fix(Traefik Proxy)!: use namespaceOverride as expected

traefik/VALUES.md

@@ -262,7 +262,7 @@ Kubernetes: `>=1.22.0-0`
 | providers.kubernetesGateway.nativeLBByDefault | bool | `false` | Defines whether to use Native Kubernetes load-balancing mode by default. |
 | providers.kubernetesGateway.statusAddress.hostname | string | `""` | This Hostname will get copied to the Gateway status.addresses. |
 | providers.kubernetesGateway.statusAddress.ip | string | `""` | This IP will get copied to the Gateway status.addresses, and currently only supports one IP value (IPv4 or IPv6). |
-| providers.kubernetesGateway.statusAddress.service | object | `{"name":"{{ (include \"traefik.fullname\" .) }}","namespace":"{{ .Release.Namespace }}"}` | The Kubernetes service to copy status addresses from. When using third parties tools like External-DNS, this option can be used to copy the service loadbalancer.status (containing the service's endpoints IPs) to the gateways. Default to Service of this Chart. |
+| providers.kubernetesGateway.statusAddress.service | object | `{"name":"{{ (include \"traefik.fullname\" .) }}","namespace":"{{ include \"traefik.namespace\" . }}"}` | The Kubernetes service to copy status addresses from. When using third parties tools like External-DNS, this option can be used to copy the service loadbalancer.status (containing the service's endpoints IPs) to the gateways. Default to Service of this Chart. |
 | providers.kubernetesIngress.allowEmptyServices | bool | `true` | Allows to return 503 when there is no endpoints available |
 | providers.kubernetesIngress.allowExternalNameServices | bool | `false` | Allows to reference ExternalName services in Ingress |
 | providers.kubernetesIngress.enabled | bool | `true` | Load Kubernetes Ingress provider |

traefik/templates/_helpers.tpl

@@ -43,7 +43,7 @@ If release name contains chart name it will be used as a full name.
 Allow customization of the instance label value.
 */}}
 {{- define "traefik.instance-name" -}}
-{{- default (printf "%s-%s" .Release.Name .Release.Namespace) .Values.instanceLabelOverride | trunc 63 | trimSuffix "-" -}}
+{{- default (printf "%s-%s" .Release.Name (include "traefik.namespace" .)) .Values.instanceLabelOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{/* Shared labels used for selector*/}}
@@ -89,7 +89,7 @@ Adds the namespace to name to prevent duplicate resource names when there
 are multiple namespaced releases with the same release name.
 */}}
 {{- define "traefik.clusterRoleName" -}}
-{{- (printf "%s-%s" (include "traefik.fullname" .) .Release.Namespace) | trunc 63 | trimSuffix "-" }}
+{{- (printf "%s-%s" (include "traefik.fullname" .) (include "traefik.namespace" .)) | trunc 63 | trimSuffix "-" }}
 {{- end -}}
 
 {{/*
@@ -99,7 +99,7 @@ service generated.
 Users can provide an override for an explicit service they want bound via `.Values.providers.kubernetesIngress.publishedService.pathOverride`
 */}}
 {{- define "providers.kubernetesIngress.publishedServicePath" -}}
-{{- $defServiceName := printf "%s/%s" .Release.Namespace (include "traefik.fullname" .) -}}
+{{- $defServiceName := printf "%s/%s" (include "traefik.namespace" .) (include "traefik.fullname" .) -}}
 {{- $servicePath := default $defServiceName .Values.providers.kubernetesIngress.publishedService.pathOverride }}
 {{- print $servicePath | trimSuffix "-" -}}
 {{- end -}}
@@ -150,15 +150,15 @@ based on semverCompare
 
 {{/* Generate/load self-signed certificate for admission webhooks */}}
 {{- define "traefik-hub.webhook_cert" -}}
-{{- $cert := lookup "v1" "Secret" .Release.Namespace "hub-agent-cert" -}}
+{{- $cert := lookup "v1" "Secret" (include "traefik.namespace" .) "hub-agent-cert" -}}
 {{- if $cert -}}
 {{/* reusing value of existing cert */}}
 Cert: {{ index $cert.data "tls.crt" }}
 Key: {{ index $cert.data "tls.key" }}
 {{- else -}}
 {{/* generate a new one */}}
-{{- $altNames := list ( printf "admission.%s.svc" .Release.Namespace ) -}}
-{{- $cert := genSelfSignedCert ( printf "admission.%s.svc" .Release.Namespace ) (list) $altNames 3650 -}}
+{{- $altNames := list ( printf "admission.%s.svc" (include "traefik.namespace" .) ) -}}
+{{- $cert := genSelfSignedCert ( printf "admission.%s.svc" (include "traefik.namespace" .) ) (list) $altNames 3650 -}}
 Cert: {{ $cert.Cert | b64enc }}
 Key: {{ $cert.Key | b64enc }}
 {{- end -}}

