feat(gatewayapi): add Gateway API RBAC for L7 log collector (#4282)

pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml

@@ -901,6 +901,7 @@ spec:
                     - %n: Policy or profile name.
                     - %p: Policy or profile name (namespace/name for namespaced kinds or just name for non namespaced kinds).
                     [Default: calico-packet]
+                  pattern: "^([a-zA-Z0-9%: /_-])*$"
                   type: string
                 logSeverityFile:
                   description:

pkg/crds/calico/crd.projectcalico.org_kubecontrollersconfigurations.yaml

@@ -80,6 +80,15 @@ spec:
                         reconcilerPeriod:
                           type: string
                       type: object
+                    policyMigration:
+                      properties:
+                        enabled:
+                          default: Enabled
+                          enum:
+                            - Disabled
+                            - Enabled
+                          type: string
+                      type: object
                     serviceAccount:
                       properties:
                         reconcilerPeriod:
@@ -167,6 +176,15 @@ spec:
                             reconcilerPeriod:
                               type: string
                           type: object
+                        policyMigration:
+                          properties:
+                            enabled:
+                              default: Enabled
+                              enum:
+                                - Disabled
+                                - Enabled
+                              type: string
+                          type: object
                         serviceAccount:
                           properties:
                             reconcilerPeriod:

pkg/render/gatewayapi/gateway_api.go

@@ -1121,7 +1121,9 @@ func (pr *gatewayAPIImplementationComponent) wafHttpFilterServiceAccount() *core
 	}
 }
 
-// wafHttpFilterClusterRole creates the ClusterRole for WAF HTTP Filter
+// wafHttpFilterClusterRole creates the ClusterRole for WAF HTTP Filter and L7 Log Collector.
+// The L7 Log Collector sidecar shares this ServiceAccount and needs additional permissions
+// to watch Gateway API resources for log enrichment.
 func (pr *gatewayAPIImplementationComponent) wafHttpFilterClusterRole() *rbacv1.ClusterRole {
 	return &rbacv1.ClusterRole{
 		TypeMeta: metav1.TypeMeta{Kind: "ClusterRole", APIVersion: "rbac.authorization.k8s.io/v1"},
@@ -1139,6 +1141,12 @@ func (pr *gatewayAPIImplementationComponent) wafHttpFilterClusterRole() *rbacv1.
 				Resources: []string{"tokenreviews"},
 				Verbs:     []string{"create"},
 			},
+			// Gateway API resources for L7 Log Collector enrichment
+			{
+				APIGroups: []string{"gateway.networking.k8s.io"},
+				Resources: []string{"gateways", "httproutes", "grpcroutes"},
+				Verbs:     []string{"get", "list", "watch"},
+			},
 		},
 	}
 }

pkg/render/gatewayapi/gateway_api_test.go

@@ -1236,4 +1236,63 @@ var _ = Describe("Gateway API rendering tests", func() {
 		// DaemonSet init containers are not supported, so these should not be present
 		// This is expected behavior as mentioned in the code comments
 	})
+
+	It("should create correct RBAC for L7 log collector enrichment", func() {
+		installation := &operatorv1.InstallationSpec{
+			Variant: operatorv1.TigeraSecureEnterprise,
+		}
+		gatewayAPI := &operatorv1.GatewayAPI{
+			Spec: operatorv1.GatewayAPISpec{
+				GatewayClasses: []operatorv1.GatewayClassSpec{{Name: "tigera-gateway-class"}},
+			},
+		}
+		gatewayComp := GatewayAPIImplementationComponent(&GatewayAPIImplementationConfig{
+			Installation: installation,
+			GatewayAPI:   gatewayAPI,
+		})
+
+		objsToCreate, _ := gatewayComp.Objects()
+
+		// Verify ClusterRole exists
+		clusterRole, err := rtest.GetResourceOfType[*rbacv1.ClusterRole](objsToCreate, "waf-http-filter", "")
+		Expect(err).NotTo(HaveOccurred())
+		Expect(clusterRole.Name).To(Equal("waf-http-filter"))
+
+		// Verify the ClusterRole has the correct rules
+		Expect(clusterRole.Rules).To(HaveLen(3))
+
+		// Check license key access for WAF
+		Expect(clusterRole.Rules).To(ContainElement(rbacv1.PolicyRule{
+			APIGroups: []string{"crd.projectcalico.org"},
+			Resources: []string{"licensekeys"},
+			Verbs:     []string{"get", "watch"},
+		}))
+
+		// Check token review permissions for WAF
+		Expect(clusterRole.Rules).To(ContainElement(rbacv1.PolicyRule{
+			APIGroups: []string{"authentication.k8s.io"},
+			Resources: []string{"tokenreviews"},
+			Verbs:     []string{"create"},
+		}))
+
+		// Check Gateway API resources for L7 Log Collector enrichment
+		Expect(clusterRole.Rules).To(ContainElement(rbacv1.PolicyRule{
+			APIGroups: []string{"gateway.networking.k8s.io"},
+			Resources: []string{"gateways", "httproutes", "grpcroutes"},
+			Verbs:     []string{"get", "list", "watch"},
+		}))
+
+		// Verify ClusterRoleBinding exists
+		clusterRoleBinding, err := rtest.GetResourceOfType[*rbacv1.ClusterRoleBinding](objsToCreate, "waf-http-filter", "")
+		Expect(err).NotTo(HaveOccurred())
+		Expect(clusterRoleBinding.Name).To(Equal("waf-http-filter"))
+		Expect(clusterRoleBinding.RoleRef.Name).To(Equal("waf-http-filter"))
+		Expect(clusterRoleBinding.RoleRef.Kind).To(Equal("ClusterRole"))
+
+		// Verify ServiceAccount exists
+		serviceAccount, err := rtest.GetResourceOfType[*corev1.ServiceAccount](objsToCreate, "waf-http-filter", "tigera-gateway")
+		Expect(err).NotTo(HaveOccurred())
+		Expect(serviceAccount.Name).To(Equal("waf-http-filter"))
+		Expect(serviceAccount.Namespace).To(Equal("tigera-gateway"))
+	})
 })