Merge pull request #3669 from nelljerram/gateway-api-fix-321

Allow operator to create secrets in tigera-gateway namespace
tigera · Dec 20, 2024 · 7b01da4 · 7b01da4
2 parents 2714b1e + df6c919
commit 7b01da4
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 1 deletion.
diff --git a/pkg/controller/gatewayapi/gatewayapi_controller.go b/pkg/controller/gatewayapi/gatewayapi_controller.go
@@ -178,7 +178,7 @@ func (r *ReconcileGatewayAPI) Reconcile(ctx context.Context, request reconcile.R
 	}
 	err = utils.NewComponentHandler(log, r.client, r.scheme, gatewayAPI).CreateOrUpdateOrDelete(ctx, nonCRDComponent, r.status)
 	if err != nil {
-		r.status.SetDegraded(operatorv1.ResourceCreateError, "Error rendering GatewayAPI CRDs", err, log)
+		r.status.SetDegraded(operatorv1.ResourceCreateError, "Error rendering GatewayAPI resources", err, log)
 		return reconcile.Result{}, err
 	}
 

diff --git a/pkg/render/gateway_api.go b/pkg/render/gateway_api.go
@@ -403,6 +403,9 @@ func (pr *gatewayAPIImplementationComponent) Objects() ([]client.Object, []clien
 		),
 	}
 
+	// Create role binding to allow creating secrets in our namespace.
+	objs = append(objs, CreateOperatorSecretsRoleBinding(resources.namespace.Name))
+
 	// Add pull secrets (inferred from the Installation resource).
 	objs = append(objs, secret.ToRuntimeObjects(secret.CopyToNamespace(resources.namespace.Name, pr.cfg.PullSecrets...)...)...)
 

diff --git a/pkg/render/gateway_api_test.go b/pkg/render/gateway_api_test.go
@@ -164,6 +164,7 @@ var _ = Describe("Gateway API rendering tests", func() {
 		Expect(objsToDelete).To(HaveLen(0))
 		rtest.ExpectResources(objsToCreate, []client.Object{
 			&corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway"}},
+			&rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-operator-secrets", Namespace: "tigera-gateway"}},
 			&corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway", Namespace: "tigera-gateway"}},
 			&corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway-config", Namespace: "tigera-gateway"}},
 			&rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-envoy-gateway-role"}},
@@ -257,6 +258,7 @@ var _ = Describe("Gateway API rendering tests", func() {
 		Expect(objsToDelete).To(HaveLen(0))
 		rtest.ExpectResources(objsToCreate, []client.Object{
 			&corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway"}},
+			&rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "tigera-operator-secrets", Namespace: "tigera-gateway"}},
 			&corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway", Namespace: "tigera-gateway"}},
 			&corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "envoy-gateway-config", Namespace: "tigera-gateway"}},
 			&rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: "tigera-gateway-api-gateway-helm-envoy-gateway-role"}},