feat: allow deployment annotations to be added through helm (envoyproxy#6341)

lboynton · zirain · web-flow · commit fcddc4d9d05c · 2025-07-02T20:20:57.000+08:00
* feat: allow deployment annotations to be added through helm

Signed-off-by: Lee Boynton &lt;lee.boynton@truelayer.com&gt;

* Update changelog

Signed-off-by: Lee Boynton &lt;lee.boynton@truelayer.com&gt;

* Update readme values

Signed-off-by: Lee Boynton &lt;lee.boynton@truelayer.com&gt;

* update readme

Signed-off-by: Lee Boynton &lt;lee.boynton@truelayer.com&gt;

* add test

Signed-off-by: Lee Boynton &lt;lee.boynton@truelayer.com&gt;

* fix test, order is important

Signed-off-by: Lee Boynton &lt;lee.boynton@truelayer.com&gt;

---------

Signed-off-by: Lee Boynton &lt;lee.boynton@truelayer.com&gt;
Co-authored-by: zirain &lt;zirain2009@gmail.com&gt;
diff --git a/charts/gateway-helm/README.md b/charts/gateway-helm/README.md
@@ -62,6 +62,7 @@ To uninstall the chart:
 | certgen | object | `{"job":{"affinity":{},"annotations":{},"args":[],"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
 | config.envoyGateway | object | `{"extensionApis":{},"gateway":{"controllerName":"gateway.envoyproxy.io/gatewayclass-controller"},"logging":{"level":{"default":"info"}},"provider":{"type":"Kubernetes"}}` | EnvoyGateway configuration. Visit https://gateway.envoyproxy.io/docs/api/extension_types/#envoygateway to view all options. |
 | createNamespace | bool | `false` |  |
+| deployment.annotations | object | `{}` |  |
 | deployment.envoyGateway.image.repository | string | `""` |  |
 | deployment.envoyGateway.image.tag | string | `""` |  |
 | deployment.envoyGateway.imagePullPolicy | string | `""` |  |
diff --git a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml
@@ -3,6 +3,10 @@ kind: Deployment
 metadata:
   name: envoy-gateway
   namespace: '{{ .Release.Namespace }}'
+  {{- with .Values.deployment.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   labels:
     control-plane: envoy-gateway
   {{- include "eg.labels" . | nindent 4 }}
diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml
@@ -31,6 +31,7 @@ podDisruptionBudget:
   # maxUnavailable: 1
 
 deployment:
+  annotations: {}
   envoyGateway:
     image:
       # if both this and global.imageRegistry are specified, this has to include both registry and repository explicitly, eg docker.io/envoyproxy/gateway
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
@@ -29,6 +29,7 @@ new features: |
   Added support for configuring user provided name to generated HorizontalPodAutoscaler and PodDisruptionBudget resources.
   Added support for client certificate validation (SPKI, hash, SAN) in ClientTrafficPolicy.
   Added support for OIDC RP initialized logout. If the end session endpoint is explicitly specified or discovered from the issuer's well-known url, the end session endpoint will be invoked when the user logs out.
+  Added support for specifying deployment annotations through the helm chart.
 
 
 bug fixes: |
diff --git a/site/content/en/latest/install/gateway-helm-api.md b/site/content/en/latest/install/gateway-helm-api.md
@@ -26,6 +26,7 @@ The Helm chart for Envoy Gateway
 | certgen | object | `{"job":{"affinity":{},"annotations":{},"args":[],"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
 | config.envoyGateway | object | `{"extensionApis":{},"gateway":{"controllerName":"gateway.envoyproxy.io/gatewayclass-controller"},"logging":{"level":{"default":"info"}},"provider":{"type":"Kubernetes"}}` | EnvoyGateway configuration. Visit https://gateway.envoyproxy.io/docs/api/extension_types/#envoygateway to view all options. |
 | createNamespace | bool | `false` |  |
+| deployment.annotations | object | `{}` |  |
 | deployment.envoyGateway.image.repository | string | `""` |  |
 | deployment.envoyGateway.image.tag | string | `""` |  |
 | deployment.envoyGateway.imagePullPolicy | string | `""` |  |
diff --git a/test/helm/gateway-helm/deployment-annotations.in.yaml b/test/helm/gateway-helm/deployment-annotations.in.yaml
@@ -0,0 +1,11 @@
+global:
+  images:
+    envoyGateway:
+      image: "docker.io/envoyproxy/gateway-dev:latest"
+      pullPolicy: Always
+
+deployment:
+  annotations:
+    my-custom-annotation-1: example-1
+    my-custom-annotation-2: example-2
+    my-custom-annotation-3: example-3
diff --git a/test/helm/gateway-helm/deployment-annotations.out.yaml b/test/helm/gateway-helm/deployment-annotations.out.yaml
