NET-6752 Change scope of MeshGateway CRD to Namespaced (#3287)

* Change scope of MeshGateway CRD to Namespaced

This matches the scope of the corresponding Gateway CRD in the Kubernetes Gateway API, which we will one day use.

It also prevents some undesirable side effects of being cluster-scoped. Namely, the cluster-scoped MeshGateway always resides in the "default" namespace implicitly and thus cannot be referenced as the owner of Deployments, ServiceAccounts, etc in any other namespace due to the fact that cross-namespace owner references are not allowed.

* Specify namespace in serviceaccount builder test

* Set namespace for meshGateways in resource job config map

* Modify unit test to use non-default namespace

charts/consul/templates/crd-meshgateways.yaml

@@ -18,7 +18,7 @@ spec:
     listKind: MeshGatewayList
     plural: meshgateways
     singular: meshgateway
-  scope: Cluster
+  scope: Namespaced
   versions:
   - additionalPrinterColumns:
     - description: The sync status of the resource with Consul

charts/consul/templates/gateway-resources-configmap.yaml

@@ -32,6 +32,7 @@ data:
           serviceType: {{ .Values.meshGateway.service.type }}
     meshGateways:
       - name: mesh-gateway
+        namespace: {{ .Release.Namespace }}
         spec:
           gatewayClassName: consul-mesh-gateway
     {{- end }}

control-plane/api/mesh/v2beta1/mesh_gateway_types.go

@@ -33,7 +33,7 @@ func init() {
 // +kubebuilder:printcolumn:name="Synced",type="string",JSONPath=".status.conditions[?(@.type==\"Synced\")].status",description="The sync status of the resource with Consul"
 // +kubebuilder:printcolumn:name="Last Synced",type="date",JSONPath=".status.lastSyncedTime",description="The last successful synced time of the resource with Consul"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="The age of the resource"
-// +kubebuilder:resource:scope="Cluster"
+// +kubebuilder:resource:scope="Namespaced"
 type MeshGateway struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

control-plane/config-entries/controllersv2/mesh_gateway_controller_test.go

@@ -45,21 +45,21 @@ func TestMeshGatewayController_Reconcile(t *testing.T) {
 			k8sObjects: []runtime.Object{
 				&v2beta1.MeshGateway{
 					ObjectMeta: metav1.ObjectMeta{
-						Namespace: "default",
+						Namespace: "consul",
 						Name:      "mesh-gateway",
 					},
 				},
 			},
 			request: ctrl.Request{
 				NamespacedName: types.NamespacedName{
-					Namespace: "default",
+					Namespace: "consul",
 					Name:      "mesh-gateway",
 				},
 			},
 			expectedResult: ctrl.Result{},
 			postReconcile: func(t *testing.T, c client.Client) {
 				// Verify ServiceAccount was created
-				key := client.ObjectKey{Namespace: "default", Name: "mesh-gateway"}
+				key := client.ObjectKey{Namespace: "consul", Name: "mesh-gateway"}
 				assert.NoError(t, c.Get(context.Background(), key, &corev1.ServiceAccount{}))
 			},
 		},

control-plane/config/crd/bases/mesh.consul.hashicorp.com_meshgateways.yaml

@@ -14,7 +14,7 @@ spec:
     listKind: MeshGatewayList
     plural: meshgateways
     singular: meshgateway
-  scope: Cluster
+  scope: Namespaced
   versions:
   - additionalPrinterColumns:
     - description: The sync status of the resource with Consul

control-plane/gateways/serviceaccount_test.go

@@ -13,14 +13,14 @@ import (
 func TestNewMeshGatewayBuilder_ServiceAccount(t *testing.T) {
 	b := NewMeshGatewayBuilder(&meshv2beta1.MeshGateway{
 		ObjectMeta: metav1.ObjectMeta{
-			Namespace: "",
+			Namespace: "default",
 			Name:      "mesh-gateway",
 		},
 	})
 
 	expected := &corev1.ServiceAccount{
 		ObjectMeta: metav1.ObjectMeta{
-			Namespace: "",
+			Namespace: "default",
 			Name:      "mesh-gateway",
 			Labels:    b.Labels(),
 		},