Add support for Gateway API within Cilium

Squashed commit of the following:
Update documentation and CRDs
Update pkg/model/components/cilium.go
Remove gateway API managed addon
Update CRDs
Fix RBAC and update docs
Fix up files that shouldn't of been touched
Remove namespace from cluster RBAC resources

docs/networking/cilium.md

@@ -249,6 +249,32 @@ EOF
 
 Note that you can create an ingress resource for Hubble UI by configuring the `hubble.ui.ingress` stanza. See [Cilium Helm chart documentation](https://artifacthub.io/packages/helm/cilium/cilium/1.11.1) for more information.
 
+## Gateway API Support
+
+{{ kops_feature_table(kops_added_default='1.32') }}
+
+Cilium supports the Kubernetes Gateway API, which provides a more expressive and extensible way to configure ingress traffic. To enable Gateway API support in Cilium, you need to:
+
+1. Enable the cluster-wide Gateway API feature in your cluster spec
+2. Enable Cilium's Gateway API support
+
+Here's how to configure it:
+
+```yaml
+spec:
+  networking:
+    cilium:
+      gatewayAPI:
+        enabled: true
+```
+
+Note that enabling Cilium's Gateway API support requires having the Gateway API custom resources definitions (CRDs) deployed manually or through a custom addon first. The current version of Cilium requires the experimental channel. To install it manually, simply run:
+```bash
+kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/experimental-install.yaml
+```
+
+For more information about using the Gateway API with Cilium, see the [Cilium Gateway API documentation](https://docs.cilium.io/en/stable/network/servicemesh/gateway-api/).
+
 ## Getting help
 
 For problems with deploying Cilium please post an issue to Github:

k8s/crds/kops.k8s.io_clusters.yaml

@@ -5495,6 +5495,20 @@ spec:
                           The cluster is operated by cilium-etcd-operator.
                           Default: false
                         type: boolean
+                      gatewayAPI:
+                        description: GatewayAPI specifies the configuration for Cilium
+                          Gateway API settings.
+                        properties:
+                          enableSecretsSync:
+                            description: |-
+                              EnableSecretsSync specifies whether synchronization of secrets is enabled.
+                              Default: true
+                            type: boolean
+                          enabled:
+                            description: Enabled specifies whether Cilium Gateway
+                              API is enabled.
+                            type: boolean
+                        type: object
                       hubble:
                         description: Hubble configures the Hubble service on the Cilium
                           agent.

pkg/apis/kops/networking.go

@@ -525,6 +525,9 @@ type CiliumNetworkingSpec struct {
 
 	// Ingress specifies the configuration for Cilium Ingress settings.
 	Ingress *CiliumIngressSpec `json:"ingress,omitempty"`
+
+	// GatewayAPI specifies the configuration for Cilium Gateway API settings.
+	GatewayAPI *CiliumGatewayAPISpec `json:"gatewayAPI,omitempty"`
 }
 
 // CiliumIngressSpec configures Cilium Ingress settings.
@@ -554,6 +557,16 @@ type CiliumIngressSpec struct {
 	SharedLoadBalancerServiceName string `json:"sharedLoadBalancerServiceName,omitempty"`
 }
 
+// CiliumGatewayAPISpec configures Cilium Gateway API settings.
+type CiliumGatewayAPISpec struct {
+	// Enabled specifies whether Cilium Gateway API is enabled.
+	Enabled *bool `json:"enabled,omitempty"`
+
+	// EnableSecretsSync specifies whether synchronization of secrets is enabled.
+	// Default: true
+	EnableSecretsSync *bool `json:"enableSecretsSync,omitempty"`
+}
+
 // HubbleSpec configures the Hubble service on the Cilium agent.
 type HubbleSpec struct {
 	// Enabled decides if Hubble is enabled on the agent or not

pkg/apis/kops/v1alpha2/networking.go

@@ -642,6 +642,9 @@ type CiliumNetworkingSpec struct {
 
 	// Ingress specifies the configuration for Cilium Ingress settings.
 	Ingress *CiliumIngressSpec `json:"ingress,omitempty"`
+
+	// GatewayAPI specifies the configuration for Cilium Gateway API settings.
+	GatewayAPI *CiliumGatewayAPISpec `json:"gatewayAPI,omitempty"`
 }
 
 // CiliumIngressSpec configures Cilium Ingress settings.
@@ -671,6 +674,16 @@ type CiliumIngressSpec struct {
 	SharedLoadBalancerServiceName string `json:"sharedLoadBalancerServiceName,omitempty"`
 }
 
+// CiliumGatewayAPISpec configures Cilium Gateway API settings.
+type CiliumGatewayAPISpec struct {
+	// Enabled specifies whether Cilium Gateway API is enabled.
+	Enabled *bool `json:"enabled,omitempty"`
+
+	// EnableSecretsSync specifies whether synchronization of secrets is enabled.
+	// Default: true
+	EnableSecretsSync *bool `json:"enableSecretsSync,omitempty"`
+}
+
 // HubbleSpec configures the Hubble service on the Cilium agent.
 type HubbleSpec struct {
 	// Enabled decides if Hubble is enabled on the agent or not

pkg/apis/kops/v1alpha2/zz_generated.conversion.go

@@ -214,6 +214,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*CiliumGatewayAPISpec)(nil), (*kops.CiliumGatewayAPISpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha2_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec(a.(*CiliumGatewayAPISpec), b.(*kops.CiliumGatewayAPISpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*kops.CiliumGatewayAPISpec)(nil), (*CiliumGatewayAPISpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_kops_CiliumGatewayAPISpec_To_v1alpha2_CiliumGatewayAPISpec(a.(*kops.CiliumGatewayAPISpec), b.(*CiliumGatewayAPISpec), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*CiliumIngressSpec)(nil), (*kops.CiliumIngressSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha2_CiliumIngressSpec_To_kops_CiliumIngressSpec(a.(*CiliumIngressSpec), b.(*kops.CiliumIngressSpec), scope)
 	}); err != nil {
@@ -1953,6 +1963,28 @@ func Convert_kops_CertManagerConfig_To_v1alpha2_CertManagerConfig(in *kops.CertM
 	return autoConvert_kops_CertManagerConfig_To_v1alpha2_CertManagerConfig(in, out, s)
 }
 
+func autoConvert_v1alpha2_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec(in *CiliumGatewayAPISpec, out *kops.CiliumGatewayAPISpec, s conversion.Scope) error {
+	out.Enabled = in.Enabled
+	out.EnableSecretsSync = in.EnableSecretsSync
+	return nil
+}
+
+// Convert_v1alpha2_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec is an autogenerated conversion function.
+func Convert_v1alpha2_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec(in *CiliumGatewayAPISpec, out *kops.CiliumGatewayAPISpec, s conversion.Scope) error {
+	return autoConvert_v1alpha2_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec(in, out, s)
+}
+
+func autoConvert_kops_CiliumGatewayAPISpec_To_v1alpha2_CiliumGatewayAPISpec(in *kops.CiliumGatewayAPISpec, out *CiliumGatewayAPISpec, s conversion.Scope) error {
+	out.Enabled = in.Enabled
+	out.EnableSecretsSync = in.EnableSecretsSync
+	return nil
+}
+
+// Convert_kops_CiliumGatewayAPISpec_To_v1alpha2_CiliumGatewayAPISpec is an autogenerated conversion function.
+func Convert_kops_CiliumGatewayAPISpec_To_v1alpha2_CiliumGatewayAPISpec(in *kops.CiliumGatewayAPISpec, out *CiliumGatewayAPISpec, s conversion.Scope) error {
+	return autoConvert_kops_CiliumGatewayAPISpec_To_v1alpha2_CiliumGatewayAPISpec(in, out, s)
+}
+
 func autoConvert_v1alpha2_CiliumIngressSpec_To_kops_CiliumIngressSpec(in *CiliumIngressSpec, out *kops.CiliumIngressSpec, s conversion.Scope) error {
 	out.Enabled = in.Enabled
 	out.EnforceHttps = in.EnforceHttps
@@ -2105,6 +2137,15 @@ func autoConvert_v1alpha2_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *
 	} else {
 		out.Ingress = nil
 	}
+	if in.GatewayAPI != nil {
+		in, out := &in.GatewayAPI, &out.GatewayAPI
+		*out = new(kops.CiliumGatewayAPISpec)
+		if err := Convert_v1alpha2_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.GatewayAPI = nil
+	}
 	return nil
 }
 
@@ -2178,6 +2219,15 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha2_CiliumNetworkingSpec(in *
 	} else {
 		out.Ingress = nil
 	}
+	if in.GatewayAPI != nil {
+		in, out := &in.GatewayAPI, &out.GatewayAPI
+		*out = new(CiliumGatewayAPISpec)
+		if err := Convert_kops_CiliumGatewayAPISpec_To_v1alpha2_CiliumGatewayAPISpec(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.GatewayAPI = nil
+	}
 	return nil
 }
 

pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go

@@ -527,6 +527,32 @@ func (in *CertManagerConfig) DeepCopy() *CertManagerConfig {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CiliumGatewayAPISpec) DeepCopyInto(out *CiliumGatewayAPISpec) {
+	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableSecretsSync != nil {
+		in, out := &in.EnableSecretsSync, &out.EnableSecretsSync
+		*out = new(bool)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumGatewayAPISpec.
+func (in *CiliumGatewayAPISpec) DeepCopy() *CiliumGatewayAPISpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CiliumGatewayAPISpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CiliumIngressSpec) DeepCopyInto(out *CiliumIngressSpec) {
 	*out = *in
@@ -689,6 +715,11 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) {
 		*out = new(CiliumIngressSpec)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.GatewayAPI != nil {
+		in, out := &in.GatewayAPI, &out.GatewayAPI
+		*out = new(CiliumGatewayAPISpec)
+		(*in).DeepCopyInto(*out)
+	}
 	return
 }
 

pkg/apis/kops/v1alpha3/networking.go

@@ -473,6 +473,9 @@ type CiliumNetworkingSpec struct {
 
 	// Ingress specifies the configuration for Cilium Ingress settings.
 	Ingress *CiliumIngressSpec `json:"ingress,omitempty"`
+
+	// GatewayAPI specifies the configuration for Cilium Gateway API settings.
+	GatewayAPI *CiliumGatewayAPISpec `json:"gatewayAPI,omitempty"`
 }
 
 // CiliumIngressSpec configures Cilium Ingress settings.
@@ -502,6 +505,16 @@ type CiliumIngressSpec struct {
 	SharedLoadBalancerServiceName string `json:"sharedLoadBalancerServiceName,omitempty"`
 }
 
+// CiliumGatewayAPISpec configures Cilium Gateway API settings.
+type CiliumGatewayAPISpec struct {
+	// Enabled specifies whether Cilium Gateway API is enabled.
+	Enabled *bool `json:"enabled,omitempty"`
+
+	// EnableSecretsSync specifies whether synchronization of secrets is enabled.
+	// Default: true
+	EnableSecretsSync *bool `json:"enableSecretsSync,omitempty"`
+}
+
 // HubbleSpec configures the Hubble service on the Cilium agent.
 type HubbleSpec struct {
 	// Enabled decides if Hubble is enabled on the agent or not

pkg/apis/kops/v1alpha3/zz_generated.conversion.go

@@ -234,6 +234,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*CiliumGatewayAPISpec)(nil), (*kops.CiliumGatewayAPISpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha3_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec(a.(*CiliumGatewayAPISpec), b.(*kops.CiliumGatewayAPISpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*kops.CiliumGatewayAPISpec)(nil), (*CiliumGatewayAPISpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_kops_CiliumGatewayAPISpec_To_v1alpha3_CiliumGatewayAPISpec(a.(*kops.CiliumGatewayAPISpec), b.(*CiliumGatewayAPISpec), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*CiliumIngressSpec)(nil), (*kops.CiliumIngressSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha3_CiliumIngressSpec_To_kops_CiliumIngressSpec(a.(*CiliumIngressSpec), b.(*kops.CiliumIngressSpec), scope)
 	}); err != nil {
@@ -2135,6 +2145,28 @@ func Convert_kops_CertManagerConfig_To_v1alpha3_CertManagerConfig(in *kops.CertM
 	return autoConvert_kops_CertManagerConfig_To_v1alpha3_CertManagerConfig(in, out, s)
 }
 
