redpanda: correct Role and ClusterRole naming

In 5d72f8a, the Names for `Role`s generated by
the chart were mistakenly changed from `Fullname` to `Name`. This regression
went by unnoticed as we did not have any tests that installed multiple
instances of the chart into a single namespace.

This commit corrects the regression and updates the naming of `ClusterRole`s to
include the release namespace. This allows:
- Installing multiple instances of the chart into a single namespace.
- Installing multiple instances of the chart with the same release name into different namespaces.

(cherry picked from commit d7ad813)

Author: chrisseto

.changes/unreleased/charts-redpanda-Fixed-20250619-113317.yaml

@@ -0,0 +1,4 @@
+project: charts/redpanda
+kind: Fixed
+body: Corrected naming of `Role`s to use Fullname instead of Name, which ensures they are unique within their namespace.
+time: 2025-06-19T11:33:17.161135-04:00

.changes/unreleased/charts-redpanda-Fixed-20250619-113526.yaml

@@ -0,0 +1,4 @@
+project: charts/redpanda
+kind: Fixed
+body: Updated naming of `ClusterRole`s to include the release namespace. This ensures that they are unique per release and permits installing the chart with the same name across different namespaces.
+time: 2025-06-19T11:35:26.699507-04:00

charts/redpanda/CHANGELOG.md

@@ -133,6 +133,8 @@ of `enterprise.license` and `enterprise.licenseSecretRef`, respectively.
   now respect `listeners.kafka.tls.trustStore`, when provided.
   See also [helm-chart 1573 issue](https://github.com/redpanda-data/helm-charts/issues/1573).
 
+* Corrected naming of `Role`s to use Fullname instead of Name, which ensures they are unique within their namespace.
+* Updated naming of `ClusterRole`s to include the release namespace. This ensures that they are unique per release and permits installing the chart with the same name across different namespaces.
 
 ## [v25.1.1-beta3](https://github.com/redpanda-data/redpanda-operator/releases/tag/charts%2Fredpanda%2Fv25.1.1-beta3) - 2025-05-06
 ### Added

charts/redpanda/chart_test.go

@@ -49,6 +49,7 @@ import (
 	"github.com/redpanda-data/redpanda-operator/pkg/helm"
 	"github.com/redpanda-data/redpanda-operator/pkg/helm/helmtest"
 	"github.com/redpanda-data/redpanda-operator/pkg/kube"
+	"github.com/redpanda-data/redpanda-operator/pkg/kube/kubetest"
 	"github.com/redpanda-data/redpanda-operator/pkg/testutil"
 	"github.com/redpanda-data/redpanda-operator/pkg/tlsgeneration"
 	"github.com/redpanda-data/redpanda-operator/pkg/valuesutil"
@@ -1167,3 +1168,76 @@ func TestGoHelmEquivalence(t *testing.T) {
 		})
 	}
 }
+
+// TestMultiNamespaceInstall verifies that:
+// - Multiple instances of the redpanda chart with different names may be installed in the same instance.
+// - Multiple instances of the redpanda chart with the same name may be installed in different namespaces.
+func TestMultiNamespaceInstall(t *testing.T) {
+	ctl := kubetest.NewEnv(t)
+	client, err := helm.New(helm.Options{
+		KubeConfig: ctl.RestConfig(),
+	})
+	require.NoError(t, err)
+
+	values := redpanda.PartialValues{
+		// Disable NodePort services to avoid port conflicts.
+		External: &redpanda.PartialExternalConfig{
+			Type: ptr.To(corev1.ServiceTypeLoadBalancer),
+		},
+		// Disable cert-manager integration so we don't have to
+		// install their CRDs.
+		TLS: &redpanda.PartialTLS{
+			Certs: redpanda.PartialTLSCertMap{
+				"default": redpanda.PartialTLSCert{
+					SecretRef: &corev1.LocalObjectReference{
+						Name: "default",
+					},
+				},
+				"external": redpanda.PartialTLSCert{
+					SecretRef: &corev1.LocalObjectReference{
+						Name: "default",
+					},
+				},
+			},
+		},
+	}
+
+	for i := 0; i < 2; i++ {
+		namespace := fmt.Sprintf("namespace-%d", i)
+
+		require.NoError(t, ctl.Apply(t.Context(), &corev1.Namespace{
+			ObjectMeta: metav1.ObjectMeta{Name: namespace},
+		}))
+
+		for j := 0; j < 2; j++ {
+			_, err := client.Install(t.Context(), ".", helm.InstallOptions{
+				Name:      fmt.Sprintf("redpanda-%d", j),
+				Namespace: namespace,
+				// Disable all forms of waits / checks. This isn't an actual
+				// cluster, were just verifying that the API server and helm
+				// don't report naming conflicts.
+				NoHooks:       true,
+				NoWait:        true,
+				NoWaitForJobs: true,
+				Timeout:       ptr.To(5 * time.Second),
+				Values:        values,
+			})
+			require.NoError(t, err)
+		}
+
+		// One final check to show that conflicting names will result in an error.
+		_, err := client.Install(t.Context(), ".", helm.InstallOptions{
+			Name:      "redpanda-0",
+			Namespace: namespace,
+			// Disable all forms of waits / checks. This isn't an actual
+			// cluster, were just verifying that the API server and helm
+			// don't report naming conflicts.
+			NoHooks:       true,
+			NoWait:        true,
+			NoWaitForJobs: true,
+			Timeout:       ptr.To(5 * time.Second),
+			Values:        values,
+		})
+		require.Error(t, err)
+	}
+}

charts/redpanda/helpers.go

@@ -46,16 +46,22 @@ func ChartLabel(dot *helmette.Dot) string {
 	return cleanForK8s(strings.ReplaceAll(fmt.Sprintf("%s-%s", dot.Chart.Name, dot.Chart.Version), "+", "_"))
 }
 
-// Expand the name of the chart
+// Name returns the name of this chart as specified in Chart.yaml, unless
+// explicitly overridden.
+// Name is effectively static and should not be used for naming of resources.
+// Name is truncated at 63 characters to satisfy Kubernetes field limits
+// and DNS limits.
 func Name(dot *helmette.Dot) string {
 	if override, ok := dot.Values["nameOverride"].(string); ok && override != "" {
 		return cleanForK8s(override)
 	}
 	return cleanForK8s(dot.Chart.Name)
 }
 
-// Create a default fully qualified app name.
-// We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+// Fullname returns the name of this helm release, unless explicitly
+// overridden.
+// Fullname is truncated at 63 characters to satisfy Kubernetes field limits
+// and DNS limits.
 func Fullname(dot *helmette.Dot) string {
 	if override, ok := dot.Values["fullnameOverride"].(string); ok && override != "" {
 		return cleanForK8s(override)

charts/redpanda/rbac.go

@@ -39,7 +39,7 @@ func Roles(dot *helmette.Dot) []*rbacv1.Role {
 		role := helmette.FromYaml[rbacv1.Role](dot.Files.Get(file))
 
 		// Populated all chart values on the loaded static Role.
-		role.ObjectMeta.Name = fmt.Sprintf("%s-%s", Name(dot), role.ObjectMeta.Name)
+		role.ObjectMeta.Name = fmt.Sprintf("%s-%s", Fullname(dot), role.ObjectMeta.Name)
 		role.ObjectMeta.Namespace = dot.Release.Namespace
 		role.ObjectMeta.Labels = FullLabels(dot)
 		role.ObjectMeta.Annotations = helmette.Merge(
@@ -73,7 +73,10 @@ func ClusterRoles(dot *helmette.Dot) []*rbacv1.ClusterRole {
 		role := helmette.FromYaml[rbacv1.ClusterRole](dot.Files.Get(file))
 
