diff --git a/charts/gateway-helm/templates/_rbac.tpl b/charts/gateway-helm/templates/_rbac.tpl
index 28a6abb47a..1725e99150 100644
--- a/charts/gateway-helm/templates/_rbac.tpl
+++ b/charts/gateway-helm/templates/_rbac.tpl
@@ -203,6 +203,7 @@ verbs:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
diff --git a/internal/infrastructure/kubernetes/infra.go b/internal/infrastructure/kubernetes/infra.go
index 0cde2e2c50..2803f2ef06 100644
--- a/internal/infrastructure/kubernetes/infra.go
+++ b/internal/infrastructure/kubernetes/infra.go
@@ -23,9 +23,10 @@ import (
 "github.com/envoyproxy/gateway/internal/logging"
 )
-var _ ResourceRender = &proxy.ResourceRender{}
-
-var _ ResourceRender = &ratelimit.ResourceRender{}
+var (
+ _ ResourceRender = &proxy.ResourceRender{}
+ _ ResourceRender = &ratelimit.ResourceRender{}
+)
 // ResourceRender renders Kubernetes infrastructure resources
 // based on Infra IR resources.
diff --git a/internal/infrastructure/kubernetes/infra_resource.go b/internal/infrastructure/kubernetes/infra_resource.go
index b44db672a8..14b9fadeaf 100644
--- a/internal/infrastructure/kubernetes/infra_resource.go
+++ b/internal/infrastructure/kubernetes/infra_resource.go
@@ -38,11 +38,6 @@ func (i *Infra) createOrUpdateServiceAccount(ctx context.Context, r ResourceRend
 }
 )
- if sa, err = r.ServiceAccount(); err != nil {
- resourceApplyTotal.WithFailure(metrics.ReasonError, labels...).Increment()
- return err
- }
-
 defer func() {
 if err == nil {
 resourceApplyDurationSeconds.With(labels...).Record(time.Since(startTime).Seconds())
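Review bot: The `list` verb added at line 203 of _rbac.tpl widens a rule whose `resources:` entry sits outside the hunk, so it is not visible here whether the rule covers only serviceaccounts or several kinds. The new verb is presumably needed by the `DeleteAllExcept` call in infra_resource.go, which lists ServiceAccounts by label selector; if the rule also spans other resources, the grant is wider than that one consumer requires and a dedicated serviceaccounts rule would keep it minimal. The same addition is mirrored in every test/helm/gateway-helm/*.out.yaml golden file below, so a note in the PR description naming the consumer of the new permission would make the widening traceable when the chart is audited.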
@@ -50,8 +45,27 @@ func (i *Infra) createOrUpdateServiceAccount(ctx context.Context, r ResourceRend
 } else {
 resourceApplyTotal.WithFailure(metrics.ReasonError, labels...).Increment()
 }
+
+ if sa != nil {
+ deleteErr := i.Client.DeleteAllExcept(ctx, &corev1.ServiceAccountList{}, client.ObjectKey{
+ Namespace: sa.Namespace,
+ Name: sa.Name,
+ }, &client.ListOptions{
+ Namespace: sa.Namespace,
+ LabelSelector: r.LabelSelector(),
+ })
+
+ if deleteErr != nil {
+ i.logger.Error(deleteErr, "failed to delete all except serviceaccount", "name", sa.Name)
+ }
+ }
 }()
+ if sa, err = r.ServiceAccount(); err != nil {
+ resourceApplyTotal.WithFailure(metrics.ReasonError, labels...).Increment()
+ return err
+ }
+
 return i.Client.ServerSideApply(ctx, sa)
 }
diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider.go b/internal/infrastructure/kubernetes/proxy/resource_provider.go
index c150bb313a..87b7a3a4e9 100644
--- a/internal/infrastructure/kubernetes/proxy/resource_provider.go
+++ b/internal/infrastructure/kubernetes/proxy/resource_provider.go
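Review bot: The new `DeleteAllExcept` call in the deferred function runs even when `ServerSideApply` has failed, because its only guard is `sa != nil`; a failed apply therefore still deletes every other labelled ServiceAccount in the namespace, and proxy pods can be left referencing an account that no longer exists — gate the pruning on success, `if err == nil && sa != nil {`. Because the selector is `r.LabelSelector()`, any ServiceAccount carrying the proxy labels is in scope, which presumably includes a user-supplied account the controller adopted through server-side apply once `envoyServiceAccount.name` pointed at it (the e2e fixture pre-creates such accounts), so the block deserves a comment such as `// Prune ServiceAccounts previously rendered for this proxy (matched by label) now that the desired one is applied; a renamed account is deleted, not kept.` The deletion error is only logged, so a stale account survives without affecting the apply metrics; that is acceptable as best-effort but should be stated in the same comment. createOrUpdateServiceAccount's signature and the `sa`/`err` declarations are above the hunk.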
@@ -78,23 +78,34 @@ type KubernetesInfraProvider interface {
 GetResourceNamespace(ir *ir.Infra) string
 }
-func NewResourceRender(ctx context.Context, kubernetesInfra KubernetesInfraProvider, infra *ir.Infra) (*ResourceRender, error) {
- ownerReference, err := kubernetesInfra.GetOwnerReferenceUID(ctx, infra)
+func NewResourceRender(ctx context.Context, kubeInfra KubernetesInfraProvider, infra *ir.Infra) (*ResourceRender, error) {
+ ownerReference, err := kubeInfra.GetOwnerReferenceUID(ctx, infra)
 if err != nil {
 return nil, err
 }
 return &ResourceRender{
- envoyNamespace: kubernetesInfra.GetResourceNamespace(infra),
- controllerNamespace: kubernetesInfra.GetControllerNamespace(),
- DNSDomain: kubernetesInfra.GetDNSDomain(),
+ envoyNamespace: kubeInfra.GetResourceNamespace(infra),
+ controllerNamespace: kubeInfra.GetControllerNamespace(),
+ DNSDomain: kubeInfra.GetDNSDomain(),
 infra: infra.GetProxyInfra(),
- ShutdownManager: kubernetesInfra.GetEnvoyGateway().GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().ShutdownManager,
- GatewayNamespaceMode: kubernetesInfra.GetEnvoyGateway().GatewayNamespaceMode(),
+ ShutdownManager: kubeInfra.GetEnvoyGateway().GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().ShutdownManager,
+ GatewayNamespaceMode: kubeInfra.GetEnvoyGateway().GatewayNamespaceMode(),
 ownerReferenceUID: ownerReference,
 }, nil
 }
+func (r *ResourceRender) serviceAccountName() string {
+ prov := r.infra.GetProxyConfig().GetEnvoyProxyProvider().GetEnvoyProxyKubeProvider()
+ if prov != nil &&
+ prov.EnvoyServiceAccount != nil &&
+ prov.EnvoyServiceAccount.Name != nil {
+ return *prov.EnvoyServiceAccount.Name
+ }
+
+ return r.Name()
+}
+
 func (r *ResourceRender) Name() string {
 if r.GatewayNamespaceMode {
 return r.infra.Name
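Review bot: serviceAccountName has no doc comment, and its nil handling relies on `GetProxyConfig()`, `GetEnvoyProxyProvider()` and `GetEnvoyProxyKubeProvider()` tolerating nil receivers, which the hunk does not show — worth confirming, since `r.infra` comes from `infra.GetProxyInfra()` in NewResourceRender and several fixtures in resource_provider_test.go build an infra before assigning a Config. Propose `// serviceAccountName returns the name configured under the EnvoyProxy Kubernetes provider's envoyServiceAccount, falling back to Name() when none is set.` The accessor chain is also the only place the custom name enters the renderer, so the comment should say that both ServiceAccount() and Deployment() must use it so the rendered account and the pod spec never diverge. The kubernetesInfra → kubeInfra rename in NewResourceRender is cosmetic.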
@@ -150,7 +161,7 @@ func (r *ResourceRender) ServiceAccount() (*corev1.ServiceAccount, error) {
 AutomountServiceAccountToken: ptr.To(false),
 ObjectMeta: metav1.ObjectMeta{
 Namespace: r.Namespace(),
- Name: r.Name(),
+ Name: r.serviceAccountName(),
 Labels: saLabels,
 Annotations: r.infra.GetProxyMetadata().Annotations,
 OwnerReferences: r.OwnerReferences(),
@@ -393,7 +404,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
 AutomountServiceAccountToken: ptr.To(false),
 Containers: containers,
 InitContainers: deploymentConfig.InitContainers,
- ServiceAccountName: r.Name(),
+ ServiceAccountName: r.serviceAccountName(),
 TerminationGracePeriodSeconds: expectedTerminationGracePeriodSeconds(proxyConfig.Spec.Shutdown),
 DNSPolicy: corev1.DNSClusterFirst,
 RestartPolicy: corev1.RestartPolicyAlways,
diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go
index 843712a966..2d9ee7b840 100644
--- a/internal/infrastructure/kubernetes/proxy/resource_provider_test.go
+++ b/internal/infrastructure/kubernetes/proxy/resource_provider_test.go
@@ -106,6 +106,19 @@ func newTestInfraWithNamespacedName(gwNN types.NamespacedName) *ir.Infra {
 return i
 }
+func newTestInfraWithCustomServiceAccount(gwNN types.NamespacedName) *ir.Infra {
+ i := newTestInfraWithNamespacedName(gwNN)
+ i.Proxy.Config = new(egv1a1.EnvoyProxy)
+ i.Proxy.Config.Spec.Provider = egv1a1.DefaultEnvoyProxyProvider()
+ i.Proxy.Config.Spec.Provider.Kubernetes = &egv1a1.EnvoyProxyKubernetesProvider{
+ EnvoyServiceAccount: &egv1a1.KubernetesServiceAccountSpec{
+ Name: ptr.To("custom-sa"),
+ },
+ }
+
+ return i
+}
+
 func newTestInfraWithIPFamily(family *egv1a1.IPFamily) *ir.Infra {
 i := newTestInfra()
 i.Proxy.Config = &egv1a1.EnvoyProxy{
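Review bot: Only `Deployment()` is switched to `serviceAccountName()` here; if this package also renders a DaemonSet (the e2e fixture routes to `/daemonset` and test/e2e/tests/envoyproxy.go has `checkDaemonSet`, both outside this diff), a pod template that still sets `ServiceAccountName: r.Name()` would reference an account that `ServiceAccount()` no longer renders and that the new pruning in infra_resource.go deletes, so those pods would be rejected at creation as soon as `envoyServiceAccount.name` is set — confirm and switch that field the same way. In the test helper, `newTestInfraWithCustomServiceAccount` replaces `Spec.Provider.Kubernetes` wholesale right after `DefaultEnvoyProxyProvider()`, discarding whatever Kubernetes-provider defaults that constructor fills in; setting `EnvoyServiceAccount` on the existing struct keeps the fixture representative of a real EnvoyProxy object. Both enclosing functions in resource_provider.go start and end outside their hunks.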
@@ -632,6 +645,12 @@ func TestDeployment(t *testing.T) {
 deploy: nil,
 gatewayNamespaceMode: true,
 },
+ {
+ caseName: "custom-sa",
+ infra: newTestInfraWithCustomServiceAccount(types.NamespacedName{Namespace: "ns1", Name: "gateway-1"}),
+ deploy: nil,
+ gatewayNamespaceMode: true,
+ },
 }
 for _, tc := range cases {
 t.Run(tc.caseName, func(t *testing.T) {
@@ -1442,6 +1461,11 @@ func TestServiceAccount(t *testing.T) {
 infra: newTestInfraWithNamespacedName(types.NamespacedName{Namespace: "ns1", Name: "gateway-1"}),
 gatewayNamespaceMode: true,
 },
+ {
+ name: "custom-sa",
+ infra: newTestInfraWithCustomServiceAccount(types.NamespacedName{Namespace: "ns1", Name: "gateway-1"}),
+ gatewayNamespaceMode: false,
+ },
 }
 for _, tc := range cases {
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom-sa.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom-sa.yaml
new file mode 100644
index 0000000000..ecae105bc0
--- /dev/null
+++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom-sa.yaml
@@ -0,0 +1,413 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: ns1 + gateway.networking.k8s.io/gateway-name: gateway-1 + name: gateway-1 + namespace: ns1 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + name: gateway-1 + uid: test-owner-reference-uid-for-gateway +spec: + progressDeadlineSeconds: 600 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: ns1 + gateway.networking.k8s.io/gateway-name: gateway-1 + strategy: + type: RollingUpdate + template: + metadata: + annotations: + prometheus.io/path: /stats/prometheus + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + creationTimestamp: null + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/managed-by: envoy-gateway + app.kubernetes.io/name: envoy + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: ns1 + gateway.networking.k8s.io/gateway-name: gateway-1 + spec: + automountServiceAccountToken: false + containers: + - args: + - --service-cluster ns1/gateway-1 + - --service-node $(ENVOY_POD_NAME) + - | + --config-yaml admin: + access_log: + - name: envoy.access_loggers.file + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + path: /dev/null + address: + socket_address: + address: 127.0.0.1 + port_value: 19000 + cluster_manager: + local_cluster_name: local_cluster + node: + locality: + zone: $(ENVOY_SERVICE_ZONE) + layered_runtime: + layers: + - name: global_config + static_layer: + 
envoy.restart_features.use_eds_cache_for_ads: true + re2.max_program_size.error_level: 4294967295 + re2.max_program_size.warn_level: 1000 + dynamic_resources: + ads_config: + api_type: DELTA_GRPC + transport_api_version: V3 + grpc_services: + - envoy_grpc: + cluster_name: xds_cluster + set_node_on_first_message_only: true + lds_config: + ads: {} + resource_api_version: V3 + cds_config: + ads: {} + resource_api_version: V3 + static_resources: + listeners: + - name: envoy-gateway-proxy-stats-0.0.0.0-19001 + address: + socket_address: + address: '0.0.0.0' + port_value: 19001 + protocol: TCP + bypass_overload_manager: true + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: eg-stats-http + normalize_path: true + route_config: + name: local_route + virtual_hosts: + - name: prometheus_stats + domains: + - "*" + routes: + - match: + path: /stats/prometheus + headers: + - name: ":method" + string_match: + exact: GET + route: + cluster: prometheus_stats + http_filters: + - name: envoy.filters.http.router + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + clusters: + - name: prometheus_stats + connect_timeout: 0.250s + type: STATIC + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: prometheus_stats + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 19000 + - connect_timeout: 10s + lb_policy: ROUND_ROBIN + load_assignment: + cluster_name: local_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 10080 + load_balancing_weight: 1 + load_balancing_weight: 1 + locality: + zone: $(ENVOY_SERVICE_ZONE) + name: local_cluster + type: STATIC + - connect_timeout: 10s + load_assignment: + cluster_name: xds_cluster + endpoints: + - 
load_balancing_weight: 1 + lb_endpoints: + - load_balancing_weight: 1 + endpoint: + address: + socket_address: + address: envoy-gateway.envoy-gateway-system.svc.cluster.local + port_value: 18000 + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions" + explicit_http_config: + http2_protocol_options: + connection_keepalive: + interval: 30s + timeout: 5s + http_filters: + - name: envoy.filters.http.credential_injector + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector + credential: + name: envoy.http.injected_credentials.generic + typed_config: + "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic + credential: + name: jwt-sa-bearer + overwrite: true + - name: envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec + name: xds_cluster + type: STRICT_DNS + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + common_tls_context: + tls_params: + tls_maximum_protocol_version: TLSv1_3 + validation_context_sds_secret_config: + name: xds_trusted_ca + sds_config: + path_config_source: + path: /sds/xds-trusted-ca.json + resource_api_version: V3 + secrets: + - name: jwt-sa-bearer + generic_secret: + secret: + filename: "/var/run/secrets/token/sa-token" + overload_manager: + refresh_interval: 0.25s + resource_monitors: + - name: "envoy.resource_monitors.global_downstream_max_connections" + typed_config: + "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig + max_active_downstream_connections: 50000 + - --log-level warn + - --cpuset-threads + - --drain-strategy 
immediate + - --component-log-level misc:error + - --drain-time-s 60 + command: + - envoy + env: + - name: ENVOY_POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: ENVOY_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: ENVOY_SERVICE_ZONE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.annotations['topology.kubernetes.io/zone'] + image: docker.io/envoyproxy/envoy:distroless-dev + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + httpGet: + path: /shutdown/ready + port: 19002 + scheme: HTTP + livenessProbe: + failureThreshold: 3 + httpGet: + path: /ready + port: 19003 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: envoy + ports: + - containerPort: 19001 + name: metrics + protocol: TCP + - containerPort: 19003 + name: readiness + protocol: TCP + readinessProbe: + failureThreshold: 1 + httpGet: + path: /ready + port: 19003 + scheme: HTTP + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /ready + port: 19003 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /certs + name: certs + readOnly: true + - mountPath: /sds + name: sds + - mountPath: /var/run/secrets/token + name: sa-token + readOnly: true + - args: + - envoy + - shutdown-manager + command: + - envoy-gateway + env: + - name: ENVOY_POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: ENVOY_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - 
name: ENVOY_SERVICE_ZONE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.annotations['topology.kubernetes.io/zone'] + image: docker.io/envoyproxy/gateway-dev:latest + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - envoy-gateway + - envoy + - shutdown + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 19002 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: shutdown-manager + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 19002 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 10m + memory: 32Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz + port: 19002 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + serviceAccountName: custom-sa + terminationGracePeriodSeconds: 360 + volumes: + - name: sa-token + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + audience: envoy-gateway.envoy-gateway-system.svc.cluster.local + expirationSeconds: 3600 + path: sa-token + - configMap: + defaultMode: 420 + items: + - key: ca.crt + path: ca.crt + name: gateway-1 + optional: false + name: certs + - configMap: + defaultMode: 420 + items: + - key: xds-trusted-ca.json + path: xds-trusted-ca.json + name: gateway-1 + optional: false + name: sds +status: {} 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/serviceaccount/custom-sa.yaml b/internal/infrastructure/kubernetes/proxy/testdata/serviceaccount/custom-sa.yaml
new file mode 100644
index 0000000000..8a3dc37882
--- /dev/null
+++ b/internal/infrastructure/kubernetes/proxy/testdata/serviceaccount/custom-sa.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+automountServiceAccountToken: false
+kind: ServiceAccount
+metadata:
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/component: proxy
+ app.kubernetes.io/managed-by: envoy-gateway
+ app.kubernetes.io/name: envoy
+ gateway.envoyproxy.io/owning-gateway-name: gateway-1
+ gateway.envoyproxy.io/owning-gateway-namespace: ns1
+ gateway.networking.k8s.io/gateway-name: gateway-1
+ name: custom-sa
+ namespace: ns1
+ ownerReferences:
+ - apiVersion: gateway.networking.k8s.io/v1
+ kind: Gateway
+ name: gateway-1
+ uid: test-owner-reference-uid-for-gateway
diff --git a/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go b/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go
index 7332cef6f6..54ad6d8a5f 100644
--- a/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go
+++ b/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go
@@ -281,7 +281,7 @@ func TestCreateOrUpdateProxyServiceAccount(t *testing.T) {
 actual := &corev1.ServiceAccount{
 ObjectMeta: metav1.ObjectMeta{
 Namespace: kube.GetResourceNamespace(tc.in),
- Name: expectedName(tc.in.Proxy, tc.gatewayNamespaceMode),
+ Name: tc.want.Name,
 },
 }
 require.NoError(t, kube.Client.Get(ctx, client.ObjectKeyFromObject(actual), actual))
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
index 18a60bdc02..edaf661f02 100644
--- a/release-notes/current.yaml
+++ b/release-notes/current.yaml
@@ -30,6 +30,7 @@ new features: |
 Added support for client certificate validation (SPKI, hash, SAN) in ClientTrafficPolicy.
 Added support for OIDC RP initialized logout. If the end session endpoint is explicitly specified or discovered from the issuer's well-known url, the end session endpoint will be invoked when the user logs out.
 Added support for specifying deployment annotations through the helm chart.
+ Added support for customizing the name of the ServiceAccount used by the Proxy.
 bug fixes: |
diff --git a/test/e2e/testdata/envoyproxy-custom-name.yaml b/test/e2e/testdata/envoyproxy-custom-name.yaml
index 26e49c1810..ade072ecd9 100644
--- a/test/e2e/testdata/envoyproxy-custom-name.yaml
+++ b/test/e2e/testdata/envoyproxy-custom-name.yaml
@@ -33,6 +33,8 @@ spec:
 envoyHpa:
 name: custom-hpa
 maxReplicas: 3
+ envoyServiceAccount:
+ name: custom-sa
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
@@ -124,3 +126,18 @@ spec:
 - path:
 type: PathPrefix
 value: /daemonset
+---
+# custom sa for gateway namespace mode
+apiVersion: v1
+automountServiceAccountToken: false
+kind: ServiceAccount
+metadata:
+ name: custom-sa
+ namespace: gateway-conformance-infra
+---
+# custom sa for controller namespace mode
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: custom-sa
+ namespace: envoy-gateway-system
diff --git a/test/e2e/tests/envoyproxy.go b/test/e2e/tests/envoyproxy.go
index f03f924a31..8279ad069f 100644
--- a/test/e2e/tests/envoyproxy.go
+++ b/test/e2e/tests/envoyproxy.go
@@ -225,9 +225,10 @@ func checkDaemonSet(t *testing.T, suite *suite.ConformanceTestSuite, gwNN types.
 }
 var (
- serviceGVK = schema.FromAPIVersionAndKind("v1", "Service")
- hpaGVK = schema.FromAPIVersionAndKind("autoscaling/v2", "HorizontalPodAutoscaler")
- pdbGVK = schema.FromAPIVersionAndKind("policy/v1", "PodDisruptionBudget")
+ serviceGVK = schema.FromAPIVersionAndKind("v1", "Service")
+ serviceAccountGVK = schema.FromAPIVersionAndKind("v1", "ServiceAccount")
+ hpaGVK = schema.FromAPIVersionAndKind("autoscaling/v2", "HorizontalPodAutoscaler")
+ pdbGVK = schema.FromAPIVersionAndKind("policy/v1", "PodDisruptionBudget")
 )
 func checkDeployment(t *testing.T, suite *suite.ConformanceTestSuite, gwNN types.NamespacedName, exceptNs, exceptName string,
@@ -248,6 +249,9 @@ func checkDeployment(t *testing.T, suite *suite.ConformanceTestSuite, gwNN types
 if err := checkObject(t, suite, pdbGVK, gwNN, exceptPdbCount, exceptNs, exceptName); err != nil {
 return err
 }
+ if err := checkObject(t, suite, serviceAccountGVK, gwNN, 1, exceptNs, exceptName); err != nil {
+ return err
+ }
 return nil
 }
diff --git a/test/helm/gateway-helm/certgen-args.out.yaml b/test/helm/gateway-helm/certgen-args.out.yaml
index 4650695435..cb3a68e930 100644
--- a/test/helm/gateway-helm/certgen-args.out.yaml
+++ b/test/helm/gateway-helm/certgen-args.out.yaml
@@ -220,6 +220,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml
index a7cdf55c55..7a279fdebc 100644
--- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml
+++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml
@@ -220,6 +220,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml
index 472f9f2c72..8c7d15ab51 100644
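Review bot: The ServiceAccount check is added only to checkDeployment; checkDaemonSet, whose closing brace is the first context line of the hunk, gets none, so the DaemonSet variant of the custom-name test never verifies that an account named after `envoyServiceAccount.name` exists. If the DaemonSet proxy is meant to honour the setting too, add the same `if err := checkObject(t, suite, serviceAccountGVK, gwNN, 1, exceptNs, exceptName); err != nil {` block there; if it is not, a one-line comment in checkDaemonSet saying so would stop the next reader from assuming coverage. The expected count is hard-coded to 1 while the neighbouring checks take an `except*Count` parameter; that is fine today, but a stale account left behind by the new pruning in infra_resource.go would only be caught if checkObject counts every object matching the proxy's labels rather than just fetching the named one, which is not visible here.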
--- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml
+++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml
@@ -235,6 +235,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml
index 04002dadb9..c21cf76447 100644
--- a/test/helm/gateway-helm/default-config.out.yaml
+++ b/test/helm/gateway-helm/default-config.out.yaml
@@ -220,6 +220,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
diff --git a/test/helm/gateway-helm/deployment-annotations.out.yaml b/test/helm/gateway-helm/deployment-annotations.out.yaml
index 8c9229a22f..7edd25e787 100644
--- a/test/helm/gateway-helm/deployment-annotations.out.yaml
+++ b/test/helm/gateway-helm/deployment-annotations.out.yaml
@@ -220,6 +220,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml
index 9a45773b0a..8e816a896c 100644
--- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml
+++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml
@@ -220,6 +220,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml
index a4b99d7be1..7a5f348940 100644
--- a/test/helm/gateway-helm/deployment-images-config.out.yaml
+++ b/test/helm/gateway-helm/deployment-images-config.out.yaml
@@ -220,6 +220,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
diff --git a/test/helm/gateway-helm/deployment-priorityclass.out.yaml b/test/helm/gateway-helm/deployment-priorityclass.out.yaml
index fb8ac3d091..53165663ff 100644
--- a/test/helm/gateway-helm/deployment-priorityclass.out.yaml
+++ b/test/helm/gateway-helm/deployment-priorityclass.out.yaml
@@ -220,6 +220,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
diff --git a/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml b/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml
index 6a70ecf5f6..42347a01fd 100644
--- a/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml
+++ b/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml
@@ -220,6 +220,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
diff --git a/test/helm/gateway-helm/deployment-securitycontext.out.yaml b/test/helm/gateway-helm/deployment-securitycontext.out.yaml
index ea260a1b69..adb0b81f2c 100644
--- a/test/helm/gateway-helm/deployment-securitycontext.out.yaml
+++ b/test/helm/gateway-helm/deployment-securitycontext.out.yaml
@@ -220,6 +220,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml
index 3012e22704..140beadd44 100644
--- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml
+++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml
@@ -222,6 +222,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
diff --git a/test/helm/gateway-helm/envoy-gateway-gateway-namespace-config-watch.out.yaml b/test/helm/gateway-helm/envoy-gateway-gateway-namespace-config-watch.out.yaml
index 7a3dcdfd99..47b782bee1 100644
--- a/test/helm/gateway-helm/envoy-gateway-gateway-namespace-config-watch.out.yaml
+++ b/test/helm/gateway-helm/envoy-gateway-gateway-namespace-config-watch.out.yaml
@@ -374,6 +374,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
@@ -469,6 +470,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
@@ -520,6 +522,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
diff --git a/test/helm/gateway-helm/envoy-gateway-gateway-namespace-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-gateway-namespace-config.out.yaml
index 12e4195a58..7d6dac03c2 100644
--- a/test/helm/gateway-helm/envoy-gateway-gateway-namespace-config.out.yaml
+++ b/test/helm/gateway-helm/envoy-gateway-gateway-namespace-config.out.yaml
@@ -207,6 +207,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
@@ -297,6 +298,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml
index 9cedcfd98b..1810ba70e6 100644
--- a/test/helm/gateway-helm/global-images-config.out.yaml
+++ b/test/helm/gateway-helm/global-images-config.out.yaml
@@ -224,6 +224,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
diff --git a/test/helm/gateway-helm/global-pullsecrets-override-deployment.out.yaml b/test/helm/gateway-helm/global-pullsecrets-override-deployment.out.yaml
index ef1ead361c..9ebe569a90 100644
--- a/test/helm/gateway-helm/global-pullsecrets-override-deployment.out.yaml
+++ b/test/helm/gateway-helm/global-pullsecrets-override-deployment.out.yaml
@@ -224,6 +224,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
diff --git a/test/helm/gateway-helm/global-pullsecrets-override-global.out.yaml b/test/helm/gateway-helm/global-pullsecrets-override-global.out.yaml
index 2d4788dcbc..e2ac583f05 100644
--- a/test/helm/gateway-helm/global-pullsecrets-override-global.out.yaml
+++ b/test/helm/gateway-helm/global-pullsecrets-override-global.out.yaml
@@ -224,6 +224,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
diff --git a/test/helm/gateway-helm/global-registry-override-deployment.out.yaml b/test/helm/gateway-helm/global-registry-override-deployment.out.yaml
index ae0acd5ed6..09f384933d 100644
--- a/test/helm/gateway-helm/global-registry-override-deployment.out.yaml
+++ b/test/helm/gateway-helm/global-registry-override-deployment.out.yaml
@@ -220,6 +220,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
diff --git a/test/helm/gateway-helm/global-registry-override-global.out.yaml b/test/helm/gateway-helm/global-registry-override-global.out.yaml
index ce9078c81b..24d32b56fe 100644
--- a/test/helm/gateway-helm/global-registry-override-global.out.yaml
+++ b/test/helm/gateway-helm/global-registry-override-global.out.yaml
@@ -220,6 +220,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
diff --git a/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml b/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml
index ed0238f5a3..efe79a1bd9 100644
--- a/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml
+++ b/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml
@@ -220,6 +220,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
diff --git a/test/helm/gateway-helm/service-customization.out.yaml b/test/helm/gateway-helm/service-customization.out.yaml
index 2f4984cbf4..2c123c3efc 100644
--- a/test/helm/gateway-helm/service-customization.out.yaml
+++ b/test/helm/gateway-helm/service-customization.out.yaml
@@ -220,6 +220,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch
diff --git a/test/helm/gateway-helm/webhook-disabled.out.yaml b/test/helm/gateway-helm/webhook-disabled.out.yaml
index 1669241ef5..6b8f1d5860 100644
--- a/test/helm/gateway-helm/webhook-disabled.out.yaml
+++ b/test/helm/gateway-helm/webhook-disabled.out.yaml
@@ -211,6 +211,7 @@ rules:
 verbs:
 - create
 - get
+ - list
 - delete
 - deletecollection
 - patch