diff --git a/api/v1alpha1/envoyproxy_types.go b/api/v1alpha1/envoyproxy_types.go
index c81fe1c5da..482cf28113 100644
--- a/api/v1alpha1/envoyproxy_types.go
+++ b/api/v1alpha1/envoyproxy_types.go
@@ -373,6 +373,17 @@ type EnvoyProxyKubernetesProvider struct {
// EnvoyPDB allows to control the pod disruption budget of an Envoy Proxy.
// +optional
EnvoyPDB *KubernetesPodDisruptionBudgetSpec `json:"envoyPDB,omitempty"`
+
+ // EnvoyServiceAccount defines the desired state of the Envoy service account resource.
+ EnvoyServiceAccount *KubernetesServiceAccountSpec `json:"envoyServiceAccount,omitempty"`
+}
+
+type KubernetesServiceAccountSpec struct {
+ // Name of the Service Account.
+ // When unset, this defaults to an autogenerated name.
+ //
+ // +optional
+ Name *string `json:"name,omitempty"`
}
// ProxyLogging defines logging parameters for managed proxies.
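Review bot: The new EnvoyServiceAccount field carries `omitempty` but no `// +optional` marker, unlike the sibling EnvoyPDB field directly above it, and the regenerated API reference in this same commit (extension_types.md) accordingly lists `envoyServiceAccount` with Required set to true; add `// +optional` on the line before the field so the generated schema and docs match the pointer/omitempty intent. The newly exported KubernetesServiceAccountSpec type also has no doc comment; `// KubernetesServiceAccountSpec defines the desired state of the Envoy service account resource.` would satisfy the lint and the site generator. Since Name selects which Kubernetes identity the proxy pods run as, the field comment should also say whether the controller creates this account or binds to a pre-existing one — that behavior is not visible from this hunk, so it is worth stating explicitly. The enclosing EnvoyProxyKubernetesProvider struct begins outside the hunk.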
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 86d35a1146..fe790712a4 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -2262,6 +2262,11 @@ func (in *EnvoyProxyKubernetesProvider) DeepCopyInto(out *EnvoyProxyKubernetesPr
*out = new(KubernetesPodDisruptionBudgetSpec)
(*in).DeepCopyInto(*out)
}
+ if in.EnvoyServiceAccount != nil {
+ in, out := &in.EnvoyServiceAccount, &out.EnvoyServiceAccount
+ *out = new(KubernetesServiceAccountSpec)
+ (*in).DeepCopyInto(*out)
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnvoyProxyKubernetesProvider.
@@ -4223,6 +4228,26 @@ func (in *KubernetesPodSpec) DeepCopy() *KubernetesPodSpec {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KubernetesServiceAccountSpec) DeepCopyInto(out *KubernetesServiceAccountSpec) {
+ *out = *in
+ if in.Name != nil {
+ in, out := &in.Name, &out.Name
+ *out = new(string)
+ **out = **in
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesServiceAccountSpec.
+func (in *KubernetesServiceAccountSpec) DeepCopy() *KubernetesServiceAccountSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(KubernetesServiceAccountSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *KubernetesServiceSpec) DeepCopyInto(out *KubernetesServiceSpec) {
*out = *in
diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml
index c06dc41cb5..d6546ae3c1 100644
--- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml
+++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml
@@ -10445,6 +10445,16 @@ spec:
- message: loadBalancerIP can only be set for LoadBalancer
type
rule: '!has(self.loadBalancerIP) || self.type == ''LoadBalancer'''
+ envoyServiceAccount:
+ description: EnvoyServiceAccount defines the desired state
+ of the Envoy service account resource.
+ properties:
+ name:
+ description: |-
+ Name of the Service Account.
+ When unset, this defaults to an autogenerated name.
+ type: string
+ type: object
useListenerPortAsContainerPort:
description: |-
UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
index 5df38fb97e..a2bd3b2d2c 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
@@ -10444,6 +10444,16 @@ spec:
- message: loadBalancerIP can only be set for LoadBalancer
type
rule: '!has(self.loadBalancerIP) || self.type == ''LoadBalancer'''
+ envoyServiceAccount:
+ description: EnvoyServiceAccount defines the desired state
+ of the Envoy service account resource.
+ properties:
+ name:
+ description: |-
+ Name of the Service Account.
+ When unset, this defaults to an autogenerated name.
+ type: string
+ type: object
useListenerPortAsContainerPort:
description: |-
UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 8e182a587c..e2025a0da8 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -1590,6 +1590,7 @@ _Appears in:_
| `envoyHpa` | _[KubernetesHorizontalPodAutoscalerSpec](#kuberneteshorizontalpodautoscalerspec)_ | false | | EnvoyHpa defines the Horizontal Pod Autoscaler settings for Envoy Proxy Deployment. |
| `useListenerPortAsContainerPort` | _boolean_ | false | | UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
When set to false (default value), if the service port is a privileged port (1-1023), add a constant to the value converting it into an ephemeral port.
This allows the container to bind to the port without needing a CAP_NET_BIND_SERVICE capability. |
| `envoyPDB` | _[KubernetesPodDisruptionBudgetSpec](#kubernetespoddisruptionbudgetspec)_ | false | | EnvoyPDB allows to control the pod disruption budget of an Envoy Proxy. |
+| `envoyServiceAccount` | _[KubernetesServiceAccountSpec](#kubernetesserviceaccountspec)_ | true | | EnvoyServiceAccount defines the desired state of the Envoy service account resource. |
#### EnvoyProxyProvider
@@ -2925,6 +2926,20 @@ _Appears in:_
| `topologySpreadConstraints` | _[TopologySpreadConstraint](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#topologyspreadconstraint-v1-core) array_ | false | | TopologySpreadConstraints describes how a group of pods ought to spread across topology
domains. Scheduler will schedule pods in a way which abides by the constraints.
All topologySpreadConstraints are ANDed. |
+#### KubernetesServiceAccountSpec
+
+
+
+
+
+_Appears in:_
+- [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider)
+
+| Field | Type | Required | Default | Description |
+| --- | --- | --- | --- | --- |
+| `name` | _string_ | false | | Name of the Service Account.
When unset, this defaults to an autogenerated name. |
+
+
#### KubernetesServiceSpec
diff --git a/test/helm/gateway-crds-helm/all.out.yaml b/test/helm/gateway-crds-helm/all.out.yaml
index 4a779b4df6..7ef1a4eefe 100644
--- a/test/helm/gateway-crds-helm/all.out.yaml
+++ b/test/helm/gateway-crds-helm/all.out.yaml
@@ -34026,6 +34026,16 @@ spec:
- message: loadBalancerIP can only be set for LoadBalancer
type
rule: '!has(self.loadBalancerIP) || self.type == ''LoadBalancer'''
+ envoyServiceAccount:
+ description: EnvoyServiceAccount defines the desired state
+ of the Envoy service account resource.
+ properties:
+ name:
+ description: |-
+ Name of the Service Account.
+ When unset, this defaults to an autogenerated name.
+ type: string
+ type: object
useListenerPortAsContainerPort:
description: |-
UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
diff --git a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
index 912213e9fe..c618fa66fa 100644
--- a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
+++ b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
@@ -16714,6 +16714,16 @@ spec:
- message: loadBalancerIP can only be set for LoadBalancer
type
rule: '!has(self.loadBalancerIP) || self.type == ''LoadBalancer'''
+ envoyServiceAccount:
+ description: EnvoyServiceAccount defines the desired state
+ of the Envoy service account resource.
+ properties:
+ name:
+ description: |-
+ Name of the Service Account.
+ When unset, this defaults to an autogenerated name.
+ type: string
+ type: object
useListenerPortAsContainerPort:
description: |-
UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.