Add Gateway API (HTTPRoute) support to Console Helm chart and CRD

[david-yu]

Summary

Adds support for Kubernetes Gateway API HTTPRoute resources to the Console chart and operator, allowing users to expose Console via Gateway API controllers (e.g. Envoy Gateway, Istio, Cilium) as an alternative to classic Ingress.

Closes #1308
Supersedes #1309 (recreated from upstream branch for CI)

Original chart work by @w1ndhunter.

Prerequisites

Gateway API CRDs must be installed in your cluster before enabling this feature. The CRDs are not bundled with the Redpanda Helm chart or operator — they are maintained by the Kubernetes Gateway API project.

Install Gateway API CRDs

kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml

Install a Gateway controller

You also need a Gateway API-compatible controller running in your cluster. Common options include:

• Envoy Gateway
• Istio
• Cilium
• NGINX Gateway Fabric

Create a Gateway resource that the HTTPRoute will attach to:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: my-gateway
  namespace: gateway-system
spec:
  gatewayClassName: eg  # varies by controller
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate
        certificateRefs:
          - name: my-tls-cert

Changes

Console Helm Chart

• New gateway values block alongside existing ingress block
• New gateway.go with HTTPRoute() rendering function
• HTTPRoute added to Render() manifest list and Types() scheme registration
• gatewayv1.Install(Scheme) for Gateway API type serialization
• Updated notes.go to show Gateway URLs (mutually exclusive with Ingress)
• Validation in NewRenderState rejects both gateway and ingress enabled simultaneously
• New test cases: gateway-only, mutual exclusion validation, gateway removal/switch scenarios
• Regenerated schema, golden files, and templates

Operator (Console CRD)

• New GatewayConfig and GatewayParentReference types in console_types.go
• Gateway field added to ConsoleValues and RedpandaConsole structs
• Auto-generated conversion (goverter) from CRD types → chart partial values
• RBAC: added gateway.networking.k8s.io/httproutes permissions
• Registered gatewayv1 types in V2 scheme
• Bumped sigs.k8s.io/gateway-api from v1.4.1 → v1.5.1
• Regenerated deepcopy, conversion, and CRD manifests
• HTTPRoute watch is skipped gracefully when Gateway API CRDs are not installed

Console Controller Tests — Gateway API CRD Loading ⚠️

Reviewer note: The console controller test (operator/internal/controller/console/controller_test.go) now loads Gateway API CRDs from the sigs.k8s.io/gateway-api Go module cache at test time. This is needed because envtest must have the HTTPRoute CRD installed for the controller to reconcile gateway-enabled Console objects (list HTTPRoutes, create/delete them).

The loadGatewayAPICRDs helper resolves the module directory via go list -m -f {{.Dir}} sigs.k8s.io/gateway-api, reads all standard CRD YAMLs from config/crd/standard/, and parses them. Non-CRD files (e.g. ValidatingAdmissionPolicy) are skipped gracefully.

This approach avoids vendoring the ~7K-line HTTPRoute CRD YAML into testdata while keeping the CRD version in sync with go.mod.

Bug Fix: InUseServerCerts external TLS cert mounting

• Fixed InUseServerCerts in charts/redpanda/values.go (and operator/multicluster/values.go) where a continue statement on the internal listener's TLS check would skip registering external sub-listener certs. External certs are now checked independently of internal TLS state.

Usage Examples

Helm Chart — Gateway API

# 1. Install Gateway API CRDs (if not already installed)
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml

# 2. Install Console with gateway enabled
helm install console redpanda/console -f values.yaml

# values.yaml
gateway:
  enabled: true
  annotations:
    example.com/owner: my-team
  parentRefs:
    - name: my-gateway
      namespace: gateway-system
      sectionName: https
  hostnames:
    - console.example.com
  path: /
  pathType: PathPrefix

Helm Chart — Classic Ingress (unchanged)

# values.yaml
ingress:
  enabled: true
  hosts:
    - host: console.example.com
      paths:
        - path: /
          pathType: Prefix

Note: Enabling both ingress.enabled: true and gateway.enabled: true will fail with: ingress and gateway cannot both be enabled; use one or the other

Console CRD (Operator) — Gateway API

# 1. Install Gateway API CRDs (if not already installed)
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml

# 2. Apply the Console CR with gateway enabled
kubectl apply -f console.yaml

# console.yaml
apiVersion: cluster.redpanda.com/v1alpha2
kind: Console
metadata:
  name: my-console
  namespace: redpanda
spec:
  clusterSource:
    clusterRef:
      name: my-cluster
  gateway:
    enabled: true
    annotations:
      example.com/owner: my-team
    parentRefs:
      - name: my-gateway
        namespace: gateway-system
        sectionName: https
    hostnames:
      - console.example.com
    path: /
    pathType: PathPrefix

Console CRD (Operator) — Switching from Gateway to Ingress

To switch, remove the gateway stanza and add ingress:

apiVersion: cluster.redpanda.com/v1alpha2
kind: Console
metadata:
  name: my-console
  namespace: redpanda
spec:
  clusterSource:
    clusterRef:
      name: my-cluster
  ingress:
    enabled: true
    hosts:
      - host: console.example.com
        paths:
          - path: /
            pathType: Prefix

The operator will remove the HTTPRoute and create an Ingress instead.

Test plan

• go build ./... passes in operator/ and charts/console/
• go test ./... passes in charts/console/ — includes:
  • TestIngressGatewayMutualExclusion — both enabled → error
  • TestGatewayRemoval/gateway_removed_from_config — no gateway stanza → no HTTPRoute
  • TestGatewayRemoval/gateway_explicitly_disabled — enabled: false → no HTTPRoute
  • TestGatewayRemoval/switch_from_gateway_to_ingress — gateway→ingress produces Ingress, no HTTPRoute
  • TestTemplate golden tests (gateway-templating case)
• Console controller tests pass with Gateway API CRDs loaded into envtest
  • TestController/gateway-enabled — basic gateway with parentRefs
  • TestController/gateway-custom-path — custom path and multiple parentRefs
• CRD schema includes gateway field with correct OpenAPI validation
• Deploy Console CRD with gateway.enabled: true → HTTPRoute created
• Deploy via Helm with gateway.enabled: true → HTTPRoute created
• Enabling both ingress and gateway → validation error

🤖 Generated with Claude Code

[github-actions]

This PR is stale because it has been open 5 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[github-actions]

This PR is stale because it has been open 5 days with no activity. Remove stale label or comment or this will be closed in 5 days.