fix tigera-operator permission error for egressgateway

vara2504 · vara2504 · commit 7c6a2ba84f23 · 2025-04-03T18:58:40.000-07:00
diff --git a/pkg/render/egressgateway/egressgateway.go b/pkg/render/egressgateway/egressgateway.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2023-2024 Tigera, Inc. All rights reserved.
+// Copyright (c) 2023-2025 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -100,10 +100,11 @@ func (c *component) SupportedOSType() rmeta.OSType {
 }
 
 func (c *component) Objects() ([]client.Object, []client.Object) {
-	objectsToCreate := append(
-		secret.ToRuntimeObjects(c.egwPullSecrets()...),
-		c.egwServiceAccount(),
-	)
+
+	var objectsToCreate []client.Object
+	objectsToCreate = append(objectsToCreate, c.egwOperatorSecretsRoleBinding())
+	objectsToCreate = append(objectsToCreate, secret.ToRuntimeObjects(c.egwPullSecrets()...)...)
+	objectsToCreate = append(objectsToCreate, c.egwServiceAccount())
 
 	var objectsToDelete []client.Object
 	if c.config.OpenShift {
@@ -122,6 +123,16 @@ func (c *component) Objects() ([]client.Object, []client.Object) {
 	return objectsToCreate, objectsToDelete
 }
 
+func (c *component) egwOperatorSecretsRoleBinding() *rbacv1.RoleBinding {
+	operatorSecretRB := render.CreateOperatorSecretsRoleBinding(c.config.EgressGW.Namespace)
+	operatorSecretRB.ObjectMeta.Labels = common.MapExistsOrInitialize(operatorSecretRB.ObjectMeta.Labels)
+	// The tigera-operator-secrets RoleBinding is shared across all EGW CRs in this namespace.
+	// As such, we mark it as having multiple owners so that we maintain multiple owner references
+	// when creating the rolebinding so that it will only be GC'd when all of its owners have been deleted.
+	operatorSecretRB.ObjectMeta.Labels[common.MultipleOwnersLabel] = "true"
+	return operatorSecretRB
+}
+
 func (c *component) Ready() bool {
 	return true
 }
