feat: support infra deployment in the gateway namespace

api/v1alpha1/envoygateway_helpers.go

@@ -101,6 +101,14 @@
 		len(e.Provider.Kubernetes.Watch.Namespaces) > 0
 }
 
+// GatewayNamespaceMode returns true if controller uses gateway namespace mode for infra deployments.
+func (e *EnvoyGateway) GatewayNamespaceMode() bool {
+	return e.Provider != nil &&
+		e.Provider.Kubernetes != nil &&
+		e.Provider.Kubernetes.Deploy != nil &&
+		*e.Provider.Kubernetes.Deploy.Type == KubernetesDeployModeTypeGatewayNamespace
+}
+
 // DefaultLeaderElection returns a new LeaderElection with default configuration parameters.
 func DefaultLeaderElection() *LeaderElection {
 	return &LeaderElection{

charts/gateway-helm/templates/_rbac.tpl

@@ -192,3 +192,50 @@ resources:
 verbs:
 - update
 {{- end }}
+
+{{- define "eg.rbac.infra.basic" -}}
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  - services
+  - configmaps
+  verbs:
+  - create
+  - get
+  - delete
+  - deletecollection
+  - patch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - daemonsets
+  verbs:
+  - create
+  - get
+  - delete
+  - deletecollection
+  - patch
+- apiGroups:
+  - autoscaling
+  - policy
+  resources:
+  - horizontalpodautoscalers
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - get
+  - delete
+  - deletecollection
+  - patch
+{{- end }}
+
+{{- define "eg.rbac.infra.tokenreview" -}}
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+{{- end }}

charts/gateway-helm/templates/infra-manager-rbac.yaml

@@ -1,3 +1,34 @@
+{{ if .Values.config.envoyGateway.provider.kubernetes }}
+{{ $kube := .Values.config.envoyGateway.provider.kubernetes }}
+{{ if and (not $kube.watch) ($kube.deploy) (eq $kube.deploy.type "GatewayNamespace") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "eg.fullname" $ }}-cluster-infra-manager
+  labels:
+  {{- include "eg.labels" $ | nindent 4 }}
+rules:
+{{ include "eg.rbac.infra.basic" . }}
+{{ include "eg.rbac.infra.tokenreview" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "eg.fullname" $ }}-cluster-infra-manager
+  labels:
+  {{- include "eg.labels" $ | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: '{{ include "eg.fullname" $ }}-cluster-infra-manager'
+subjects:
+- kind: ServiceAccount
+  name: 'envoy-gateway'
+  namespace: '{{ $.Release.Namespace }}'
+---
+{{ end }}
+{{ end }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -6,41 +37,7 @@ metadata:
   labels:
   {{- include "eg.labels" . | nindent 4 }}
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts
-  - services
-  - configmaps
-  verbs:
-  - create
-  - get
-  - delete
-  - deletecollection
-  - patch
-- apiGroups:
-  - apps
-  resources:
-  - deployments
-  - daemonsets
-  verbs:
-  - create
-  - get
-  - delete
-  - deletecollection
-  - patch
-- apiGroups:
-  - autoscaling
-  - policy
-  resources:
-  - horizontalpodautoscalers
-  - poddisruptionbudgets
-  verbs:
-  - create
-  - get
-  - delete
-  - deletecollection
-  - patch
+{{ include "eg.rbac.infra.basic" . }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/gateway-helm/templates/namespaced-infra-manager-rbac.yaml

