feat: allow to custom service account name (#6393)

* impl custom envoy sa name

Signed-off-by: zirain <zirain2009@gmail.com>

* address comment

Signed-off-by: zirain <zirain2009@gmail.com>

* lint

Signed-off-by: zirain <zirain2009@gmail.com>

* create sa with custom name

Signed-off-by: zirain <zirain2009@gmail.com>

* fix lint and test

Signed-off-by: zirain <zirain2009@gmail.com>

* fix test

Signed-off-by: zirain <zirain2009@gmail.com>

* fix

Signed-off-by: zirain <zirain2009@gmail.com>

* fix gen

Signed-off-by: zirain <zirain2009@gmail.com>

---------

Signed-off-by: zirain <zirain2009@gmail.com>

Author: zirain

charts/gateway-helm/templates/_rbac.tpl

@@ -203,6 +203,7 @@ verbs:
   verbs:
   - create
   - get
+  - list
   - delete
   - deletecollection
   - patch

internal/infrastructure/kubernetes/infra.go

@@ -23,9 +23,10 @@ import (
 	"github.com/envoyproxy/gateway/internal/logging"
 )
 
-var _ ResourceRender = &proxy.ResourceRender{}
-
-var _ ResourceRender = &ratelimit.ResourceRender{}
+var (
+	_ ResourceRender = &proxy.ResourceRender{}
+	_ ResourceRender = &ratelimit.ResourceRender{}
+)
 
 // ResourceRender renders Kubernetes infrastructure resources
 // based on Infra IR resources.

internal/infrastructure/kubernetes/infra_resource.go

@@ -38,20 +38,34 @@ func (i *Infra) createOrUpdateServiceAccount(ctx context.Context, r ResourceRend
 		}
 	)
 
-	if sa, err = r.ServiceAccount(); err != nil {
-		resourceApplyTotal.WithFailure(metrics.ReasonError, labels...).Increment()
-		return err
-	}
-
 	defer func() {
 		if err == nil {
 			resourceApplyDurationSeconds.With(labels...).Record(time.Since(startTime).Seconds())
 			resourceApplyTotal.WithSuccess(labels...).Increment()
 		} else {
 			resourceApplyTotal.WithFailure(metrics.ReasonError, labels...).Increment()
 		}
+
+		if sa != nil {
+			deleteErr := i.Client.DeleteAllExcept(ctx, &corev1.ServiceAccountList{}, client.ObjectKey{
+				Namespace: sa.Namespace,
+				Name:      sa.Name,
+			}, &client.ListOptions{
+				Namespace:     sa.Namespace,
+				LabelSelector: r.LabelSelector(),
+			})
+
+			if deleteErr != nil {
+				i.logger.Error(deleteErr, "failed to delete all except serviceaccount", "name", sa.Name)
+			}
+		}
 	}()
 
+	if sa, err = r.ServiceAccount(); err != nil {
+		resourceApplyTotal.WithFailure(metrics.ReasonError, labels...).Increment()
+		return err
+	}
+
 	return i.Client.ServerSideApply(ctx, sa)
 }
 

internal/infrastructure/kubernetes/proxy/resource_provider.go

@@ -78,23 +78,34 @@ type KubernetesInfraProvider interface {
 	GetResourceNamespace(ir *ir.Infra) string
 }
 
-func NewResourceRender(ctx context.Context, kubernetesInfra KubernetesInfraProvider, infra *ir.Infra) (*ResourceRender, error) {
-	ownerReference, err := kubernetesInfra.GetOwnerReferenceUID(ctx, infra)
+func NewResourceRender(ctx context.Context, kubeInfra KubernetesInfraProvider, infra *ir.Infra) (*ResourceRender, error) {
+	ownerReference, err := kubeInfra.GetOwnerReferenceUID(ctx, infra)
 	if err != nil {
 		return nil, err
 	}
 
 	return &ResourceRender{
-		envoyNamespace:       kubernetesInfra.GetResourceNamespace(infra),
-		controllerNamespace:  kubernetesInfra.GetControllerNamespace(),
-		DNSDomain:            kubernetesInfra.GetDNSDomain(),
+		envoyNamespace:       kubeInfra.GetResourceNamespace(infra),
+		controllerNamespace:  kubeInfra.GetControllerNamespace(),
+		DNSDomain:            kubeInfra.GetDNSDomain(),
 		infra:                infra.GetProxyInfra(),
-		ShutdownManager:      kubernetesInfra.GetEnvoyGateway().GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().ShutdownManager,
-		GatewayNamespaceMode: kubernetesInfra.GetEnvoyGateway().GatewayNamespaceMode(),
+		ShutdownManager:      kubeInfra.GetEnvoyGateway().GetEnvoyGatewayProvider().GetEnvoyGatewayKubeProvider().ShutdownManager,
+		GatewayNamespaceMode: kubeInfra.GetEnvoyGateway().GatewayNamespaceMode(),
 		ownerReferenceUID:    ownerReference,
 	}, nil
 }
 