 		// Populated all chart values on the loaded static Role.
-		role.ObjectMeta.Name = fmt.Sprintf("%s-%s", Fullname(dot), role.ObjectMeta.Name)
+		// For ClusterScoped resources, we include the Namespace to permit
+		// installing multiple releases with the same names into the same
+		// cluster.
+		role.ObjectMeta.Name = cleanForK8s(fmt.Sprintf("%s-%s-%s", Fullname(dot), dot.Release.Namespace, role.ObjectMeta.Name))
 		role.ObjectMeta.Labels = FullLabels(dot)
 		role.ObjectMeta.Annotations = helmette.Merge(
 			map[string]string{},

charts/redpanda/templates/_helpers.go.tpl

@@ -14,9 +14,9 @@
 {{- $dot := (index .a 0) -}}
 {{- range $_ := (list 1) -}}
 {{- $_is_returning := false -}}
-{{- $_51_override_1_ok_2 := (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $dot.Values "nameOverride") "")))) "r") -}}
-{{- $override_1 := (index $_51_override_1_ok_2 0) -}}
-{{- $ok_2 := (index $_51_override_1_ok_2 1) -}}
+{{- $_55_override_1_ok_2 := (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $dot.Values "nameOverride") "")))) "r") -}}
+{{- $override_1 := (index $_55_override_1_ok_2 0) -}}
+{{- $ok_2 := (index $_55_override_1_ok_2 1) -}}
 {{- if (and $ok_2 (ne $override_1 "")) -}}
 {{- $_is_returning = true -}}
 {{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $override_1)))) "r")) | toJson -}}
@@ -32,9 +32,9 @@
 {{- $dot := (index .a 0) -}}
 {{- range $_ := (list 1) -}}
 {{- $_is_returning := false -}}
-{{- $_61_override_3_ok_4 := (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $dot.Values "fullnameOverride") "")))) "r") -}}
-{{- $override_3 := (index $_61_override_3_ok_4 0) -}}
-{{- $ok_4 := (index $_61_override_3_ok_4 1) -}}
+{{- $_67_override_3_ok_4 := (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $dot.Values "fullnameOverride") "")))) "r") -}}
+{{- $override_3 := (index $_67_override_3_ok_4 0) -}}
+{{- $ok_4 := (index $_67_override_3_ok_4 1) -}}
 {{- if (and $ok_4 (ne $override_3 "")) -}}
 {{- $_is_returning = true -}}
 {{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $override_3)))) "r")) | toJson -}}
@@ -375,9 +375,9 @@
 {{- range $_ := (list 1) -}}
 {{- $_is_returning := false -}}
 {{- $version := (trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot)))) "r")) -}}
-{{- $_356_result_err := (list (semverCompare $constraint $version) nil) -}}
-{{- $result := (index $_356_result_err 0) -}}
-{{- $err := (index $_356_result_err 1) -}}
+{{- $_362_result_err := (list (semverCompare $constraint $version) nil) -}}
+{{- $result := (index $_362_result_err 0) -}}
+{{- $err := (index $_362_result_err 1) -}}
 {{- if (ne (toJson $err) "null") -}}
 {{- $_ := (fail $err) -}}
 {{- end -}}
@@ -498,9 +498,9 @@
 {{- $originalKeys := (dict) -}}
 {{- $overrideByKey := (dict) -}}
 {{- range $_, $el := $override -}}
-{{- $_493_key_ok := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey)))) "r") -}}
-{{- $key := (index $_493_key_ok 0) -}}
-{{- $ok := (index $_493_key_ok 1) -}}
+{{- $_499_key_ok := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey)))) "r") -}}
+{{- $key := (index $_499_key_ok 0) -}}
+{{- $ok := (index $_499_key_ok 1) -}}
 {{- if (not $ok) -}}
 {{- continue -}}
 {{- end -}}
@@ -511,13 +511,13 @@
 {{- end -}}
 {{- $merged := (coalesce nil) -}}
 {{- range $_, $el := $original -}}
-{{- $_505_key__ := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey)))) "r") -}}
-{{- $key := (index $_505_key__ 0) -}}
-{{- $_ := (index $_505_key__ 1) -}}
+{{- $_511_key__ := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey)))) "r") -}}
+{{- $key := (index $_511_key__ 0) -}}
+{{- $_ := (index $_511_key__ 1) -}}
 {{- $_ := (set $originalKeys $key true) -}}
-{{- $_507_elOverride_7_ok_8 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $overrideByKey $key (coalesce nil))))) "r") -}}
-{{- $elOverride_7 := (index $_507_elOverride_7_ok_8 0) -}}
-{{- $ok_8 := (index $_507_elOverride_7_ok_8 1) -}}
+{{- $_513_elOverride_7_ok_8 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $overrideByKey $key (coalesce nil))))) "r") -}}
+{{- $elOverride_7 := (index $_513_elOverride_7_ok_8 0) -}}
+{{- $ok_8 := (index $_513_elOverride_7_ok_8 1) -}}
 {{- if $ok_8 -}}
 {{- $merged = (concat (default (list) $merged) (list (get (fromJson (include $mergeFunc (dict "a" (list $el $elOverride_7)))) "r"))) -}}
 {{- else -}}
@@ -528,15 +528,15 @@
 {{- break -}}
 {{- end -}}
 {{- range $_, $el := $override -}}
-{{- $_517_key_ok := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey)))) "r") -}}
-{{- $key := (index $_517_key_ok 0) -}}
-{{- $ok := (index $_517_key_ok 1) -}}
+{{- $_523_key_ok := (get (fromJson (include "_shims.get" (dict "a" (list $el $mergeKey)))) "r") -}}
+{{- $key := (index $_523_key_ok 0) -}}
+{{- $ok := (index $_523_key_ok 1) -}}
 {{- if (not $ok) -}}
 {{- continue -}}
 {{- end -}}
-{{- $_522___ok_9 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $originalKeys $key false)))) "r") -}}
-{{- $_ := (index $_522___ok_9 0) -}}
-{{- $ok_9 := (index $_522___ok_9 1) -}}
+{{- $_528___ok_9 := (get (fromJson (include "_shims.dicttest" (dict "a" (list $originalKeys $key false)))) "r") -}}
+{{- $_ := (index $_528___ok_9 0) -}}
+{{- $ok_9 := (index $_528___ok_9 1) -}}
 {{- if $ok_9 -}}
 {{- continue -}}
 {{- end -}}

