api: allow to custom service account name (envoyproxy#6360)

zirain · web-flow · commit 40e3d6ec34fe · 2025-06-24T10:35:48.000+08:00
* api: allow reuse exiting service account

Signed-off-by: zirain &lt;zirain2009@gmail.com&gt;

* update

Signed-off-by: zirain &lt;zirain2009@gmail.com&gt;

---------

Signed-off-by: zirain &lt;zirain2009@gmail.com&gt;
diff --git a/api/v1alpha1/envoyproxy_types.go b/api/v1alpha1/envoyproxy_types.go
@@ -373,6 +373,17 @@ type EnvoyProxyKubernetesProvider struct {
 	// EnvoyPDB allows to control the pod disruption budget of an Envoy Proxy.
 	// +optional
 	EnvoyPDB *KubernetesPodDisruptionBudgetSpec `json:"envoyPDB,omitempty"`
+
+	// EnvoyServiceAccount defines the desired state of the Envoy service account resource.
+	EnvoyServiceAccount *KubernetesServiceAccountSpec `json:"envoyServiceAccount,omitempty"`
+}
+
+type KubernetesServiceAccountSpec struct {
+	// Name of the Service Account.
+	// When unset, this defaults to an autogenerated name.
+	//
+	// +optional
+	Name *string `json:"name,omitempty"`
 }
 
 // ProxyLogging defines logging parameters for managed proxies.
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_envoyproxies.yaml
@@ -10445,6 +10445,16 @@ spec:
                         - message: loadBalancerIP can only be set for LoadBalancer
                             type
                           rule: '!has(self.loadBalancerIP) || self.type == ''LoadBalancer'''
+                      envoyServiceAccount:
+                        description: EnvoyServiceAccount defines the desired state
+                          of the Envoy service account resource.
+                        properties:
+                          name:
+                            description: |-
+                              Name of the Service Account.
+                              When unset, this defaults to an autogenerated name.
+                            type: string
+                        type: object
                       useListenerPortAsContainerPort:
                         description: |-
                           UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
@@ -10444,6 +10444,16 @@ spec:
                         - message: loadBalancerIP can only be set for LoadBalancer
                             type
                           rule: '!has(self.loadBalancerIP) || self.type == ''LoadBalancer'''
+                      envoyServiceAccount:
+                        description: EnvoyServiceAccount defines the desired state
+                          of the Envoy service account resource.
+                        properties:
+                          name:
+                            description: |-
+                              Name of the Service Account.
+                              When unset, this defaults to an autogenerated name.
+                            type: string
+                        type: object
                       useListenerPortAsContainerPort:
                         description: |-
                           UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
@@ -1590,6 +1590,7 @@ _Appears in:_
 | `envoyHpa` | _[KubernetesHorizontalPodAutoscalerSpec](#kuberneteshorizontalpodautoscalerspec)_ |  false  |  | EnvoyHpa defines the Horizontal Pod Autoscaler settings for Envoy Proxy Deployment. |
 | `useListenerPortAsContainerPort` | _boolean_ |  false  |  | UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.<br />When set to false (default value), if the service port is a privileged port (1-1023), add a constant to the value converting it into an ephemeral port.<br />This allows the container to bind to the port without needing a CAP_NET_BIND_SERVICE capability. |
 | `envoyPDB` | _[KubernetesPodDisruptionBudgetSpec](#kubernetespoddisruptionbudgetspec)_ |  false  |  | EnvoyPDB allows to control the pod disruption budget of an Envoy Proxy. |
+| `envoyServiceAccount` | _[KubernetesServiceAccountSpec](#kubernetesserviceaccountspec)_ |  true  |  | EnvoyServiceAccount defines the desired state of the Envoy service account resource. |
 
 
 #### EnvoyProxyProvider
@@ -2925,6 +2926,20 @@ _Appears in:_
 | `topologySpreadConstraints` | _[TopologySpreadConstraint](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#topologyspreadconstraint-v1-core) array_ |  false  |  | TopologySpreadConstraints describes how a group of pods ought to spread across topology<br />domains. Scheduler will schedule pods in a way which abides by the constraints.<br />All topologySpreadConstraints are ANDed. |
 
 
+#### KubernetesServiceAccountSpec
+
+
+
+
+
+_Appears in:_
+- [EnvoyProxyKubernetesProvider](#envoyproxykubernetesprovider)
+
+| Field | Type | Required | Default | Description |
+| ---   | ---  | ---      | ---     | ---         |
+| `name` | _string_ |  false  |  | Name of the Service Account.<br />When unset, this defaults to an autogenerated name. |
+
+
 #### KubernetesServiceSpec
 
 
diff --git a/test/helm/gateway-crds-helm/all.out.yaml b/test/helm/gateway-crds-helm/all.out.yaml
@@ -34026,6 +34026,16 @@ spec:
                         - message: loadBalancerIP can only be set for LoadBalancer
                             type
                           rule: '!has(self.loadBalancerIP) || self.type == ''LoadBalancer'''
+                      envoyServiceAccount:
+                        description: EnvoyServiceAccount defines the desired state
+                          of the Envoy service account resource.
+                        properties:
+                          name:
+                            description: |-
+                              Name of the Service Account.
+                              When unset, this defaults to an autogenerated name.
+                            type: string
+                        type: object
                       useListenerPortAsContainerPort:
                         description: |-
                           UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
diff --git a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml
@@ -16714,6 +16714,16 @@ spec:
                         - message: loadBalancerIP can only be set for LoadBalancer
                             type
                           rule: '!has(self.loadBalancerIP) || self.type == ''LoadBalancer'''
+                      envoyServiceAccount:
+                        description: EnvoyServiceAccount defines the desired state
+                          of the Envoy service account resource.
+                        properties:
+                          name:
+                            description: |-
+                              Name of the Service Account.
+                              When unset, this defaults to an autogenerated name.
+                            type: string
+                        type: object
                       useListenerPortAsContainerPort:
                         description: |-
                           UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
