diff --git a/configsrc/vcluster/main/default_values.yaml b/configsrc/vcluster/main/default_values.yaml
index 07d905d6c3..5f435f4d3d 100644
--- a/configsrc/vcluster/main/default_values.yaml
+++ b/configsrc/vcluster/main/default_values.yaml
@@ -81,27 +81,27 @@ sync:
ingresses:
# Enabled defines if this option should be enabled.
enabled: false
- # GatewayAPI defines Gateway API resources created within the virtual cluster that should get synced to the host cluster.
+ # GatewayAPI defines Gateway API resources created within the tenant cluster that should get synced to the control plane cluster.
gatewayApi:
# Enabled defines if this option should be enabled.
enabled: false
- # HTTPRoutes configures HTTPRoute sync to the host cluster.
+ # HTTPRoutes configures HTTPRoute sync to the control plane cluster.
httpRoutes:
# Enabled defines if this option should be enabled.
enabled: false
- # Gateways configures tenant-created Gateway sync to the host cluster.
+ # Gateways configures tenant-created Gateway sync to the control plane cluster.
gateways:
# Enabled defines if this option should be enabled.
enabled: false
- # TLSRoutes configures TLSRoute sync to the host cluster.
+ # TLSRoutes configures TLSRoute sync to the control plane cluster.
tlsRoutes:
# Enabled defines if this option should be enabled.
enabled: false
- # BackendTLSPolicies configures BackendTLSPolicy sync to the host cluster.
+ # BackendTLSPolicies configures BackendTLSPolicy sync to the control plane cluster.
backendTLSPolicies:
# Enabled defines if this option should be enabled.
enabled: false
- # ReferenceGrants configures ReferenceGrant sync to the host cluster. Enabled may be "auto", "true", or "false".
+ # ReferenceGrants configures ReferenceGrant sync to the control plane cluster. Enabled may be "auto", "true", or "false".
referenceGrants:
# Enabled defines if this option should be enabled.
enabled: auto
@@ -151,7 +151,7 @@ sync:
resourceClaimTemplates:
# Enabled defines if this option should be enabled.
enabled: false
-
+
# Configure what resources vCluster should sync from the host cluster to the virtual cluster.
fromHost:
# Events defines if events should get synced from the host cluster to the virtual cluster, but not back.
@@ -164,21 +164,21 @@ sync:
enabled: false
# Mappings for Namespace and Object
mappings:
- # ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name.
+ # ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.
# There are several wildcards supported:
- # 1. To match all objects in host namespace and sync them to different namespace in vCluster:
+ # 1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:
# byName:
# "foo/*": "foo-in-virtual/*"
- # 2. To match specific object in the host namespace and sync it to the same namespace with the same name:
+ # 2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name:
# byName:
# "foo/my-object": "foo/my-object"
- # 3. To match specific object in the host namespace and sync it to the same namespace with different name:
+ # 3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name:
# byName:
# "foo/my-object": "foo/my-virtual-object"
- # 4. To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+ # 4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
# byName:
# "": "my-virtual-namespace/*"
- # 5. To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+ # 5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
# byName:
# "/my-object": "my-virtual-namespace/my-object"
byName: {}
@@ -202,31 +202,31 @@ sync:
ingressClasses:
# Enabled defines if this option should be enabled.
enabled: false
- # GatewayClasses defines if gateway classes should get synced from the host cluster to the virtual cluster, but not back.
+ # GatewayClasses defines if gateway classes should get synced from the control plane cluster to the tenant cluster, but not back.
gatewayClasses:
# Enabled defines if this option should be enabled.
enabled: false
- # Gateways defines if selected host Gateways should get synced from the host cluster to the virtual cluster, but not back.
+ # Gateways defines if selected control plane Gateways should get synced from the control plane cluster to the tenant cluster, but not back.
gateways:
# Enabled defines if this option should be enabled.
enabled: false
- # Mappings define Host Gateway namespace/name to tenant-facing namespace/name placement.
+ # Mappings define control plane Gateway namespace/name to tenant-facing namespace/name placement.
mappings:
- # ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name.
+ # ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.
# There are several wildcards supported:
- # 1. To match all objects in host namespace and sync them to different namespace in vCluster:
+ # 1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:
# byName:
# "foo/*": "foo-in-virtual/*"
- # 2. To match specific object in the host namespace and sync it to the same namespace with the same name:
+ # 2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name:
# byName:
# "foo/my-object": "foo/my-object"
- # 3. To match specific object in the host namespace and sync it to the same namespace with different name:
+ # 3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name:
# byName:
# "foo/my-object": "foo/my-virtual-object"
- # 4. To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+ # 4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
# byName:
# "": "my-virtual-namespace/*"
- # 5. To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+ # 5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
# byName:
# "/my-object": "my-virtual-namespace/my-object"
byName: {}
@@ -242,7 +242,7 @@ sync:
# Metadata configures imported Gateway metadata visibility.
metadata:
exposeSourceGateway: false
- # Sanitize configures sensitive host field sanitization.
+ # Sanitize configures sensitive control plane field sanitization.
sanitize:
certificateRefs: true
infrastructure: true
@@ -273,21 +273,21 @@ sync:
enabled: false
# Mappings for Namespace and Object
mappings:
- # ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name.
+ # ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.
# There are several wildcards supported:
- # 1. To match all objects in host namespace and sync them to different namespace in vCluster:
+ # 1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:
# byName:
# "foo/*": "foo-in-virtual/*"
- # 2. To match specific object in the host namespace and sync it to the same namespace with the same name:
+ # 2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name:
# byName:
# "foo/my-object": "foo/my-object"
- # 3. To match specific object in the host namespace and sync it to the same namespace with different name:
+ # 3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name:
# byName:
# "foo/my-object": "foo/my-virtual-object"
- # 4. To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+ # 4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
# byName:
# "": "my-virtual-namespace/*"
- # 5. To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+ # 5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
# byName:
# "/my-object": "my-virtual-namespace/my-object"
byName: {}
@@ -354,7 +354,7 @@ controlPlane:
requests:
cpu: 40m
memory: 64Mi
-
+
# BackingStore defines which backing store to use for virtual cluster. If not defined will use embedded database as a default backing store.
backingStore:
# Database defines that a database backend should be used as the backend for the virtual cluster. This uses a project called kine under the hood which is a shim for bridging Kubernetes and relational databases.
@@ -503,7 +503,7 @@ controlPlane:
# HeadlessService holds options for the external etcd headless service.
headlessService:
annotations: {}
-
+
# Proxy defines options for the virtual cluster control plane proxy that is used to do authentication and intercept requests.
proxy:
# BindAddress under which vCluster will expose the proxy.
@@ -512,7 +512,7 @@ controlPlane:
port: 8443
# ExtraSANs are extra hostnames to sign the vCluster proxy certificate for.
extraSANs: []
-
+
# CoreDNS defines everything related to the coredns that is deployed and used within the vCluster.
coredns:
# Enabled defines if coredns is enabled
@@ -574,7 +574,7 @@ controlPlane:
labelSelector:
matchLabels:
k8s-app: vcluster-kube-dns
-
+
# Service defines options for vCluster service deployed by Helm.
service:
# Enabled defines if the control plane service should be enabled
@@ -588,7 +588,7 @@ controlPlane:
# Spec allows you to configure extra service options.
spec:
type: ClusterIP
-
+
# Ingress defines options for vCluster ingress deployed by Helm.
ingress:
# Enabled defines if the control plane ingress should be enabled
@@ -605,7 +605,7 @@ controlPlane:
# Spec allows you to configure extra ingress options.
spec:
tls: []
-
+
# TLSRoute defines options for vCluster TLS route deployed by Helm.
tlsRoute:
# Enabled defines if the control plane should be exposed via a gateway api tls route. Make sure to enable tls passthrough in the gateway via tls.mode to "Passthrough"
@@ -620,7 +620,7 @@ controlPlane:
spec: {}
labels: {}
annotations: {}
-
+
# Standalone holds configuration for standalone mode. Standalone mode is set automatically when no container is detected and
# also implies privateNodes.enabled.
standalone:
@@ -634,7 +634,7 @@ controlPlane:
containerd:
# Enabled defines if containerd should be installed and configured by vCluster.
enabled: true
-
+
# StatefulSet defines options for vCluster statefulSet deployed by Helm.
statefulSet:
labels: {}
@@ -779,14 +779,14 @@ controlPlane:
sidecarContainers: []
# HostAliases allows you to add custom entries to the /etc/hosts file of each Pod created.
hostAliases: []
-
+
# ServiceMonitor can be used to automatically create a service monitor for vCluster deployment itself.
serviceMonitor:
# Enabled configures if Helm should create the service monitor.
enabled: false
labels: {}
annotations: {}
-
+
# Advanced holds additional configuration for the vCluster control plane.
advanced:
# DefaultImageRegistry will be used as a prefix for all internal images deployed by vCluster or Helm. This makes it easy to
@@ -878,13 +878,13 @@ controlPlane:
privateNodes:
# Enabled defines if dedicated nodes should be enabled.
enabled: false
-
+
# Kubelet holds kubelet configuration that is used for all nodes.
kubelet:
# Config is the config for the kubelet that will be merged into the default kubelet config. More information can be found here:
# https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration
config: {}
-
+
# AutoUpgrade holds configuration for auto upgrade.
autoUpgrade:
# Enabled defines if auto upgrade should be enabled.
@@ -895,17 +895,17 @@ privateNodes:
podSecurityContext: {}
# ContainerSecurityContext specifies security context options on the container level for the upgrade container.
containerSecurityContext: {}
-
+
# JoinNode holds configuration specifically used during joining the node (see "kubeadm join").
joinNode:
# Containerd holds configuration for the containerd join process.
containerd:
# Enabled defines if containerd should be installed and configured by vCluster.
enabled: true
-
+
# AutoNodes stores auto nodes configuration.
autoNodes: []
-
+
# VPN holds configuration for the private nodes vpn. This can be used to connect the private nodes to the control plane or
# connect the private nodes to each other if they are not running in the same network. Platform connection is required for the vpn to work.
vpn:
@@ -915,7 +915,7 @@ privateNodes:
nodeToNode:
# Enabled defines if the node to node vpn should be enabled.
enabled: false
-
+
# Daemon holds configuration for the private nodes daemon that is deployed on the nodes.
daemon:
# Enabled defines if the private nodes daemon should be enabled.
@@ -936,14 +936,14 @@ deploy:
localPathProvisioner:
# Enabled defines if LocalPathProvisioner should be enabled.
enabled: true
-
+
# CNI holds dedicated CNI configuration.
cni:
# Flannel holds dedicated Flannel configuration.
flannel:
# Enabled defines if Flannel should be enabled.
enabled: true
-
+
# KubeProxy holds dedicated kube proxy configuration.
kubeProxy:
# Enabled defines if the kube proxy should be enabled.
@@ -963,7 +963,7 @@ deploy:
# Config is the config for the kube-proxy that will be merged into the default kube-proxy config. More information can be found here:
# https://kubernetes.io/docs/reference/config-api/kube-proxy-config.v1alpha1/#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration
config: {}
-
+
# Metallb holds dedicated metallb configuration.
metallb:
# Enabled defines if metallb should be enabled.
@@ -974,7 +974,7 @@ deploy:
addresses: []
# L2Advertisement defines if L2 advertisement should be enabled for the IP address pool.
l2Advertisement: true
-
+
# IngressNginx holds dedicated ingress-nginx configuration.
# Deprecated: We do not deploy ingress nginx and the project is being deprecated.
ingressNginx:
@@ -982,12 +982,12 @@ deploy:
enabled: false
# DefaultIngressClass defines if the deployed ingress class should be the default ingress class.
defaultIngressClass: true
-
+
# MetricsServer holds dedicated metrics server configuration.
metricsServer:
# Enabled defines if metrics server should be enabled.
enabled: false
-
+
# VolumeSnapshotController holds dedicated CSI snapshot-controller configuration.
volumeSnapshotController:
# Enabled defines if the CSI volumes snapshot-controller should be enabled.
@@ -1003,7 +1003,7 @@ integrations:
nodes: true
# Pods defines if metrics-server pods api should get proxied from host to virtual cluster.
pods: true
-
+
# ExternalSecrets reuses a host external secret operator and makes certain CRDs from it available inside the vCluster.
# - ExternalSecrets will be synced from the virtual cluster to the host cluster.
# - SecretStores will be synced from the virtual cluster to the host cluster and then bi-directionally.
@@ -1036,7 +1036,7 @@ integrations:
enabled: false
selector:
matchLabels: {}
-
+
# KubeVirt reuses a host kubevirt and makes certain CRDs from it available inside the vCluster
kubeVirt:
# Enabled signals if the integration should be enabled
@@ -1064,7 +1064,7 @@ integrations:
# If VirtualMachineInstanceMigrations should get synced
virtualMachineInstanceMigrations:
enabled: true
-
+
# CertManager reuses a host cert-manager and makes its CRDs from it available inside the vCluster.
# - Certificates and Issuers will be synced from the virtual cluster to the host cluster.
# - ClusterIssuers will be synced from the host cluster to the virtual cluster.
@@ -1088,7 +1088,7 @@ integrations:
# Selector defines what cluster issuers should be imported.
selector:
labels: {}
-
+
# Istio syncs DestinationRules, Gateways and VirtualServices from virtual cluster to the host.
istio:
# Enabled defines if this option should be enabled.
@@ -1112,7 +1112,7 @@ rbac:
overwriteRules: []
# ExtraRules will add rules to the role.
extraRules: []
-
+
# ClusterRole holds virtual cluster cluster role configuration
clusterRole:
# Enabled defines if the cluster role should be enabled or disabled. If auto, vCluster automatically determines whether the virtual cluster requires a cluster role.
