feat: 💥 rework and allow update of namespace policy for Gateway

traefik/templates/gateway.yaml

@@ -1,5 +1,4 @@
 {{- if .Values.experimental.kubernetesGateway.enabled }}
-{{- if .Values.experimental.kubernetesGateway.gateway.enabled }}
 ---
 apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: Gateway
@@ -8,7 +7,7 @@ metadata:
   namespace: {{ default (include "traefik.namespace" .) .Values.experimental.kubernetesGateway.namespace }}
   labels:
     {{- include "traefik.labels" . | nindent 4 }}
-  {{- with .Values.experimental.kubernetesGateway.gateway.annotations }}
+  {{- with .Values.experimental.kubernetesGateway.annotations }}
   annotations:
   {{- toYaml . | nindent 4 }}
   {{- end }}
@@ -18,7 +17,11 @@ spec:
     - name: web
       port: {{ .Values.ports.web.port }}
       protocol: HTTP
-
+      {{- with .Values.experimental.kubernetesGateway.namespacePolicy }}
+      allowedRoutes:
+        namespaces:
+          from: {{ . }}
+      {{- end }}
     {{- if .Values.experimental.kubernetesGateway.certificate }}
     - name: websecure
       port: {{ $.Values.ports.websecure.port }}
@@ -29,5 +32,4 @@ spec:
             group: {{ .Values.experimental.kubernetesGateway.certificate.group }}
             kind: {{ .Values.experimental.kubernetesGateway.certificate.kind }}
     {{- end }}
-{{- end }}
-{{- end }}
+{{- end }}

traefik/tests/gateway-config_test.yaml

@@ -17,6 +17,16 @@ tests:
       - equal:
           path: metadata.namespace
           value: "NAMESPACE"
+  - it: should configure allowedRoutes within web listener
+    set:
+      experimental:
+        kubernetesGateway:
+          enabled: true
+          namespacePolicy: All
+    asserts:
+      - equal:
+          path: spec.listeners[0].allowedRoutes.namespaces.from
+          value: "All"
   - it: should have one Gateway with the correct class and an http port as well as an https port
     set:
       experimental:
@@ -82,10 +92,8 @@ tests:
       experimental:
         kubernetesGateway:
           enabled: true
-          gateway:
-            enabled: true
-            annotations:
-              cert-manager.io/issuer: letsencrypt
+          annotations:
+            cert-manager.io/issuer: letsencrypt
     asserts:
       - equal:
           path: metadata.annotations

traefik/values.yaml

@@ -126,19 +126,19 @@ experimental:
   kubernetesGateway:
     # -- Enable traefik experimental GatewayClass CRD
     enabled: false
-    gateway:
-      # -- Enable traefik regular kubernetes gateway
-      enabled: true
-      # certificate:
-      #   group: "core"
-      #   kind: "Secret"
-      #   name: "mysecret"
-      # -- By default, Gateway would be created to the Namespace you are deploying Traefik to.
-      # You may create that Gateway in another namespace, setting its name below:
-      # namespace: default
-      # Additional gateway annotations (e.g. for cert-manager.io/issuer)
-      # annotations:
-      #   cert-manager.io/issuer: letsencrypt
+    ## Routes are restricted to namespace of the gateway by default.
+    ## https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.FromNamespaces
+    # namespacePolicy: All
+    # certificate:
+    #   group: "core"
+    #   kind: "Secret"
+    #   name: "mysecret"
+    # -- By default, Gateway would be created to the Namespace you are deploying Traefik to.
+    # You may create that Gateway in another namespace, setting its name below:
+    # namespace: default
+    # Additional gateway annotations (e.g. for cert-manager.io/issuer)
+    # annotations:
+    #   cert-manager.io/issuer: letsencrypt
 
 ## Create an IngressRoute for the dashboard
 ingressRoute: