From df6c91913aa39c145b10cca2c76aa376a4e80bae Mon Sep 17 00:00:00 2001
From: Nell Jerram
Date: Thu, 19 Dec 2024 18:35:54 +0000
Subject: [PATCH] Allow operator to create secrets in tigera-gateway namespace (Per pattern of #3630) Also fix a log typo
---
 pkg/controller/gatewayapi/gatewayapi_controller.go | 2 +-
 pkg/render/gateway_api.go | 3 +++
 pkg/render/gateway_api_test.go | 2 ++
 3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/pkg/controller/gatewayapi/gatewayapi_controller.go b/pkg/controller/gatewayapi/gatewayapi_controller.go
index 8c81730db0..9226d4e899 100644
--- a/pkg/controller/gatewayapi/gatewayapi_controller.go
+++ b/pkg/controller/gatewayapi/gatewayapi_controller.go
@@ -178,7 +178,7 @@ func (r *ReconcileGatewayAPI) Reconcile(ctx context.Context, request reconcile.R
 }
 err = utils.NewComponentHandler(log, r.client, r.scheme, gatewayAPI).CreateOrUpdateOrDelete(ctx, nonCRDComponent, r.status)
 if err != nil {
- r.status.SetDegraded(operatorv1.ResourceCreateError, "Error rendering GatewayAPI CRDs", err, log)
+ r.status.SetDegraded(operatorv1.ResourceCreateError, "Error rendering GatewayAPI resources", err, log)
 return reconcile.Result{}, err
 }

diff --git a/pkg/render/gateway_api.go b/pkg/render/gateway_api.go
index 5a14c0f84e..6ef6d822df 100644
--- a/pkg/render/gateway_api.go
+++ b/pkg/render/gateway_api.go
@@ -403,6 +403,9 @@ func (pr *gatewayAPIImplementationComponent) Objects() ([]client.Object, []clien
 ),
 }

+ // Create role binding to allow creating secrets in our namespace.
+ objs = append(objs, CreateOperatorSecretsRoleBinding(resources.namespace.Name))
+
 // Add pull secrets (inferred from the Installation resource).
 objs = append(objs, secret.ToRuntimeObjects(secret.CopyToNamespace(resources.namespace.Name, pr.cfg.PullSecrets...)...)...)

diff --git a/pkg/render/gateway_api_test.go b/pkg/render/gateway_api_test.go
index ae8469484f..044b2b5a38 100644
--- a/pkg/render/gateway_api_test.go
+++ b/pkg/render/gateway_api_test.go
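Review bot: The new comment in the pkg/render/gateway_api.go hunk says what is created but not who receives the grant or why it is needed at this point, which is the information a reader wants for an RBAC binding over secrets. Going by the commit title the subject is the operator and the binding is scoped to `resources.namespace.Name`; the referenced role and its verbs live in `CreateOperatorSecretsRoleBinding`, outside this hunk, so it is worth confirming there that the grant covers no more than the operator needs on secrets in this namespace. I would word the comment as `// Bind the operator's secrets role in this namespace only, so the operator can manage the secrets it renders here (presumably including the pull secrets copied below).` `Objects()` starts before and continues past the hunk.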
@@ -164,6 +164,7 @@ var _ = Describe("Gateway API rendering tests", func() {
 Expect(objsToDelete).To(HaveLen(0))
 rtest.ExpectResources(objsToCreate, []client.Object{
 &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway"}},
+ &rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-operator-secrets", Namespace: "tigera-gateway"}},
 &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway", Namespace: "tigera-gateway"}},
 &corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway-config", Namespace: "tigera-gateway"}},
 &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-envoy-gateway-role"}},
@@ -257,6 +258,7 @@ var _ = Describe("Gateway API rendering tests", func() {
 Expect(objsToDelete).To(HaveLen(0))
 rtest.ExpectResources(objsToCreate, []client.Object{
 &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway"}},
+ &rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-operator-secrets", Namespace: "tigera-gateway"}},
 &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway", Namespace: "tigera-gateway"}},
 &corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway-config", Namespace: "tigera-gateway"}},
 &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-envoy-gateway-role"}},
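Review bot: The added `&rbacv1.RoleBinding{...}` expectation, identical in both test hunks (at -164 and -257), carries only a name and a namespace, so as far as these lines show nothing pins which role the binding references or which subject receives it. For a binding that gives access to secrets, a later change that pointed it at a broader role or a different subject would presumably still pass these tests. Consider asserting on the rendered object itself, for example `Expect(rb.RoleRef.Name).To(Equal("<expected-role-name>"))` plus a matching check on `rb.Subjects`, with the expected values taken from `CreateOperatorSecretsRoleBinding`. Both test bodies start and end outside the hunks.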