@@ -1121,7 +1121,7 @@ rbac:
overwriteRules: []
# ExtraRules will add rules to the cluster role.
extraRules: []
-
+
# EnableVolumeSnapshotRules enables all required volume snapshot rules in the Role and
# ClusterRole.
enableVolumeSnapshotRules:
@@ -1132,7 +1132,7 @@ rbac:
networking:
# PodCIDR holds the pod cidr for the virtual cluster. This should only be set if privateNodes.enabled is true.
podCIDR: "10.244.0.0/16"
-
+
# ReplicateServices allows replicating services from the host within the virtual cluster or the other way around.
replicateServices:
# ToHost defines the services that should get synced from virtual cluster to the host cluster. If services are
@@ -1141,10 +1141,10 @@ networking:
toHost: []
# FromHost defines the services that should get synced from the host to the virtual cluster.
fromHost: []
-
+
# ResolveDNS allows to define extra DNS rules. This only works if embedded coredns is configured.
resolveDNS: []
-
+
# Advanced holds advanced network options.
advanced:
# ClusterDomain is the Kubernetes cluster domain to use within the virtual cluster.
@@ -1193,7 +1193,7 @@ policies:
matchExpressions: []
# Scopes are the resource quota scopes
scopes: []
-
+
# LimitRange specifies limit range options.
limitRange:
# Enabled defines if the limit range should be deployed by vCluster. "auto" means that if resourceQuota is enabled,
@@ -1215,7 +1215,7 @@ policies:
min: {}
# Max are the max limits for the limit range
max: {}
-
+
# NetworkPolicy specifies network policy options.
networkPolicy:
# Enabled defines if the network policy should be deployed by vCluster.
@@ -1252,7 +1252,7 @@ policies:
ingress: []
# Egress rules for the vCluster workloads.
egress: []
-
+
# CentralAdmission defines what validating or mutating webhooks should be enforced within the virtual cluster.
centralAdmission:
# ValidatingWebhooks are validating webhooks that should be enforced in the virtual cluster
@@ -1264,13 +1264,13 @@ policies:
exportKubeConfig:
# Context is the name of the context within the generated kubeconfig to use.
context: ""
-
+
# Override the default https://localhost:8443 and specify a custom hostname for the generated kubeconfig.
server: ""
-
+
# If tls should get skipped for the server
insecure: false
-
+
# ServiceAccount can be used to generate a service account token instead of the default certificates.
serviceAccount:
# Name of the service account to be used to generate a service account token instead of the default certificates.
@@ -1280,7 +1280,7 @@ exportKubeConfig:
namespace: ""
# ClusterRole to assign to the service account.
clusterRole: ""
-
+
# Declare in which host cluster secret vCluster should store the generated virtual cluster kubeconfig.
# If this is not defined, vCluster will create it with `vc-NAME`. If you specify another name,
# vCluster creates the config in this other secret.
@@ -1292,7 +1292,7 @@ exportKubeConfig:
# Namespace where vCluster should store the kubeconfig secret. If this is not equal to the namespace
# where you deployed vCluster, you need to make sure vCluster has access to this other namespace.
namespace: ""
-
+
# AdditionalSecrets specifies the additional host cluster secrets in which vCluster will store the
# generated virtual cluster kubeconfigs.
additionalSecrets: []
@@ -1316,17 +1316,17 @@ experimental:
# use purely local images. Only works if containerd image storage is used. For more information, see https://docs.docker.com/engine/storage/containerd
registryProxy:
enabled: true
-
+
# Proxy enables vCluster-to-vCluster proxying of resources
proxy:
# CustomResources is a map of resource keys (format: "kind.apiGroup/version") to proxy configuration
customResources: {}
-
+
# SyncSettings are advanced settings for the syncer controller.
syncSettings:
# SetOwner specifies if vCluster should set an owner reference on the synced objects to the vCluster service. This allows for easy garbage collection.
setOwner: true
-
+
# Deploy allows you to configure manifests and Helm charts to deploy within the host or virtual cluster.
deploy:
# Host defines what manifests to deploy into the host cluster
@@ -1343,7 +1343,7 @@ experimental:
manifestsTemplate: ""
# Helm are Helm charts that should get deployed into the virtual cluster
helm: []
-
+
# NodeMonitors allows you to create a service monitor for each node.
nodeMonitors: []
diff --git a/configsrc/vcluster/main/vcluster.schema.json b/configsrc/vcluster/main/vcluster.schema.json
index 605552bb86..f17b753dd0 100755
--- a/configsrc/vcluster/main/vcluster.schema.json
+++ b/configsrc/vcluster/main/vcluster.schema.json
@@ -1246,7 +1246,7 @@
"properties": {
"afterInactivity": {
"type": "string",
- "description": "AfterInactivity specifies after how long of inactivity the tenant cluster will be deleted.\nUses Go duration format (e.g., \"720h\" for 30 days).\n+optional"
+ "description": "AfterInactivity specifies after how long of inactivity the virtual cluster will be deleted.\nUses Go duration format (e.g., \"720h\" for 30 days).\n+optional"
}
},
"additionalProperties": false,
@@ -2532,7 +2532,7 @@
},
"mappings": {
"$ref": "#/$defs/FromHostMappings",
- "description": "Mappings define Host Gateway namespace/name to tenant-facing namespace/name placement."
+ "description": "Mappings define control plane Gateway namespace/name to tenant-facing namespace/name placement."
},
"allowedRoutes": {
"$ref": "#/$defs/GatewayAllowedRoutesConfig",
@@ -2548,7 +2548,7 @@
},
"sanitize": {
"$ref": "#/$defs/GatewayImportSanitize",
- "description": "Sanitize configures sensitive host field sanitization."
+ "description": "Sanitize configures sensitive control plane field sanitization."
}
},
"additionalProperties": false,
@@ -2561,7 +2561,7 @@
"type": "string"
},
"type": "object",
- "description": "ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name.\nThere are several wildcards supported:\n1. To match all objects in host namespace and sync them to different namespace in vCluster:\nbyName:\n \"foo/*\": \"foo-in-virtual/*\"\n2. To match specific object in the host namespace and sync it to the same namespace with the same name:\nbyName:\n \"foo/my-object\": \"foo/my-object\"\n3. To match specific object in the host namespace and sync it to the same namespace with different name:\nbyName:\n \"foo/my-object\": \"foo/my-virtual-object\"\n4. To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster:\nbyName:\n \"\": \"my-virtual-namespace/*\"\n5. To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster:\nbyName:\n \"/my-object\": \"my-virtual-namespace/my-object\""
+ "description": "ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.\nThere are several wildcards supported:\n1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:\nbyName:\n \"foo/*\": \"foo-in-virtual/*\"\n2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name:\nbyName:\n \"foo/my-object\": \"foo/my-object\"\n3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name:\nbyName:\n \"foo/my-object\": \"foo/my-virtual-object\"\n4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:\nbyName:\n \"\": \"my-virtual-namespace/*\"\n5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:\nbyName:\n \"/my-object\": \"my-virtual-namespace/my-object\""
}
},
"additionalProperties": false,
@@ -2582,23 +2582,23 @@
},
"httpRoutes": {
"$ref": "#/$defs/EnableSwitchWithPatches",
- "description": "HTTPRoutes configures HTTPRoute sync to the host cluster."
+ "description": "HTTPRoutes configures HTTPRoute sync to the control plane cluster."
},
"gateways": {
"$ref": "#/$defs/EnableSwitchWithPatches",
- "description": "Gateways configures tenant-created Gateway sync to the host cluster."
+ "description": "Gateways configures tenant-created Gateway sync to the control plane cluster."
},
"tlsRoutes": {
"$ref": "#/$defs/EnableSwitchWithPatches",
- "description": "TLSRoutes configures TLSRoute sync to the host cluster."
+ "description": "TLSRoutes configures TLSRoute sync to the control plane cluster."
},
"backendTLSPolicies": {
"$ref": "#/$defs/EnableSwitchWithPatches",
- "description": "BackendTLSPolicies configures BackendTLSPolicy sync to the host cluster."
+ "description": "BackendTLSPolicies configures BackendTLSPolicy sync to the control plane cluster."
},
"referenceGrants": {
"$ref": "#/$defs/EnableAutoSwitchWithPatches",
- "description": "ReferenceGrants configures ReferenceGrant sync to the host cluster. Enabled may be \"auto\", \"true\", or \"false\"."
+ "description": "ReferenceGrants configures ReferenceGrant sync to the control plane cluster. Enabled may be \"auto\", \"true\", or \"false\"."
}
},
"additionalProperties": false,
@@ -4609,7 +4609,7 @@
},
"additionalProperties": false,
"type": "object",
- "description": "Sleep holds configuration for automatically putting the tenant cluster to sleep."
+ "description": "Sleep holds configuration for automatically putting the virtual cluster to sleep."
},
"SleepAuto": {
"properties": {
@@ -4824,7 +4824,7 @@
"properties": {
"schedule": {
"type": "string",
- "description": "Schedule specifies a scheduled time in Cron format, see https://en.wikipedia.org/wiki/Cron for a tenant cluster snapshot to be taken\n+optional"
+ "description": "Schedule specifies a scheduled time in Cron format, see https://en.wikipedia.org/wiki/Cron for a virtual cluster snapshot to be taken\n+optional"
},
"timezone": {
"type": "string",
@@ -5075,11 +5075,11 @@
},
"gatewayClasses": {
"$ref": "#/$defs/EnableSwitchWithPatchesAndSelector",
- "description": "GatewayClasses defines if gateway classes should get synced from the host cluster to the virtual cluster, but not back."
+ "description": "GatewayClasses defines if gateway classes should get synced from the control plane cluster to the tenant cluster, but not back."
},
"gateways": {
"$ref": "#/$defs/FromHostGateways",
- "description": "Gateways defines if selected host Gateways should get synced from the host cluster to the virtual cluster, but not back."
+ "description": "Gateways defines if selected control plane Gateways should get synced from the control plane cluster to the tenant cluster, but not back."
},
"runtimeClasses": {
"$ref": "#/$defs/EnableSwitchWithPatchesAndSelector",
@@ -5306,7 +5306,7 @@
},
"gatewayApi": {
"$ref": "#/$defs/GatewayAPIEnableSwitchWithPatches",
- "description": "GatewayAPI defines Gateway API resources created within the virtual cluster that should get synced to the host cluster."
+ "description": "GatewayAPI defines Gateway API resources created within the tenant cluster that should get synced to the control plane cluster."
},
"services": {
"$ref": "#/$defs/EnableSwitchWithPatches",
diff --git a/hack/vcluster/partials/main.go b/hack/vcluster/partials/main.go
index 200eec4441..4a4bac7293 100644
--- a/hack/vcluster/partials/main.go
+++ b/hack/vcluster/partials/main.go
@@ -61,6 +61,7 @@ var paths = []string{
"sync/toHost/services",
"sync/toHost/networkPolicies",
"sync/toHost/ingresses",
+ "sync/toHost/gatewayApi",
"sync/toHost/endpoints",
"sync/toHost/endpointSlices",
"sync/toHost/secrets",
@@ -73,6 +74,7 @@ var paths = []string{
"sync/fromHost/storageClasses",
"sync/fromHost/nodes",
"sync/fromHost/ingressClasses",
+ "sync/fromHost/gatewayClasses",
"sync/fromHost/events",
"sync/fromHost/runtimeClasses",
"sync/fromHost/priorityClasses",
diff --git a/package.json b/package.json
index 7ef99696ad..56ea845158 100644
--- a/package.json
+++ b/package.json
@@ -5,6 +5,7 @@
"scripts": {
"docusaurus": "docusaurus",
"start": "docusaurus start",
+ "start-no-open": "docusaurus start --no-open",
"prebuild": "npm run validate-glossary",
"build": "docusaurus build",
"postbuild": "node scripts/fix-llms-doubled-docs-path.js",
diff --git a/platform/reference/platform-annotations.mdx b/platform/reference/platform-annotations.mdx
index 34b94fd908..cc594ee53c 100644
--- a/platform/reference/platform-annotations.mdx
+++ b/platform/reference/platform-annotations.mdx
@@ -291,18 +291,6 @@ When `true`, the platform will not deploy or manage kiosk on this cluster.
Base64-encoded certificate authority data for verifying the regional cluster endpoint certificate.
-### sleepmode.loft.sh/request-mirror-controller-allowlist {#sleepmode-loft-sh-request-mirror-controller-allowlist}
-
-**Type:** Annotation
-
-**Example:** `sleepmode.loft.sh/request-mirror-controller-allowlist: "gateway.networking.k8s.io/istio,gateway.networking.k8s.io/traefik"`
-
-**Used on:** Cluster
-
-**Set by:** User-configurable
-
-Comma-separated list of GatewayClass.spec.controllerName values to treat as request-mirror-supporting for HTTPRoutes in tenant clusters on this connected cluster, even when the GatewayClass status does not advertise the HTTPRouteRequestMirror feature.
-
## Project management {#project-management}
These labels and annotations are used on project resources and project-owned namespaces.
@@ -1023,6 +1011,32 @@ Disables automatic wakeup from ingress traffic. When set, the namespace or vClus
Disables metrics-based activity tracking. Only API server activity is tracked.
+### sleepmode.loft.sh/request-mirror-controller-allowlist {#sleepmode-loft-sh-request-mirror-controller-allowlist}
+
+**Type:** Annotation
+
+**Example:** `sleepmode.loft.sh/request-mirror-controller-allowlist: "gateway.networking.k8s.io/istio,gateway.networking.k8s.io/traefik"`
+
+**Used on:** Cluster
+
+**Set by:** User-configurable
+
+Comma-separated list of GatewayClass.spec.controllerName values to treat as request-mirror-supporting for HTTPRoutes in tenant clusters on this connected cluster, even when the GatewayClass status does not advertise the HTTPRouteRequestMirror feature.
+
+:::note Officially supported GatewayClasses
+Beyond any GatewayClass that advertises the `HTTPRouteRequestMirror` filter feature in its status, the platform officially supports sleep mode activity detection for the following GatewayClass implementations. These are treated as request-mirror-supporting by default, without requiring an entry in the allowlist:
+
+| Implementation | Controller name |
+|----------------|-----------------|
+| Envoy Gateway | `gateway.envoyproxy.io/gatewayclass-controller` |
+| kgateway | `kgateway.dev/kgateway` |
+| agentgateway | `agentgateway.dev/agentgateway` |
+| NGINX Gateway Fabric | `gateway.nginx.org/nginx-gateway-controller` |
+| Cilium | `io.cilium/gateway-controller` |
+
+Use the allowlist only for GatewayClasses not in this list and that do not advertise the feature.
+:::
+
## Auto sleep status annotations {#sleep-mode-status-annotations}
These annotations are set by the platform to indicate auto sleep status. They are read-only.
diff --git a/vcluster/_fragments/patches.mdx b/vcluster/_fragments/patches.mdx
index 86bfd49212..2f35eac2de 100644
--- a/vcluster/_fragments/patches.mdx
+++ b/vcluster/_fragments/patches.mdx
@@ -41,17 +41,17 @@ You can define a path for {props.path} field in `vcluster.yaml` usi
- path: ${props.path}
expression: '"my-prefix-"+value'
# optional reverseExpression to reverse the change from the Control Plane Cluster
- # reverseExpression: 'value.slice("my-prefix".length)'`}
+ # reverseExpression: 'value.slice("my-prefix-".length)'`}
In the example:
- - The path targets the {props.path} field to override when syncing to the Control Plane Cluster. The `*` wildcard applies the patch to each container individually.
- - `"'my-prefix-' + value"` defines a JavaScript expression that prepends `"my-prefix-"` to the {props.path} field in the Control Plane Cluster.
+- The path targets the {props.path} field to override when syncing to the Control Plane Cluster. The `*` wildcard applies the patch to each matching value individually.
+- `"'my-prefix-' + value"` defines a JavaScript expression that prepends `"my-prefix-"` to the {props.path} field in the Control Plane Cluster.
:::note Reverse sync
You can use the `reverseExpression` field to define how to revert changes when syncing from the Control Plane Cluster back to the tenant cluster.
-For example, add `reverseExpression: {"value.slice('my-prefix'.length)"}` to `vcluster.yaml` to remove the `"my-prefix-"` prefix when syncing back from the Control Plane Cluster to the tenant cluster in the previous example.
+For example, add `reverseExpression: 'value.slice("my-prefix-".length)'` to `vcluster.yaml` to remove the `"my-prefix-"` prefix when syncing back from the Control Plane Cluster to the tenant cluster in the previous example.
:::
To replace value with a hardcoded one, put the desired value in the quotation marks:
@@ -115,12 +115,11 @@ To prevent unintended modifications of the synced objects in either direction, d
```yaml title="Use expression and reverseExpression together"
sync:
toHost:
- secrets:
+ :
enabled: true
patches:
- path: metadata.annotations["encoded-value"]
expression: 'btoa(value)'
- - path: metadata.annotations["encoded-value"]
reverseExpression: 'atob(value)'
```
:::
@@ -146,7 +145,7 @@ For example, if the Control Plane Cluster contains a secret named `"my-example-s
Workloads in the tenant cluster can then use the secret without manual syncing.
-You can sync between the tenant cluster and the Control Plane Cluster by mapping `spec.secretName` to a secret in the Control Plane Cluster:
+You can sync between the tenant cluster and the Control Plane Cluster by treating a field value as a Secret reference:
{`sync:
@@ -162,8 +161,8 @@ You can sync between the tenant cluster and the Control Plane Cluster by mapping
In the example:
-- The code uses a patch to add `metadata.annotations["my-secret-ref"]`
-- It references a Secret in the Control Plane Cluster using the patch and ensures {props.resource} in the Control Plane Cluster links to the correct Secret.
+- The patch treats `metadata.annotations["my-secret-ref"]` as the name of a Secret reference.
+- vCluster rewrites the field to the corresponding Secret name in the target cluster and syncs or imports the referenced Secret when the resource is configured for syncing.
:::note Reference Patches with Namespace Syncing
If you have enabled syncing namespaces, reference patches are only required if the namespace is part of the patch. You can use the `namespacePath` option to specify the path of the namespace of the reference.
diff --git a/vcluster/_partials/config/sync.mdx b/vcluster/_partials/config/sync.mdx
index 60e9bf5083..2eed0a08b8 100755
--- a/vcluster/_partials/config/sync.mdx
+++ b/vcluster/_partials/config/sync.mdx
@@ -1185,7 +1185,7 @@ Labels treats the path value as a labels selector.
#### `gatewayApi` required object {#sync-toHost-gatewayApi}
-GatewayAPI defines Gateway API resources created within the virtual cluster that should get synced to the host cluster.
+GatewayAPI defines Gateway API resources created within the tenant cluster that should get synced to the control plane cluster.
@@ -1395,7 +1395,7 @@ Labels treats the path value as a labels selector.
##### `httpRoutes` required object {#sync-toHost-gatewayApi-httpRoutes}
-HTTPRoutes configures HTTPRoute sync to the host cluster.
+HTTPRoutes configures HTTPRoute sync to the control plane cluster.
@@ -1608,7 +1608,7 @@ Labels treats the path value as a labels selector.
##### `gateways` required object {#sync-toHost-gatewayApi-gateways}
-Gateways configures tenant-created Gateway sync to the host cluster.
+Gateways configures tenant-created Gateway sync to the control plane cluster.
@@ -1821,7 +1821,7 @@ Labels treats the path value as a labels selector.
##### `tlsRoutes` required object {#sync-toHost-gatewayApi-tlsRoutes}
-TLSRoutes configures TLSRoute sync to the host cluster.
+TLSRoutes configures TLSRoute sync to the control plane cluster.
@@ -2034,7 +2034,7 @@ Labels treats the path value as a labels selector.
##### `backendTLSPolicies` required object {#sync-toHost-gatewayApi-backendTLSPolicies}
-BackendTLSPolicies configures BackendTLSPolicy sync to the host cluster.
+BackendTLSPolicies configures BackendTLSPolicy sync to the control plane cluster.
@@ -2247,7 +2247,7 @@ Labels treats the path value as a labels selector.
##### `referenceGrants` required object {#sync-toHost-gatewayApi-referenceGrants}
-ReferenceGrants configures ReferenceGrant sync to the host cluster. Enabled may be "auto", "true", or "false".
+ReferenceGrants configures ReferenceGrant sync to the control plane cluster. Enabled may be "auto", "true", or "false".
@@ -5470,21 +5470,21 @@ Mappings for Namespace and Object
##### `byName` required object {#sync-toHost-namespaces-mappings-byName}
-ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name.
+ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.
There are several wildcards supported:
-1. To match all objects in host namespace and sync them to different namespace in vCluster:
+1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:
byName:
"foo/*": "foo-in-virtual/*"
-2. To match specific object in the host namespace and sync it to the same namespace with the same name:
+2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name:
byName:
"foo/my-object": "foo/my-object"
-3. To match specific object in the host namespace and sync it to the same namespace with different name:
+3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name:
byName:
"foo/my-object": "foo/my-virtual-object"
-4. To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"": "my-virtual-namespace/*"
-5. To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"/my-object": "my-virtual-namespace/my-object"
@@ -6782,7 +6782,7 @@ Selector defines the selector to use for the resource. If not set, all resources
#### `gatewayClasses` required object {#sync-fromHost-gatewayClasses}
-GatewayClasses defines if gateway classes should get synced from the host cluster to the virtual cluster, but not back.
+GatewayClasses defines if gateway classes should get synced from the control plane cluster to the tenant cluster, but not back.
@@ -7085,7 +7085,7 @@ Selector defines the selector to use for the resource. If not set, all resources
#### `gateways` required object {#sync-fromHost-gateways}
-Gateways defines if selected host Gateways should get synced from the host cluster to the virtual cluster, but not back.
+Gateways defines if selected control plane Gateways should get synced from the control plane cluster to the tenant cluster, but not back.
@@ -7385,7 +7385,7 @@ Selector defines the selector to use for the resource. If not set, all resources
##### `mappings` required object {#sync-fromHost-gateways-mappings}
-Mappings define Host Gateway namespace/name to tenant-facing namespace/name placement.
+Mappings define control plane Gateway namespace/name to tenant-facing namespace/name placement.
@@ -7397,21 +7397,21 @@ Mappings define Host Gateway namespace/name to tenant-facing namespace/name plac
##### `byName` required object {} {#sync-fromHost-gateways-mappings-byName}
-ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name.
+ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.
There are several wildcards supported:
-1. To match all objects in host namespace and sync them to different namespace in vCluster:
+1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:
byName:
"foo/*": "foo-in-virtual/*"
-2. To match specific object in the host namespace and sync it to the same namespace with the same name:
+2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name:
byName:
"foo/my-object": "foo/my-object"
-3. To match specific object in the host namespace and sync it to the same namespace with different name:
+3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name:
byName:
"foo/my-object": "foo/my-virtual-object"
-4. To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"": "my-virtual-namespace/*"
-5. To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"/my-object": "my-virtual-namespace/my-object"
@@ -7806,7 +7806,7 @@ Metadata configures imported Gateway metadata visibility.
##### `sanitize` required object {#sync-fromHost-gateways-sanitize}
-Sanitize configures sensitive host field sanitization.
+Sanitize configures sensitive control plane field sanitization.
@@ -9639,21 +9639,21 @@ Mappings for Namespace and Object
##### `byName` required object {#sync-fromHost-customResources-mappings-byName}
-ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name.
+ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.
There are several wildcards supported:
-1. To match all objects in host namespace and sync them to different namespace in vCluster:
+1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:
byName:
"foo/*": "foo-in-virtual/*"
-2. To match specific object in the host namespace and sync it to the same namespace with the same name:
+2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name:
byName:
"foo/my-object": "foo/my-object"
-3. To match specific object in the host namespace and sync it to the same namespace with different name:
+3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name:
byName:
"foo/my-object": "foo/my-virtual-object"
-4. To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"": "my-virtual-namespace/*"
-5. To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"/my-object": "my-virtual-namespace/my-object"
@@ -10111,21 +10111,21 @@ Mappings for Namespace and Object
##### `byName` required object {} {#sync-fromHost-configMaps-mappings-byName}
-ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name.
+ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.
There are several wildcards supported:
-1. To match all objects in host namespace and sync them to different namespace in vCluster:
+1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:
byName:
"foo/*": "foo-in-virtual/*"
-2. To match specific object in the host namespace and sync it to the same namespace with the same name:
+2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name:
byName:
"foo/my-object": "foo/my-object"
-3. To match specific object in the host namespace and sync it to the same namespace with different name:
+3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name:
byName:
"foo/my-object": "foo/my-virtual-object"
-4. To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"": "my-virtual-namespace/*"
-5. To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"/my-object": "my-virtual-namespace/my-object"
@@ -10370,21 +10370,21 @@ Mappings for Namespace and Object
##### `byName` required object {} {#sync-fromHost-secrets-mappings-byName}
-ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name.
+ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.
There are several wildcards supported:
-1. To match all objects in host namespace and sync them to different namespace in vCluster:
+1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:
byName:
"foo/*": "foo-in-virtual/*"
-2. To match specific object in the host namespace and sync it to the same namespace with the same name:
+2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name:
byName:
"foo/my-object": "foo/my-object"
-3. To match specific object in the host namespace and sync it to the same namespace with different name:
+3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name:
byName:
"foo/my-object": "foo/my-virtual-object"
-4. To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"": "my-virtual-namespace/*"
-5. To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"/my-object": "my-virtual-namespace/my-object"
diff --git a/vcluster/_partials/config/sync/fromHost.mdx b/vcluster/_partials/config/sync/fromHost.mdx
index 24af1e80b3..0abfa82b5c 100755
--- a/vcluster/_partials/config/sync/fromHost.mdx
+++ b/vcluster/_partials/config/sync/fromHost.mdx
@@ -820,7 +820,7 @@ Selector defines the selector to use for the resource. If not set, all resources
### `gatewayClasses` required object {#fromHost-gatewayClasses}
-GatewayClasses defines if gateway classes should get synced from the host cluster to the virtual cluster, but not back.
+GatewayClasses defines if gateway classes should get synced from the control plane cluster to the tenant cluster, but not back.
@@ -1123,7 +1123,7 @@ Selector defines the selector to use for the resource. If not set, all resources
### `gateways` required object {#fromHost-gateways}
-Gateways defines if selected host Gateways should get synced from the host cluster to the virtual cluster, but not back.
+Gateways defines if selected control plane Gateways should get synced from the control plane cluster to the tenant cluster, but not back.
@@ -1423,7 +1423,7 @@ Selector defines the selector to use for the resource. If not set, all resources
#### `mappings` required object {#fromHost-gateways-mappings}
-Mappings define Host Gateway namespace/name to tenant-facing namespace/name placement.
+Mappings define control plane Gateway namespace/name to tenant-facing namespace/name placement.
@@ -1435,21 +1435,21 @@ Mappings define Host Gateway namespace/name to tenant-facing namespace/name plac
##### `byName` required object {} {#fromHost-gateways-mappings-byName}
-ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name.
+ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.
There are several wildcards supported:
-1. To match all objects in host namespace and sync them to different namespace in vCluster:
+1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:
byName:
"foo/*": "foo-in-virtual/*"
-2. To match specific object in the host namespace and sync it to the same namespace with the same name:
+2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name:
byName:
"foo/my-object": "foo/my-object"
-3. To match specific object in the host namespace and sync it to the same namespace with different name:
+3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name:
byName:
"foo/my-object": "foo/my-virtual-object"
-4. To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"": "my-virtual-namespace/*"
-5. To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"/my-object": "my-virtual-namespace/my-object"
@@ -1844,7 +1844,7 @@ Metadata configures imported Gateway metadata visibility.
#### `sanitize` required object {#fromHost-gateways-sanitize}
-Sanitize configures sensitive host field sanitization.
+Sanitize configures sensitive control plane field sanitization.
@@ -3677,21 +3677,21 @@ Mappings for Namespace and Object
##### `byName` required object {#fromHost-customResources-mappings-byName}
-ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name.
+ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.
There are several wildcards supported:
-1. To match all objects in host namespace and sync them to different namespace in vCluster:
+1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:
byName:
"foo/*": "foo-in-virtual/*"
-2. To match specific object in the host namespace and sync it to the same namespace with the same name:
+2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name:
byName:
"foo/my-object": "foo/my-object"
-3. To match specific object in the host namespace and sync it to the same namespace with different name:
+3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name:
byName:
"foo/my-object": "foo/my-virtual-object"
-4. To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"": "my-virtual-namespace/*"
-5. To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"/my-object": "my-virtual-namespace/my-object"
@@ -4149,21 +4149,21 @@ Mappings for Namespace and Object
##### `byName` required object {} {#fromHost-configMaps-mappings-byName}
-ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name.
+ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.
There are several wildcards supported:
-1. To match all objects in host namespace and sync them to different namespace in vCluster:
+1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:
byName:
"foo/*": "foo-in-virtual/*"
-2. To match specific object in the host namespace and sync it to the same namespace with the same name:
+2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name:
byName:
"foo/my-object": "foo/my-object"
-3. To match specific object in the host namespace and sync it to the same namespace with different name:
+3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name:
byName:
"foo/my-object": "foo/my-virtual-object"
-4. To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"": "my-virtual-namespace/*"
-5. To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"/my-object": "my-virtual-namespace/my-object"
@@ -4408,21 +4408,21 @@ Mappings for Namespace and Object
##### `byName` required object {} {#fromHost-secrets-mappings-byName}
-ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name.
+ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.
There are several wildcards supported:
-1. To match all objects in host namespace and sync them to different namespace in vCluster:
+1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:
byName:
"foo/*": "foo-in-virtual/*"
-2. To match specific object in the host namespace and sync it to the same namespace with the same name:
+2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name:
byName:
"foo/my-object": "foo/my-object"
-3. To match specific object in the host namespace and sync it to the same namespace with different name:
+3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name:
byName:
"foo/my-object": "foo/my-virtual-object"
-4. To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"": "my-virtual-namespace/*"
-5. To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"/my-object": "my-virtual-namespace/my-object"
diff --git a/vcluster/_partials/config/sync/fromHost/configMaps.mdx b/vcluster/_partials/config/sync/fromHost/configMaps.mdx
index 2dc13b2b0c..ed48d599a4 100755
--- a/vcluster/_partials/config/sync/fromHost/configMaps.mdx
+++ b/vcluster/_partials/config/sync/fromHost/configMaps.mdx
@@ -226,21 +226,21 @@ Mappings for Namespace and Object
#### `byName` required object {} {#configMaps-mappings-byName}
-ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name.
+ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.
There are several wildcards supported:
-1. To match all objects in host namespace and sync them to different namespace in vCluster:
+1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:
byName:
"foo/*": "foo-in-virtual/*"
-2. To match specific object in the host namespace and sync it to the same namespace with the same name:
+2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name:
byName:
"foo/my-object": "foo/my-object"
-3. To match specific object in the host namespace and sync it to the same namespace with different name:
+3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name:
byName:
"foo/my-object": "foo/my-virtual-object"
-4. To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"": "my-virtual-namespace/*"
-5. To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"/my-object": "my-virtual-namespace/my-object"
diff --git a/vcluster/_partials/config/sync/fromHost/customResources.mdx b/vcluster/_partials/config/sync/fromHost/customResources.mdx
index e5e7d51f0f..292b365f6c 100755
--- a/vcluster/_partials/config/sync/fromHost/customResources.mdx
+++ b/vcluster/_partials/config/sync/fromHost/customResources.mdx
@@ -241,21 +241,21 @@ Mappings for Namespace and Object
#### `byName` required object {#customResources-mappings-byName}
-ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name.
+ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.
There are several wildcards supported:
-1. To match all objects in host namespace and sync them to different namespace in vCluster:
+1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:
byName:
"foo/*": "foo-in-virtual/*"
-2. To match specific object in the host namespace and sync it to the same namespace with the same name:
+2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name:
byName:
"foo/my-object": "foo/my-object"
-3. To match specific object in the host namespace and sync it to the same namespace with different name:
+3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name:
byName:
"foo/my-object": "foo/my-virtual-object"
-4. To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"": "my-virtual-namespace/*"
-5. To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"/my-object": "my-virtual-namespace/my-object"
diff --git a/vcluster/_partials/config/sync/fromHost/gatewayClasses.mdx b/vcluster/_partials/config/sync/fromHost/gatewayClasses.mdx
new file mode 100755
index 0000000000..cdb384faf5
--- /dev/null
+++ b/vcluster/_partials/config/sync/fromHost/gatewayClasses.mdx
@@ -0,0 +1,301 @@
+
+
+
+
+## `gatewayClasses` required object {#gatewayClasses}
+
+GatewayClasses defines if gateway classes should get synced from the control plane cluster to the tenant cluster, but not back.
+
+
+
+
+
+
+
+
+
+### `enabled` required boolean false {#gatewayClasses-enabled}
+
+Enabled defines if this option should be enabled.
+
+
+
+
+
+
+
+
+
+
+
+
+### `patches` required object[] {#gatewayClasses-patches}
+
+Patches patch the resource according to the provided specification.
+
+
+
+
+
+
+
+
+
+#### `path` required string {#gatewayClasses-patches-path}
+
+Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
+
+
+
+
+
+
+
+
+
+
+
+
+#### `expression` required string {#gatewayClasses-patches-expression}
+
+Expression transforms the value according to the given JavaScript expression.
+
+
+
+
+
+
+
+
+
+
+
+
+#### `reverseExpression` required string {#gatewayClasses-patches-reverseExpression}
+
+ReverseExpression transforms the value according to the given JavaScript expression.
+
+
+
+
+
+
+
+
+
+
+
+
+#### `reference` required object {#gatewayClasses-patches-reference}
+
+Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
+automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
+other names, in multi-namespace mode this will not translate the name.
+
+
+
+
+
+
+
+
+
+##### `apiVersion` required string {#gatewayClasses-patches-reference-apiVersion}
+
+APIVersion is the apiVersion of the referenced object.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `apiVersionPath` required string {#gatewayClasses-patches-reference-apiVersionPath}
+
+APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `kind` required string {#gatewayClasses-patches-reference-kind}
+
+Kind is the kind of the referenced object.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `kindPath` required string {#gatewayClasses-patches-reference-kindPath}
+
+KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `namePath` required string {#gatewayClasses-patches-reference-namePath}
+
+NamePath is the optional relative path to the reference name within the object.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `namespacePath` required string {#gatewayClasses-patches-reference-namespacePath}
+
+NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
+metadata.namespace path of the object.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+#### `labels` required object {#gatewayClasses-patches-labels}
+
+Labels treats the path value as a labels selector.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+### `selector` required object {#gatewayClasses-selector}
+
+Selector defines the selector to use for the resource. If not set, all resources of that type will be synced.
+
+
+
+
+
+
+
+
+
+#### `matchLabels` required object {#gatewayClasses-selector-matchLabels}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+#### `matchExpressions` required object[] {#gatewayClasses-selector-matchExpressions}
+
+
+
+
+
+
+
+
+
+
+
+##### `key` required string {#gatewayClasses-selector-matchExpressions-key}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+##### `operator` required string {#gatewayClasses-selector-matchExpressions-operator}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+##### `values` required string[] {#gatewayClasses-selector-matchExpressions-values}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/vcluster/_partials/config/sync/fromHost/secrets.mdx b/vcluster/_partials/config/sync/fromHost/secrets.mdx
index 4da785a8a6..ac73dd66ac 100755
--- a/vcluster/_partials/config/sync/fromHost/secrets.mdx
+++ b/vcluster/_partials/config/sync/fromHost/secrets.mdx
@@ -226,21 +226,21 @@ Mappings for Namespace and Object
#### `byName` required object {} {#secrets-mappings-byName}
-ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name.
+ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.
There are several wildcards supported:
-1. To match all objects in host namespace and sync them to different namespace in vCluster:
+1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:
byName:
"foo/*": "foo-in-virtual/*"
-2. To match specific object in the host namespace and sync it to the same namespace with the same name:
+2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name:
byName:
"foo/my-object": "foo/my-object"
-3. To match specific object in the host namespace and sync it to the same namespace with different name:
+3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name:
byName:
"foo/my-object": "foo/my-virtual-object"
-4. To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"": "my-virtual-namespace/*"
-5. To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"/my-object": "my-virtual-namespace/my-object"
diff --git a/vcluster/_partials/config/sync/toHost.mdx b/vcluster/_partials/config/sync/toHost.mdx
index a24297b696..398a15109a 100755
--- a/vcluster/_partials/config/sync/toHost.mdx
+++ b/vcluster/_partials/config/sync/toHost.mdx
@@ -1173,7 +1173,7 @@ Labels treats the path value as a labels selector.
### `gatewayApi` required object {#toHost-gatewayApi}
-GatewayAPI defines Gateway API resources created within the virtual cluster that should get synced to the host cluster.
+GatewayAPI defines Gateway API resources created within the tenant cluster that should get synced to the control plane cluster.
@@ -1383,7 +1383,7 @@ Labels treats the path value as a labels selector.
#### `httpRoutes` required object {#toHost-gatewayApi-httpRoutes}
-HTTPRoutes configures HTTPRoute sync to the host cluster.
+HTTPRoutes configures HTTPRoute sync to the control plane cluster.
@@ -1596,7 +1596,7 @@ Labels treats the path value as a labels selector.
#### `gateways` required object {#toHost-gatewayApi-gateways}
-Gateways configures tenant-created Gateway sync to the host cluster.
+Gateways configures tenant-created Gateway sync to the control plane cluster.
@@ -1809,7 +1809,7 @@ Labels treats the path value as a labels selector.
#### `tlsRoutes` required object {#toHost-gatewayApi-tlsRoutes}
-TLSRoutes configures TLSRoute sync to the host cluster.
+TLSRoutes configures TLSRoute sync to the control plane cluster.
@@ -2022,7 +2022,7 @@ Labels treats the path value as a labels selector.
#### `backendTLSPolicies` required object {#toHost-gatewayApi-backendTLSPolicies}
-BackendTLSPolicies configures BackendTLSPolicy sync to the host cluster.
+BackendTLSPolicies configures BackendTLSPolicy sync to the control plane cluster.
@@ -2235,7 +2235,7 @@ Labels treats the path value as a labels selector.
#### `referenceGrants` required object {#toHost-gatewayApi-referenceGrants}
-ReferenceGrants configures ReferenceGrant sync to the host cluster. Enabled may be "auto", "true", or "false".
+ReferenceGrants configures ReferenceGrant sync to the control plane cluster. Enabled may be "auto", "true", or "false".
@@ -5458,21 +5458,21 @@ Mappings for Namespace and Object
##### `byName` required object {#toHost-namespaces-mappings-byName}
-ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name.
+ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.
There are several wildcards supported:
-1. To match all objects in host namespace and sync them to different namespace in vCluster:
+1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:
byName:
"foo/*": "foo-in-virtual/*"
-2. To match specific object in the host namespace and sync it to the same namespace with the same name:
+2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name:
byName:
"foo/my-object": "foo/my-object"
-3. To match specific object in the host namespace and sync it to the same namespace with different name:
+3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name:
byName:
"foo/my-object": "foo/my-virtual-object"
-4. To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"": "my-virtual-namespace/*"
-5. To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster:
+5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"/my-object": "my-virtual-namespace/my-object"
diff --git a/vcluster/_partials/config/sync/toHost/gatewayApi.mdx b/vcluster/_partials/config/sync/toHost/gatewayApi.mdx
new file mode 100755
index 0000000000..cb36b4a84f
--- /dev/null
+++ b/vcluster/_partials/config/sync/toHost/gatewayApi.mdx
@@ -0,0 +1,1276 @@
+
+
+
+
+## `gatewayApi` required object {#gatewayApi}
+
+GatewayAPI defines Gateway API resources created within the tenant cluster that should get synced to the control plane cluster.
+
+
+
+
+
+
+
+
+
+### `enabled` required boolean false {#gatewayApi-enabled}
+
+Enabled defines if this option should be enabled.
+
+
+
+
+
+
+
+
+
+
+
+
+### `patches` required object[] {#gatewayApi-patches}
+
+Patches patch the resource according to the provided specification.
+
+
+
+
+
+
+
+
+
+#### `path` required string {#gatewayApi-patches-path}
+
+Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
+
+
+
+
+
+
+
+
+
+
+
+
+#### `expression` required string {#gatewayApi-patches-expression}
+
+Expression transforms the value according to the given JavaScript expression.
+
+
+
+
+
+
+
+
+
+
+
+
+#### `reverseExpression` required string {#gatewayApi-patches-reverseExpression}
+
+ReverseExpression transforms the value according to the given JavaScript expression.
+
+
+
+
+
+
+
+
+
+
+
+
+#### `reference` required object {#gatewayApi-patches-reference}
+
+Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
+automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
+other names, in multi-namespace mode this will not translate the name.
+
+
+
+
+
+
+
+
+
+##### `apiVersion` required string {#gatewayApi-patches-reference-apiVersion}
+
+APIVersion is the apiVersion of the referenced object.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `apiVersionPath` required string {#gatewayApi-patches-reference-apiVersionPath}
+
+APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `kind` required string {#gatewayApi-patches-reference-kind}
+
+Kind is the kind of the referenced object.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `kindPath` required string {#gatewayApi-patches-reference-kindPath}
+
+KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `namePath` required string {#gatewayApi-patches-reference-namePath}
+
+NamePath is the optional relative path to the reference name within the object.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `namespacePath` required string {#gatewayApi-patches-reference-namespacePath}
+
+NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
+metadata.namespace path of the object.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+#### `labels` required object {#gatewayApi-patches-labels}
+
+Labels treats the path value as a labels selector.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+### `httpRoutes` required object {#gatewayApi-httpRoutes}
+
+HTTPRoutes configures HTTPRoute sync to the control plane cluster.
+
+
+
+
+
+
+
+
+
+#### `enabled` required boolean false {#gatewayApi-httpRoutes-enabled}
+
+Enabled defines if this option should be enabled.
+
+
+
+
+
+
+
+
+
+
+
+
+#### `patches` required object[] {#gatewayApi-httpRoutes-patches}
+
+Patches patch the resource according to the provided specification.
+
+
+
+
+
+
+
+
+
+##### `path` required string {#gatewayApi-httpRoutes-patches-path}
+
+Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `expression` required string {#gatewayApi-httpRoutes-patches-expression}
+
+Expression transforms the value according to the given JavaScript expression.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `reverseExpression` required string {#gatewayApi-httpRoutes-patches-reverseExpression}
+
+ReverseExpression transforms the value according to the given JavaScript expression.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `reference` required object {#gatewayApi-httpRoutes-patches-reference}
+
+Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
+automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
+other names, in multi-namespace mode this will not translate the name.
+
+
+
+
+
+
+
+
+
+##### `apiVersion` required string {#gatewayApi-httpRoutes-patches-reference-apiVersion}
+
+APIVersion is the apiVersion of the referenced object.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `apiVersionPath` required string {#gatewayApi-httpRoutes-patches-reference-apiVersionPath}
+
+APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `kind` required string {#gatewayApi-httpRoutes-patches-reference-kind}
+
+Kind is the kind of the referenced object.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `kindPath` required string {#gatewayApi-httpRoutes-patches-reference-kindPath}
+
+KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `namePath` required string {#gatewayApi-httpRoutes-patches-reference-namePath}
+
+NamePath is the optional relative path to the reference name within the object.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `namespacePath` required string {#gatewayApi-httpRoutes-patches-reference-namespacePath}
+
+NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
+metadata.namespace path of the object.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+##### `labels` required object {#gatewayApi-httpRoutes-patches-labels}
+
+Labels treats the path value as a labels selector.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+### `gateways` required object {#gatewayApi-gateways}
+
+Gateways configures tenant-created Gateway sync to the control plane cluster.
+
+
+
+
+
+
+
+
+
+#### `enabled` required boolean false {#gatewayApi-gateways-enabled}
+
+Enabled defines if this option should be enabled.
+
+
+
+
+
+
+
+
+
+
+
+
+#### `patches` required object[] {#gatewayApi-gateways-patches}
+
+Patches patch the resource according to the provided specification.
+
+
+
+
+
+
+
+
+
+##### `path` required string {#gatewayApi-gateways-patches-path}
+
+Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `expression` required string {#gatewayApi-gateways-patches-expression}
+
+Expression transforms the value according to the given JavaScript expression.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `reverseExpression` required string {#gatewayApi-gateways-patches-reverseExpression}
+
+ReverseExpression transforms the value according to the given JavaScript expression.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `reference` required object {#gatewayApi-gateways-patches-reference}
+
+Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
+automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
+other names, in multi-namespace mode this will not translate the name.
+
+
+
+
+
+
+
+
+
+##### `apiVersion` required string {#gatewayApi-gateways-patches-reference-apiVersion}
+
+APIVersion is the apiVersion of the referenced object.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `apiVersionPath` required string {#gatewayApi-gateways-patches-reference-apiVersionPath}
+
+APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `kind` required string {#gatewayApi-gateways-patches-reference-kind}
+
+Kind is the kind of the referenced object.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `kindPath` required string {#gatewayApi-gateways-patches-reference-kindPath}
+
+KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `namePath` required string {#gatewayApi-gateways-patches-reference-namePath}
+
+NamePath is the optional relative path to the reference name within the object.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `namespacePath` required string {#gatewayApi-gateways-patches-reference-namespacePath}
+
+NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
+metadata.namespace path of the object.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+##### `labels` required object {#gatewayApi-gateways-patches-labels}
+
+Labels treats the path value as a labels selector.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+### `tlsRoutes` required object {#gatewayApi-tlsRoutes}
+
+TLSRoutes configures TLSRoute sync to the control plane cluster.
+
+
+
+
+
+
+
+
+
+#### `enabled` required boolean false {#gatewayApi-tlsRoutes-enabled}
+
+Enabled defines if this option should be enabled.
+
+
+
+
+
+
+
+
+
+
+
+
+#### `patches` required object[] {#gatewayApi-tlsRoutes-patches}
+
+Patches patch the resource according to the provided specification.
+
+
+
+
+
+
+
+
+
+##### `path` required string {#gatewayApi-tlsRoutes-patches-path}
+
+Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `expression` required string {#gatewayApi-tlsRoutes-patches-expression}
+
+Expression transforms the value according to the given JavaScript expression.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `reverseExpression` required string {#gatewayApi-tlsRoutes-patches-reverseExpression}
+
+ReverseExpression transforms the value according to the given JavaScript expression.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `reference` required object {#gatewayApi-tlsRoutes-patches-reference}
+
+Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
+automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
+other names, in multi-namespace mode this will not translate the name.
+
+
+
+
+
+
+
+
+
+##### `apiVersion` required string {#gatewayApi-tlsRoutes-patches-reference-apiVersion}
+
+APIVersion is the apiVersion of the referenced object.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `apiVersionPath` required string {#gatewayApi-tlsRoutes-patches-reference-apiVersionPath}
+
+APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `kind` required string {#gatewayApi-tlsRoutes-patches-reference-kind}
+
+Kind is the kind of the referenced object.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `kindPath` required string {#gatewayApi-tlsRoutes-patches-reference-kindPath}
+
+KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `namePath` required string {#gatewayApi-tlsRoutes-patches-reference-namePath}
+
+NamePath is the optional relative path to the reference name within the object.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `namespacePath` required string {#gatewayApi-tlsRoutes-patches-reference-namespacePath}
+
+NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
+metadata.namespace path of the object.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+##### `labels` required object {#gatewayApi-tlsRoutes-patches-labels}
+
+Labels treats the path value as a labels selector.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+### `backendTLSPolicies` required object {#gatewayApi-backendTLSPolicies}
+
+BackendTLSPolicies configures BackendTLSPolicy sync to the control plane cluster.
+
+
+
+
+
+
+
+
+
+#### `enabled` required boolean false {#gatewayApi-backendTLSPolicies-enabled}
+
+Enabled defines if this option should be enabled.
+
+
+
+
+
+
+
+
+
+
+
+
+#### `patches` required object[] {#gatewayApi-backendTLSPolicies-patches}
+
+Patches patch the resource according to the provided specification.
+
+
+
+
+
+
+
+
+
+##### `path` required string {#gatewayApi-backendTLSPolicies-patches-path}
+
+Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `expression` required string {#gatewayApi-backendTLSPolicies-patches-expression}
+
+Expression transforms the value according to the given JavaScript expression.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `reverseExpression` required string {#gatewayApi-backendTLSPolicies-patches-reverseExpression}
+
+ReverseExpression transforms the value according to the given JavaScript expression.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `reference` required object {#gatewayApi-backendTLSPolicies-patches-reference}
+
+Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
+automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
+other names, in multi-namespace mode this will not translate the name.
+
+
+
+
+
+
+
+
+
+##### `apiVersion` required string {#gatewayApi-backendTLSPolicies-patches-reference-apiVersion}
+
+APIVersion is the apiVersion of the referenced object.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `apiVersionPath` required string {#gatewayApi-backendTLSPolicies-patches-reference-apiVersionPath}
+
+APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `kind` required string {#gatewayApi-backendTLSPolicies-patches-reference-kind}
+
+Kind is the kind of the referenced object.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `kindPath` required string {#gatewayApi-backendTLSPolicies-patches-reference-kindPath}
+
+KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `namePath` required string {#gatewayApi-backendTLSPolicies-patches-reference-namePath}
+
+NamePath is the optional relative path to the reference name within the object.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `namespacePath` required string {#gatewayApi-backendTLSPolicies-patches-reference-namespacePath}
+
+NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
+metadata.namespace path of the object.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+##### `labels` required object {#gatewayApi-backendTLSPolicies-patches-labels}
+
+Labels treats the path value as a labels selector.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+### `referenceGrants` required object {#gatewayApi-referenceGrants}
+
+ReferenceGrants configures ReferenceGrant sync to the control plane cluster. Enabled may be "auto", "true", or "false".
+
+
+
+
+
+
+
+
+
+#### `enabled` required string|boolean auto {#gatewayApi-referenceGrants-enabled}
+
+Enabled defines if this option should be enabled.
+
+
+
+
+
+
+
+
+
+
+
+
+#### `patches` required object[] {#gatewayApi-referenceGrants-patches}
+
+Patches patch the resource according to the provided specification.
+
+
+
+
+
+
+
+
+
+##### `path` required string {#gatewayApi-referenceGrants-patches-path}
+
+Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `expression` required string {#gatewayApi-referenceGrants-patches-expression}
+
+Expression transforms the value according to the given JavaScript expression.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `reverseExpression` required string {#gatewayApi-referenceGrants-patches-reverseExpression}
+
+ReverseExpression transforms the value according to the given JavaScript expression.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `reference` required object {#gatewayApi-referenceGrants-patches-reference}
+
+Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
+automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
+other names, in multi-namespace mode this will not translate the name.
+
+
+
+
+
+
+
+
+
+##### `apiVersion` required string {#gatewayApi-referenceGrants-patches-reference-apiVersion}
+
+APIVersion is the apiVersion of the referenced object.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `apiVersionPath` required string {#gatewayApi-referenceGrants-patches-reference-apiVersionPath}
+
+APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `kind` required string {#gatewayApi-referenceGrants-patches-reference-kind}
+
+Kind is the kind of the referenced object.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `kindPath` required string {#gatewayApi-referenceGrants-patches-reference-kindPath}
+
+KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `namePath` required string {#gatewayApi-referenceGrants-patches-reference-namePath}
+
+NamePath is the optional relative path to the reference name within the object.
+
+
+
+
+
+
+
+
+
+
+
+
+##### `namespacePath` required string {#gatewayApi-referenceGrants-patches-reference-namespacePath}
+
+NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
+metadata.namespace path of the object.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+##### `labels` required object {#gatewayApi-referenceGrants-patches-labels}
+
+Labels treats the path value as a labels selector.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/vcluster/configure/vcluster-yaml/sync/from-host/gateway-classes.mdx b/vcluster/configure/vcluster-yaml/sync/from-host/gateway-classes.mdx
new file mode 100644
index 0000000000..5db47d7252
--- /dev/null
+++ b/vcluster/configure/vcluster-yaml/sync/from-host/gateway-classes.mdx
@@ -0,0 +1,78 @@
+---
+title: Gateway classes
+sidebar_label: gatewayClasses
+sidebar_position: 14
+description: Configuration for syncing GatewayClass resources from the control plane cluster to the tenant cluster.
+sidebar_class_name: host-nodes
+---
+
+import EnableSwitch from '../../../../_partials/config/sync/fromHost/gatewayClasses.mdx'
+import ClassSyncing from '../../../../_fragments/sync/class-syncing.mdx'
+import TenancySupport from '../../../../_fragments/tenancy-support.mdx';
+
+
+
+
+
+By default, this is disabled.
+
+`GatewayClass` syncing lets tenant clusters use Gateway API controllers that run on the control plane cluster. Normally, each tenant cluster would need its own Gateway controller to program traffic. With `GatewayClass` syncing enabled, tenants reference host-controller `GatewayClass` resources by name instead.
+
+Add labels to `GatewayClass` resources in the control plane cluster and configure vCluster to sync only those that match a label selector. When a tenant creates a `Gateway` that references a synced `GatewayClass`, the control plane cluster's Gateway controller handles the data plane.
+
+This saves resources because you don't need a Gateway controller in every tenant cluster, and it gives you centralized control over which controllers and listener capabilities tenants can use.
+
+Common use cases:
+
+- **Development environments**: Sync only the `GatewayClass` resources required for development tenants to reduce noise and avoid unnecessary exposure.
+- **Tenant isolation**: Let teams use their own `GatewayClass` resources while sharing a single control plane cluster.
+- **Security**: Restrict which `GatewayClass` resources are available in each tenant cluster to enforce access control and prevent unintended configurations.
+
+
+
+## Example: select specific `GatewayClass` resources by label
+
+In the control plane cluster, label the `GatewayClass` resources you want exposed:
+
+```yaml title="GatewayClass in the control plane cluster"
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+ name: gw-demo-11-allowed
+ labels:
+ gateway-demo.loft.sh/sync: "yes"
+spec:
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+```
+
+Then point vCluster at that label in `vcluster.yaml`:
+
+```yaml title="vcluster.yaml"
+sync:
+ fromHost:
+ gatewayClasses:
+ enabled: true
+ selector:
+ matchLabels:
+ gateway-demo.loft.sh/sync: "yes"
+```
+
+`GatewayClass` resources without the matching label remain only in the control plane cluster. If a tenant creates a `Gateway` that references an unsynced class, vCluster records a `SyncWarning` event on the tenant `Gateway`:
+
+```text title="Tenant event for an unselected GatewayClass"
+Warning SyncWarning Gateway "filtered-edge" sync skipped. The GatewayClass "gw-demo-11-filtered" does not match the selector under 'sync.fromHost.gatewayClasses.selector'
+```
+
+Inspect with:
+
+```bash title="Confirm which GatewayClasses reached the tenant"
+kubectl get gatewayclass
+kubectl describe gateway -n
+kubectl get events --field-selector type=Warning
+```
+
+
+
+## Config reference
+
+
diff --git a/vcluster/configure/vcluster-yaml/sync/to-host/advanced/custom-resources.mdx b/vcluster/configure/vcluster-yaml/sync/to-host/advanced/custom-resources.mdx
index 8f5b2b101d..8124ac1dca 100644
--- a/vcluster/configure/vcluster-yaml/sync/to-host/advanced/custom-resources.mdx
+++ b/vcluster/configure/vcluster-yaml/sync/to-host/advanced/custom-resources.mdx
@@ -173,13 +173,17 @@ spec:
- other-server.example.com # the patch removed the prod- prefix
```
-## Configure Kubernetes Gateway API sync
+## Configure Istio waypoint Gateway via custom resources
-To use the Kubernetes Gateway API with custom resources, install the Gateway API CRDs in the control plane cluster and then create the waypoint gateway.
+:::tip Use native Gateway API sync for core Gateway API resources
+For syncing core Kubernetes Gateway API resources (`Gateway`, `HTTPRoute`, `TLSRoute`, `ReferenceGrant`, `BackendTLSPolicy`), use [native Gateway API sync](../networking/gateway-api.mdx) instead of custom-resource syncing. The example below covers Istio waypoint Gateways using the `HBONE` listener, which is outside the standard Gateway API channel and still requires the custom-resource path.
+:::
+
+To use Istio waypoint Gateways with custom resources, install the Gateway API CRDs in the control plane cluster and then create the waypoint Gateway.
### Install Gateway CRD in the host
-To create gateway resources, install the Gateway API CustomResourceDefinition in the control plane cluster if it's not already present:
+To create Gateway resources, install the Gateway API CustomResourceDefinition in the control plane cluster if it's not already present:
```bash title="Install Gateway CRD"
kubectl --context="${HOST_CTX}" get crd gateways.gateway.networking.k8s.io &> /dev/null || \
@@ -211,7 +215,7 @@ Apply it to your control plane cluster:
kubectl --context="${HOST_CTX}" create -f waypoint-gateway.yaml --namespace="${VCLUSTER_HOST_NAMESPACE}"
```
-After it is configured, you can configure your custom resources to sync Gateway API resources between the tenant and control plane clusters.
+After it is configured, you can configure your custom resources to sync the waypoint Gateway between the tenant and control plane clusters.
## Config reference
diff --git a/vcluster/configure/vcluster-yaml/sync/to-host/networking/gateway-api.mdx b/vcluster/configure/vcluster-yaml/sync/to-host/networking/gateway-api.mdx
index d1a54f072a..0811230d74 100644
--- a/vcluster/configure/vcluster-yaml/sync/to-host/networking/gateway-api.mdx
+++ b/vcluster/configure/vcluster-yaml/sync/to-host/networking/gateway-api.mdx
@@ -3,40 +3,1182 @@ title: Gateway API
sidebar_label: gatewayApi
sidebar_position: 6
sidebar_class_name: host-nodes
-description: Configure Gateway API resources that sync from the tenant cluster to the Control Plane Cluster.
+description: Configuration for syncing Gateway API resources from the tenant cluster to the control plane cluster.
