From fb4fffa8e6633cf2719c46db2065bbf14c19c15e Mon Sep 17 00:00:00 2001 From: honarkhah Date: Mon, 16 Feb 2026 14:08:05 +0100 Subject: [PATCH 1/2] feat: add namespaceOverride to support umbrella charts --- charts/gateway-helm/templates/NOTES.txt | 2 +- charts/gateway-helm/templates/_helpers.tpl | 7 +++++++ .../gateway-helm/templates/certgen-rbac.yaml | 18 +++++++++--------- charts/gateway-helm/templates/certgen.yaml | 2 +- .../templates/envoy-gateway-config.yaml | 2 +- .../templates/envoy-gateway-deployment.yaml | 2 +- .../templates/envoy-gateway-hpa.yaml | 2 +- .../envoy-gateway-poddisruptionbudget.yaml | 4 ++-- .../templates/envoy-gateway-rbac.yaml | 6 +++--- .../templates/envoy-gateway-service.yaml | 2 +- .../envoy-gateway-serviceaccount.yaml | 2 +- .../envoy-proxy-topology-injector-webhook.yaml | 8 ++++---- .../templates/infra-manager-rbac.yaml | 8 ++++---- .../templates/leader-election-rbac.yaml | 6 +++--- charts/gateway-helm/templates/namespace.yaml | 2 +- .../namespaced-infra-manager-rbac.yaml | 4 ++-- charts/gateway-helm/values.tmpl.yaml | 4 ++++ 17 files changed, 46 insertions(+), 35 deletions(-) diff --git a/charts/gateway-helm/templates/NOTES.txt b/charts/gateway-helm/templates/NOTES.txt index 595c49bcd9..0b24e1cfa2 100644 --- a/charts/gateway-helm/templates/NOTES.txt +++ b/charts/gateway-helm/templates/NOTES.txt @@ -8,7 +8,7 @@ Thank you for installing Envoy Gateway! 🎉 Your release is named: {{ .Release.Name }}. 🎉 -Your release is in namespace: {{ .Release.Namespace }}. 🎉 +Your release is in namespace: {{ include "eg.namespace" . }}. 🎉 To learn more about the release, try: diff --git a/charts/gateway-helm/templates/_helpers.tpl b/charts/gateway-helm/templates/_helpers.tpl index 8d7ed5675c..567b8dea85 100755 --- a/charts/gateway-helm/templates/_helpers.tpl +++ b/charts/gateway-helm/templates/_helpers.tpl 
@@ -1,3 +1,10 @@
+{{/*
+Allow the release namespace to be overridden.
+*/}}
+{{- define "eg.namespace" -}}
+{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
+{{- end }}
+
 {{/*
 Expand the name of the chart.
 */}}
diff --git a/charts/gateway-helm/templates/certgen-rbac.yaml b/charts/gateway-helm/templates/certgen-rbac.yaml
index 5baf2fff02..685f14c29a 100644
--- a/charts/gateway-helm/templates/certgen-rbac.yaml
+++ b/charts/gateway-helm/templates/certgen-rbac.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ include "eg.fullname" . }}-certgen
- namespace: '{{ .Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" . }}'
 labels:
 {{- include "eg.labels" . | nindent 4 }}
 {{- if .Values.certgen.rbac.labels }}
@@ -19,7 +19,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
 name: {{ include "eg.fullname" . }}-certgen
- namespace: '{{ .Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" . }}'
 labels:
 {{- include "eg.labels" . | nindent 4 }}
 {{- if .Values.certgen.rbac.labels }}
@@ -45,7 +45,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
 name: {{ include "eg.fullname" . }}-certgen
- namespace: '{{ .Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" . }}'
 labels:
 {{- include "eg.labels" . | nindent 4 }}
 {{- if .Values.certgen.rbac.labels }}
@@ -64,13 +64,13 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: '{{ include "eg.fullname" . }}-certgen'
- namespace: '{{ .Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" . }}'
 ---
 {{- if .Values.topologyInjector.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: '{{ include "eg.fullname" . }}-certgen:{{ .Release.Namespace }}'
+ name: '{{ include "eg.fullname" . }}-certgen:{{ include "eg.namespace" . }}'
 labels:
 {{- include "eg.labels" . | nindent 4 }}
 {{- if .Values.certgen.rbac.labels }}
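Review bot: The `eg.namespace` helper added in the `_helpers.tpl` hunk pipes its result through `trunc 63 | trimSuffix "-"`, so an over-long or dash-terminated `namespaceOverride` is silently rewritten, and every namespaced object and RBAC subject in the chart then points at a namespace the operator never typed. A namespace is an identifier rather than a generated name, so I would render it verbatim and stop the render with `fail` when it exceeds 63 characters; that also leaves `.Release.Namespace` exactly as it was rendered before this change. The template comment could additionally say that the helper falls back to `.Release.Namespace` when the value is empty.

```gotemplate
{{- define "eg.namespace" -}}
{{- $ns := default .Release.Namespace .Values.namespaceOverride -}}
{{- if gt (len $ns) 63 -}}
{{- fail (printf "namespaceOverride %q is longer than 63 characters" $ns) -}}
{{- end -}}
{{- $ns -}}
{{- end }}
```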
@@ -96,7 +96,7 @@ rules:
 resources:
 - mutatingwebhookconfigurations
 resourceNames:
- - 'envoy-gateway-topology-injector.{{ .Release.Namespace }}'
+ - 'envoy-gateway-topology-injector.{{ include "eg.namespace" . }}'
 verbs:
 - update
 - patch
@@ -104,7 +104,7 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: '{{ include "eg.fullname" . }}-certgen:{{ .Release.Namespace }}'
+ name: '{{ include "eg.fullname" . }}-certgen:{{ include "eg.namespace" . }}'
 labels:
 {{- include "eg.labels" . | nindent 4 }}
 {{- if .Values.certgen.rbac.labels }}
@@ -119,9 +119,9 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: '{{ include "eg.fullname" . }}-certgen:{{ .Release.Namespace }}'
+ name: '{{ include "eg.fullname" . }}-certgen:{{ include "eg.namespace" . }}'
 subjects:
 - kind: ServiceAccount
 name: '{{ include "eg.fullname" . }}-certgen'
- namespace: '{{ .Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" . }}'
 {{- end }}
diff --git a/charts/gateway-helm/templates/certgen.yaml b/charts/gateway-helm/templates/certgen.yaml
index 7f5f7dc722..0764a839e2 100644
--- a/charts/gateway-helm/templates/certgen.yaml
+++ b/charts/gateway-helm/templates/certgen.yaml
@@ -2,7 +2,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
 name: {{ include "eg.fullname" . }}-certgen
- namespace: '{{ .Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" . }}'
 labels:
 {{- include "eg.labels" . | nindent 4 }}
 annotations:
diff --git a/charts/gateway-helm/templates/envoy-gateway-config.yaml b/charts/gateway-helm/templates/envoy-gateway-config.yaml
index 8fc1d2dfb6..cb8a4e6d64 100644
--- a/charts/gateway-helm/templates/envoy-gateway-config.yaml
+++ b/charts/gateway-helm/templates/envoy-gateway-config.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: envoy-gateway-config
- namespace: '{{ .Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" . }}'
 labels:
 {{- include "eg.labels" . | nindent 4 }}
 data:
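Review bot: The ClusterRoleBinding subject in the `@@ -119,9` hunk of certgen-rbac.yaml now takes its namespace from `namespaceOverride`, and nothing in the template tells an operator what that implies. In an umbrella chart the parent's values decide which namespace's `…-certgen` ServiceAccount is granted `update`/`patch` on the topology-injector MutatingWebhookConfiguration (the ClusterRole rule in the `@@ -96,7` hunk). The binding name, the `resourceNames` entry and the subject all go through the same helper, so they stay consistent with each other. I would add a template comment above the binding, e.g. `{{/* Subject namespace follows eg.namespace (namespaceOverride); use a namespace reserved for Envoy Gateway. */}}`, since anyone allowed to run workloads in that namespace can use the ServiceAccount.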
diff --git a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml
index 1af77a6405..7d1a782533 100644
--- a/charts/gateway-helm/templates/envoy-gateway-deployment.yaml
+++ b/charts/gateway-helm/templates/envoy-gateway-deployment.yaml
@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: envoy-gateway
- namespace: '{{ .Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" . }}'
 {{- with .Values.deployment.annotations }}
 annotations:
 {{- toYaml . | nindent 4 }}
diff --git a/charts/gateway-helm/templates/envoy-gateway-hpa.yaml b/charts/gateway-helm/templates/envoy-gateway-hpa.yaml
index 5fd341ca6b..3dac32ed01 100644
--- a/charts/gateway-helm/templates/envoy-gateway-hpa.yaml
+++ b/charts/gateway-helm/templates/envoy-gateway-hpa.yaml
@@ -3,7 +3,7 @@ apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
 name: envoy-gateway
- namespace: '{{ $.Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" $ }}'
 spec:
 scaleTargetRef:
 apiVersion: apps/v1
diff --git a/charts/gateway-helm/templates/envoy-gateway-poddisruptionbudget.yaml b/charts/gateway-helm/templates/envoy-gateway-poddisruptionbudget.yaml
index 8e0bca0f1d..87471011b1 100644
--- a/charts/gateway-helm/templates/envoy-gateway-poddisruptionbudget.yaml
+++ b/charts/gateway-helm/templates/envoy-gateway-poddisruptionbudget.yaml
@@ -3,7 +3,7 @@ apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
 name: envoy-gateway
- namespace: '{{ .Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" . }}'
 spec:
 {{- if and .Values.podDisruptionBudget.minAvailable }}
 minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
@@ -15,4 +15,4 @@ spec:
 matchLabels:
 control-plane: envoy-gateway
 {{- include "eg.selectorLabels" . | nindent 6 }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/gateway-helm/templates/envoy-gateway-rbac.yaml b/charts/gateway-helm/templates/envoy-gateway-rbac.yaml
index e07c25f9a3..336dde066e 100644
--- a/charts/gateway-helm/templates/envoy-gateway-rbac.yaml
+++ b/charts/gateway-helm/templates/envoy-gateway-rbac.yaml
@@ -33,7 +33,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: 'envoy-gateway'
- namespace: '{{ $.Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" $ }}'
 {{ end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -55,7 +55,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: 'envoy-gateway'
- namespace: '{{ .Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" . }}'
 {{ else }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -78,5 +78,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: 'envoy-gateway'
- namespace: '{{ .Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" . }}'
 {{ end }}
diff --git a/charts/gateway-helm/templates/envoy-gateway-service.yaml b/charts/gateway-helm/templates/envoy-gateway-service.yaml
index bc2a1a318e..56b353a3a8 100644
--- a/charts/gateway-helm/templates/envoy-gateway-service.yaml
+++ b/charts/gateway-helm/templates/envoy-gateway-service.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
 name: envoy-gateway
- namespace: '{{ .Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" . }}'
 {{- with .Values.service.annotations }}
 annotations:
 {{- toYaml . | nindent 4 }}
diff --git a/charts/gateway-helm/templates/envoy-gateway-serviceaccount.yaml b/charts/gateway-helm/templates/envoy-gateway-serviceaccount.yaml
index 23af6fee1f..874a68673a 100644
--- a/charts/gateway-helm/templates/envoy-gateway-serviceaccount.yaml
+++ b/charts/gateway-helm/templates/envoy-gateway-serviceaccount.yaml
@@ -2,6 +2,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: envoy-gateway
- namespace: '{{ .Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" . }}'
 labels:
 {{- include "eg.labels" . | nindent 4 }}
diff --git a/charts/gateway-helm/templates/envoy-proxy-topology-injector-webhook.yaml b/charts/gateway-helm/templates/envoy-proxy-topology-injector-webhook.yaml
index 159c4e591c..e8709e49c0 100644
--- a/charts/gateway-helm/templates/envoy-proxy-topology-injector-webhook.yaml
+++ b/charts/gateway-helm/templates/envoy-proxy-topology-injector-webhook.yaml
@@ -17,7 +17,7 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
- name: 'envoy-gateway-topology-injector.{{ .Release.Namespace }}'
+ name: 'envoy-gateway-topology-injector.{{ include "eg.namespace" . }}'
 annotations:
 "helm.sh/hook": pre-install, pre-upgrade
 "helm.sh/hook-weight": "-1"
@@ -34,7 +34,7 @@ webhooks:
 clientConfig:
 service:
 name: envoy-gateway
- namespace: '{{ .Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" . }}'
 path: "/inject-pod-topology"
 port: 9443
 failurePolicy: Ignore
@@ -49,7 +49,7 @@ webhooks:
 - key: kubernetes.io/metadata.name
 operator: In
 values:
- - {{ .Release.Namespace }}
+ - {{ include "eg.namespace" . }}
 {{- else if gt (len $watchedNamespaces) 0 }}
 namespaceSelector:
 matchExpressions:
@@ -60,4 +60,4 @@ webhooks:
 - {{ . | quote }}
 {{- end }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/gateway-helm/templates/infra-manager-rbac.yaml b/charts/gateway-helm/templates/infra-manager-rbac.yaml
index d435093c81..948f697fa0 100644
--- a/charts/gateway-helm/templates/infra-manager-rbac.yaml
+++ b/charts/gateway-helm/templates/infra-manager-rbac.yaml
@@ -29,7 +29,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: 'envoy-gateway'
- namespace: '{{ $.Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" $ }}'
 ---
 {{ end }}
 {{ end }}
@@ -37,7 +37,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
 name: {{ include "eg.fullname" . }}-infra-manager
- namespace: '{{ .Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" . }}'
 labels:
 {{- include "eg.labels" . | nindent 4 }}
 rules:
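Review bot: In the `@@ -49,7` hunk of the webhook template the namespace is written into the `namespaceSelector` values list as a bare YAML scalar, `- {{ include "eg.namespace" . }}`, while the sibling branch in the `@@ -60,4` hunk uses `- {{ . | quote }}`. A namespace made only of digits (a constructed example: `12345`) would parse as an integer rather than a string, which a list of strings does not accept, and the value can now come from user-supplied `namespaceOverride`. I would write `- {{ include "eg.namespace" . | quote }}` so both branches render strings. The enclosing `if` starts outside the hunk.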
@@ -47,7 +47,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
 name: {{ include "eg.fullname" . }}-infra-manager
- namespace: '{{ .Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" . }}'
 labels:
 {{- include "eg.labels" . | nindent 4 }}
 roleRef:
@@ -57,4 +57,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: 'envoy-gateway'
- namespace: '{{ .Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" . }}'
diff --git a/charts/gateway-helm/templates/leader-election-rbac.yaml b/charts/gateway-helm/templates/leader-election-rbac.yaml
index 5b59f34c7c..188c648a02 100644
--- a/charts/gateway-helm/templates/leader-election-rbac.yaml
+++ b/charts/gateway-helm/templates/leader-election-rbac.yaml
@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
 name: {{ include "eg.fullname" . }}-leader-election-role
- namespace: '{{ .Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" . }}'
 labels:
 {{- include "eg.labels" . | nindent 4 }}
 rules:
@@ -42,7 +42,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
 name: {{ include "eg.fullname" . }}-leader-election-rolebinding
- namespace: '{{ .Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" . }}'
 labels:
 {{- include "eg.labels" . | nindent 4 }}
 roleRef:
@@ -52,4 +52,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: 'envoy-gateway'
- namespace: '{{ .Release.Namespace }}'
+ namespace: '{{ include "eg.namespace" . }}'
diff --git a/charts/gateway-helm/templates/namespace.yaml b/charts/gateway-helm/templates/namespace.yaml
index 6a7477b99c..98ef770623 100644
--- a/charts/gateway-helm/templates/namespace.yaml
+++ b/charts/gateway-helm/templates/namespace.yaml
@@ -2,5 +2,5 @@
 apiVersion: v1
 kind: Namespace
 metadata:
- name: '{{ .Release.Namespace }}'
+ name: '{{ include "eg.namespace" . }}'
 {{ end }}
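Review bot: Nothing in the namespace.yaml hunk or elsewhere on the page ensures that the override namespace exists when the chart's namespaced objects are applied. The Namespace object is rendered only inside a conditional whose opening line is outside the hunk, and values.tmpl.yaml keeps `createNamespace: false`; Helm's own namespace creation covers the release namespace, not a different one named by `namespaceOverride`. If the certgen objects are install hooks like the webhook configuration (their annotations are not visible here), they would also be applied before this Namespace object. I would document the requirement next to the value, e.g. `# The target namespace must already exist unless createNamespace is true.`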
diff --git a/charts/gateway-helm/templates/namespaced-infra-manager-rbac.yaml b/charts/gateway-helm/templates/namespaced-infra-manager-rbac.yaml index 84057a926b..8d53f73585 100644 --- a/charts/gateway-helm/templates/namespaced-infra-manager-rbac.yaml +++ b/charts/gateway-helm/templates/namespaced-infra-manager-rbac.yaml @@ -25,7 +25,7 @@ roleRef: subjects: - kind: ServiceAccount name: 'envoy-gateway' - namespace: '{{ $.Release.Namespace }}' + namespace: '{{ include "eg.namespace" $ }}' {{ if $kube.watch.namespaces }} {{ if gt (len $kube.watch.namespaces) 0 }} {{ $watchedNamespaces = $kube.watch.namespaces }} @@ -60,7 +60,7 @@ roleRef: subjects: - kind: ServiceAccount name: 'envoy-gateway' - namespace: '{{ $.Release.Namespace }}' + namespace: '{{ include "eg.namespace" $ }}' --- {{- end }} {{- end }} diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml index 874ab0b780..d5ff18bc8b 100644 --- a/charts/gateway-helm/values.tmpl.yaml +++ b/charts/gateway-helm/values.tmpl.yaml @@ -114,6 +114,10 @@ config: createNamespace: false +# -- Override the namespace for resources deployed by the chart. +# Defaults to the release namespace. +namespaceOverride: "" + kubernetesClusterDomain: cluster.local # -- Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. From e316a563eff40c63cf457a8440231adc290fc90a Mon Sep 17 00:00:00 2001 From: honarkhah Date: Mon, 16 Feb 2026 14:17:49 +0100 Subject: [PATCH 2/2] release note --- release-notes/current.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/release-notes/current.yaml b/release-notes/current.yaml index cdce7e9f52..b808944205 100644 
--- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -14,6 +14,8 @@ new features: | Added support for shadow mode in local rate limiting. Added `egctl config envoy-gateway` commands to retrieve Envoy Gateway admin config dumps. The DirectResponse body in HTTPFilter now supports Envoy command operators for dynamic content. See https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators for more details. + Added `namespaceOverride` support to gateway-helm chart + bug fixes: | Rejected ClientTrafficPolicy if invalid TLS cipher suites are configured.