* docs: add RBAC overhaul design spec and requirements
Captures the motivation, constraints, and design decisions for the RBAC
overhaul before the implementation changes land.
* refactor(rbac): remove kubebuilder RBAC markers and disable controller-gen RBAC output
RBAC is now defined explicitly in Helm templates rather than generated
from code annotations. Removes all +kubebuilder:rbac markers from
controllers and drain.go, and drops the rbac output target from
controller-gen so it no longer clobbers the Helm-managed files.
* refactor(rbac): reorganize operator component RBAC into per-component Helm templates
Replaces the monolithic controller-rbac.yaml and per-component rbac.yaml
files with a consistent per-component directory structure (agent/,
api-manager/, bindings-forwarder/). Each component now owns its own
Role, RoleBinding, and optional namespace-scoped variants.
Key changes:
- agent: split rbac.yaml into role.yaml + rolebinding.yaml with
optional namespaced variants for namespace-scoped installs
- api-manager: moved from templates/rbac/role.yaml into dedicated
api-manager/ directory alongside its other templates; adds
leader-election-role.yaml and namespaced role support
- bindings-forwarder: renamed rbac.yaml -> role.yaml for consistency
- Deleted controller-rbac.yaml (replaced by api-manager/role.yaml)
- Renamed controller-{cm,deployment,pdb,serviceaccount}.yaml into
api-manager/ directory for cohesion
- Renamed service-account.yaml -> serviceaccount.yaml everywhere
- values.yaml/schema: adds crdAccessRoles and per-component RBAC flags
* feat(rbac): add CRD editor/viewer ClusterRoles for ngrok resources
Moves existing editor/viewer roles into a dedicated rbac/crd-access/
subdirectory with consistent naming, and adds new roles for
NgrokTrafficPolicy (previously missing).
These ClusterRoles are for users of the operator — granting cluster
members read or write access to ngrok CRDs — as opposed to the
operator's own service account permissions.
* test(rbac): update Helm unit tests and add chainsaw e2e RBAC verification
Updates all Helm unit tests and snapshots to match the reorganized
template structure (per-component directories, renamed files). Adds
new test suites for api-manager RBAC and crd-access roles.
Also adds a chainsaw e2e test that verifies the operator's service
accounts have exactly the permissions they need — no more, no less.
* chore: update generated artifacts after RBAC overhaul
Regenerates manifest-bundle.yaml and updates the Helm README to
reflect the new values added for per-component RBAC configuration.
* remove plan and chainsaw tests and make bindings not try to use watchNamespace
* break out k8soperator permissions and bindings permissions to separate role
* update requirements and gen manifest bundle
* make agent and api manager only query their release namespace when looking for the kubernetesoperator crd
* make bindings role always be created even if bindings is disabled
* fix(gateway): correct inverted validation logic in validateGateway — bug 2.1
The condition checked if gateway was Accepted (valid) and returned
an error, which is backwards. Fixed to return error only when
gateway is NOT accepted.
Bug-ID: 2.1
Co-Authored-By: Claude <noreply@anthropic.com>
* fix(gateway): avoid mutating cached gateway objects in predicates — bug 2.3
secretReferencedByGateway() and configMapReferencedByGateway()
mutated certRef.Namespace on cached Gateway objects via shared
pointers, corrupting the informer cache. Replaced with local
variable computation.
Bug-ID: 2.3
Co-Authored-By: Claude <noreply@anthropic.com>
* fix(gateway): default nil parentRef namespace in findHTTPRouteForGateway — bug 2.17
Per Gateway API spec, nil parentRef.Namespace defaults to the
route's namespace. The code skipped the namespace check entirely,
matching any gateway with the same name regardless of namespace.
Bug-ID: 2.17
Co-Authored-By: Claude <noreply@anthropic.com>
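The two namespace-handling fixes above (bug 2.3, writing a defaulted namespace back into a cached Gateway through a shared pointer, and bug 2.17, treating a nil parentRef.Namespace as "any namespace") share one correct pattern: resolve the optional namespace into a local value and never assign through the pointer. The following Go block is an added example, not code from the ngrok operator; the Gateway, SecretObjectReference and ParentReference types are simplified stand-ins for the Gateway API types, and the function names are hypothetical.

```go
// Added example (not from the operator code base): resolve optional namespace
// references without mutating objects handed out by the informer cache.
package main

import "fmt"

// Simplified stand-ins for the Gateway API types (hypothetical shapes).
type SecretObjectReference struct {
	Name      string
	Namespace *string // nil means "same namespace as the Gateway"
}

type Gateway struct {
	Name      string
	Namespace string
	CertRefs  []SecretObjectReference
}

type ParentReference struct {
	Name      string
	Namespace *string // nil means "same namespace as the route"
}

// effectiveNamespace resolves an optional namespace pointer against the owning
// object's namespace. It only reads through the pointer: writing
// ref.Namespace = &ns on a cached object would corrupt the shared copy.
func effectiveNamespace(ref *string, fallback string) string {
	if ref == nil || *ref == "" {
		return fallback
	}
	return *ref
}

// secretReferencedByGateway reports whether the Secret secretNS/secretName is
// referenced by any certRef on gw. gw is left untouched (bug 2.3 pattern).
func secretReferencedByGateway(gw *Gateway, secretNS, secretName string) bool {
	for _, ref := range gw.CertRefs {
		ns := effectiveNamespace(ref.Namespace, gw.Namespace)
		if ns == secretNS && ref.Name == secretName {
			return true
		}
	}
	return false
}

// parentRefMatchesGateway applies the Gateway API rule that a nil
// parentRef.Namespace defaults to the route's own namespace (bug 2.17), so a
// route cannot attach to a same-named Gateway in another namespace.
func parentRefMatchesGateway(ref ParentReference, routeNS string, gw *Gateway) bool {
	ns := effectiveNamespace(ref.Namespace, routeNS)
	return ns == gw.Namespace && ref.Name == gw.Name
}

func main() {
	other := "other"
	// Constructed sample: a Gateway in "prod" with one same-namespace certRef.
	gw := &Gateway{Name: "edge", Namespace: "prod",
		CertRefs: []SecretObjectReference{{Name: "tls"}}}

	fmt.Println(secretReferencedByGateway(gw, "prod", "tls"))    // true
	fmt.Println(gw.CertRefs[0].Namespace == nil)                  // true: cache untouched
	fmt.Println(parentRefMatchesGateway(ParentReference{Name: "edge"}, "prod", gw))    // true
	fmt.Println(parentRefMatchesGateway(ParentReference{Name: "edge"}, "staging", gw)) // false
	fmt.Println(parentRefMatchesGateway(
		ParentReference{Name: "edge", Namespace: &other}, "prod", gw)) // false
}
```

The cache-safety property is the one worth asserting in a unit test: after the predicate runs, the nil Namespace on the cached object must still be nil.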
* fix(lint): consolidate duplicate corev1/v1 import aliases
The test file had both corev1 and v1 as aliases for k8s.io/api/core/v1,
which won't compile. Consolidate to corev1 matching the rest of the package.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: address PR feedback on gateway changes
- Extract certRefMatches helper to remove duplication across three
call sites in secretReferencedByGateway and configMapReferencedByGateway
- Remove validateGateway Describe block: return value is discarded by
the caller so the bug is not user-observable, and existing env tests
already cover accepted/not-accepted paths
- Remove findHTTPRouteForGateway Describe block: watch mapper behavior
is not user-observable via CR status; existing HTTPRoute env tests
cover reconcile behavior
- Revert corev1 alias back to v1 so this PR does not touch the import
* fix lint
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Jonathan Stacks <jonstacks@users.noreply.github.com>
* Don't overwrite other ingress/gateway class resource statuses
* Apply suggestions from code review
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* add tests and return empty when controller name is not set
* check parent ref controller name when validating
---------
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* feat(devenv): Add bashInteractive
Signed-off-by: Jonathan Stacks <jonstacks@users.noreply.github.com>
* fix(controller): skip reconciliation for [HTTP,TLS,TCP]Routes not referencing ngrok-managed Gateways
Signed-off-by: Jonathan Stacks <jonstacks@users.noreply.github.com>
* test: Remove gateway chainsaw tests for now
We'll add this back in once we have a better way to do chainsaw tests
with the Gateway API
Signed-off-by: Jonathan Stacks <jonstacks@users.noreply.github.com>
---------
Signed-off-by: Jonathan Stacks <jonstacks@users.noreply.github.com>
* Allow helm uninstall to be configured to handle cleaning up api resources and removing finalizers
* update helm values readme
* fix lint in drain.go
* Update helm snapshots
* use endpoints-verbose in tests and add a tiny sleep to the drain
* add more go tests
* code review comments addressed: move dockerfile args back, simplify api-manager.go kubernetesoperator changes, and add type of drainstatus in type
* feat(gateway-api): Validate gateway listeners hostname and port
* fix: Don't remove the gateway from the store if it is invalid
* fix: don't update gateway status unless it needs updating
* chore: Upgrade envtest & k8s version
* test: Enable HTTPReconciler and GatewayReconciler in tests
* test: Add more utilities to testutils package
* refactor: Use meta to set status condition and use test helpers
* feat(gateway-controller): Accept Gateway Controllers
* feat(httproute-controller): Accept HTTP Routes