charts/redpanda/templates/_rbac.go.tpl

@@ -12,7 +12,7 @@
 {{- continue -}}
 {{- end -}}
 {{- $role := (get (fromJson (include "_shims.fromYaml" (dict "a" (list ($dot.Files.Get $file))))) "r") -}}
-{{- $_ := (set $role.metadata "name" (printf "%s-%s" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot)))) "r") $role.metadata.name)) -}}
+{{- $_ := (set $role.metadata "name" (printf "%s-%s" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r") $role.metadata.name)) -}}
 {{- $_ := (set $role.metadata "namespace" $dot.Release.Namespace) -}}
 {{- $_ := (set $role.metadata "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot)))) "r")) -}}
 {{- $_ := (set $role.metadata "annotations" (merge (dict) (dict) $values.serviceAccount.annotations $values.rbac.annotations)) -}}
@@ -39,7 +39,7 @@
 {{- continue -}}
 {{- end -}}
 {{- $role := (get (fromJson (include "_shims.fromYaml" (dict "a" (list ($dot.Files.Get $file))))) "r") -}}
-{{- $_ := (set $role.metadata "name" (printf "%s-%s" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r") $role.metadata.name)) -}}
+{{- $_ := (set $role.metadata "name" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list (printf "%s-%s-%s" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot)))) "r") $dot.Release.Namespace $role.metadata.name))))) "r")) -}}
 {{- $_ := (set $role.metadata "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot)))) "r")) -}}
 {{- $_ := (set $role.metadata "annotations" (merge (dict) (dict) $values.serviceAccount.annotations $values.rbac.annotations)) -}}
 {{- $clusterRoles = (concat (default (list) $clusterRoles) (list $role)) -}}