@@ -0,0 +1,66 @@
+{{ $watchedNamespaces := list }}
+{{ if .Values.config.envoyGateway.provider.kubernetes }}
+{{ $kube := .Values.config.envoyGateway.provider.kubernetes }}
+{{ if and ($kube.watch) ($kube.deploy) (eq $kube.deploy.type "GatewayNamespace") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "eg.fullname" $ }}-infra-manager-tokenreview
+  labels:
+  {{- include "eg.labels" $ | nindent 4 }}
+rules:
+{{ include "eg.rbac.infra.tokenreview" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "eg.fullname" $ }}-infra-manager-tokenreview
+  labels:
+  {{- include "eg.labels" $ | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: '{{ include "eg.fullname" $ }}-infra-manager-tokenreview'
+subjects:
+- kind: ServiceAccount
+  name: 'envoy-gateway'
+  namespace: '{{ $.Release.Namespace }}'
+{{ if $kube.watch.namespaces }}
+{{ if gt (len $kube.watch.namespaces) 0 }}
+{{ $watchedNamespaces = $kube.watch.namespaces }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{ if gt (len $watchedNamespaces) 0 }}
+{{ range $_, $ns := $watchedNamespaces }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "eg.fullname" $ }}-namespaced-infra-manager
+  namespace: {{ $ns | quote }}
+  labels:
+  {{- include "eg.labels" $ | nindent 4 }}
+rules:
+{{ include "eg.rbac.infra.basic" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "eg.fullname" $ }}-namespaced-infra-manager
+  namespace: {{ $ns | quote }}
+  labels:
+  {{- include "eg.labels" $ | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: '{{ include "eg.fullname" $ }}-namespaced-infra-manager'
+subjects:
+- kind: ServiceAccount
+  name: 'envoy-gateway'
+  namespace: '{{ $.Release.Namespace }}'
+---
+{{- end }}
+{{- end }}

internal/cmd/certgen.go

@@ -97,7 +97,7 @@
 func outputCertsForKubernetes(ctx context.Context, cli client.Client, cfg *config.Server,
 	updateSecrets bool, certs *crypto.Certificates,
 ) error {
-	secrets, err := kubernetes.CreateOrUpdateSecrets(ctx, cli, kubernetes.CertsToSecret(cfg.Namespace, certs), updateSecrets)
+	secrets, err := kubernetes.CreateOrUpdateSecrets(ctx, cli, kubernetes.CertsToSecret(cfg.ControllerNamespace, certs), updateSecrets)
 	log := cfg.Logger
 
 	if err != nil {
@@ -121,7 +121,7 @@
 		return nil
 	}
 
-	webhookConfigName := fmt.Sprintf("%s.%s", topologyWebhookNamePrefix, cfg.Namespace)
+	webhookConfigName := fmt.Sprintf("%s.%s", topologyWebhookNamePrefix, cfg.ControllerNamespace)
 	webhookCfg := &admissionregistrationv1.MutatingWebhookConfiguration{}
 	if err := cli.Get(ctx, client.ObjectKey{Name: webhookConfigName}, webhookCfg); err != nil {
 		return fmt.Errorf("failed to get mutating webhook configuration: %w", err)

internal/cmd/certgen_test.go

@@ -65,7 +65,7 @@ func TestPatchTopologyWebhook(t *testing.T) {
 			caseName: "Update caBundle",
 			webhook: &admissionregistrationv1.MutatingWebhookConfiguration{
 				ObjectMeta: metav1.ObjectMeta{
-					Name: fmt.Sprintf("%s.%s", topologyWebhookNamePrefix, cfg.Namespace),
+					Name: fmt.Sprintf("%s.%s", topologyWebhookNamePrefix, cfg.ControllerNamespace),
 				},
 				Webhooks: []admissionregistrationv1.MutatingWebhook{{ClientConfig: admissionregistrationv1.WebhookClientConfig{}}},
 			},
@@ -77,7 +77,7 @@ func TestPatchTopologyWebhook(t *testing.T) {
 			caseName: "No-op",
 			webhook: &admissionregistrationv1.MutatingWebhookConfiguration{
 				ObjectMeta: metav1.ObjectMeta{
-					Name: fmt.Sprintf("%s.%s", topologyWebhookNamePrefix, cfg.Namespace),
+					Name: fmt.Sprintf("%s.%s", topologyWebhookNamePrefix, cfg.ControllerNamespace),
 				},
 				Webhooks: []admissionregistrationv1.MutatingWebhook{{ClientConfig: admissionregistrationv1.WebhookClientConfig{CABundle: []byte("foo")}}},
 			},