---
+import GatewayApi from '../../../../../_partials/config/sync/toHost/gatewayApi.mdx'
import TenancySupport from '../../../../../_fragments/tenancy-support.mdx';
+import InterpolatedCodeBlock from '@site/src/components/InterpolatedCodeBlock';
-Use `sync.toHost.gatewayApi` when tenants create Gateway API resources inside a tenant cluster. vCluster syncs those resources to the Control Plane Cluster.
+By default, Gateway API sync is disabled.
-This is different from exposing the tenant cluster API server with `controlPlane.tlsRoute`. For API server exposure, see [Access and expose vCluster](../../../../../manage/accessing-vcluster.mdx#expose-vcluster).
+vCluster can sync the following [Kubernetes Gateway API](https://gateway-api.sigs.k8s.io/) resources from the tenant cluster to the control plane cluster:
-## Resources
+- `HTTPRoute` resources with `sync.toHost.gatewayApi.httpRoutes`
+- `TLSRoute` resources with `sync.toHost.gatewayApi.tlsRoutes`
+- `ReferenceGrant` resources with `sync.toHost.gatewayApi.referenceGrants`
+- `BackendTLSPolicy` resources with `sync.toHost.gatewayApi.backendTLSPolicies`
-Gateway API sync can cover:
+vCluster can also import selected control plane `Gateway` resources into the tenant cluster with `sync.fromHost.gateways`, so tenants can attach routes to platform-managed infrastructure without creating Gateways directly. `sync.toHost.gatewayApi.gateways` exists for tenant-created Gateway sync, but the examples on this page use imported, control plane-owned Gateways. `GRPCRoute`, `TCPRoute`, and `UDPRoute` are not synced.
-- `HTTPRoute` resources for HTTP application routing.
-- `Gateway` resources when tenants are allowed to create Gateway infrastructure objects.
-- `TLSRoute` resources for TLS passthrough routing.
-- `BackendTLSPolicy` and `ReferenceGrant` resources when required by the selected Gateway controller and route topology.
+vCluster also enforces Gateway API reference authorization before sync. Cross-namespace `allowedRoutes`, `ReferenceGrant`, and unsupported `parentRef`/`backendRef` group+kind combinations are validated in the tenant cluster, and rejected resources surface a `RefNotPermitted` or `SyncError` event on the tenant object.
-The Control Plane Cluster must have the corresponding Gateway API CRDs installed. The Gateway controller must support the resource kinds and filters that tenants use.
+:::info Prerequisites
+Before enabling Gateway API sync, review the [Gateway API prerequisites](../../../../../key-features/gateway-api.mdx#prerequisites). To import a control plane `GatewayClass` into the tenant cluster, also enable [`sync.fromHost.gatewayClasses`](../../from-host/gateway-classes.mdx).
+:::
-## Tenant-created routes
+:::note Version requirement
+Gateway API sync requires a vCluster chart version that includes the resource-specific `sync.toHost.gatewayApi` fields and the `sync.fromHost.gatewayClasses` or `sync.fromHost.gateways` configuration fields. If Helm rejects any field as an additional property, upgrade vCluster before using these examples.
+:::
-For the common shared-infrastructure model, platform administrators create a Gateway in the Control Plane Cluster. Tenants create `HTTPRoute` resources that attach to that Gateway.
+:::tip Replaces the custom-resource workaround
+For native Gateway API sync, use this configuration instead of [custom-resource syncing](../advanced/custom-resources.mdx). The custom-resource path is now only needed for Gateway API extensions outside the supported set (for example, Istio waypoint Gateways using the `HBONE` listener).
+:::
-In that model, use [Imported Gateways and GatewayClasses](../../from-host/gateways.mdx) so the approved Gateway is visible inside the tenant cluster as a read-only resource.
+## Enable Gateway API sync
-If tenants are allowed to create their own Gateway resources, enable Gateway sync for tenant-created Gateways and apply policy through templates, RBAC, admission control, and Gateway controller configuration.
+Enable sync for tenant-created route and policy resources. Do not enable `sync.toHost.gatewayApi.gateways` for these examples: the platform-owned `Gateway` resources are created in the control plane cluster and imported into the tenant cluster with `sync.fromHost.gateways`.
-## Auto sleep
+```yaml title="vcluster.yaml"
+sync:
+ toHost:
+ gatewayApi:
+ httpRoutes:
+ enabled: true
+ tlsRoutes:
+ enabled: true
+ backendTLSPolicies:
+ enabled: true
+ referenceGrants:
+ enabled: auto
+ fromHost:
+ gatewayClasses:
+ enabled: true
+ selector:
+ matchLabels:
+ gateway-demo.loft.sh/sync: "yes"
+ gateways:
+ enabled: true
+ selector:
+ matchLabels:
+ gateway-demo.loft.sh/sync: "yes"
+ mappings:
+ byName:
+ "gw-demo-01/edge": "gw-demo-01/edge"
+ "gw-demo-02/edge": "gw-demo-02/edge"
+ "gw-demo-03-edge/shared": "gw-demo-03-edge/shared"
+ "gw-demo-05-routes/edge": "gw-demo-05-routes/edge"
+ "gw-demo-07-edge/edge": "gw-demo-07-edge/edge"
+ "gw-demo-09/edge": "gw-demo-09/edge"
+ allowedRoutes:
+ overrides:
+ - hostNamespace: gw-demo-01
+ name: edge
+ virtualNamespacePolicy:
+ from: Same
+ - hostNamespace: gw-demo-02
+ name: edge
+ virtualNamespacePolicy:
+ from: Same
+ - hostNamespace: gw-demo-03-edge
+ name: shared
+ virtualNamespacePolicy:
+ from: Selector
+ selector:
+ matchLabels:
+ gateway-demo.loft.sh/route-access: demo-03
+ - hostNamespace: gw-demo-05-routes
+ name: edge
+ virtualNamespacePolicy:
+ from: Same
+ - hostNamespace: gw-demo-07-edge
+ name: edge
+ virtualNamespacePolicy:
+ from: Same
+ - hostNamespace: gw-demo-09
+ name: edge
+ virtualNamespacePolicy:
+ from: Same
+```
-Gateway-backed auto sleep for HTTP traffic depends on `HTTPRoute` request mirroring support. A controller can serve `HTTPRoute` traffic without supporting the request mirror filter that Platform needs for automatic wakeup. For details, see [Gateway API HTTPRoute activity detection](../../../../../key-features/sleep.mdx#gateway-api-httproute-activity-detection).
+The examples on this page use `GatewayClass` names such as `gw-demo-01` and `gw-demo-02`, and create platform-managed Gateways in matching namespaces in the control plane cluster. Create those control plane namespaces and `GatewayClass` resources before applying the example Gateways, or change each `gatewayClassName` to an existing imported `GatewayClass`. Replace `GATEWAY_CONTROLLER_NAME` with the `controllerName` for your Gateway API controller.
+
+
+
+:::note LoadBalancer behavior on single-node clusters
+Most examples create a `Gateway` with listener ports `80` or `443`. On single-node clusters, only one LoadBalancer service can usually bind each host port at a time. Run the examples one at a time, or use controller-specific settings such as NodePort or custom listener ports.
+:::
+
+## Import platform-managed Gateways
+
+Use `sync.fromHost.gateways` when the platform team owns the control plane `Gateway` and tenants should only attach routes to a tenant-facing mirror. `mappings.byName` maps the control plane `namespace/name` to the tenant-facing `namespace/name`. `allowedRoutes` controls the route policy shown on the imported `Gateway` and enforced during route sync.
+
+```yaml title="vcluster.yaml"
+sync:
+ fromHost:
+ gateways:
+ enabled: true
+ mappings:
+ byName:
+ "platform-gateways/public-web": "shared-gateways/shared-web"
+ allowedRoutes:
+ overrides:
+ - hostNamespace: platform-gateways
+ name: public-web
+ allowedHostnames:
+ - "*.team.example.com"
+ virtualNamespacePolicy:
+ from: All
+ toHost:
+ gatewayApi:
+ httpRoutes:
+ enabled: true
+```
+
+With this configuration, tenants reference the imported `Gateway` from routes instead of creating a `Gateway` themselves:
+
+```yaml title="HTTPRoute attached to an imported Gateway"
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: web
+ namespace: app
+spec:
+ hostnames:
+ - api.team.example.com
+ parentRefs:
+ - namespace: shared-gateways
+ name: shared-web
+ rules:
+ - backendRefs:
+ - name: web-svc
+ port: 8080
+```
+
+By default, imported Gateway mirrors hide sensitive control plane fields such as `infrastructure` and listener `certificateRefs`. Set `sync.fromHost.gateways.status.exposeAddresses` or `sync.fromHost.gateways.metadata.exposeSourceGateway` only when tenants need that information.
+
+## Example: HTTP route
+
+The platform team creates the `Gateway` with an HTTP listener in the control plane cluster. vCluster imports that `Gateway` into the tenant cluster, and the tenant creates an `HTTPRoute` that attaches to the imported Gateway and points at a same-namespace Service backend.
+
+Apply the namespace and backend resources first:
+
+```yaml title="HTTP backend in the tenant cluster"
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: gw-demo-01
+ labels:
+ gateway-demo.loft.sh/case: "01-http-route-basic"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: basic-echo-html
+ namespace: gw-demo-01
+data:
+ index.html: |
+ gateway demo 01 basic http route
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: basic-echo
+ namespace: gw-demo-01
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: basic-echo
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: basic-echo
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:1.27-alpine
+ ports:
+ - name: http
+ containerPort: 80
+ volumeMounts:
+ - name: html
+ mountPath: /usr/share/nginx/html/index.html
+ subPath: index.html
+ readOnly: true
+ volumes:
+ - name: html
+ configMap:
+ name: basic-echo-html
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: basic-echo
+ namespace: gw-demo-01
+spec:
+ selector:
+ app.kubernetes.io/name: basic-echo
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
+```
+
+Create the platform-managed Gateway in the control plane cluster. vCluster imports this Gateway into the tenant cluster as `gw-demo-01/edge`; tenants attach routes to the imported copy but do not create the Gateway directly.
+
+```yaml title="HTTP Gateway in the control plane cluster"
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: edge
+ namespace: gw-demo-01
+ labels:
+ gateway-demo.loft.sh/sync: "yes"
+spec:
+ gatewayClassName: gw-demo-01
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ kinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespaces:
+ from: Same
+```
+
+Then create only the route in the tenant cluster:
+
+```yaml title="HTTPRoute in the tenant cluster"
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: basic
+ namespace: gw-demo-01
+spec:
+ parentRefs:
+ - name: edge
+ sectionName: http
+ hostnames:
+ - basic.gw-demo.test
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: basic-echo
+ port: 80
+```
+
+Inspect the synced status from the tenant context:
+
+```bash title="Check Gateway and HTTPRoute status"
+kubectl get gateway edge -n gw-demo-01 -o yaml
+kubectl get httproute basic -n gw-demo-01 -o yaml
+```
+
+The `Gateway` should report `Accepted=True` and usually `Programmed=True`. The `HTTPRoute` should report a parent for `edge` with `Accepted=True` and `ResolvedRefs=True`. The control plane-assigned address mirrors back to `status.addresses` on the tenant Gateway.
+
+```bash title="Send traffic through the control plane data plane"
+ADDR=$(kubectl get gateway edge -n gw-demo-01 -o jsonpath='{.status.addresses[0].value}')
+curl -H 'Host: basic.gw-demo.test' "http://${ADDR}:80/"
+```
+
+## Example: TLS passthrough route
+
+`TLSRoute` is supported when the Gateway controller implements it. The platform team defines a `Gateway` with a TLS listener in passthrough mode in the control plane cluster, and the tenant creates a `TLSRoute` that selects the backend by SNI. Because the listener is passthrough, the backend itself terminates TLS. It must present a certificate for the route's hostname.
+
+Apply the namespace first:
+
+```yaml title="TLS passthrough namespace"
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: gw-demo-02
+ labels:
+ gateway-demo.loft.sh/case: "02-tls-route-passthrough"
+```
+
+Create a self-signed certificate for the backend hostname and a synced TLS Secret:
+
+```bash title="Create the backend TLS Secret"
+openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
+ -subj "/CN=tls.gw-demo.test" \
+ -addext "subjectAltName=DNS:tls.gw-demo.test" \
+ -keyout tls-echo.key \
+ -out tls-echo.crt
+
+kubectl -n gw-demo-02 create secret tls tls-echo-cert \
+ --cert=tls-echo.crt \
+ --key=tls-echo.key
+kubectl -n gw-demo-02 annotate secret tls-echo-cert vcluster.loft.sh/force-sync=true
+```
+
+Then create the TLS-terminating backend Service:
+
+```yaml title="TLS backend in the tenant cluster"
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: tls-echo-config
+ namespace: gw-demo-02
+data:
+ Caddyfile: |
+ {
+ auto_https off
+ }
+
+ :8443 {
+ tls /etc/certs/tls.crt /etc/certs/tls.key
+ respond "gateway demo 02 tls passthrough\n"
+ }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tls-echo
+ namespace: gw-demo-02
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: tls-echo
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: tls-echo
+ spec:
+ containers:
+ - name: caddy
+ image: caddy:2.8-alpine
+ ports:
+ - name: https
+ containerPort: 8443
+ volumeMounts:
+ - name: caddy-config
+ mountPath: /etc/caddy
+ readOnly: true
+ - name: tls-echo-cert
+ mountPath: /etc/certs
+ readOnly: true
+ volumes:
+ - name: caddy-config
+ configMap:
+ name: tls-echo-config
+ - name: tls-echo-cert
+ secret:
+ secretName: tls-echo-cert
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: tls-echo
+ namespace: gw-demo-02
+spec:
+ selector:
+ app.kubernetes.io/name: tls-echo
+ ports:
+ - name: https
+ port: 443
+ targetPort: https
+```
+
+Create the platform-managed TLS Gateway in the control plane cluster. vCluster imports it into the tenant cluster as `gw-demo-02/edge`.
+
+```yaml title="TLS passthrough Gateway in the control plane cluster"
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: edge
+ namespace: gw-demo-02
+ labels:
+ gateway-demo.loft.sh/sync: "yes"
+spec:
+ gatewayClassName: gw-demo-02
+ listeners:
+ - name: tls
+ protocol: TLS
+ port: 443
+ hostname: tls.gw-demo.test
+ tls:
+ mode: Passthrough
+ allowedRoutes:
+ kinds:
+ - group: gateway.networking.k8s.io
+ kind: TLSRoute
+ namespaces:
+ from: Same
+```
+
+Then create only the route in the tenant cluster:
+
+```yaml title="TLSRoute in the tenant cluster"
+apiVersion: gateway.networking.k8s.io/v1
+kind: TLSRoute
+metadata:
+ name: passthrough
+ namespace: gw-demo-02
+spec:
+ parentRefs:
+ - name: edge
+ sectionName: tls
+ hostnames:
+ - tls.gw-demo.test
+ rules:
+ - name: tls-echo
+ backendRefs:
+ - name: tls-echo
+ port: 443
+```
+
+```bash title="Verify TLSRoute end-to-end"
+ADDR=$(kubectl get gateway edge -n gw-demo-02 -o jsonpath='{.status.addresses[0].value}')
+curl -k --connect-to "tls.gw-demo.test:443:${ADDR}:443" "https://tls.gw-demo.test:443/"
+```
+
+:::note Controller support varies
+TLSRoute is not part of the Gateway API standard channel. Confirm support in the Gateway controller before relying on this example.
+:::
+
+## Cross-namespace routing
+
+Gateway API distinguishes three cross-namespace references: route attachment to a Gateway, backend references from a route, and TLS certificate references on a Gateway listener. vCluster mirrors the upstream rules: routes must be allowed by the Gateway's `allowedRoutes`, and cross-namespace backend or certificate references must be granted by a `ReferenceGrant` in the target namespace.
+
+### Route attachment by namespace selector
+
+The platform-managed Gateway lives in one namespace in the control plane cluster and is imported into the tenant cluster. Its tenant-facing route policy accepts routes from tenant namespaces whose label matches the selector.
+
+Apply the edge namespace, route namespace, and backend resources first:
+
+```yaml title="Selected namespace and backend resources"
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: gw-demo-03-edge
+ labels:
+ gateway-demo.loft.sh/case: "03-cross-namespace-route-selector"
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: gw-demo-03-apps
+ labels:
+ gateway-demo.loft.sh/case: "03-cross-namespace-route-selector"
+ gateway-demo.loft.sh/route-access: demo-03
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: selected-echo-html
+ namespace: gw-demo-03-apps
+data:
+ index.html: |
+ gateway demo 03 selected namespace route
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: selected-echo
+ namespace: gw-demo-03-apps
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: selected-echo
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: selected-echo
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:1.27-alpine
+ ports:
+ - name: http
+ containerPort: 80
+ volumeMounts:
+ - name: html
+ mountPath: /usr/share/nginx/html/index.html
+ subPath: index.html
+ readOnly: true
+ volumes:
+ - name: html
+ configMap:
+ name: selected-echo-html
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: selected-echo
+ namespace: gw-demo-03-apps
+spec:
+ selector:
+ app.kubernetes.io/name: selected-echo
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
+```
+
+Create the platform-managed Gateway in the control plane cluster. vCluster imports it into the tenant cluster as `gw-demo-03-edge/shared`; the `sync.fromHost.gateways.allowedRoutes` override exposes the tenant-facing namespace selector.
+
+```yaml title="Gateway accepting selected tenant namespaces in the control plane cluster"
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: shared
+ namespace: gw-demo-03-edge
+ labels:
+ gateway-demo.loft.sh/sync: "yes"
+spec:
+ gatewayClassName: gw-demo-03
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ kinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespaces:
+ from: Selector
+ selector:
+ matchLabels:
+ gateway-demo.loft.sh/route-access: demo-03
+```
+
+The tenant route then targets the imported Gateway by name and namespace:
+
+```yaml title="HTTPRoute in an allowed namespace"
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: selected
+ namespace: gw-demo-03-apps
+spec:
+ parentRefs:
+ - name: shared
+ namespace: gw-demo-03-edge
+ sectionName: http
+ hostnames:
+ - selector.gw-demo.test
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: selected-echo
+ port: 80
+```
+
+If the route's namespace does not match the selector, vCluster does not sync the route and emits a `RefNotPermitted` event on the tenant object. See [Reference authorization](#reference-authorization).
+
+### Backend reference via `ReferenceGrant`
+
+When an `HTTPRoute` or `TLSRoute` points at a Service in a different namespace, that target namespace must contain a `ReferenceGrant` permitting the route's namespace.
+
+Apply the route namespace, backend namespace, and backend resources first:
+
+```yaml title="Cross-namespace backend resources"
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: gw-demo-05-routes
+ labels:
+ gateway-demo.loft.sh/case: "05-cross-namespace-backend-referencegrant"
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: gw-demo-05-backends
+ labels:
+ gateway-demo.loft.sh/case: "05-cross-namespace-backend-referencegrant"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: backend-echo-html
+ namespace: gw-demo-05-backends
+data:
+ index.html: |
+ gateway demo 05 cross namespace backend allowed
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: backend-echo
+ namespace: gw-demo-05-backends
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: backend-echo
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: backend-echo
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:1.27-alpine
+ ports:
+ - name: http
+ containerPort: 80
+ volumeMounts:
+ - name: html
+ mountPath: /usr/share/nginx/html/index.html
+ subPath: index.html
+ readOnly: true
+ volumes:
+ - name: html
+ configMap:
+ name: backend-echo-html
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: backend-echo
+ namespace: gw-demo-05-backends
+spec:
+ selector:
+ app.kubernetes.io/name: backend-echo
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
+```
+
+Create the platform-managed Gateway in the control plane cluster. vCluster imports it into the tenant cluster as `gw-demo-05-routes/edge`.
+
+```yaml title="HTTP Gateway in the control plane cluster"
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: edge
+ namespace: gw-demo-05-routes
+ labels:
+ gateway-demo.loft.sh/sync: "yes"
+spec:
+ gatewayClassName: gw-demo-05
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ kinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespaces:
+ from: Same
+```
+
+Then create the tenant `ReferenceGrant` and `HTTPRoute`:
+
+```yaml title="HTTPRoute referencing a backend in another tenant namespace"
+apiVersion: gateway.networking.k8s.io/v1
+kind: ReferenceGrant
+metadata:
+ name: allow-routes-to-echo
+ namespace: gw-demo-05-backends
+spec:
+ from:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespace: gw-demo-05-routes
+ to:
+ - group: ""
+ kind: Service
+ name: backend-echo
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: backend-grant
+ namespace: gw-demo-05-routes
+spec:
+ parentRefs:
+ - name: edge
+ sectionName: http
+ hostnames:
+ - backend-grant.gw-demo.test
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: backend-echo
+ namespace: gw-demo-05-backends
+ port: 80
+```
+
+:::note How `ReferenceGrant` is enforced
+vCluster validates `ReferenceGrant` differently depending on the tenancy mode:
+
+- **Single-namespace target mode (default)**: vCluster evaluates the tenant `ReferenceGrant` itself. If the grant authorizes the reference, vCluster syncs the route; if not, it emits `RefNotPermitted` on the tenant object and does not sync. The `ReferenceGrant` is not synced to the control plane cluster: every tenant namespace collapses into the configured target namespace, so the cross-namespace backend reference becomes a same-namespace request that the Gateway controller does not need a grant for.
+- **Multi-namespace target mode** (`sync.toHost.namespaces.enabled: true` with `mappings.byName`): vCluster syncs the `ReferenceGrant` to the control plane cluster alongside the route, and the Gateway controller performs the authorization check.
+
+Either mode supports cross-namespace `ReferenceGrant`. Choose multi-namespace mode if you want the Gateway controller to enforce the check itself, or to keep per-namespace status visibility in the control plane cluster.
+:::
+
+### TLS certificate via `ReferenceGrant`
+
+An HTTPS `Gateway` listener can reference a TLS Secret in a separate namespace if that namespace contains a `ReferenceGrant` for the Gateway. Because the Gateway is platform-managed in these examples, create the certificate Secret and certificate `ReferenceGrant` in the control plane cluster, not in the tenant cluster.
+
+Create the Gateway and certificate namespaces in the control plane cluster first:
+
+```yaml title="HTTPS Gateway namespaces in the control plane cluster"
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: gw-demo-07-edge
+ labels:
+ gateway-demo.loft.sh/case: "07-cross-namespace-certificate-referencegrant"
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: gw-demo-07-certs
+ labels:
+ gateway-demo.loft.sh/case: "07-cross-namespace-certificate-referencegrant"
+```
+
+Create the TLS Secret for the HTTPS listener in the control plane cluster:
+
+
+
+
+Then create the tenant namespace and backend resources for the HTTPS route:
+
+```yaml title="HTTPS route backend resources in the tenant cluster"
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: gw-demo-07-edge
+ labels:
+ gateway-demo.loft.sh/case: "07-cross-namespace-certificate-referencegrant"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: https-echo-html
+ namespace: gw-demo-07-edge
+data:
+ index.html: |
+ gateway demo 07 cross namespace certificate allowed
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: https-echo
+ namespace: gw-demo-07-edge
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: https-echo
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: https-echo
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:1.27-alpine
+ ports:
+ - name: http
+ containerPort: 80
+ volumeMounts:
+ - name: html
+ mountPath: /usr/share/nginx/html/index.html
+ subPath: index.html
+ readOnly: true
+ volumes:
+ - name: html
+ configMap:
+ name: https-echo-html
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: https-echo
+ namespace: gw-demo-07-edge
+spec:
+ selector:
+ app.kubernetes.io/name: https-echo
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
+```
+
+Create the certificate `ReferenceGrant` and platform-managed Gateway in the control plane cluster. vCluster imports the Gateway into the tenant cluster as `gw-demo-07-edge/edge`.
+
+```yaml title="HTTPS Gateway with cross-namespace certificate in the control plane cluster"
+apiVersion: gateway.networking.k8s.io/v1
+kind: ReferenceGrant
+metadata:
+ name: allow-edge-cert
+ namespace: gw-demo-07-certs
+spec:
+ from:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ namespace: gw-demo-07-edge
+ to:
+ - group: ""
+ kind: Secret
+ name: edge-cert
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: edge
+ namespace: gw-demo-07-edge
+ labels:
+ gateway-demo.loft.sh/sync: "yes"
+spec:
+ gatewayClassName: gw-demo-07
+ listeners:
+ - name: https
+ protocol: HTTPS
+ port: 443
+ hostname: cert-grant.gw-demo.test
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - kind: Secret
+ name: edge-cert
+ namespace: gw-demo-07-certs
+ allowedRoutes:
+ kinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespaces:
+ from: Same
+```
+
+Then create only the route in the tenant cluster:
+
+```yaml title="HTTPRoute through the HTTPS listener in the tenant cluster"
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: https-app
+ namespace: gw-demo-07-edge
+spec:
+ parentRefs:
+ - name: edge
+ sectionName: https
+ hostnames:
+ - cert-grant.gw-demo.test
+ rules:
+ - backendRefs:
+ - name: https-echo
+ port: 80
+```
+
+## Reference authorization
+
+vCluster validates tenant-owned Gateway API references before syncing them to the control plane cluster. Resources with missing grants, unresolved references, or unsupported groups and kinds are not synced. Instead, vCluster records a Warning event on the tenant object so the reason stays close to the user.
+
+| Misconfiguration | Tenant event reason | Inspect |
+| -------------------------------------------------------------------------------------- | --------------------- | ------------------------------------------------------------------------------------ |
+| Route attaches to a Gateway whose `allowedRoutes` does not permit its namespace | `RefNotPermitted` | `kubectl describe httproute -n ` |
+| Route references a Service in another namespace without a matching `ReferenceGrant` | `RefNotPermitted` | `kubectl describe httproute -n ` |
+| A tenant-owned route or policy references another namespace without a matching `ReferenceGrant` | `RefNotPermitted` | `kubectl describe httproute -n ` |
+| `BackendTLSPolicy` references a CA ConfigMap that has no synced control plane object | `SyncError` | `kubectl describe backendtlspolicy -n ` |
+| Route uses an unsupported `parentRef` or `backendRef` group+kind | `SyncError` | `kubectl describe httproute -n ` |
+
+For deeper recipes (including how to recover from each event), see [Gateway API sync troubleshooting](../../../../../troubleshoot/gateway-api-sync.mdx).
+
+## Example: `BackendTLSPolicy`
+
+`BackendTLSPolicy` tells the Gateway controller to originate TLS to a backend and validate it against a CA bundle. vCluster syncs the policy and translates the CA ConfigMap reference for the control plane cluster. The policy is only effective if the Gateway controller implements `BackendTLSPolicy`.
+
+Apply the namespace first:
+
+```yaml title="BackendTLSPolicy namespace"
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: gw-demo-09
+ labels:
+ gateway-demo.loft.sh/case: "09-backend-tls-policy"
+```
+
+Create a backend certificate and synced CA bundle:
+
+```bash title="Create backend TLS material"
+openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
+ -subj "/CN=backend.gw-demo.test" \
+ -addext "subjectAltName=DNS:backend.gw-demo.test" \
+ -keyout backend.key \
+ -out backend.crt
+
+kubectl -n gw-demo-09 create secret tls backend-cert \
+ --cert=backend.crt \
+ --key=backend.key
+kubectl -n gw-demo-09 annotate secret backend-cert vcluster.loft.sh/force-sync=true
+
+kubectl -n gw-demo-09 create configmap backend-ca --from-file=ca.crt=backend.crt
+kubectl -n gw-demo-09 annotate configmap backend-ca vcluster.loft.sh/force-sync=true
+```
+
+Then create the TLS-speaking backend Service:
+
+```yaml title="TLS backend resources"
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: backend-caddy-config
+ namespace: gw-demo-09
+data:
+ Caddyfile: |
+ {
+ auto_https off
+ }
+
+ :8443 {
+ tls /etc/certs/tls.crt /etc/certs/tls.key
+ respond "gateway demo 09 backend tls policy\n"
+ }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: secure-backend
+ namespace: gw-demo-09
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: secure-backend
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: secure-backend
+ spec:
+ containers:
+ - name: caddy
+ image: caddy:2.8-alpine
+ ports:
+ - name: https
+ containerPort: 8443
+ volumeMounts:
+ - name: caddy-config
+ mountPath: /etc/caddy
+ readOnly: true
+ - name: backend-cert
+ mountPath: /etc/certs
+ readOnly: true
+ volumes:
+ - name: caddy-config
+ configMap:
+ name: backend-caddy-config
+ - name: backend-cert
+ secret:
+ secretName: backend-cert
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: secure-backend
+ namespace: gw-demo-09
+spec:
+ selector:
+ app.kubernetes.io/name: secure-backend
+ ports:
+ - name: https
+ port: 443
+ targetPort: https
+ appProtocol: https
+```
+
+Create the platform-managed Gateway in the control plane cluster. vCluster imports it into the tenant cluster as `gw-demo-09/edge`.
