traefik: reduce rbac scope if one namespace is handled (helm#16111)

Signed-off-by: Nandor Kracser <bonifaido@gmail.com>

stable/traefik/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: traefik
-version: 1.77.2
+version: 1.77.3
 appVersion: 1.7.14
 description: A Traefik based Kubernetes ingress controller with Let's Encrypt support
 keywords:

stable/traefik/templates/_helpers.tpl

@@ -148,6 +148,21 @@ Helper for containerPort (http)
 	{{- end -}}
 {{- end -}}
 
+{{/*
+Helper for RBAC Scope
+If Kubernetes namespace selection is defined and the (one) selected
+namespace is the release namespace Cluster scope is unnecessary.
+*/}}
+{{- define "traefik.rbac.scope" -}}
+	{{- if .Values.kubernetes -}}
+		{{- if not (eq (.Values.kubernetes.namespaces | default (list) | toString) (list .Release.Namespace | toString)) -}}
+		Cluster
+		{{- end -}}
+	{{- else -}}
+	Cluster
+	{{- end -}}
+{{- end -}}
+
 {{/*
 Helper for containerPort (https)
 */}}

stable/traefik/templates/rbac.yaml

@@ -4,7 +4,7 @@ apiVersion: v1
 metadata:
   name: {{ template "traefik.fullname" . }}
 ---
-kind: ClusterRole
+kind: {{ include "traefik.rbac.scope" . | printf "%sRole" }}
 {{- if semverCompare "^1.8-0" .Capabilities.KubeVersion.GitVersion }}
 apiVersion: rbac.authorization.k8s.io/v1
 {{- else }}
@@ -39,7 +39,7 @@ rules:
     verbs:
       - update
 ---
-kind: ClusterRoleBinding
+kind: {{ include "traefik.rbac.scope" . | printf "%sRoleBinding" }}
 {{- if semverCompare "^1.8-0" .Capabilities.KubeVersion.GitVersion }}
 apiVersion: rbac.authorization.k8s.io/v1
 {{- else }}
@@ -49,7 +49,7 @@ metadata:
   name: {{ template "traefik.fullname" . }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: {{ include "traefik.rbac.scope" . | printf "%sRole" }}
   name: {{ template "traefik.fullname" . }}
 subjects:
 - kind: ServiceAccount