internal/cmd/egctl/config_test.go

@@ -223,8 +223,6 @@ func TestExtractSubResourcesConfigDump(t *testing.T) {
 }
 
 func TestLabelSelectorBadInput(t *testing.T) {
-	podNamespace = "default"
-
 	cases := []struct {
 		name   string
 		args   []string

internal/cmd/egctl/testdata/translate/out/quickstart.all.yaml

@@ -98,6 +98,7 @@ infraIR:
           gateway.envoyproxy.io/owning-gateway-name: eg
           gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway-system
       name: envoy-gateway-system/eg
+      namespace: ""
 xdsIR:
   envoy-gateway-system/eg:
     accessLog:

internal/crypto/certgen.go

@@ -108,8 +108,8 @@ func GenerateCerts(cfg *config.Server) (*Certificates, error) {
 		egProvider := cfg.EnvoyGateway.GetEnvoyGatewayProvider().Type
 		switch egProvider {
 		case egv1a1.ProviderTypeKubernetes:
-			egDNSNames = kubeServiceNames(DefaultEnvoyGatewayDNSPrefix, cfg.Namespace, cfg.DNSDomain)
-			envoyDNSNames = append(envoyDNSNames, fmt.Sprintf("*.%s", cfg.Namespace))
+			egDNSNames = kubeServiceNames(DefaultEnvoyGatewayDNSPrefix, cfg.ControllerNamespace, cfg.DNSDomain)
+			envoyDNSNames = append(envoyDNSNames, fmt.Sprintf("*.%s", cfg.ControllerNamespace))
 		default:
 			// Kubernetes is the only supported Envoy Gateway provider.
 			return nil, fmt.Errorf("unsupported provider type %v", egProvider)

internal/envoygateway/config/config.go

@@ -31,8 +31,8 @@ const (
 type Server struct {
 	// EnvoyGateway is the configuration used to startup Envoy Gateway.
 	EnvoyGateway *egv1a1.EnvoyGateway
-	// Namespace is the namespace that Envoy Gateway runs in.
-	Namespace string
+	// ControllerNamespace is the namespace that Envoy Gateway runs in.
+	ControllerNamespace string
 	// DNSDomain is the dns domain used by k8s services. Defaults to "cluster.local".
 	DNSDomain string
 	// Logger is the logr implementation used by Envoy Gateway.
@@ -44,11 +44,11 @@ type Server struct {
 // New returns a Server with default parameters.
 func New(logOut io.Writer) (*Server, error) {
 	return &Server{
-		EnvoyGateway: egv1a1.DefaultEnvoyGateway(),
-		Namespace:    env.Lookup("ENVOY_GATEWAY_NAMESPACE", DefaultNamespace),
-		DNSDomain:    env.Lookup("KUBERNETES_CLUSTER_DOMAIN", DefaultDNSDomain),
-		Logger:       logging.DefaultLogger(logOut, egv1a1.LogLevelInfo),
-		Elected:      make(chan struct{}),
+		EnvoyGateway:        egv1a1.DefaultEnvoyGateway(),
+		ControllerNamespace: env.Lookup("ENVOY_GATEWAY_NAMESPACE", DefaultNamespace),
+		DNSDomain:           env.Lookup("KUBERNETES_CLUSTER_DOMAIN", DefaultDNSDomain),
+		Logger:              logging.DefaultLogger(logOut, egv1a1.LogLevelInfo),
+		Elected:             make(chan struct{}),
 	}, nil
 }
 
@@ -57,7 +57,7 @@ func (s *Server) Validate() error {
 	switch {
 	case s == nil:
 		return errors.New("server config is unspecified")
-	case len(s.Namespace) == 0:
+	case len(s.ControllerNamespace) == 0:
 		return errors.New("namespace is empty string")
 	}
 	if err := validation.ValidateEnvoyGateway(s.EnvoyGateway); err != nil {