+func autoConvert_v1alpha3_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec(in *CiliumGatewayAPISpec, out *kops.CiliumGatewayAPISpec, s conversion.Scope) error {
+	out.Enabled = in.Enabled
+	out.EnableSecretsSync = in.EnableSecretsSync
+	return nil
+}
+
+// Convert_v1alpha3_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec is an autogenerated conversion function.
+func Convert_v1alpha3_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec(in *CiliumGatewayAPISpec, out *kops.CiliumGatewayAPISpec, s conversion.Scope) error {
+	return autoConvert_v1alpha3_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec(in, out, s)
+}
+
+func autoConvert_kops_CiliumGatewayAPISpec_To_v1alpha3_CiliumGatewayAPISpec(in *kops.CiliumGatewayAPISpec, out *CiliumGatewayAPISpec, s conversion.Scope) error {
+	out.Enabled = in.Enabled
+	out.EnableSecretsSync = in.EnableSecretsSync
+	return nil
+}
+
+// Convert_kops_CiliumGatewayAPISpec_To_v1alpha3_CiliumGatewayAPISpec is an autogenerated conversion function.
+func Convert_kops_CiliumGatewayAPISpec_To_v1alpha3_CiliumGatewayAPISpec(in *kops.CiliumGatewayAPISpec, out *CiliumGatewayAPISpec, s conversion.Scope) error {
+	return autoConvert_kops_CiliumGatewayAPISpec_To_v1alpha3_CiliumGatewayAPISpec(in, out, s)
+}
+
 func autoConvert_v1alpha3_CiliumIngressSpec_To_kops_CiliumIngressSpec(in *CiliumIngressSpec, out *kops.CiliumIngressSpec, s conversion.Scope) error {
 	out.Enabled = in.Enabled
 	out.EnforceHttps = in.EnforceHttps
@@ -2235,6 +2267,15 @@ func autoConvert_v1alpha3_CiliumNetworkingSpec_To_kops_CiliumNetworkingSpec(in *
 	} else {
 		out.Ingress = nil
 	}
+	if in.GatewayAPI != nil {
+		in, out := &in.GatewayAPI, &out.GatewayAPI
+		*out = new(kops.CiliumGatewayAPISpec)
+		if err := Convert_v1alpha3_CiliumGatewayAPISpec_To_kops_CiliumGatewayAPISpec(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.GatewayAPI = nil
+	}
 	return nil
 }
 
@@ -2313,6 +2354,15 @@ func autoConvert_kops_CiliumNetworkingSpec_To_v1alpha3_CiliumNetworkingSpec(in *
 	} else {
 		out.Ingress = nil
 	}
+	if in.GatewayAPI != nil {
+		in, out := &in.GatewayAPI, &out.GatewayAPI
+		*out = new(CiliumGatewayAPISpec)
+		if err := Convert_kops_CiliumGatewayAPISpec_To_v1alpha3_CiliumGatewayAPISpec(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.GatewayAPI = nil
+	}
 	return nil
 }
 

pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go

@@ -588,6 +588,32 @@ func (in *CertManagerConfig) DeepCopy() *CertManagerConfig {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CiliumGatewayAPISpec) DeepCopyInto(out *CiliumGatewayAPISpec) {
+	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableSecretsSync != nil {
+		in, out := &in.EnableSecretsSync, &out.EnableSecretsSync
+		*out = new(bool)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumGatewayAPISpec.
+func (in *CiliumGatewayAPISpec) DeepCopy() *CiliumGatewayAPISpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CiliumGatewayAPISpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CiliumIngressSpec) DeepCopyInto(out *CiliumIngressSpec) {
 	*out = *in
@@ -711,6 +737,11 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) {
 		*out = new(CiliumIngressSpec)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.GatewayAPI != nil {
+		in, out := &in.GatewayAPI, &out.GatewayAPI
+		*out = new(CiliumGatewayAPISpec)
+		(*in).DeepCopyInto(*out)
+	}
 	return
 }
 

