fix tigera-operator permission error for egressgateway (#3865)

Author: vara2504

pkg/render/egressgateway/egressgateway.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2023-2024 Tigera, Inc. All rights reserved.
+// Copyright (c) 2023-2025 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -100,10 +100,11 @@ func (c *component) SupportedOSType() rmeta.OSType {
 }
 
 func (c *component) Objects() ([]client.Object, []client.Object) {
-	objectsToCreate := append(
-		secret.ToRuntimeObjects(c.egwPullSecrets()...),
-		c.egwServiceAccount(),
-	)
+
+	var objectsToCreate []client.Object
+	objectsToCreate = append(objectsToCreate, c.egwOperatorSecretsRoleBinding())
+	objectsToCreate = append(objectsToCreate, secret.ToRuntimeObjects(c.egwPullSecrets()...)...)
+	objectsToCreate = append(objectsToCreate, c.egwServiceAccount())
 
 	var objectsToDelete []client.Object
 	if c.config.OpenShift {
@@ -122,6 +123,16 @@ func (c *component) Objects() ([]client.Object, []client.Object) {
 	return objectsToCreate, objectsToDelete
 }
 
+func (c *component) egwOperatorSecretsRoleBinding() *rbacv1.RoleBinding {
+	operatorSecretRB := render.CreateOperatorSecretsRoleBinding(c.config.EgressGW.Namespace)
+	operatorSecretRB.ObjectMeta.Labels = common.MapExistsOrInitialize(operatorSecretRB.ObjectMeta.Labels)
+	// The tigera-operator-secrets RoleBinding is shared across all EGW CRs in this namespace.
+	// As such, we mark it as having multiple owners so that we maintain multiple owner references
+	// when creating the rolebinding so that it will only be GC'd when all of its owners have been deleted.
+	operatorSecretRB.ObjectMeta.Labels[common.MultipleOwnersLabel] = "true"
+	return operatorSecretRB
+}
+
 func (c *component) Ready() bool {
 	return true
 }

pkg/render/egressgateway/egressgateway_test.go

@@ -115,6 +115,7 @@ var _ = Describe("Egress Gateway rendering tests", func() {
 			version string
 			kind    string
 		}{
+			{"tigera-operator-secrets", "test-ns", "rbac.authorization.k8s.io", "v1", "RoleBinding"},
 			{"test-secret", "test-ns", "", "v1", "Secret"},
 			{"egress-test", "test-ns", "", "v1", "ServiceAccount"},
 			{"egress-test", "test-ns", "apps", "v1", "Deployment"},
@@ -273,7 +274,7 @@ var _ = Describe("Egress Gateway rendering tests", func() {
 			VXLANPort:    4790,
 		})
 		resources, _ := component.Objects()
-		Expect(resources).To(HaveLen(2))
+		Expect(resources).To(HaveLen(3))
 		dep := rtest.GetResource(resources, "egress-test", "test-ns", "apps", "v1", "Deployment").(*appsv1.Deployment)
 		Expect(dep.Spec.Template.Spec.Containers[0].Resources).To(Equal(expectedResource))
 		elasticIPAnnotation := dep.Spec.Template.ObjectMeta.Annotations["cni.projectcalico.org/awsElasticIPs"]
@@ -288,6 +289,7 @@ var _ = Describe("Egress Gateway rendering tests", func() {
 			version string
 			kind    string
 		}{
+			{"tigera-operator-secrets", "test-ns", "rbac.authorization.k8s.io", "v1", "RoleBinding"},
 			{"egress-test", "test-ns", "", "v1", "ServiceAccount"},
 			{"egress-test", "test-ns", rbac, "v1", "Role"},
 			{"egress-test", "test-ns", rbac, "v1", "RoleBinding"},