+func (r *ResourceRender) serviceAccountName() string {
+	prov := r.infra.GetProxyConfig().GetEnvoyProxyProvider().GetEnvoyProxyKubeProvider()
+	if prov != nil &&
+		prov.EnvoyServiceAccount != nil &&
+		prov.EnvoyServiceAccount.Name != nil {
+		return *prov.EnvoyServiceAccount.Name
+	}
+
+	return r.Name()
+}
+
 func (r *ResourceRender) Name() string {
 	if r.GatewayNamespaceMode {
 		return r.infra.Name
@@ -150,7 +161,7 @@ func (r *ResourceRender) ServiceAccount() (*corev1.ServiceAccount, error) {
 		AutomountServiceAccountToken: ptr.To(false),
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace:       r.Namespace(),
-			Name:            r.Name(),
+			Name:            r.serviceAccountName(),
 			Labels:          saLabels,
 			Annotations:     r.infra.GetProxyMetadata().Annotations,
 			OwnerReferences: r.OwnerReferences(),
@@ -393,7 +404,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
 					AutomountServiceAccountToken:  ptr.To(false),
 					Containers:                    containers,
 					InitContainers:                deploymentConfig.InitContainers,
-					ServiceAccountName:            r.Name(),
+					ServiceAccountName:            r.serviceAccountName(),
 					TerminationGracePeriodSeconds: expectedTerminationGracePeriodSeconds(proxyConfig.Spec.Shutdown),
 					DNSPolicy:                     corev1.DNSClusterFirst,
 					RestartPolicy:                 corev1.RestartPolicyAlways,

internal/infrastructure/kubernetes/proxy/resource_provider_test.go

@@ -106,6 +106,19 @@ func newTestInfraWithNamespacedName(gwNN types.NamespacedName) *ir.Infra {
 	return i
 }
 
+func newTestInfraWithCustomServiceAccount(gwNN types.NamespacedName) *ir.Infra {
+	i := newTestInfraWithNamespacedName(gwNN)
+	i.Proxy.Config = new(egv1a1.EnvoyProxy)
+	i.Proxy.Config.Spec.Provider = egv1a1.DefaultEnvoyProxyProvider()
+	i.Proxy.Config.Spec.Provider.Kubernetes = &egv1a1.EnvoyProxyKubernetesProvider{
+		EnvoyServiceAccount: &egv1a1.KubernetesServiceAccountSpec{
+			Name: ptr.To("custom-sa"),
+		},
+	}
+
+	return i
+}
+
 func newTestInfraWithIPFamily(family *egv1a1.IPFamily) *ir.Infra {
 	i := newTestInfra()
 	i.Proxy.Config = &egv1a1.EnvoyProxy{
@@ -632,6 +645,12 @@ func TestDeployment(t *testing.T) {
 			deploy:               nil,
 			gatewayNamespaceMode: true,
 		},
+		{
+			caseName:             "custom-sa",
+			infra:                newTestInfraWithCustomServiceAccount(types.NamespacedName{Namespace: "ns1", Name: "gateway-1"}),
+			deploy:               nil,
+			gatewayNamespaceMode: true,
+		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.caseName, func(t *testing.T) {
@@ -1442,6 +1461,11 @@ func TestServiceAccount(t *testing.T) {
 			infra:                newTestInfraWithNamespacedName(types.NamespacedName{Namespace: "ns1", Name: "gateway-1"}),
 			gatewayNamespaceMode: true,
 		},
+		{
+			name:                 "custom-sa",
+			infra:                newTestInfraWithCustomServiceAccount(types.NamespacedName{Namespace: "ns1", Name: "gateway-1"}),
+			gatewayNamespaceMode: false,
+		},
 	}
 
 	for _, tc := range cases {