pkg/apis/kops/validation/validation_test.go

@@ -1221,6 +1221,15 @@ func Test_Validate_Cilium(t *testing.T) {
 				},
 			},
 		},
+		{
+			Cilium: kops.CiliumNetworkingSpec{
+				Version: "v1.16.0",
+				GatewayAPI: &kops.CiliumGatewayAPISpec{
+					Enabled:           fi.PtrTo(true),
+					EnableSecretsSync: fi.PtrTo(true),
+				},
+			},
+		},
 		{
 			Cilium: kops.CiliumNetworkingSpec{
 				Version: "v1.16.0",
@@ -1236,9 +1245,7 @@ func Test_Validate_Cilium(t *testing.T) {
 		},
 	}
 	for _, g := range grid {
-		g.Spec.Networking = kops.NetworkingSpec{
+		g.Spec.Networking.Cilium = &g.Cilium
-			Cilium: &g.Cilium,
-		}
 		if g.Spec.KubernetesVersion == "" {
 			g.Spec.KubernetesVersion = "1.17.0"
 		}

pkg/apis/kops/zz_generated.deepcopy.go

@@ -669,6 +669,32 @@ func (in *ChannelSpec) DeepCopy() *ChannelSpec {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CiliumGatewayAPISpec) DeepCopyInto(out *CiliumGatewayAPISpec) {
+	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableSecretsSync != nil {
+		in, out := &in.EnableSecretsSync, &out.EnableSecretsSync
+		*out = new(bool)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumGatewayAPISpec.
+func (in *CiliumGatewayAPISpec) DeepCopy() *CiliumGatewayAPISpec {
+	if in == nil {
+		return nil
+	}
+	out := new(CiliumGatewayAPISpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CiliumIngressSpec) DeepCopyInto(out *CiliumIngressSpec) {
 	*out = *in
@@ -792,6 +818,11 @@ func (in *CiliumNetworkingSpec) DeepCopyInto(out *CiliumNetworkingSpec) {
 		*out = new(CiliumIngressSpec)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.GatewayAPI != nil {
+		in, out := &in.GatewayAPI, &out.GatewayAPI
+		*out = new(CiliumGatewayAPISpec)
+		(*in).DeepCopyInto(*out)
+	}
 	return
 }
 

pkg/model/components/cilium.go

@@ -187,5 +187,16 @@ func (b *CiliumOptionsBuilder) BuildOptions(o *kops.Cluster) error {
 		}
 	}
 
+	gatewayAPI := c.GatewayAPI
+	if gatewayAPI != nil {
+		if gatewayAPI.Enabled == nil {
+			gatewayAPI.Enabled = fi.PtrTo(true)
+		}
+	} else {
+		c.GatewayAPI = &kops.CiliumGatewayAPISpec{
+			Enabled: fi.PtrTo(false),
+		}
+	}
+
 	return nil
 }

tests/integration/update_cluster/minimal-ipv6-cilium/data/aws_s3_object_cluster-completed.spec_content

@@ -201,6 +201,8 @@ spec:
       enableLocalRedirectPolicy: false
       enableRemoteNodeIdentity: true
       enableUnreachableRoutes: false
+      gatewayAPI:
+        enabled: false
       hubble:
         enabled: false
       identityAllocationMode: crd

tests/integration/update_cluster/minimal-warmpool/data/aws_s3_object_cluster-completed.spec_content

@@ -193,6 +193,8 @@ spec:
       enableLocalRedirectPolicy: false
       enableRemoteNodeIdentity: true
       enableUnreachableRoutes: false
+      gatewayAPI:
+        enabled: false
       hubble:
         enabled: false
       identityAllocationMode: crd

tests/integration/update_cluster/minimal_scaleway/data/aws_s3_object_cluster-completed.spec_content

