Commit dda8cc6

feat(gateway): Add ServiceAccount for RBAC configuration to Gateway CRD (#33)
* feat(gateway): Add ServiceAccount RBAC configuration to Gateway CRD
  - Add ServiceAccountSpec with create and name fields
  - Implement automatic ServiceAccount, Role, and RoleBinding creation
  - Grant A2A service discovery permissions across namespaces
  - Update deployment to use configured service account
  - Add serviceAccountName to Gateway status
  - Support custom service account names and disable creation option
  - Include example configurations for RBAC usage

  Co-authored-by: Eden Reich <edenreich@users.noreply.github.com>

* chore(generate): Update generated files for ServiceAccount RBAC feature
  - Regenerate DeepCopy methods for ServiceAccount spec fields
  - Update CRD schema with serviceAccount spec and serviceAccountName status

  Co-authored-by: Eden Reich <edenreich@users.noreply.github.com>

* fix(test): Create test-namespace for A2A service discovery RBAC test

  The RBAC reconciliation creates Role in the A2A ServiceDiscovery namespace. The test was failing because "test-namespace" didn't exist when the controller tried to create the Role for A2A discovery permissions.

  Co-authored-by: Eden Reich <edenreich@users.noreply.github.com>

* refactor(gateway): Keep it simple - one complete example

  Signed-off-by: Eden Reich <eden.reich@gmail.com>

* refactor(gateway): Simplify RBAC reconciliation logic by removing redundant comments

  Signed-off-by: Eden Reich <eden.reich@gmail.com>

* refactor(gateway): Remove redundant comments in role and role binding reconciliation

  Signed-off-by: Eden Reich <eden.reich@gmail.com>

* fix(gateway): Don't use default service account

  Signed-off-by: Eden Reich <eden.reich@gmail.com>

* refactor(test): Remove unnecessary comments in A2A service discovery test

  Signed-off-by: Eden Reich <eden.reich@gmail.com>

---------

Signed-off-by: Eden Reich <eden.reich@gmail.com>
Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
Co-authored-by: Eden Reich <edenreich@users.noreply.github.com>
1 parent b978a42 commit dda8cc6

9 files changed

Lines changed: 427 additions & 0 deletions

api/v1alpha1/gateway_types.go

Lines changed: 21 additions & 0 deletions
@@ -88,6 +88,23 @@ type GatewaySpec struct {
8888
// HPA (Horizontal Pod Autoscaler) configuration
8989
// +optional
9090
HPA *HPASpec `json:"hpa,omitempty"`
91+
92+
// ServiceAccount configuration for RBAC
93+
// +optional
94+
ServiceAccount *ServiceAccountSpec `json:"serviceAccount,omitempty"`
95+
}
96+
97+
// ServiceAccountSpec contains service account configuration for RBAC
98+
type ServiceAccountSpec struct {
99+
// Create specifies whether to create a service account
100+
// +optional
101+
// +kubebuilder:default=true
102+
Create bool `json:"create,omitempty"`
103+
104+
// Name is the name of the service account to use
105+
// If not set and create is true, a name is generated using the gateway name
106+
// +optional
107+
Name string `json:"name,omitempty"`
91108
}
92109

93110
type HPASpec struct {
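Review bot: On the `Create bool` field tagged `json:"create,omitempty"` with `+kubebuilder:default=true`, a plain bool combined with `omitempty` cannot carry an explicit `false` through a typed Go client: the zero value is dropped on marshal and the CRD default then sets it back to `true`, so a Gateway that asked for `create: false` can end up with a service account and RBAC objects created after any typed update of the object. Suggest `Create *bool` (or dropping `omitempty`), and extending the comment on `Name` to say what happens when `create` is false and `name` is empty, since it currently covers only the `create: true` case.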
@@ -613,6 +630,10 @@ type GatewayStatus struct {
613630
// otherwise it will use the service URL
614631
// +optional
615632
URL string `json:"url,omitempty"`
633+
634+
// ServiceAccountName is the name of the created service account
635+
// +optional
636+
ServiceAccountName string `json:"serviceAccountName,omitempty"`
616637
}
617638

618639
// GatewayCondition represents a condition of a Gateway deployment
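Review bot: The comment on `ServiceAccountName` says "the name of the created service account", but `ServiceAccountSpec` allows `create: false` with a user-supplied `name`, in which case nothing is created. Suggest describing it as the service account the gateway deployment runs as, and stating whether the field stays empty when no account is configured.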

api/v1alpha1/zz_generated.deepcopy.go

Lines changed: 20 additions & 0 deletions
Some generated files are not rendered by default.

config/crd/bases/core.inference-gateway.com_gateways.yaml

Lines changed: 17 additions & 0 deletions
Some generated files are not rendered by default.

config/rbac/role.yaml

Lines changed: 14 additions & 0 deletions
@@ -8,6 +8,7 @@ rules:
88
- ""
99
resources:
1010
- configmaps
11+
- serviceaccounts
1112
- services
1213
verbs:
1314
- create
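Review bot: Adding `- serviceaccounts` to the existing core-group rule gives it every verb that rule already lists for `configmaps` and `services` (the list begins with `create`; the rest is outside this hunk). Service accounts are an identity resource, so a separate rule listing only the verbs the reconciler actually uses would keep this grant reviewable on its own.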
@@ -94,3 +95,16 @@ rules:
9495
- patch
9596
- update
9697
- watch
98+
- apiGroups:
99+
- rbac.authorization.k8s.io
100+
resources:
101+
- rolebindings
102+
- roles
103+
verbs:
104+
- create
105+
- delete
106+
- get
107+
- list
108+
- patch
109+
- update
110+
- watch
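Review bot: The new `rbac.authorization.k8s.io` rule gives the operator all seven listed verbs on `roles` and `rolebindings`, with nothing in the rule to show which objects it is expected to manage. Write access to role bindings is the most sensitive grant in this file, so the rule should carry a comment naming the Role and RoleBinding the reconciler creates and the permissions they contain, and should drop any verb the reconciler does not call (is `delete` needed?). Kubernetes also only lets a subject create or update a Role whose permissions it already holds unless it has the `escalate` verb, so whatever the per-gateway Role grants must appear in this role as well.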

examples/gateway-complete.yaml

Lines changed: 7 additions & 0 deletions
@@ -14,6 +14,13 @@ metadata:
1414
spec:
1515
environment: development
1616
image: "ghcr.io/inference-gateway/inference-gateway:0.12.0"
17+
# # ServiceAccount configuration for RBAC
18+
# serviceAccount:
19+
# # Create a service account (default: true)
20+
# create: true
21+
# # Custom name for the service account (optional)
22+
# # If not specified, uses the gateway name
23+
# name: "custom-gateway-sa"
1724
hpa:
1825
enabled: true
1926
config:
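Review bot: The `serviceAccount` block is added entirely commented out, and its first line carries a doubled marker (`# # ServiceAccount configuration for RBAC`), so the example neither exercises the new field nor reads cleanly. Either enable it or say above the block why it is left off. The comment "If not specified, uses the gateway name" should also match the type's doc ("a name is generated using the gateway name") so readers know whether the name is exactly the gateway name or derived from it. A `create: false` variant with an existing account name would cover the other supported mode.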
