReadError, "Error watching EnvoyGatewayConfigRef", err, log)
diff --git a/pkg/imports/crds/operator/operator.tigera.io_gatewayapis.yaml b/pkg/imports/crds/operator/operator.tigera.io_gatewayapis.yaml
@@ -5710,6 +5710,22 @@ spec:
                           type: object
                       type: object
                   type: object
+                gatewayDeploymentMode:
+                  default: ControllerNamespace
+                  description: |-
+                    Configures where Envoy Gateway deploys managed gateway proxy workloads.
+                    - "ControllerNamespace" deploys managed proxy workloads in the Envoy Gateway
+                    controller namespace.
+                    - "GatewayNamespace" deploys managed proxy workloads in each Gateway's
+                    namespace.
+                    If not specified, defaults to "ControllerNamespace".
+                  enum:
+                    - ControllerNamespace
+                    - GatewayNamespace
+                  type: string
+                  x-kubernetes-validations:
+                    - message: gatewayDeploymentMode is immutable once set
+                      rule: self == oldSelf
               type: object
           type: object
           x-kubernetes-validations:
