[Yandex Cloud documentation](../../../index.md) > [Yandex Managed Service for Kubernetes](../../index.md) > [Step-by-step guides](../index.md) > Installing applications from Cloud Marketplace > Installing Gateway API

# Installing Gateway API

# Installing Gateway API

{% note tip %}

We recommend using the new [Yandex Cloud Gwin](../../alb-ref/gwin-index.md) controller instead of an ALB Ingress controller and Gateway API.

{% endnote %}

[Gateway API](https://github.com/kubernetes-sigs/gateway-api) is a collection of API resources that model networking in a [Managed Service for Kubernetes cluster](../../concepts/index.md#kubernetes-cluster). These include `GatewayClass`, `Gateway`, `HTTPRoute`, etc.

In Managed Service for Kubernetes, Gateway API launches [Yandex Application Load Balancer](../../../application-load-balancer/index.md) and its auxiliary resources when a Kubernetes user announces the `Gateway` resource in a Managed Service for Kubernetes cluster.

{% note warning %}

Do not modify or delete the network load balancer and its child resources created using Managed Service for Kubernetes via the Yandex Cloud interfaces (the management console, Terraform, CLI, or API). This may cause incorrect operation of the cluster.

{% endnote %}

## Getting started {#before-you-begin}

1. If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

   The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

1. [Create a service account](../../../iam/operations/sa/create.md) for Gateway API.
1. [Assign the following roles to the service account](../../../iam/operations/sa/assign-role-for-sa.md):
   * `alb.editor`: To create the required resources.
   * `vpc.publicAdmin`: To manage [external connectivity](../../../vpc/security/index.md#roles-list).
   * `certificate-manager.admin`: To use [certificates](../../../certificate-manager/concepts/index.md#types) registered in [Yandex Certificate Manager](../../../certificate-manager/index.md).
   * `compute.viewer`: To use Managed Service for Kubernetes cluster [nodes](../../concepts/index.md#node-group) in balancer [target groups](../../../application-load-balancer/concepts/target-group.md).
1. Create an [authorized key](../../../iam/operations/authentication/manage-authorized-keys.md#create-authorized-key) for your service account and save it to the `sa-key.json` file:

   ```bash
   yc iam key create \
     --service-account-name <name_of_service_account_for_Gateway_API> \
     --output sa-key.json
   ```

1. [Make sure](../connect/security-groups.md) the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If a rule is missing, [add it](../../../vpc/operations/security-group-add-rule.md).

    {% note warning %}
    
    The configuration of security groups determines performance and availability of the cluster and the services and applications running in it.
    
    {% endnote %}

## Installation from Yandex Cloud Marketplace {#marketplace-install}

{% list tabs group=instructions %}

- Management console {#console}

  1. Go to the [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) page.
  1. Navigate to **Managed Service for&nbsp;Kubernetes**.
  1. Click the name of the Managed Service for Kubernetes cluster you need and select the ![Marketplace](../../../_assets/console-icons/shopping-cart.svg) **Marketplace** tab.
  1. Under **Application available for installation**, select [Gateway API](https://yandex.cloud/en/marketplace/products/yc/gateway-api) and click **Go to install**.
  1. Configure the application:
     * **Namespace**: Create a new [namespace](../../concepts/index.md#namespace), e.g., `gateway-api-space`. If you leave the default namespace, Gateway API may work incorrectly.
     * **Application name**: Specify the application name.
     * **Folder ID**: Select the folder where you want to create your load balancers.
     * **Network ID**: Select the [cloud network](../../../vpc/concepts/network.md#network) where your [load balancers](../../../application-load-balancer/concepts/application-load-balancer.md#lb-location) will reside.
     * **Subnet 1 ID**, **Subnet 2 ID**, **Subnet 3 ID**: Select [subnets](../../../vpc/concepts/network.md#subnet) where your [load balancers](../../../application-load-balancer/concepts/application-load-balancer.md#lb-location) will reside.
     * **Service account key**: Paste the contents of the `sa-key.json` file or create a new [service account](../../../iam/concepts/users/service-accounts.md) [key](../../../iam/concepts/authorization/key.md).
  1. Click **Install**.
  1. Wait for the application status to change to `Deployed`.

