feat(helm): propagate commonLabels to RBAC resources#8818
Open
mvanhorn wants to merge 2 commits intoenvoyproxy:mainfrom
Open
feat(helm): propagate commonLabels to RBAC resources#8818mvanhorn wants to merge 2 commits intoenvoyproxy:mainfrom
mvanhorn wants to merge 2 commits intoenvoyproxy:mainfrom
Conversation
✅ Deploy Preview for cerulean-figolla-1f9435 ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Member
|
Hi @mvanhorn Can you sign this commit? |
Member
|
@codex review |
|
Codex Review: Didn't find any major issues. Can't wait for the next one! ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #8818 +/- ##
==========================================
+ Coverage 73.62% 73.70% +0.07%
==========================================
Files 245 245
Lines 48805 48805
==========================================
+ Hits 35935 35970 +35
+ Misses 10866 10834 -32
+ Partials 2004 2001 -3 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Issue envoyproxy#8817 reported that 'helm template ... --set commonLabels.custom-label=custom-value' left ClusterRole, ClusterRoleBinding, Role, and RoleBinding resources unlabelled. The other resources in the chart already include 'eg.labels' in their metadata - which picks up 'commonLabels' via the helper at _helpers.tpl:43 - but envoy-gateway-rbac.yaml didn't set any labels block. Add 'labels: {{- include "eg.labels" . | nindent 4 }}' on every Role / RoleBinding / ClusterRole / ClusterRoleBinding declared in envoy-gateway-rbac.yaml. Matches the existing labels pattern used in certgen-rbac.yaml and envoy-gateway-deployment.yaml. Scopes are '$' inside the watched-namespaces 'range' and '.' at the template root, same rule the helper block inside the file already used. Verified locally with: helm dependency update charts/gateway-helm envsubst < charts/gateway-helm/values.tmpl.yaml > \ charts/gateway-helm/values.yaml helm template eg charts/gateway-helm \ --set commonLabels.custom-label=custom-value | yq ... All four RBAC resources now emit 'custom-label: custom-value' in their metadata.labels, matching the issue's repro steps. Cert-gen RBAC resources already carried it; this PR brings the core envoy-gateway RBAC set into parity. Fixes envoyproxy#8817 Signed-off-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Run 'make helm-template.gateway-helm' to regenerate the snapshot fixtures after the envoy-gateway-rbac.yaml labels change. Adds the 'labels:' block to the RBAC resources in all 27 test cases. Signed-off-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
29270b3 to
0af14ed
Compare
Author
|
@zhaohuabing signed the commit in fee67e5 and regenerated the helm-template snapshots in 0af14ed - the 27 .out.yaml files under test/helm/gateway-helm/ now include the RBAC labels block. Force-pushed to the PR. Let me know if gen-check still flags anything. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Thread
commonLabelsthrough the four RBAC resources declared incharts/gateway-helm/templates/envoy-gateway-rbac.yamlby adding the existingeg.labelshelper to each of them - the same pattern already used incertgen-rbac.yamlandenvoy-gateway-deployment.yaml.Why this matters
Issue #8817 pointed at the concrete gap:
helm template eg ... --set commonLabels.custom-label=custom-valuerendersClusterRole eg-gateway-helm-envoy-gateway-roleandClusterRoleBinding eg-gateway-helm-envoy-gateway-rolebindingwithcustom-label: null. The cause is mechanical - those resources just didn't declare alabels:block, so thecommonLabelsmerged in byeg.labels(at_helpers.tpl:43) never reached them. The cert-gen RBAC and the rest of the chart already have the labels block, so this PR just closes the last gap.Changes
charts/gateway-helm/templates/envoy-gateway-rbac.yaml: addrange, ClusterRole + ClusterRoleBinding at the template root, and the two outer ClusterRole/ClusterRoleBinding in the{{ else }}branch).$vs.matches the existing template-root scoping rules in the same file.Testing
Local render:
After this change, all four envoy-gateway RBAC resources (plus the cert-gen set that was already wired) render
custom-label: custom-value:Matches the expected output in the issue's repro block.
Fixes #8817
This contribution was developed with AI assistance (Claude Code).