From 0f987f6acdbe182bd7c9d60a794cace658ae47ae Mon Sep 17 00:00:00 2001
From: zirain
Date: Thu, 19 Jun 2025 21:48:31 +0800
Subject: [PATCH 1/2] api: allow reuse exiting service account

Signed-off-by: zirain
---
 api/v1alpha1/envoyproxy_types.go | 12 +++++++++
 api/v1alpha1/zz_generated.deepcopy.go | 25 +++++++++++++++++++
 .../gateway.envoyproxy.io_envoyproxies.yaml | 11 ++++++++
 .../gateway.envoyproxy.io_envoyproxies.yaml | 11 ++++++++
 site/content/en/latest/api/extension_types.md | 15 +++++++++++
 test/helm/gateway-crds-helm/all.out.yaml | 11 ++++++++
 .../envoy-gateway-crds.out.yaml | 11 ++++++++
 7 files changed, 96 insertions(+)

diff --git a/api/v1alpha1/envoyproxy_types.go b/api/v1alpha1/envoyproxy_types.go
index c81fe1c5da..618a25ca34 100644
--- a/api/v1alpha1/envoyproxy_types.go
+++ b/api/v1alpha1/envoyproxy_types.go
@@ -373,6 +373,18 @@ type EnvoyProxyKubernetesProvider struct {
 // EnvoyPDB allows to control the pod disruption budget of an Envoy Proxy.
 // +optional
 EnvoyPDB *KubernetesPodDisruptionBudgetSpec `json:"envoyPDB,omitempty"`
+
+ // EnvoyServiceAccount defines the desired state of the Envoy service account resource.
+ EnvoyServiceAccount *KubernetesServiceAccountSpec `json:"envoyServiceAccount,omitempty"`
+}
+
+type KubernetesServiceAccountSpec struct {
+ // Name is the name of the service account.
+ // If specified, the controller will use the provided service account
+ // instead of creating a new one.
+ //
+ // +optional
+ Name *string `json:"name,omitempty"`
 }
 // ProxyLogging defines logging parameters for managed proxies.
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 86d35a1146..fe790712a4 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
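Review bot: `EnvoyServiceAccount` is added without the `// +optional` marker that the sibling `EnvoyPDB` field carries, and the reference table regenerated in this same commit consequently lists `envoyServiceAccount` with Required = true even though the JSON tag has `omitempty`; add `// +optional` above the field so the published API docs match the intended optional semantics. `KubernetesServiceAccountSpec` is exported with no type comment, so the generated CRD carries only the field description; suggest `// KubernetesServiceAccountSpec defines the desired state of the Kubernetes ServiceAccount that the Envoy proxy pods run as.` Because `Name` makes the proxy pods inherit the RBAC bindings and projected tokens of an existing account, the doc comment should also state whether that account must already exist in the proxy namespace and whether the controller still reconciles bindings for it, neither of which this hunk shows. The value reaches the API server unvalidated (the regenerated CRD schema has only `type: string`); a `// +kubebuilder:validation:MaxLength=253` plus a DNS-1123 subdomain `Pattern` marker would bound the input and reject names the ServiceAccount API would refuse anyway. The enclosing `EnvoyProxyKubernetesProvider` struct starts outside the hunk.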
@@ -2262,6 +2262,11 @@ func (in *EnvoyProxyKubernetesProvider) DeepCopyInto(out *EnvoyProxyKubernetesPr
 *out = new(KubernetesPodDisruptionBudgetSpec)
 (*in).DeepCopyInto(*out)
 }
+ if in.EnvoyServiceAccount != nil {
+ in, out := &in.EnvoyServiceAccount, &out.EnvoyServiceAccount
+ *out = new(KubernetesServiceAccountSpec)
+ (*in).DeepCopyInto(*out)
+ }
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnvoyProxyKubernetesProvider.
@@ -4223,6 +4228,26 @@ func (in *KubernetesPodSpec) DeepCopy() *KubernetesPodSpec {
 return out
 }
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KubernetesServiceAccountSpec) DeepCopyInto(out *KubernetesServiceAccountSpec) {
+ *out = *in
+ if in.Name != nil {
+ in, out := &in.Name, &out.Name
+ *out = new(string)
+ **out = **in
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesServiceAccountSpec.
+func (in *KubernetesServiceAccountSpec) DeepCopy() *KubernetesServiceAccountSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(KubernetesServiceAccountSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KubernetesServiceSpec) DeepCopyInto(out *KubernetesServiceSpec) {
 *out = *in
diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml
index c06dc41cb5..24fbe8622d 100644
--- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml
+++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml
@@ -10445,6 +10445,17 @@ spec:
 - message: loadBalancerIP can only be set for LoadBalancer type
 rule: '!has(self.loadBalancerIP) || self.type == ''LoadBalancer'''
+ envoyServiceAccount:
+ description: EnvoyServiceAccount defines the desired state
+ of the Envoy service account resource.
+ properties:
+ name:
+ description: |-
+ Name is the name of the service account.
+ If specified, the controller will use the provided service account
+ instead of creating a new one.
+ type: string
+ type: object
 useListenerPortAsContainerPort:
 description: |-
 UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
index 5df38fb97e..145003c345 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
@@ -10444,6 +10444,17 @@ spec:
 - message: loadBalancerIP can only be set for LoadBalancer type
 rule: '!has(self.loadBalancerIP) || self.type == ''LoadBalancer'''
+ envoyServiceAccount:
+ description: EnvoyServiceAccount defines the desired state
+ of the Envoy service account resource.
+ properties:
+ name:
+ description: |-
+ Name is the name of the service account.
+ If specified, the controller will use the provided service account
+ instead of creating a new one.
+ type: string
+ type: object
 useListenerPortAsContainerPort:
 description: |-
 UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 8e182a587c..922c66d1f4 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -1590,6 +1590,7 @@ _Appears in:_
 | `envoyHpa` | _[KubernetesHorizontalPodAutoscalerSpec](#kuberneteshorizontalpodautoscalerspec)_ | false | | EnvoyHpa defines the Horizontal Pod Autoscaler settings for Envoy Proxy Deployment. |
 | `useListenerPortAsContainerPort` | _boolean_ | false | | UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
When set to false (default value), if the service port is a privileged port (1-1023), add a constant to the value converting it into an ephemeral port.
This allows the container to bind to the port without needing a CAP_NET_BIND_SERVICE capability. |
 | `envoyPDB` | _[KubernetesPodDisruptionBudgetSpec](#kubernetespoddisruptionbudgetspec)_ | false | | EnvoyPDB allows to control the pod disruption budget of an Envoy Proxy. |
+| `envoyServiceAccount` | _[KubernetesServiceAccountSpec](#kubernetesserviceaccountspec)_ | true | | EnvoyServiceAccount defines the desired state of the Envoy service account resource. |
 #### EnvoyProxyProvider
@@ -2925,6 +2926,20 @@ _Appears in:_
 | `topologySpreadConstraints` | _[TopologySpreadConstraint](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#topologyspreadconstraint-v1-core) array_ | false | | TopologySpreadConstraints describes how a group of pods ought to spread across topology
domains. Scheduler will schedule pods in a way which abides by the constraints.
All topologySpreadConstraints are ANDed. |
+#### KubernetesServiceAccountSpec
+
+
+
+
+
+_Appears in:_
+- [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider)
+
+| Field | Type | Required | Default | Description |
+| --- | --- | --- | --- | --- |
+| `name` | _string_ | false | | Name is the name of the service account.
If specified, the controller will use the provided service account
instead of creating a new one. |
+
+
 #### KubernetesServiceSpec
diff --git a/test/helm/gateway-crds-helm/all.out.yaml b/test/helm/gateway-crds-helm/all.out.yaml
index 4a779b4df6..f443ef9bc3 100644
--- a/test/helm/gateway-crds-helm/all.out.yaml
+++ b/test/helm/gateway-crds-helm/all.out.yaml
@@ -34026,6 +34026,17 @@ spec:
 - message: loadBalancerIP can only be set for LoadBalancer type
 rule: '!has(self.loadBalancerIP) || self.type == ''LoadBalancer'''
+ envoyServiceAccount:
+ description: EnvoyServiceAccount defines the desired state
+ of the Envoy service account resource.
+ properties:
+ name:
+ description: |-
+ Name is the name of the service account.
+ If specified, the controller will use the provided service account
+ instead of creating a new one.
+ type: string
+ type: object
 useListenerPortAsContainerPort:
 description: |-
 UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
diff --git a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
index 912213e9fe..0f3aae1965 100644
--- a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
+++ b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
@@ -16714,6 +16714,17 @@ spec:
 - message: loadBalancerIP can only be set for LoadBalancer type
 rule: '!has(self.loadBalancerIP) || self.type == ''LoadBalancer'''
+ envoyServiceAccount:
+ description: EnvoyServiceAccount defines the desired state
+ of the Envoy service account resource.
+ properties:
+ name:
+ description: |-
+ Name is the name of the service account.
+ If specified, the controller will use the provided service account
+ instead of creating a new one.
+ type: string
+ type: object
 useListenerPortAsContainerPort:
 description: |-
 UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
From 41004f7bbf7429154f533f139a006e97da5ec5f1 Mon Sep 17 00:00:00 2001
From: zirain
Date: Sat, 21 Jun 2025 11:34:34 +0800
Subject: [PATCH 2/2] update
Signed-off-by: zirain
---
 api/v1alpha1/envoyproxy_types.go | 5 ++---
 .../generated/gateway.envoyproxy.io_envoyproxies.yaml | 5 ++---
 .../crds/generated/gateway.envoyproxy.io_envoyproxies.yaml | 5 ++---
 site/content/en/latest/api/extension_types.md | 2 +-
 test/helm/gateway-crds-helm/all.out.yaml | 5 ++---
 test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml | 5 ++---
 6 files changed, 11 insertions(+), 16 deletions(-)

diff --git a/api/v1alpha1/envoyproxy_types.go b/api/v1alpha1/envoyproxy_types.go
index 618a25ca34..482cf28113 100644
--- a/api/v1alpha1/envoyproxy_types.go
+++ b/api/v1alpha1/envoyproxy_types.go
@@ -379,9 +379,8 @@ type EnvoyProxyKubernetesProvider struct {
 }
 type KubernetesServiceAccountSpec struct {
- // Name is the name of the service account.
- // If specified, the controller will use the provided service account
- // instead of creating a new one.
+ // Name of the Service Account.
+ // When unset, this defaults to an autogenerated name.
 //
 // +optional
 Name *string `json:"name,omitempty"`
diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml
index 24fbe8622d..d6546ae3c1 100644
--- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml
+++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml
@@ -10451,9 +10451,8 @@ spec:
 properties:
 name:
 description: |-
- Name is the name of the service account.
- If specified, the controller will use the provided service account
- instead of creating a new one.
+ Name of the Service Account.
+ When unset, this defaults to an autogenerated name.
 type: string
 type: object
 useListenerPortAsContainerPort:
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
index 145003c345..a2bd3b2d2c 100644
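Review bot: The reworded comment on `Name` states only the unset case and drops the previous wording's statement that a provided name makes the controller use that existing account instead of creating one, so a reader can no longer tell whether a named account must pre-exist or is created and owned by the controller. Which of the two the implementation does is not visible from this hunk, but for a field that selects the identity the proxy pods run as, that is the fact an operator needs before setting it. Suggest keeping both halves, e.g. `// Name of the Service Account the Envoy proxy pods run as.` followed by `// When unset, this defaults to an autogenerated name; when set, the named account is used (document whether it must already exist).` The same wording is regenerated into the CRD and reference-doc hunks that follow, so they would need regenerating alongside.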
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
@@ -10450,9 +10450,8 @@ spec:
 properties:
 name:
 description: |-
- Name is the name of the service account.
- If specified, the controller will use the provided service account
- instead of creating a new one.
+ Name of the Service Account.
+ When unset, this defaults to an autogenerated name.
 type: string
 type: object
 useListenerPortAsContainerPort:
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 922c66d1f4..e2025a0da8 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -2937,7 +2937,7 @@ _Appears in:_
 | Field | Type | Required | Default | Description |
 | --- | --- | --- | --- | --- |
-| `name` | _string_ | false | | Name is the name of the service account.
If specified, the controller will use the provided service account
instead of creating a new one. |
+| `name` | _string_ | false | | Name of the Service Account.
When unset, this defaults to an autogenerated name. |
 #### KubernetesServiceSpec
diff --git a/test/helm/gateway-crds-helm/all.out.yaml b/test/helm/gateway-crds-helm/all.out.yaml
index f443ef9bc3..7ef1a4eefe 100644
--- a/test/helm/gateway-crds-helm/all.out.yaml
+++ b/test/helm/gateway-crds-helm/all.out.yaml
@@ -34032,9 +34032,8 @@ spec:
 properties:
 name:
 description: |-
- Name is the name of the service account.
- If specified, the controller will use the provided service account
- instead of creating a new one.
+ Name of the Service Account.
+ When unset, this defaults to an autogenerated name.
 type: string
 type: object
 useListenerPortAsContainerPort:
diff --git a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
index 0f3aae1965..c618fa66fa 100644
--- a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
+++ b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
@@ -16720,9 +16720,8 @@ spec:
 properties:
 name:
 description: |-
- Name is the name of the service account.
- If specified, the controller will use the provided service account
- instead of creating a new one.
+ Name of the Service Account.
+ When unset, this defaults to an autogenerated name.
 type: string
 type: object
 useListenerPortAsContainerPort: