Don’t bundle Gateway API CRDs
Welcome!
- [x] Yes, I've searched similar issues on GitHub and didn't find any.
- [x] Yes, I've searched similar issues on the Traefik community forum and didn't find any.
What did you expect to see?
I’m doing some greenfield work and trying to take advantage of all the Gateway API goodness Traefik, Argo CD, Argo Rollouts, Linkerd, and others are doing, but have found that Traefik bundling in the Gateway API CRDs in the helm charts is both an anti-pattern and problematic. The other projects I’ve looked at all seem to have you pull them in as a prerequisite. This allows the end user to pull in whatever works best for the combination of tools deployed.
For example, here’s what prompted this issue: I have a cluster with
- Traefik + external-dns + cert-manager for north/south traffic and
- Linkerd + cert-manager for east/west traffic and
- Argo CD managing everything
Traefik & Argo CD both have Gateways that use certs from cert-manager, and Argo CD is using HTTPRoutes.
I’m also working to deploy an application stack that will utilize Linkerd + GRPCRoutes inside the cluster for observability and gRPC load balancing.
The problem with the bundled CRDs is that Linkerd still uses Gateway API v1alpha2 for compatibility with Google Kubernetes Engine (GKE).
Thus, to get a version of Linkerd with the features I need (including support for Native Sidecars so that Jobs like the ones in Argo CD itself work correctly) and Traefik to work together, I am currently forced to use a custom build of the Traefik helm chart with the Gateway API manifest replaced with the experimental 1.1.0 version as the stable version doesn’t expose the v1alpha2 variant (just beta and stable ones).
https://github.com/traefik/traefik-helm-chart/issues/1141 is one possible solution to this if set up like https://github.com/linkerd/linkerd2/tree/main/charts/linkerd-crds, as they allow toggling off the bundled Gateway API CRDs by setting enableHttpRoutes: false, as mentioned at https://linkerd.io/2.16/features/httproute/
Lastly, for reference, I posted about this at https://community.traefik.io/t/install-traefik-w-o-gateway-api-crds/24712/ too.
Thanks for this detailed report 👍
I also ran into this issue in GKE. In my opinion, there should be an option to turn off the gateway-api CRDs, have them tied to enabling kubernetesGateway: in values, or have them as a separate install.
Currently, if you enable gateway-api support in GKE it is still v1Beta1 and not v1+. Installing traefik now tries to overwrite those CRDs, which causes conflicts and plenty of invalid value errors.
I had to roll back to v28.3.0 of the chart
Same issue here. I'd like to continue applying future Traefik security updates despite being on GKE, please.
Maybe I'm missing something, but aren't the CRDs still bundled in the main chart? Should there be an option to say you're bringing your own CRDs maybe?
EDIT: Never mind. Found the answer in the README 😅
I think the expectation is to use --skip-crds; however, if you are not installing directly with helm (e.g. with ArgoCD application sets), then I feel like we need another way to not include CRDs with the main traefik chart. It would be awesome if we could just set a key value pair in values like:
skipCRDs: true
100% agree that it needs to work when using ArgoCD - ideally via a yaml setting. The initial ask of this issue explicitly calls out the need for this too, fwiw
> 100% agree that it needs to work when using ArgoCD - ideally via a yaml setting. The initial ask of this issue explicitly calls out the need for this too, fwiw

If that's the case, then I think this issue should be reopened. It's honestly trivial to just add a {{- if .Values.skipCRDs }} block to the CRD manifests which would accomplish this.
@genebean I actually use ArgoCD and managed to avoid the CRDs by setting .spec.source.helm.skipCrds: true in the Application.
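The Argo CD setup described in the comment above, combined with the "CRDs as a prerequisite" approach from the original report, sketched as an added example (not code from the thread or from the Traefik project). The Application names, namespaces and the `<chart-version>` placeholder are assumptions.

```yaml
# Added example. Names, namespaces and <chart-version> are hypothetical.
---
# 1) Gateway API CRDs managed on their own, pinned to the one release that
#    every consumer in the cluster can work with (the issue mentions the
#    experimental 1.1.0 manifests).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: gateway-api-crds          # hypothetical name
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/kubernetes-sigs/gateway-api
    targetRevision: v1.1.0        # pin a tag, never a moving branch
    path: config/crd/experimental # kustomize directory in the upstream repo
  destination:
    server: https://kubernetes.default.svc
  syncPolicy:
    syncOptions:
      - ServerSideApply=true      # large CRDs can exceed the client-side
                                  # apply annotation size limit
---
# 2) Traefik installed from its chart with the bundled CRDs skipped, so a
#    chart upgrade (for example to pick up a security fix) cannot overwrite
#    the CRDs pinned above.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: traefik                   # hypothetical name
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://traefik.github.io/charts
    chart: traefik
    targetRevision: <chart-version>   # placeholder: pin the version you run
    helm:
      # Equivalent of `helm install --skip-crds`. It skips everything in the
      # chart's crds/ directory, so any other CRDs the chart ships there must
      # be supplied separately as well.
      skipCrds: true
  destination:
    server: https://kubernetes.default.svc
    namespace: traefik            # hypothetical namespace
```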
@PurseChicken I agree. When configuring this that was what I was looking for as I feel like it's the most standard solution to the problem. And as you say, it's trivial to add a skipCRD option.
> .spec.source.helm.skipCrds: true

I personally would love to use this with my ArgoCD deployment of traefik, however I use ApplicationSets which deploy many other applications. In order to have this apply I would have to modify the applicationset template and that would then apply to every application deployed by that application set. The only other option would be to remove traefik from the applicationset and have its own applicationset which then would apply the skipCrds helm option. It's the equivalent of using --skip-crds if you are using helm directly.
This is why having an option in values for skipping CRDs is so important to have. Another option could be to use a subchart that applies only if crds.enabled. Then you could use the following in chart.yaml:
```yaml
dependencies:
  - name: crds
    version: "0.0.0"
    condition: crds.enabled
```
If no one addresses this soon I will just submit a PR likely using {{- if .Values.skipCRDs }} or similar.
I created a new issue based on the discussion above since this issue is still closed:
https://github.com/traefik/traefik-helm-chart/issues/1315