From 880358a54ea40d1e283b9e9bc9c2de993b85035d Mon Sep 17 00:00:00 2001 From: Patrick Zhan Date: Mon, 22 Jun 2026 17:07:17 -0700 Subject: [PATCH 1/2] [EV-6717] Document enabling Calico Ingress Gateway via the Helm gatewayAPI toggle Add the Helm install-time path (gatewayAPI.enabled) for enabling Calico Ingress Gateway alongside the existing kubectl method, with the matching Helm values reference entry and sample, plus a customization note that GatewayAPI spec fields can be set under gatewayAPI in values.yaml. Enterprise-only. Co-Authored-By: Claude Opus 4.8 --- .../create-ingress-gateway.mdx | 33 ++++++++++++++++++- .../customize-ingress-gateway.mdx | 4 +++ .../installation/helm_customization.mdx | 5 +++ 3 files changed, 41 insertions(+), 1 deletion(-) diff --git a/calico-enterprise/networking/ingress-gateway/create-ingress-gateway.mdx b/calico-enterprise/networking/ingress-gateway/create-ingress-gateway.mdx index f3316997c6..d923bde19e 100644 --- a/calico-enterprise/networking/ingress-gateway/create-ingress-gateway.mdx +++ b/calico-enterprise/networking/ingress-gateway/create-ingress-gateway.mdx @@ -2,6 +2,9 @@ description: Deploy a Calico Ingress Gateway in a Calico Enterprise cluster by applying GatewayAPI and Gateway resources tied to the Tigera-managed gateway class. --- +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; + # Create an ingress gateway Create an ingress gateway to manage ingress traffic with the Kubernetes Gateway API. @@ -33,7 +36,31 @@ You need to do the following: allow traffic through the gateway by adding the `tigera-gateway` namespace to the list of excluded namespaces in the `namespaceSelector` field. -1. To enable Gateway API support, create a `GatewayAPI` resource with the name `tigera-secure`: +1. Enable Gateway API support by creating a `GatewayAPI` resource named `tigera-secure`. You can enable it at install time with Helm, or at any time with `kubectl`. Both methods create the same `tigera-secure` resource and the default `tigera-gateway-class`. + + + + + When you [install $[prodname] with Helm](../../getting-started/install-on-clusters/kubernetes/helm.mdx), set `gatewayAPI.enabled` to `true` in your `values.yaml`: + + ```yaml title='values.yaml' + gatewayAPI: + enabled: true + ``` + + The Tigera Operator creates the `tigera-secure` `GatewayAPI` resource as part of the installation. To customize the gateway, set any [`GatewayAPI` spec field](../../reference/installation/api.mdx#gatewayapi) under `gatewayAPI:` — for example, to [define additional gateway classes](customize-ingress-gateway.mdx#configure-multiple-gateway-classes): + + ```yaml title='values.yaml' + gatewayAPI: + enabled: true + gatewayClasses: + - name: tigera-gateway-class + ``` + + + + + If $[prodname] is already installed, create the `GatewayAPI` resource directly: ```bash kubectl apply -f - < + + The Tigera Operator pulls and sets up the hardened Envoy Gateway images. This gives you a set of Gateway API resources, including the `GatewayClass` resource you need to create your gateway. diff --git a/calico-enterprise/networking/ingress-gateway/customize-ingress-gateway.mdx b/calico-enterprise/networking/ingress-gateway/customize-ingress-gateway.mdx index 30358a2faf..97aeaa11be 100644 --- a/calico-enterprise/networking/ingress-gateway/customize-ingress-gateway.mdx +++ b/calico-enterprise/networking/ingress-gateway/customize-ingress-gateway.mdx @@ -24,6 +24,10 @@ For full details, see [the `GatewayAPI` reference documentation](../../reference To make use of these customization fields, use `kubectl edit gatewayapi tigera-secure` to edit the YAML for the `GatewayAPI` resource, and add or modify the customization fields that you require. +:::tip +You can also set these fields at install time. When you [install $[prodname] with Helm](../../getting-started/install-on-clusters/kubernetes/helm.mdx), add