{% endlist %}

## Installation using a Helm chart {#helm-install}

1. [Install Helm](https://helm.sh/docs/intro/install/) v3.8.0 or higher.
1. [Install kubect](https://kubernetes.io/docs/tasks/tools/install-kubectl) and [configure it to work with the new cluster](../connect/index.md#kubectl-connect).
1. To install a [Helm chart](https://helm.sh/docs/topics/charts/) with Gateway API, run this command:

   ```bash
   helm pull oci://cr.yandex/yc-marketplace/yandex-cloud/gateway-api/gateway-api-helm/gateway-api \
     --version v0.7.3 \
     --untar && \
   helm install \
     --namespace <namespace> \
     --create-namespace \
     --set folderId='<folder_ID>' \
     --set networkId='<cloud_network_ID>' \
     --set subnet1Id='<subnet_1_ID>' \
     --set subnet2Id='<subnet_2_ID>' \
     --set subnet3Id='<subnet_3_ID>' \
     --set-file saKeySecretKey='<path_to_sa-key.json>' \
     gateway-api ./gateway-api/
   ```

   In this command, specify the network and its subnets where your [load balancers](../../../application-load-balancer/concepts/application-load-balancer.md#lb-location) will reside.

   If you set `namespace` to the default namespace, Gateway API may work incorrectly. We recommend specifying a value different from all the existing namespaces, e.g., `gateway-api-space`.

   {% note info %}
   
   If you are using a Helm version below 3.8.0, add the `export HELM_EXPERIMENTAL_OCI=1 && \` string at the beginning of the command to enable [Open Container Initiative](https://opencontainers.org/) (OCI) support in the Helm client.
   
   {% endnote %}

## Application auto upgrade {#auto-update}

Gateway API 0.6.0 contains a Gateway API CRD upgrade from version [0.6.2](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v0.6.2) to [1.2.1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.1). When upgrading your Gateway API from version 0.5.0 or lower to version 0.6.0, installing from the Helm chart will automatically upgrade Gateway API CRDs and all dependent resources in the Managed Service for Kubernetes cluster. The upgrade is secure, i.e., none of your Application Load Balancer resources will be deleted or recreated.

Automatic upgrade from version 0.5.0 or lower follows these steps:

1. The cluster is checked for `GRPCRoute` or `ReferenceGrant` custom resources. If such resources exist, the application will not upgrade to avoid conflicts, as CRDs for these resources in the new version are incompatible with the previous version. For manual upgrade, see below.
1. The Gateway API controller is stopped; the number of replicas scales down to zero.
1. The CRDs of the `GRPCRoute` resources are removed; the CRDs of the remaining dependent resources of the new Gateway API version are applied.
1. The Gateway API controller is started; the number of replicas scales back to the original value.

To disable CRD auto update, add this Helm chart installation command parameter: `--set crdsAutoUpgrade=false`. Thus your resources will be updated, while you will have to update the Gateway API CRDs manually. You can get the CRD file in the `crds` directory in the Helm chart archive.

{% cut "Upgrading Gateway API manually" %}

1. Create a backup of your Gateway API resources.
1. Stop the Gateway API controller.
1. Remove all `GRPCRoute` resources from your cluster.
1. Apply the new versions of the Gateway API CRDs. You can get the CRD file in the `crds` directory in the Helm chart archive.
1. Start the Gateway API controller.
1. In your `GRPCRoute` resource specification, replace the `apiVersion` value with `gateway.networking.k8s.io/v1` and apply the specification.
1. Install the new Helm chart version.

{% endcut %}

## Use cases {#examples}

* [Setting up the Gateway API](../../tutorials/marketplace/gateway-api.md).

## See also {#see-also}

* [Gateway API project description](https://gateway-api.sigs.k8s.io/).
* [Gateway API description and configuration information](../../../application-load-balancer/tools/k8s-gateway-api/index.md) in the Application Load Balancer guides.