refactor: move RBAC for EG into helm chart and drop unnecessary rules (#1377)

mathetake · web-flow · commit d5dea691cae3 · 2025-10-16T11:11:13.000-07:00
**Description** This moves the RBAC yaml necessary to be attached to EG controller into our helm chart. This removes one additional step during the installation. This also removes the unnecessary/unused roles from the RBAC. The remaining thing is only for the inference pool. **Related Issues/PRs (if applicable)** Part of #1191 --------- Signed-off-by: Takeshi Yoneda <t.y.mathetake@gmail.com>
diff --git a/manifests/charts/ai-gateway-helm/templates/envoy_gateway_cluster_role_for_inference_pool.yaml b/manifests/charts/ai-gateway-helm/templates/envoy_gateway_cluster_role_for_inference_pool.yaml
@@ -0,0 +1,37 @@
+# Copyright Envoy AI Gateway Authors
+# SPDX-License-Identifier: Apache-2.0
+# The full text of the Apache license is available in the LICENSE file at
+# the root of the repo.
+
+# This file contains the RBAC roles and role bindings for the Envoy Gateway
+# so that it can read the InferencePool resources that are set in the HTTPRoutes
+# generated by the AI Gateway.
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: envoy-ai-gateway-inference-pool-reader
+rules:
+  - apiGroups:
+      - "inference.networking.k8s.io"
+    resources:
+      - "inferencepools"
+    verbs:
+      - "get"
+      - "list"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: envoy-ai-gateway-inference-pool-reader-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: envoy-ai-gateway-inference-pool-reader
+subjects:
+  - kind: ServiceAccount
+    # The service account name is hardcoded to "envoy-gateway":
+    # https://github.com/envoyproxy/gateway/blob/70af785fba094929bc6044a57470d429205c4d5e/charts/gateway-helm/templates/envoy-gateway-serviceaccount.yaml#L4
+    name: envoy-gateway
+    namespace: {{ .Values.envoyGateway.namespace }}
+---
diff --git a/manifests/charts/ai-gateway-helm/values.yaml b/manifests/charts/ai-gateway-helm/values.yaml
@@ -178,3 +178,8 @@ controller:
   #
   # This value should be set to a secure random string in production environments instead of the default below.
   mcpSessionEncryptionSeed: "default-insecure-seed"
+
+# Configuration for the Envoy Gateway component that AI Gateway relies on to program Envoy.
+envoyGateway:
+  # The namespace where the Envoy Gateway controller is installed.
+  namespace : envoy-gateway-system
diff --git a/manifests/envoy-gateway-config/rbac.yaml b/manifests/envoy-gateway-config/rbac.yaml
diff --git a/site/docs/getting-started/installation.md b/site/docs/getting-started/installation.md
@@ -58,7 +58,6 @@ After installing Envoy AI Gateway, apply the AI Gateway-specific configuration t
 ```shell
 kubectl apply -f https://raw.githubusercontent.com/envoyproxy/ai-gateway/main/manifests/envoy-gateway-config/redis.yaml
 kubectl apply -f https://raw.githubusercontent.com/envoyproxy/ai-gateway/main/manifests/envoy-gateway-config/config.yaml
-kubectl apply -f https://raw.githubusercontent.com/envoyproxy/ai-gateway/main/manifests/envoy-gateway-config/rbac.yaml
 
 kubectl rollout restart -n envoy-gateway-system deployment/envoy-gateway
 

Original file line number	Diff line number	Diff line change
`@@ -178,3 +178,8 @@ controller:`
`178`	`178`	`#`
`179`	`179`	`# This value should be set to a secure random string in production environments instead of the default below.`
`180`	`180`	`mcpSessionEncryptionSeed: "default-insecure-seed"`
	`181`	`+`
	`182`	`+# Configuration for the Envoy Gateway component that AI Gateway relies on to program Envoy.`
	`183`	`+envoyGateway:`
	`184`	`+ # The namespace where the Envoy Gateway controller is installed.`
	`185`	`+ namespace : envoy-gateway-system`