any `GatewayAPI` spec field under `gatewayAPI:` in your `values.yaml`, alongside `enabled: true`. +::: + ### Customization examples This section contains examples of common customizations. diff --git a/calico-enterprise/reference/installation/helm_customization.mdx b/calico-enterprise/reference/installation/helm_customization.mdx index bc3bcdb5ab..749dbc28af 100644 --- a/calico-enterprise/reference/installation/helm_customization.mdx +++ b/calico-enterprise/reference/installation/helm_customization.mdx @@ -17,6 +17,7 @@ You can customize the following resources and settings during $[prodname] Helm-b - [Policy recommendation](api.mdx#policyrecommendationspec) - [Authentication](api.mdx#authenticationspec) - [Application layer](api.mdx#applicationlayerspec) +- [Gateway API (Calico Ingress Gateway)](api.mdx#gatewayapi) - [Amazon cloud integration](api.mdx#amazoncloudintegrationspec) - [Default felix configuration](../resources/felixconfig.mdx#spec) @@ -78,6 +79,10 @@ applicationLayer: enabled: false +gatewayAPI: + enabled: false + + amazonCloudIntegration: enabled: false From 1d10de7a88f56e685273e11e68f64344661f8dd9 Mon Sep 17 00:00:00 2001 From: Patrick Zhan Date: Mon, 29 Jun 2026 17:39:27 -0700 Subject: [PATCH 2/2] Address review: link to #gatewayapispec and show an additional gateway class Per review on #2798: point the Gateway API links at the GatewayAPISpec anchor (matching the sibling *Spec links and landing users on the spec fields), and add a second class to the values example so it actually demonstrates defining additional gateway classes. Co-Authored-By: Claude Opus 4.8 --- .../networking/ingress-gateway/create-ingress-gateway.mdx | 3 ++- .../reference/installation/helm_customization.mdx | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/calico-enterprise/networking/ingress-gateway/create-ingress-gateway.mdx b/calico-enterprise/networking/ingress-gateway/create-ingress-gateway.mdx index d923bde19e..ce5e08de95 100644 --- a/calico-enterprise/networking/ingress-gateway/create-ingress-gateway.mdx +++ b/calico-enterprise/networking/ingress-gateway/create-ingress-gateway.mdx @@ -48,13 +48,14 @@ You need to do the following: enabled: true ``` - The Tigera Operator creates the `tigera-secure` `GatewayAPI` resource as part of the installation. To customize the gateway, set any [`GatewayAPI` spec field](../../reference/installation/api.mdx#gatewayapi) under `gatewayAPI:` — for example, to [define additional gateway classes](customize-ingress-gateway.mdx#configure-multiple-gateway-classes): + The Tigera Operator creates the `tigera-secure` `GatewayAPI` resource as part of the installation. To customize the gateway, set any [`GatewayAPI` spec field](../../reference/installation/api.mdx#gatewayapispec) under `gatewayAPI:` — for example, to [define additional gateway classes](customize-ingress-gateway.mdx#configure-multiple-gateway-classes): ```yaml title='values.yaml' gatewayAPI: enabled: true gatewayClasses: - name: tigera-gateway-class + - name: internal-gateway-class ``` diff --git a/calico-enterprise/reference/installation/helm_customization.mdx b/calico-enterprise/reference/installation/helm_customization.mdx index 749dbc28af..8aface888a 100644 --- a/calico-enterprise/reference/installation/helm_customization.mdx +++ b/calico-enterprise/reference/installation/helm_customization.mdx @@ -17,7 +17,7 @@ You can customize the following resources and settings during $[prodname] Helm-b - [Policy recommendation](api.mdx#policyrecommendationspec) - [Authentication](api.mdx#authenticationspec) - [Application layer](api.mdx#applicationlayerspec) -- [Gateway API (Calico Ingress Gateway)](api.mdx#gatewayapi) +- [Gateway API (Calico Ingress Gateway)](api.mdx#gatewayapispec) - [Amazon cloud integration](api.mdx#amazoncloudintegrationspec) - [Default felix configuration](../resources/felixconfig.mdx#spec)