internal/envoygateway/config/config_test.go

@@ -49,15 +49,15 @@ func TestValidate(t *testing.T) {
 						Provider: egv1a1.DefaultEnvoyGatewayProvider(),
 					},
 				},
-				Namespace: "",
+				ControllerNamespace: "",
 			},
 			expect: false,
 		},
 		{
 			name: "unspecified envoy gateway",
 			cfg: &Server{
-				Namespace: "test-ns",
-				Logger:    logging.DefaultLogger(os.Stdout, egv1a1.LogLevelInfo),
+				ControllerNamespace: "test-ns",
+				Logger:              logging.DefaultLogger(os.Stdout, egv1a1.LogLevelInfo),
 			},
 			expect: false,
 		},

internal/extension/registry/extension_manager.go

@@ -77,7 +77,7 @@
 
 	return &Manager{
 		k8sClient: cli,
-		namespace: cfg.Namespace,
+		namespace: cfg.ControllerNamespace,
 		extension: *extension,
 	}, nil
 }

internal/gatewayapi/runner/runner.go

@@ -157,7 +157,8 @@
 					GlobalRateLimitEnabled:    r.EnvoyGateway.RateLimit != nil,
 					EnvoyPatchPolicyEnabled:   r.EnvoyGateway.ExtensionAPIs != nil && r.EnvoyGateway.ExtensionAPIs.EnableEnvoyPatchPolicy,
 					BackendEnabled:            r.EnvoyGateway.ExtensionAPIs != nil && r.EnvoyGateway.ExtensionAPIs.EnableBackend,
-					Namespace:                 r.Namespace,
+					ControllerNamespace:       r.ControllerNamespace,
+					GatewayNamespaceMode:      r.EnvoyGateway.GatewayNamespaceMode(),
 					MergeGateways:             gatewayapi.IsMergeGatewaysEnabled(resources),
 					WasmCache:                 r.wasmCache,
 					ListenerPortShiftDisabled: r.EnvoyGateway.Provider != nil && r.EnvoyGateway.Provider.IsRunningOnHost(),
@@ -312,7 +313,7 @@
 func (r *Runner) loadTLSConfig(ctx context.Context) (tlsConfig *tls.Config, salt []byte, err error) {
 	switch {
 	case r.EnvoyGateway.Provider.IsRunningOnKubernetes():
-		salt, err = hmac(ctx, r.Namespace)
+		salt, err = hmac(ctx, r.ControllerNamespace)
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to get hmac secret: %w", err)
 		}

internal/gatewayapi/securitypolicy.go

@@ -905,14 +905,14 @@
 	// HMAC secret is generated by the CertGen job and stored in a secret
 	// We need to rotate the HMAC secret in the future, probably the same
 	// way we rotate the certs generated by the CertGen job.
-	hmacSecret := resources.GetSecret(t.Namespace, oidcHMACSecretName)
+	hmacSecret := resources.GetSecret(t.ControllerNamespace, oidcHMACSecretName)
 	if hmacSecret == nil {
-		return nil, fmt.Errorf("HMAC secret %s/%s not found", t.Namespace, oidcHMACSecretName)
+		return nil, fmt.Errorf("HMAC secret %s/%s not found", t.ControllerNamespace, oidcHMACSecretName)
 	}
 	hmacData, ok := hmacSecret.Data[oidcHMACSecretKey]
 	if !ok || len(hmacData) == 0 {
 		return nil, fmt.Errorf(
-			"HMAC secret not found in secret %s/%s", t.Namespace, oidcHMACSecretName)
+			"HMAC secret not found in secret %s/%s", t.ControllerNamespace, oidcHMACSecretName)
 	}
 
 	return &ir.OIDC{

internal/gatewayapi/testdata/accesslog-als-backend.out.yaml

@@ -148,6 +148,7 @@ infraIR:
           gateway.envoyproxy.io/owning-gateway-name: gateway-1
           gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
       name: envoy-gateway/gateway-1
+      namespace: envoy-gateway-system
 xdsIR:
   envoy-gateway/gateway-1:
     accessLog:

internal/gatewayapi/testdata/accesslog.out.yaml

@@ -115,6 +115,7 @@ infraIR:
           gateway.envoyproxy.io/owning-gateway-name: gateway-1
           gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
       name: envoy-gateway/gateway-1
+      namespace: envoy-gateway-system
 xdsIR:
   envoy-gateway/gateway-1:
     accessLog: