projectcontour · Sefiris · Dec 2, 2025 · Dec 2, 2025 · Dec 2, 2025
diff --git a/charts/contour-gateway-provisioner/Chart.yaml b/charts/contour-gateway-provisioner/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+name: contour-gateway-provisioner
+description: Contour Gateway API provisioner deployment chart.
+type: application
+version: 0.1.0
+appVersion: 1.33.0
+home: https://projectcontour.io/
+sources:
+  - https://github.com/projectcontour/contour
+maintainers:
+  - name: Contour Team
diff --git a/charts/contour-gateway-provisioner/README.md b/charts/contour-gateway-provisioner/README.md
@@ -0,0 +1,51 @@
+# Helm Chart for Contour Gateway Provisioner
+
+Deploys the Contour Gateway API provisioner controller using the upstream example manifest for dynamically provisioned Gateways.
+
+> **Note:** The Gateway API and Contour CRDs must be installed in the cluster before running the provisioner. It watches those resources (GatewayClass, Gateway, ContourDeployment, etc.) and will fail without the CRDs present.
+
+## Installing the Chart
+
+```console
+helm repo add contour https://projectcontour.github.io/helm-charts/
+helm repo update
+helm install my-provisioner contour/contour-gateway-provisioner
+```
+
+> **Tip**: List all releases using `helm list` or `helm ls --all-namespaces`
+
+## Local testing
+
+Render manifests locally from this repo:
+
+```console
+helm template test ./charts/contour-gateway-provisioner
+```
+
+Override values inline for quick checks (example disabling RBAC):
+
+```console
+helm template test ./charts/contour-gateway-provisioner \
+  --set rbac.create=false
+```
+
+## Configuration
+
+| Name                     | Description                                                         | Value          |
+| ------------------------ | ------------------------------------------------------------------- | -------------- |
+| `image.registry`         | Contour image registry                                              | `ghcr.io`      |
+| `image.repository`       | Contour image name                                                  | `projectcontour/contour` |
+| `image.tag`              | Contour image tag                                                   | `v1.33.0`      |
+| `image.pullPolicy`       | Image pull policy                                                   | `IfNotPresent` |
+| `image.pullSecrets`      | Image pull secrets                                                  | `[]`           |
+| `replicaCount`           | Provisioner controller replicas                                     | `1`            |
+| `metricsAddress`         | Metrics bind address                                                | `127.0.0.1:8080` |
+| `serviceAccount.create`  | Create a ServiceAccount for the provisioner                         | `true`         |
+| `serviceAccount.name`    | Override ServiceAccount name                                        | `""`           |
+| `serviceAccount.namespace` | Override ServiceAccount namespace used in RBAC subjects           | `""`           |
+| `serviceAccount.annotations` | Annotations for the ServiceAccount                              | `{}`           |
+| `serviceAccount.automountServiceAccountToken` | Automount ServiceAccount token                        | `true`         |
+| `resources.requests`     | Resource requests for the controller                                | `cpu: 100m`, `memory: 70Mi` |
+| `resources.limits`       | Resource limits for the controller                                  | `{}`           |
+| `rbac.create`            | Create RBAC resources                                               | `true`         |
+| `extraArgs`              | Extra CLI args appended to `contour gateway-provisioner`            | `[]`           |
diff --git a/charts/contour-gateway-provisioner/templates/_helpers.tpl b/charts/contour-gateway-provisioner/templates/_helpers.tpl
@@ -0,0 +1,45 @@
+{{- /*
+Common template helpers
+*/ -}}
+
+{{- define "contour-gateway-provisioner.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "contour-gateway-provisioner.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := include "contour-gateway-provisioner.name" . -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "contour-gateway-provisioner.labels" -}}
+app.kubernetes.io/name: {{ include "contour-gateway-provisioner.name" . }}
+helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/component: gateway-provisioner
+{{- end -}}
+
+{{- define "contour-gateway-provisioner.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "contour-gateway-provisioner.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{- define "contour-gateway-provisioner.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+{{- default (include "contour-gateway-provisioner.fullname" .) .Values.serviceAccount.name -}}
+{{- else -}}
+{{- default "default" .Values.serviceAccount.name -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "contour-gateway-provisioner.serviceAccountNamespace" -}}
+{{- default .Release.Namespace .Values.serviceAccount.namespace -}}
+{{- end -}}
diff --git a/charts/contour-gateway-provisioner/templates/deployment.yaml b/charts/contour-gateway-provisioner/templates/deployment.yaml
@@ -0,0 +1,58 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "contour-gateway-provisioner.fullname" . }}
+  labels:
+    {{- include "contour-gateway-provisioner.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "contour-gateway-provisioner.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "contour-gateway-provisioner.labels" . | nindent 8 }}
+      {{- if .Values.podAnnotations }}
+      annotations: {{- toYaml .Values.podAnnotations | nindent 8 }}
+      {{- end }}
+    spec:
+      serviceAccountName: {{ include "contour-gateway-provisioner.serviceAccountName" . }}
+      {{- with .Values.image.pullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      terminationGracePeriodSeconds: 10
+      containers:
+        - name: contour-gateway-provisioner
+          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - contour
+          args:
+            - gateway-provisioner
+            - --metrics-addr={{ .Values.metricsAddress }}
+            - --enable-leader-election
+            {{- with .Values.extraArgs }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          env:
+            - name: CONTOUR_PROVISIONER_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
diff --git a/charts/contour-gateway-provisioner/templates/rbac.yaml b/charts/contour-gateway-provisioner/templates/rbac.yaml
@@ -0,0 +1,220 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "contour-gateway-provisioner.fullname" . }}
+  labels:
+    {{- include "contour-gateway-provisioner.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - get
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - serviceaccounts
+      - services
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - update
+      - watch
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets
+      - deployments
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - update
+      - watch
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+      - get
+      - update
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      - backendtlspolicies
+      - gatewayclasses
+      - gateways
+      - grpcroutes
+      - httproutes
+      - referencegrants
+      - tcproutes
+      - tlsroutes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      - backendtlspolicies/status
+      - gatewayclasses/status
+      - gateways/status
+      - grpcroutes/status
+      - httproutes/status
+      - tcproutes/status
+      - tlsroutes/status
+    verbs:
+      - update
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses/status
+    verbs:
+      - create
+      - get
+      - update
+  - apiGroups:
+      - projectcontour.io
+    resources:
+      - contourconfigurations
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - update
+      - watch
+  - apiGroups:
+      - projectcontour.io
+    resources:
+      - contourconfigurations/status
+      - extensionservices/status
+      - httpproxies/status
+    verbs:
+      - create
+      - get
+      - update
+  - apiGroups:
+      - projectcontour.io
+    resources:
+      - contourdeployments
+      - extensionservices
+      - httpproxies
+      - tlscertificatedelegations
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterrolebindings
+      - clusterroles
+      - rolebindings
+      - roles
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - update
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "contour-gateway-provisioner.fullname" . }}
+  labels:
+    {{- include "contour-gateway-provisioner.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "contour-gateway-provisioner.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "contour-gateway-provisioner.serviceAccountName" . }}
+    namespace: {{ include "contour-gateway-provisioner.serviceAccountNamespace" . | quote }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "contour-gateway-provisioner.fullname" . }}
+  namespace: {{ include "contour-gateway-provisioner.serviceAccountNamespace" . | quote }}
+  labels:
+    {{- include "contour-gateway-provisioner.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - get
+      - update
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+      - get
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ printf "%s-leader-election" (include "contour-gateway-provisioner.fullname" .) }}
+  namespace: {{ include "contour-gateway-provisioner.serviceAccountNamespace" . | quote }}
+  labels:
+    {{- include "contour-gateway-provisioner.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "contour-gateway-provisioner.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "contour-gateway-provisioner.serviceAccountName" . }}
+    namespace: {{ include "contour-gateway-provisioner.serviceAccountNamespace" . | quote }}
+{{- end }}