
Add release-specific selector labels to Services #71

@monrax

From: https://github.com/tigerpeng2001/graylog-helm/blob/main/evaluation.txt

The Service resources in the chart use a single hard-coded label for selection:

    selector:
      app: graylog-app

    selector:
      app: graylog-datanode

Meanwhile, the StatefulSet pods have multiple labels:

    selector:
      matchLabels:
        app: graylog-app
        {{- include "graylog.selectorLabels" . | nindent 6 }}

    selector:
      matchLabels:
        app: graylog-datanode
        {{- include "graylog.selectorLabels" . | nindent 6 }}

With graylog.selectorLabels defined in _helpers.tpl as release-specific labels:

    {{/*
    Selector labels
    */}}
    {{- define "graylog.selectorLabels" -}}
    app.kubernetes.io/name: {{ include "graylog.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    {{- end }}

If someone installs multiple releases of this chart in the same namespace (e.g., helm install prod-graylog ... and helm install staging-graylog ...), both deployments will have pods with app: graylog-app. The Services would then route traffic to pods from both releases indiscriminately.

How to reproduce?

  1. Install one release of the chart in a given namespace

         helm install graylog-prod graylog/graylog -n graylog --create-namespace --set graylog.replicas=1 --set datanode.replicas=1 --set mongodb.replicas=1 --set mongodb.arbiters=0 --set graylog.config.rootPassword="foo123"

  2. Install another release of the same chart in the same namespace

         helm install graylog-dev graylog/graylog -n graylog --set graylog.replicas=1 --set datanode.replicas=1 --set mongodb.replicas=1 --set mongodb.arbiters=0 --set graylog.config.rootPassword="bar456"

  3. Get endpoints and verify both services have the same endpoints (when they shouldn't)

         kubectl describe svc graylog-dev-svc -n graylog | grep Endpoints
         kubectl describe svc graylog-prod-svc -n graylog | grep Endpoints

         diff -s <(kubectl describe svc graylog-dev-svc -n graylog | grep Endpoints) <(kubectl describe svc graylog-prod-svc -n graylog | grep Endpoints)

  4. Get pod addresses and verify that all addresses exist in both services

         kubectl get pod -n graylog -o wide | grep "graylog-\(dev\|prod\)-0"

         diff -s <(kubectl describe svc graylog-dev-svc -n graylog | grep Endpoints) <(kubectl describe svc graylog-dev-svc -n graylog | grep Endpoints | grep $(kubectl get pod graylog-dev-0 -n graylog -o custom-columns=IP:.status.podIP | grep -v "IP"))

         diff -s <(kubectl describe svc graylog-dev-svc -n graylog | grep Endpoints) <(kubectl describe svc graylog-dev-svc -n graylog | grep Endpoints | grep $(kubectl get pod graylog-prod-0 -n graylog -o custom-columns=IP:.status.podIP | grep -v "IP"))

  5. Expose one of the services

         helm upgrade graylog-prod graylog/graylog -n graylog --reuse-values --set graylog.service.type=LoadBalancer

  6. Browse to the external address

         open http://$(kubectl get svc --namespace graylog graylog-prod-svc --template "{{ with (index .status.loadBalancer.ingress 0) }}{{ or .hostname .ip }}{{ end }}"):9000/

  7. Verify you cannot log in with any of the credentials set in steps 1 and 2
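An added example, not part of the issue or the chart: a check that flags any Service whose selector matches pods from more than one Helm release, using the `app.kubernetes.io/instance` label the issue quotes from `_helpers.tpl`. The input shape follows the items of `kubectl get svc,pods -n <namespace> -o json`; the sample objects, the helper names and the `graylog` value for `app.kubernetes.io/name` are constructed for illustration.

```python
# Added example: find Services whose selector spans more than one Helm release.
# Items are assumed to come from a single namespace; the sample data is constructed.

INSTANCE = "app.kubernetes.io/instance"


def selects(selector, labels):
    """Equality-based Service selector: every key/value must be present on the pod."""
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())


def cross_release_services(items):
    """Return {service name: sorted releases} for Services selecting pods of >1 release."""
    pods = [i for i in items if i["kind"] == "Pod"]
    findings = {}
    for svc in (i for i in items if i["kind"] == "Service"):
        selector = svc["spec"].get("selector") or {}
        releases = {
            p["metadata"].get("labels", {}).get(INSTANCE, "<unlabelled>")
            for p in pods
            if selects(selector, p["metadata"].get("labels", {}))
        }
        if len(releases) > 1:
            findings[svc["metadata"]["name"]] = sorted(releases)
    return findings


def _pod(name, release):
    # Pod labels as the StatefulSet matchLabels in the issue imply (values constructed).
    return {"kind": "Pod", "metadata": {"name": name, "labels": {
        "app": "graylog-app", "app.kubernetes.io/name": "graylog", INSTANCE: release}}}


def _svc(name, selector):
    return {"kind": "Service", "metadata": {"name": name}, "spec": {"selector": selector}}


# Constructed sample: two releases in one namespace, as in the reproduction steps.
PODS = [_pod("graylog-prod-0", "graylog-prod"), _pod("graylog-dev-0", "graylog-dev")]
HARDCODED = PODS + [_svc("graylog-prod-svc", {"app": "graylog-app"}),
                    _svc("graylog-dev-svc", {"app": "graylog-app"})]
RELEASE_SCOPED = PODS + [
    _svc("graylog-prod-svc", {"app": "graylog-app", INSTANCE: "graylog-prod"}),
    _svc("graylog-dev-svc", {"app": "graylog-app", INSTANCE: "graylog-dev"})]

if __name__ == "__main__":
    print(cross_release_services(HARDCODED))       # both Services flagged
    print(cross_release_services(RELEASE_SCOPED))  # no findings
```
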

Labels: bug (Something isn't working)
