The Gateway API provides a modern, standardized way to expose services in Kubernetes. It’s the successor to Ingress and is recommended for new deployments, especially on GKE where it’s natively supported.
Gateway API vs Ingress: Gateway API offers more flexibility and features compared to traditional Ingress resources. It supports advanced routing, traffic splitting, and is designed for multi-tenancy. GKE has built-in Gateway API support with no additional controller installation needed.
Core Configuration
Enable Gateway API for routing traffic to web and OAuth services.When Enabled:
- Creates or references a Gateway resource
- Configures HTTPRoutes for web and OAuth services (when their respective
gateway.enabled is true)
- Requires Gateway API CRDs installed in the cluster
Prerequisites:
- Cluster must have Gateway API CRDs installed
- On GKE, enable with:
gcloud container clusters update CLUSTER --gateway-api=standard
Example:gateway:
enabled: true
create: true
gatewayClassName: gke-l7-global-external-managed
Create a new Gateway resource or reference an existing one.When true:
- Chart creates a new Gateway resource
- Gateway name defaults to
<release-name>-gateway or can be set via gateway.name
- Gateway is created in the same namespace as the Helm release
When false:
- Chart references an existing Gateway by name
- Must specify
gateway.name and optionally gateway.namespace
- Useful for shared Gateway across multiple applications
Example - Create New Gateway:gateway:
enabled: true
create: true
gatewayClassName: gke-l7-global-external-managed
gateway:
enabled: true
create: false
name: shared-gateway
namespace: gateway-infra
Name of the Gateway resource.Default Behavior:
- When
create: true and empty: Defaults to <release-name>-gateway
- When
create: false: Must be specified (name of existing Gateway)
Example:gateway:
enabled: true
create: false
name: shared-gateway
namespace: istio-system
Namespace of the Gateway resource (only used when create: false).Purpose: Allows HTTPRoutes to reference a Gateway in a different namespace.Default Behavior: If empty when create: false, assumes Gateway is in the same namespace as the Helm release.Example:gateway:
enabled: true
create: false
name: shared-gateway
namespace: gateway-infra
Gateway controller class name.Required: Yes (when gateway.enabled: true)GKE Built-in Classes:
gke-l7-global-external-managed - Global external Application Load Balancergke-l7-regional-external-managed - Regional external Application Load Balancergke-l7-rilb - Regional internal Application Load Balancer
Other Controllers:
istio - Istio Gatewaynginx - NGINX Gateway (if NGINX Gateway Fabric is installed)
Example:gateway:
enabled: true
gatewayClassName: gke-l7-global-external-managed
On GKE, verify available GatewayClasses with: kubectl get gatewayclass
Annotations for the Gateway resource.Use Cases:
- GCP certificate maps for managed certificates
- Cloud-specific load balancer configuration
- Custom metadata
Example - GCP Managed Certificate:gateway:
enabled: true
gatewayClassName: gke-l7-global-external-managed
annotations:
networking.gke.io/certmap: crewai-cert-map
gateway:
annotations:
networking.gke.io/static-ip: crewai-static-ip
Listeners Configuration
List of Gateway listeners (ports and protocols).Purpose: Defines which ports the Gateway listens on and how traffic is handled.Default Configuration:listeners:
- name: http
protocol: HTTP
port: 80
name - Unique listener nameprotocol - HTTP, HTTPS, TCP, or TLSport - Port number (80, 443, etc.)
Optional fields:
hostname - Hostname filter for this listenertls - TLS configuration (for HTTPS/TLS protocols)
The chart automatically configures allowedRoutes.namespaces.from: Same to restrict HTTPRoutes to the same namespace.
HTTP Listener Example
gateway:
enabled: true
gatewayClassName: gke-l7-global-external-managed
listeners:
- name: http
protocol: HTTP
port: 80
HTTPS Listener with Kubernetes TLS Secret
gateway:
enabled: true
gatewayClassName: gke-l7-global-external-managed
listeners:
- name: https
protocol: HTTPS
port: 443
tls:
mode: Terminate
certificateRefs:
- name: crewai-tls-secret
HTTPS Listener with GCP Managed Certificate
gateway:
enabled: true
gatewayClassName: gke-l7-global-external-managed
annotations:
networking.gke.io/certmap: crewai-cert-map
listeners:
- name: https
protocol: HTTPS
port: 443
When using GCP-managed certificates via networking.gke.io/certmap, the listener doesn’t need tls.certificateRefs. The certificate map is applied at the Gateway level via annotations.
HTTP and HTTPS Listeners (Dual-Stack)
gateway:
enabled: true
gatewayClassName: gke-l7-global-external-managed
listeners:
- name: http
protocol: HTTP
port: 80
- name: https
protocol: HTTPS
port: 443
tls:
mode: Terminate
certificateRefs:
- name: crewai-tls-secret
Complete Examples
Basic HTTP Gateway (Development)
gateway:
enabled: true
create: true
gatewayClassName: gke-l7-regional-external-managed
listeners:
- name: http
protocol: HTTP
port: 80
web:
gateway:
enabled: true
hostnames:
- crewai.dev.company.com
Production HTTPS Gateway with Managed Certificate
gateway:
enabled: true
create: true
gatewayClassName: gke-l7-global-external-managed
annotations:
networking.gke.io/certmap: crewai-cert-map
listeners:
- name: https
protocol: HTTPS
port: 443
- name: http
protocol: HTTP
port: 80
web:
gateway:
enabled: true
hostnames:
- crewai.company.com
oauth:
enabled: true
gateway:
enabled: true
pathPrefix: /oauthsvc
Shared Gateway Across Multiple Applications
Install infrastructure Gateway once:
# Create shared gateway namespace
kubectl create namespace gateway-infra
# Install gateway
helm install shared-gateway ./gateway-chart \
--namespace gateway-infra \
--set gatewayClassName=gke-l7-global-external-managed
gateway:
enabled: true
create: false
name: shared-gateway
namespace: gateway-infra
web:
gateway:
enabled: true
hostnames:
- crewai.company.com
OAuth with Dedicated Hostname
When using a dedicated hostname for OAuth (recommended for non-NGINX ingress controllers):
gateway:
enabled: true
create: true
gatewayClassName: gke-l7-global-external-managed
annotations:
networking.gke.io/certmap: crewai-cert-map
listeners:
- name: https
protocol: HTTPS
port: 443
web:
gateway:
enabled: true
hostnames:
- crewai.company.com
oauth:
enabled: true
gateway:
enabled: true
hostname: oauth.company.com
pathPrefix: /
When using a dedicated OAuth hostname, ensure:
- The hostname is included in your TLS certificate or certificate map
- DNS points to the same Gateway IP address
- OAuth provider callback URLs are configured with the dedicated hostname
Troubleshooting
Gateway Not Found
Error: HTTPRoute shows Gateway not found in status
Solution: Verify Gateway exists and is in the correct namespace:
kubectl get gateway -n <namespace>
create: false, ensure the referenced Gateway exists:
kubectl get gateway <gateway-name> -n <gateway-namespace>
No GatewayClass Available
Error: no matches for kind "Gateway" or GatewayClass not found
Solution: Enable Gateway API on your cluster:
GKE:
gcloud container clusters update CLUSTER_NAME \
--gateway-api=standard \
--region REGION
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml
HTTPRoute Not Attached to Gateway
Error: HTTPRoute shows Accepted: False in status
Possible causes:
- Gateway namespace mismatch
- Listener protocol mismatch
- Hostname conflicts
Debug:
kubectl describe httproute <release-name>-web -n <namespace>
Status.Parents section for detailed error messages.
Web HTTPRoute: See Web Configuration - Gateway API for web service routing configuration.
OAuth HTTPRoute: See OAuth Configuration - Gateway API for OAuth service routing configuration.
GCP Gateway API Guide: See GCP Integration Guide - External Access for GCP-specific Gateway API setup including managed certificates and load balancer configuration. 