fix: helm secrets rbac for gateway namespace with watch list of namespaces

Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

Author: cnvergence

charts/gateway-helm/templates/_rbac.tpl

@@ -249,6 +249,17 @@ verbs:
   - watch
 {{- end }}
 
+{{- define "eg.rbac.namespaced.infra.secrets.read" -}}
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+{{- end }}
+
 {{- define "eg.rbac.infra.tokenreview" -}}
 - apiGroups:
   - authentication.k8s.io

charts/gateway-helm/templates/infra-manager-rbac.yaml

@@ -42,6 +42,9 @@ metadata:
   {{- include "eg.labels" . | nindent 4 }}
 rules:
 {{ include "eg.rbac.infra.basic" . }}
+{{ if and (.Values.config.envoyGateway.provider.kubernetes) (.Values.config.envoyGateway.provider.kubernetes.watch) (.Values.config.envoyGateway.provider.kubernetes.deploy) (eq .Values.config.envoyGateway.provider.kubernetes.deploy.type "GatewayNamespace") (.Values.config.envoyGateway.provider.kubernetes.watch.namespaces) (gt (len .Values.config.envoyGateway.provider.kubernetes.watch.namespaces) 0) }}
+{{ include "eg.rbac.namespaced.infra.secrets.read" . }}
+{{ end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

test/helm/gateway-helm/envoy-gateway-gateway-namespace-config-watch.out.yaml

@@ -414,6 +414,15 @@ rules:
   - list
   - get
   - watch
+
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
 ---
 # Source: gateway-helm/templates/leader-election-rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1