cilium-operator CrashLoopBackOff when cilium_gateway_api_enabled=true: TLSRoute v1alpha2 not served in Gateway API v1.5.1 standard channel

[bbaassssiiee]

Bug Report

Environment

• Kubespray branch: release-2.31
• Cilium version: 1.19.3 (as shipped in release-2.31)
• Gateway API CRDs version: v1.5.1 (standard channel — the default)
• Affected variable: cilium_gateway_api_enabled: true

What happened

After deploying with cilium_gateway_api_enabled: true and the default gateway_api_channel: standard, the cilium-operator enters CrashLoopBackOff immediately on startup.

Both replicas fail with:

level=fatal msg="failed to start: failed to populate object graph: failed to create gateway controller: failed to setup reconciler: failed to setup field indexer \"gatewayTLSRouteIndex\": no matches for kind \"TLSRoute\" in version \"gateway.networking.k8s.io/v1alpha2\""

Root cause

The Gateway API v1.5.1 standard channel CRD bundle includes the TLSRoute CRD, but marks v1alpha2 as not served:

v1        served=true   storage=true
v1alpha2  served=false  storage=false   <- Cilium tries to index this
v1alpha3  served=false  storage=false

TLSRoute is an experimental resource. In the standard channel bundle, its older versions are present in the CRD spec but intentionally not served. Cilium 1.19.3's operator unconditionally registers a field indexer for TLSRoute/v1alpha2 when enable-gateway-api: true, and treats the resulting error as fatal.

Reproduction steps

1. Deploy a cluster with Kubespray release-2.31
2. Set cilium_gateway_api_enabled: true (leave gateway_api_channel at default standard)
3. Observe cilium-operator pods in CrashLoopBackOff

Workaround

Manually patch the TLSRoute CRD to re-enable serving of v1alpha2:

kubectl patch crd tlsroutes.gateway.networking.k8s.io --type=json \
  -p='[{"op": "replace", "path": "/spec/versions/1/served", "value": true}]'
kubectl rollout restart deployment -n kube-system cilium-operator

[yankay]

Thanks @bbaassssiiee, your root-cause analysis is correct. Confirmed against the upstream sources:

• Gateway API v1.5.1 standard channel TLSRoute CRD: v1 served, v1alpha2/v1alpha3 not served.
• Cilium 1.19.x officially supports Gateway API v1.4.1 only (docs). Cilium 1.20+ supports v1.5.1 via cilium/cilium#45251 — and it will not be backported (see also cilium/cilium#44920 and cilium/cilium#45139).

Affected branches (whenever a user sets cilium_gateway_api_enabled: true):

branch	cilium_version	gateway_api default
master	1.19.3	1.5.1 standard
release-2.31	1.19.3	1.5.1 standard
release-2.30	1.18.6	1.5.1 standard

Workarounds (any one is enough):

1. Pin gateway_api_version: "1.4.1" (last version Cilium 1.19.x officially supports).
2. Set gateway_api_channel: "experimental" — TLSRoute v1alpha2 is served in the experimental bundle.
3. Wait for Cilium 1.20 GA + a kubespray bump.

I'll send a small PR adding a preflight assert so this incompatible combo fails fast at deploy time instead of leaving cilium-operator in CrashLoopBackOff. A Cilium 1.20 bump on master will be tracked separately once it goes stable (currently only v1.20.0-pre.1 is available).

[bbaassssiiee]

Option 2 seems to fail due to too large YAML, I notived a call to kubectl apply instead of kubectl create by plugins/modules/kube.py