helm: add controls for rendering clusterrole

Signed-off-by: zirain <[email protected]>

Author: zirain

charts/gateway-helm/README.md

@@ -60,7 +60,11 @@ To uninstall the chart:
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | certgen | object | `{"job":{"affinity":{},"annotations":{},"args":[],"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
-| config.envoyGateway | object | `{"extensionApis":{},"gateway":{"controllerName":"gateway.envoyproxy.io/gatewayclass-controller"},"logging":{"level":{"default":"info"}},"provider":{"type":"Kubernetes"}}` | EnvoyGateway configuration. Visit https://gateway.envoyproxy.io/docs/api/extension_types/#envoygateway to view all options. |
+| config.deploy.type | string | `"ControllerNamespace"` |  |
+| config.envoyGateway.extensionApis | object | `{}` |  |
+| config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` |  |
+| config.envoyGateway.logging.level.default | string | `"info"` |  |
+| config.envoyGateway.provider.type | string | `"Kubernetes"` |  |
 | createNamespace | bool | `false` |  |
 | deployment.envoyGateway.image.repository | string | `""` |  |
 | deployment.envoyGateway.image.tag | string | `""` |  |

charts/gateway-helm/templates/infra-manager-rbac.yaml

@@ -1,6 +1,7 @@
-{{ if .Values.config.envoyGateway.provider.kubernetes }}
 {{ $kube := .Values.config.envoyGateway.provider.kubernetes }}
-{{ if and (not $kube.watch) ($kube.deploy) (eq $kube.deploy.type "GatewayNamespace") }}
+{{ $enabledInConfigmap := and (not $kube.watch) ($kube.deploy) (eq $kube.deploy.type "GatewayNamespace") }}
+{{ $enabledInConfig := eq .Values.config.deploy.type "GatewayNamespace" }}
+{{ if or $enabledInConfig $enabledInConfigmap }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -28,7 +29,6 @@ subjects:
   namespace: '{{ $.Release.Namespace }}'
 ---
 {{ end }}
-{{ end }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:

charts/gateway-helm/values.tmpl.yaml

@@ -93,6 +93,10 @@ hpa:
   behavior: {}
 
 config:
+  deploy:
+    # Deploy type controls which namespace EnvoyGateway will povison into.
+    # Optional value: ControllerNamespace, GatewayNamespace
+    type: ControllerNamespace
 # -- EnvoyGateway configuration. Visit https://gateway.envoyproxy.io/docs/api/extension_types/#envoygateway to view all options.
   envoyGateway:
     gateway:

site/content/en/latest/install/gateway-helm-api.md

@@ -24,7 +24,11 @@ The Helm chart for Envoy Gateway
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | certgen | object | `{"job":{"affinity":{},"annotations":{},"args":[],"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
-| config.envoyGateway | object | `{"extensionApis":{},"gateway":{"controllerName":"gateway.envoyproxy.io/gatewayclass-controller"},"logging":{"level":{"default":"info"}},"provider":{"type":"Kubernetes"}}` | EnvoyGateway configuration. Visit https://gateway.envoyproxy.io/docs/api/extension_types/#envoygateway to view all options. |
+| config.deploy.type | string | `"ControllerNamespace"` |  |
+| config.envoyGateway.extensionApis | object | `{}` |  |
+| config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` |  |
+| config.envoyGateway.logging.level.default | string | `"info"` |  |
+| config.envoyGateway.provider.type | string | `"Kubernetes"` |  |
 | createNamespace | bool | `false` |  |
 | deployment.envoyGateway.image.repository | string | `""` |  |
 | deployment.envoyGateway.image.tag | string | `""` |  |

test/helm/gateway-helm/enabled-gateway-namespace-mode.in.yaml

@@ -0,0 +1,8 @@
+global:
+  images:
+    envoyGateway:
+      image: "docker.io/envoyproxy/gateway-dev:latest"
+      pullPolicy: Always
+config:
+  deploy:
+    type: GatewayNamespace