@@ -189,6 +189,8 @@ spec:
       enableNodePort: true
       enableRemoteNodeIdentity: true
       enableUnreachableRoutes: false
+      gatewayAPI:
+        enabled: false
       hubble:
         enabled: false
       identityAllocationMode: crd

tests/integration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content

@@ -195,6 +195,8 @@ spec:
       enableLocalRedirectPolicy: false
       enableRemoteNodeIdentity: true
       enableUnreachableRoutes: false
+      gatewayAPI:
+        enabled: false
       hubble:
         enabled: false
       identityAllocationMode: crd

tests/integration/update_cluster/privatecilium/data/aws_s3_object_cluster-completed.spec_content

@@ -199,6 +199,8 @@ spec:
       enableLocalRedirectPolicy: false
       enableRemoteNodeIdentity: true
       enableUnreachableRoutes: false
+      gatewayAPI:
+        enabled: false
       hubble:
         enabled: false
       identityAllocationMode: crd

tests/integration/update_cluster/privatecilium2/data/aws_s3_object_cluster-completed.spec_content

@@ -208,6 +208,8 @@ spec:
       enableLocalRedirectPolicy: false
       enableRemoteNodeIdentity: true
       enableUnreachableRoutes: false
+      gatewayAPI:
+        enabled: false
       hubble:
         enabled: true
         metrics:

tests/integration/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content

@@ -207,6 +207,8 @@ spec:
       enableRemoteNodeIdentity: true
       enableUnreachableRoutes: false
       etcdManaged: true
+      gatewayAPI:
+        enabled: false
       hubble:
         enabled: false
       identityAllocationMode: crd

upup/models/cloudup/resources/addons/networking.cilium.io/k8s-1.16-v1.15.yaml.template

@@ -317,6 +317,15 @@ data:
   {{ end }}
   {{ end }}
 
+  {{ if WithDefaultBool .GatewayAPI.Enabled false }}
+  enable-gateway-api: "true"
+  gateway-api-secrets-namespace: kube-system
+
+  {{ if .GatewayAPI.EnableSecretsSync }}
+  enable-gateway-api-secrets-sync: "{{ .GatewayAPI.EnableSecretsSync }}"
+  {{ end }}
+  {{ end }}
+
   # Tell the agent to generate and write a CNI configuration file
   write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
   cni-exclusive: "{{ .CniExclusive }}"
@@ -735,6 +744,54 @@ rules:
   verbs:
   - update
 {{ end }}
+{{ if WithDefaultBool .GatewayAPI.Enabled false }}
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - gatewayclasses
+  - gateways
+  - tlsroutes
+  - httproutes
+  - grpcroutes
+  - referencegrants
+  - referencepolicies
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - gatewayclasses
+  verbs:
+  - patch
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - gatewayclasses/status
+  - gateways/status
+  - httproutes/status
+  - grpcroutes/status
+  - tlsroutes/status
+  verbs:
+  - update
+  - patch
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumgatewayclassconfigs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumgatewayclassconfigs/status
+  verbs:
+  - update
+  - patch
+{{ end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -913,6 +970,86 @@ subsets:
   - port: 9999
 {{ end }}
 {{ end }}
+{{ if WithDefaultBool .GatewayAPI.Enabled false }}
+---
+# Source: cilium/templates/cilium-agent/role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cilium-gateway-secrets
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+---
+# Source: cilium/templates/cilium-operator/rolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cilium-gateway-secrets
+  namespace: kube-system
+  labels:
+    app.kubernetes.io/part-of: cilium
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cilium-gateway-secrets
+subjects:
+  - kind: ServiceAccount
+    name: "cilium"
+    namespace: kube-system
+---
+# Source: cilium/templates/cilium-operator/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cilium-operator-gateway-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - update
+  - patch
+---
+# Source: cilium/templates/cilium-operator/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cilium-operator-gateway-secrets
+  labels:
+    app.kubernetes.io/part-of: cilium
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cilium-operator-gateway-secrets
+subjects:
+  - kind: ServiceAccount
+    name: "cilium-operator"
+    namespace: kube-system
+---
+# Source: cilium/templates/cilium-gateway-api-class.yaml
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: cilium
+spec:
+  controllerName: io.cilium/gateway-controller
+  description: The default Cilium GatewayClass
+{{ end }}
 {{ if WithDefaultBool .Hubble.Enabled false }}
 {{ if .Hubble.Metrics }}
 ---