traefik/tests/container-config_test.yaml

@@ -206,3 +206,13 @@ tests:
             matchLabels:
               app.kubernetes.io/name: traefik
               app.kubernetes.io/instance: traefik
+  - it: should set instance label to release.name-namespaceOverride when it is set
+    set:
+      namespaceOverride: foo
+    asserts:
+      - isSubset:
+          path: spec.selector
+          content:
+            matchLabels:
+              app.kubernetes.io/name: traefik
+              app.kubernetes.io/instance: RELEASE-NAME-foo

traefik/tests/pod-config_test.yaml

@@ -314,6 +314,18 @@ tests:
       - contains:
           path: spec.template.spec.containers[0].args
           content: "--providers.kubernetesgateway.statusaddress.service.namespace=NAMESPACE"
+  - it: When gateway provider is enabled with ns override, k8s providers & default statusAddress should be set
+    set:
+      namespaceOverride: foo
+      providers:
+        kubernetesGateway:
+          enabled: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--providers.kubernetesgateway.statusaddress.service.namespace=foo"
+
+
   - it: should have experimental flag when set
     set:
       experimental:
@@ -744,4 +756,4 @@ tests:
     asserts:
       - contains:
           path: spec.template.spec.containers[0].args
-          content: "--providers.kubernetesingress.allowEmptyServices=false"
+          content: "--providers.kubernetesingress.allowEmptyServices=false"

traefik/tests/rbac-config_test.yaml

@@ -40,6 +40,26 @@ tests:
           path: subjects[0].name
           value: RELEASE-NAME-traefik
         template: rbac/clusterrolebinding.yaml
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-traefik-NAMESPACE
+        template: rbac/clusterrole.yaml
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-traefik-NAMESPACE
+        template: rbac/clusterrolebinding.yaml
+  - it: should set expected name when ns is overriden
+    set:
+      namespaceOverride: foo
+    asserts:
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-traefik-foo
+        template: rbac/clusterrole.yaml
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-traefik-foo
+        template: rbac/clusterrolebinding.yaml
   - it: should not create RBAC related objects when disabled
     set:
       rbac:

traefik/tests/traefik-config_test.yaml

@@ -74,12 +74,18 @@ tests:
       - notContains:
           path: spec.template.spec.containers[0].args
           content: "--providers.kubernetescrd"
-
   - it: should have enabled published Kubernetes service when default configuration
     asserts:
       - contains:
           path: spec.template.spec.containers[0].args
           content: "--providers.kubernetesingress.ingressendpoint.publishedservice=NAMESPACE/RELEASE-NAME-traefik"
+  - it: should use overrided namespace when specified
+    set:
+      namespaceOverride: foo
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--providers.kubernetesingress.ingressendpoint.publishedservice=foo/RELEASE-NAME-traefik"
   - it: should be possible to disable published Kubernetes service when specified in configuration
     set:
       providers:

traefik/tests/values/antiaffinity.yaml

@@ -4,5 +4,5 @@ affinity:
       - labelSelector:
           matchLabels:
             app.kubernetes.io/name: '{{ template "traefik.name" . }}'
-            app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}'
+            app.kubernetes.io/instance: '{{ .Release.Name }}-{{ include "traefik.namespace" . }}'
         topologyKey: kubernetes.io/hostname

traefik/values.yaml

@@ -315,7 +315,7 @@ providers:  # @schema additionalProperties: false
       # -- The Kubernetes service to copy status addresses from. When using third parties tools like External-DNS, this option can be used to copy the service loadbalancer.status (containing the service's endpoints IPs) to the gateways. Default to Service of this Chart.
       service:
         name: "{{ (include \"traefik.fullname\" .) }}"
-        namespace: "{{ .Release.Namespace }}"
+        namespace: "{{ include \"traefik.namespace\" . }}"
 
   file:
     # -- Create a file provider
@@ -869,7 +869,7 @@ affinity: {}
 #      - labelSelector:
 #          matchLabels:
 #            app.kubernetes.io/name: '{{ template "traefik.name" . }}'
-#            app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}'
+#            app.kubernetes.io/instance: '{{ .Release.Name }}-{{ include "traefik.namespace" . }}'
 #        topologyKey: kubernetes.io/hostname
 
 # -- nodeSelector is the simplest recommended form of node selection constraint.