+
+```yaml title="HTTP Gateway in the control plane cluster"
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: edge
+ namespace: gw-demo-09
+ labels:
+ gateway-demo.loft.sh/sync: "yes"
+spec:
+ gatewayClassName: gw-demo-09
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ hostname: backend-tls.gw-demo.test
+ allowedRoutes:
+ kinds:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespaces:
+ from: Same
+```
+
+Then create the route and `BackendTLSPolicy` in the tenant cluster:
+
+```yaml title="HTTPRoute with BackendTLSPolicy in the tenant cluster"
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: backend-tls
+ namespace: gw-demo-09
+spec:
+ parentRefs:
+ - name: edge
+ sectionName: http
+ hostnames:
+ - backend-tls.gw-demo.test
+ rules:
+ - backendRefs:
+ - name: secure-backend
+ port: 443
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: BackendTLSPolicy
+metadata:
+ name: secure-backend
+ namespace: gw-demo-09
+spec:
+ targetRefs:
+ - group: ""
+ kind: Service
+ name: secure-backend
+ validation:
+ hostname: backend.gw-demo.test
+ caCertificateRefs:
+ - group: ""
+ kind: ConfigMap
+ name: backend-ca
+```
+
+A successful policy reports an `ancestor` condition with `Accepted=True` against the route's parent `Gateway`. If the referenced CA ConfigMap is not synced to the control plane cluster, vCluster emits a `SyncError` event instead. See [`SyncError: referenced ConfigMap has no synced control plane object`](../../../../../troubleshoot/gateway-api-sync.mdx#syncerror-missing-ca-configmap).
+
+## CLI guidance
+
+### Connect to the tenant cluster
+
+Tenant-owned Gateway API resources such as routes and policies live in the tenant cluster. Imported `Gateway` resources also appear in the tenant cluster, but their source of truth is the control plane cluster. Connect to the tenant with the vCluster CLI before issuing tenant-side `kubectl` commands:
+
+
+
+`vcluster connect` writes a context entry to your kubeconfig and switches the current context. To run side-by-side checks against the control plane cluster, export both contexts explicitly:
+
+
+
+There is no separate `vcluster` verb for Gateway API resources. Inspect imported Gateways and tenant-created routes with `kubectl` against the tenant context; the control plane data plane is reached using the address from `status.addresses` on the imported tenant `Gateway`.
+
+### Inspect Gateway API resources
+
+```bash title="List Gateway API resources across all tenant namespaces"
+kubectl --context "$TENANT_CONTEXT" get gateway,httproute,tlsroute,backendtlspolicy -A
+```
+
+
+
+
+
+`ReferenceGrant` has no status, so confirm it by checking that the dependent route, Gateway, or `BackendTLSPolicy` reaches `Accepted=True` and `ResolvedRefs=True`.
+
+### Discover the control plane-assigned address
+
+
+
+The address is whatever the Gateway controller assigned (LoadBalancer IP, NodePort, or controller-published hostname). Tenant clients curl that address directly; vCluster does not proxy data-plane traffic.
+
+## Patches
+
+Patch lists are resource-specific. For these examples, use `sync.fromHost.gateways.patches` for imported control plane `Gateway` resources and `sync.toHost.gatewayApi.httpRoutes.patches`, `tlsRoutes.patches`, `backendTLSPolicies.patches`, or `referenceGrants.patches` for tenant-created resources. Each list accepts the same expression and reference patch shapes.
+
+```yaml title="Patch imported Gateway hostnames during sync"
+sync:
+ fromHost:
+ gateways:
+ enabled: true
+ patches:
+ - path: spec.listeners[*].hostname
+ expression: '"tenant-" + value'
+ reverseExpression: 'value.replace(/^tenant-/, "")'
+```
## Config reference
-See the generated [`sync.toHost.gatewayApi`](../README.mdx#toHost-gatewayApi) config reference for exact YAML fields, including `httpRoutes`, `gateways`, `tlsRoutes`, `backendTlsPolicies`, and `referenceGrants`.
+
diff --git a/vcluster/configure/vcluster-yaml/sync/to-host/networking/ingresses.mdx b/vcluster/configure/vcluster-yaml/sync/to-host/networking/ingresses.mdx
index bf9a494d7f..f042d53c0c 100644
--- a/vcluster/configure/vcluster-yaml/sync/to-host/networking/ingresses.mdx
+++ b/vcluster/configure/vcluster-yaml/sync/to-host/networking/ingresses.mdx
@@ -22,6 +22,10 @@ By default, this is disabled.
When enabled, sync all [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) resources from the tenant cluster to the control plane cluster. Use this option to make a tenant cluster service available via a hostname/domain without having to configure DNS for each tenant cluster. You do, however, need to install a separate Ingress controller for each vCluster instance.
+:::tip Prefer Gateway API for new workloads
+For tenant traffic served by a Gateway controller on the control plane cluster, [Gateway API sync](./gateway-api.mdx) is the modern alternative. It syncs `Gateway`, `HTTPRoute`, `TLSRoute`, `ReferenceGrant`, and `BackendTLSPolicy`, and lets tenants import host `GatewayClass` resources via [`sync.fromHost.gatewayClasses`](../../from-host/gateway-classes.mdx). Ingress sync remains supported for workloads that still depend on `networking.k8s.io/v1` Ingress resources.
+:::
+
When enabled, vCluster automatically tries to detect the supported ingress version (`networking.k8s.io/v1` or `networking.k8s.io/v1beta1`).
### Sync Ingresses from the tenant to control plane cluster
diff --git a/vcluster/troubleshoot/gateway-api-sync.mdx b/vcluster/troubleshoot/gateway-api-sync.mdx
new file mode 100644
index 0000000000..722dde31f0
--- /dev/null
+++ b/vcluster/troubleshoot/gateway-api-sync.mdx
@@ -0,0 +1,152 @@
+---
+title: Resolve Gateway API sync errors
+sidebar_label: Gateway API sync
+description: Troubleshoot RefNotPermitted, SyncError, and SyncWarning events emitted by vCluster while syncing Gateway API resources to the host.
+---
+
+# Resolve Gateway API sync errors
+
+vCluster validates Gateway API references in the tenant cluster before syncing them to the control plane cluster. When a `Gateway`, `HTTPRoute`, `TLSRoute`, `ReferenceGrant`, or `BackendTLSPolicy` is misconfigured or depends on an object that has no synced host counterpart, vCluster does not sync the resource and records a Warning event on the tenant object.
+
+This page covers the most common events. For the feature overview and full examples, see [Gateway API sync](../configure/vcluster-yaml/sync/to-host/networking/gateway-api.mdx).
+
+## `RefNotPermitted` on a route {#refnotpermitted-route}
+
+### Symptoms
+
+A tenant `HTTPRoute` or `TLSRoute` has no `Accepted` parent in its status, the host data plane returns the controller's no-route response, and `kubectl describe` on the tenant route shows:
+
+```text
+Warning RefNotPermitted Gateway API reference not permitted: authorize parentRefs[0]: HTTPRoute in namespace "" is not permitted by Gateway "" in namespace "" allowedRoutes
+```
+
+### Cause
+
+The tenant `Gateway` listener's `allowedRoutes.namespaces` does not permit the route's namespace. Either `allowedRoutes.namespaces.from: Same` is set and the route lives in a different namespace, or `from: Selector` is set and the route's namespace does not match the selector.
+
+### Resolution
+
+Either move the route into a permitted namespace, label the route's namespace so it matches the listener selector, or relax the listener's `allowedRoutes.namespaces`. See [Route attachment by namespace selector](../configure/vcluster-yaml/sync/to-host/networking/gateway-api.mdx#route-attachment-by-namespace-selector) for the selector pattern.
+
+## `RefNotPermitted` on a cross-namespace backend reference {#refnotpermitted-backend}
+
+### Symptoms
+
+A tenant `HTTPRoute` or `TLSRoute` references a Service in a different namespace, has no `Accepted` parent in its status, and `kubectl describe` shows:
+
+```text
+Warning RefNotPermitted Gateway API reference not permitted: translate rules[0]: translate backendRefs[0]: HTTPRoute in namespace "" is not permitted to reference Service "" in namespace ""
+```
+
+### Cause
+
+Gateway API requires a `ReferenceGrant` in the target namespace whenever a route references a backend Service in a different namespace. vCluster enforces the same rule before sync.
+
+### Resolution
+
+This event means the tenant `ReferenceGrant` did not authorize the reference at the time vCluster evaluated the route. Add a matching `ReferenceGrant` to the backend namespace that names the route's namespace, group, and kind. The grant pattern is in [Backend reference via ReferenceGrant](../configure/vcluster-yaml/sync/to-host/networking/gateway-api.mdx#backend-reference-via-referencegrant).
+
+## `RefNotPermitted` on a cross-namespace certificate reference {#refnotpermitted-cert}
+
+### Symptoms
+
+A tenant HTTPS `Gateway` references a TLS Secret in a different namespace, the listener does not become `Accepted`, and `kubectl describe` on the tenant `Gateway` shows:
+
+```text
+Warning RefNotPermitted Gateway API reference not permitted: authorize listeners[0].tls.certificateRefs[0]: Gateway in namespace "" is not permitted to reference Secret "" in namespace ""
+```
+
+### Cause
+
+Same Gateway API rule as backend references: a `ReferenceGrant` in the certificate namespace must permit the `Gateway` to reference the Secret. vCluster enforces it before sync.
+
+### Resolution
+
+Add a `ReferenceGrant` to the certificate namespace that names the Gateway's namespace, group (`gateway.networking.k8s.io`), and kind (`Gateway`). The full pattern is in [TLS certificate via ReferenceGrant](../configure/vcluster-yaml/sync/to-host/networking/gateway-api.mdx#tls-certificate-via-referencegrant).
+
+
+## `SyncError: referenced ConfigMap has no synced host object` {#syncerror-missing-ca-configmap}
+
+
+### Symptoms
+
+A `BackendTLSPolicy` has empty status, the host Gateway controller reports no policy, and `kubectl describe` shows:
+
+```text
+Warning SyncError Error syncing: translate validation.caCertificateRefs[0]: referenced ConfigMap "" in namespace "" has no synced host object
+```
+
+### Cause
+
+vCluster cannot translate the `BackendTLSPolicy`'s `validation.caCertificateRefs` because the referenced ConfigMap either does not exist in the tenant cluster or is not synced to the host. The same class of error occurs for Secret references that have not been synced.
+
+### Resolution
+
+1. Confirm the tenant ConfigMap exists:
+ ```bash
+ kubectl get configmap -n
+ ```
+2. Make sure `sync.toHost.configMaps` is enabled and includes the CA ConfigMap. Default config syncing is opt-in, so either set `sync.toHost.configMaps.all: true` or label the ConfigMap so it matches the configured selector.
+3. Re-apply the `BackendTLSPolicy` and confirm the event clears.
+
+Timing tip: while the dependent Service is still being synced for the first time, the first emitted warning may name the Service instead of the CA. After the Service is synced, the stable error names the missing ConfigMap.
+
+## `SyncError: unsupported parentRef or backendRef` {#syncerror-unsupported-ref}
+
+### Symptoms
+
+An `HTTPRoute` or `TLSRoute` has empty status and `kubectl describe` shows one of:
+
+```text
+Warning SyncError Error syncing: translate parentRefs[0]: parentRef group "" kind "" is not supported
+Warning SyncError Error syncing: translate rules[0]: translate backendRefs[0]: backendRef group "" kind "" is not supported
+```
+
+### Cause
+
+vCluster's native Gateway API sync only translates core Gateway API kinds: `Gateway` for `parentRef`, and core Service for `backendRef`. Custom resource `parentRef` and `backendRef` kinds (such as Istio waypoints or service-mesh overlays) cannot be translated.
+
+### Resolution
+
+Either move the unsupported reference to a supported kind, or sync the custom resource separately using [`sync.toHost.customResources`](../configure/vcluster-yaml/sync/to-host/advanced/custom-resources.mdx). The custom-resource path still works for non-core Gateway API extensions; native sync is for core Gateway, HTTPRoute, TLSRoute, ReferenceGrant, and BackendTLSPolicy.
+
+## `SyncWarning: Gateway sync skipped (GatewayClass not selected)` {#syncwarning-gatewayclass-not-selected}
+
+### Symptoms
+
+A tenant `Gateway` is not visible on the host, its status is empty, and `kubectl describe` shows:
+
+```text
+Warning SyncWarning Gateway "" sync skipped. The GatewayClass "" does not match the selector under 'sync.fromHost.gatewayClasses.selector'
+```
+
+### Cause
+
+`sync.fromHost.gatewayClasses` is enabled with a selector, and the referenced `GatewayClass` does not have the required labels in the control plane cluster. vCluster did not sync the class into the tenant cluster, so the tenant `Gateway` has no valid `gatewayClassName`.
+
+### Resolution
+
+1. Confirm the host `GatewayClass` carries the expected labels:
+ ```bash
+ kubectl --context "$HOST_CONTEXT" get gatewayclass --show-labels
+ ```
+2. Either label the host `GatewayClass` so it matches the selector, or change the tenant `Gateway` to reference a class that does. See [Gateway classes](../configure/vcluster-yaml/sync/from-host/gateway-classes.mdx) for the selector pattern.
+
+## Tenant Gateway has no host address {#no-host-address}
+
+### Symptoms
+
+The tenant `Gateway` reports `Accepted=True` but `status.addresses` stays empty, and `curl` to a discovered address fails.
+
+### Cause
+
+The host Gateway controller has not yet assigned an address, or the host platform does not provide one. For some controllers, an address only appears once a corresponding LoadBalancer Service is provisioned by the cloud provider. On clusters without LoadBalancer support, the host controller may publish a NodePort or require manual port-forwarding to the controller's Envoy/data-plane Service.
+
+### Resolution
+
+1. Inspect the host Gateway and its generated Service:
+ ```bash
+ kubectl --context "$HOST_CONTEXT" -n get gateway -o wide
+ kubectl --context "$HOST_CONTEXT" -n get svc
+ ```
+2. If the host platform does not provide LoadBalancer addresses, port-forward the controller's data-plane Service and curl that address directly. The tenant `Gateway` only mirrors what the host controller publishes; vCluster does not synthesize an address.