review

camilamacedo86 · camilamacedo86 · commit 823866349813 · 2026-01-10T09:02:05.000Z
diff --git a/docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/prometheus/controller-manager-metrics-monitor.yaml b/docs/book/src/cronjob-tutorial/testdata/project/dist/chart/templates/prometheus/controller-manager-metrics-monitor.yaml
@@ -29,7 +29,7 @@ spec:
             keySecret:
                 key: tls.key
                 name: metrics-server-cert
-            serverName: {{ include "project.resourceName" (dict "suffix" "controller-manager-metrics-service" "context" $) }}.{{ .Release.Namespace }}.svc
+            serverName: {{ include "project.resourceName" (dict "suffix" "controller-manager-metrics-service" "context" $) }}.project-system.svc
     selector:
         matchLabels:
             app.kubernetes.io/name: {{ include "project.name" . }}
diff --git a/docs/book/src/multiversion-tutorial/testdata/project/dist/chart/templates/prometheus/controller-manager-metrics-monitor.yaml b/docs/book/src/multiversion-tutorial/testdata/project/dist/chart/templates/prometheus/controller-manager-metrics-monitor.yaml
@@ -29,7 +29,7 @@ spec:
             keySecret:
                 key: tls.key
                 name: metrics-server-cert
-            serverName: {{ include "project.resourceName" (dict "suffix" "controller-manager-metrics-service" "context" $) }}.{{ .Release.Namespace }}.svc
+            serverName: {{ include "project.resourceName" (dict "suffix" "controller-manager-metrics-service" "context" $) }}.project-system.svc
     selector:
         matchLabels:
             app.kubernetes.io/name: {{ include "project.name" . }}
diff --git a/pkg/plugins/optional/helm/v2alpha/scaffolds/internal/kustomize/helm_templater.go b/pkg/plugins/optional/helm/v2alpha/scaffolds/internal/kustomize/helm_templater.go
@@ -122,16 +122,23 @@ func (t *HelmTemplater) substituteProjectNames(yamlContent string, _ *unstructur
 }
 
 // substituteNamespace replaces manager namespace references with {{ .Release.Namespace }}
-// while preserving cross-namespace references (e.g., infrastructure, production)
+// while preserving cross-namespace references (e.g., infrastructure, production).
+// Uses context-aware replacement to avoid breaking resource names that contain the namespace as a substring.
 func (t *HelmTemplater) substituteNamespace(yamlContent string, resource *unstructured.Unstructured) string {
 	managerNamespace := t.managerNamespace
 	namespaceTemplate := "{{ .Release.Namespace }}"
 
-	// Replace only the manager namespace with template variable.
-	// Cross-namespace values (infrastructure, production, etc.) are naturally preserved
-	// because they don't match the manager namespace string.
-	yamlContent = strings.ReplaceAll(yamlContent, managerNamespace, namespaceTemplate)
+	// 1. Replace namespace in YAML field contexts (namespace: <value>)
+	// This prevents bugs where namespace "user" breaks resource name "users" → "{{ .Release.Namespace }}s"
+	namespaceFieldPattern := regexp.MustCompile(`(?m)^(\s*)namespace:\s+` + regexp.QuoteMeta(managerNamespace) + `\s*$`)
+	yamlContent = namespaceFieldPattern.ReplaceAllString(yamlContent, "${1}namespace: "+namespaceTemplate)
 
+	// 2. Replace namespace in annotation values (e.g., cert-manager.io/inject-ca-from: <namespace>/resource)
+	// Pattern: <namespace>/ in annotation context
+	annotationNamespacePattern := regexp.MustCompile(regexp.QuoteMeta(managerNamespace) + `/`)
+	yamlContent = annotationNamespacePattern.ReplaceAllString(yamlContent, namespaceTemplate+"/")
+
+	// 3. Replace namespace in DNS names (handled in certificate-specific function)
 	if resource.GetKind() == kindCertificate {
 		yamlContent = t.substituteCertificateDNSNames(yamlContent, resource)
 	}
@@ -166,6 +173,12 @@ func (t *HelmTemplater) substituteCertificateDNSNames(yamlContent string, resour
 		yamlContent = strings.ReplaceAll(yamlContent, hardcodedWebhookServiceShort, t.resourceNameTemplate("webhook-service"))
 	}
 
+	// Replace namespace in DNS names (e.g., .project-system.svc → .{{ .Release.Namespace }}.svc)
+	// This handles hardcoded namespace values in service DNS names
+	namespaceInDNS := "." + t.managerNamespace + ".svc"
+	templatedNamespaceInDNS := ".{{ .Release.Namespace }}.svc"
+	yamlContent = strings.ReplaceAll(yamlContent, namespaceInDNS, templatedNamespaceInDNS)
+
 	return yamlContent
 }
 
diff --git a/pkg/plugins/optional/helm/v2alpha/scaffolds/internal/kustomize/helm_templater_test.go b/pkg/plugins/optional/helm/v2alpha/scaffolds/internal/kustomize/helm_templater_test.go
@@ -950,6 +950,101 @@ subjects:
 			// RoleBinding metadata namespace should be preserved
 			Expect(result).To(ContainSubstring("namespace: infrastructure"))
 		})
+
+		It("should NOT replace namespace substring in resource names (regression test for issue #5354)", func() {
+			// This test validates that namespace replacement is field-aware,
+			// not a blind string replacement that breaks resource names
+			roleResource := &unstructured.Unstructured{}
+			roleResource.SetAPIVersion("rbac.authorization.k8s.io/v1")
+			roleResource.SetKind("ClusterRole")
+			roleResource.SetName("manager-role")
+
+			// Scenario: manager namespace is "user", CRD resource is "users"
+			customTemplater := &HelmTemplater{
+				detectedPrefix:   "test-project",
+				chartName:        "test-project",
+				managerNamespace: "user", // Short namespace that appears as substring
+			}
+
+			content := `apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: test-project-manager-role
+rules:
+- apiGroups:
+  - identity.example.com
+  resources:
+  - users
+  - users/finalizers
+  - users/status
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete`
+
+			result := customTemplater.ApplyHelmSubstitutions(content, roleResource)
+
+			// Critical: resource name "users" must NOT be replaced with "{{ .Release.Namespace }}s"
+			Expect(result).To(ContainSubstring("- users"),
+				"resource name 'users' should remain unchanged")
+			Expect(result).To(ContainSubstring("- users/finalizers"),
+				"resource name 'users/finalizers' should remain unchanged")
+			Expect(result).To(ContainSubstring("- users/status"),
+				"resource name 'users/status' should remain unchanged")
+
+			// Ensure we didn't create templated resource names
+			Expect(result).NotTo(ContainSubstring("- {{ .Release.Namespace }}s"),
+				"must NOT replace 'user' substring in resource names")
+			Expect(result).NotTo(MatchRegexp(`resources:\s*-\s*\{\{.*\}\}`),
+				"resource names must never be templated")
+		})
+
+		It("should handle edge case where namespace is substring of multiple fields", func() {
+			// Test more edge cases: namespace "app" appears in "applications", "apps", etc.
+			customTemplater := &HelmTemplater{
+				detectedPrefix:   "test-project",
+				chartName:        "test-project",
+				managerNamespace: "app",
+			}
+
+			roleBindingResource := &unstructured.Unstructured{}
+			roleBindingResource.SetAPIVersion("rbac.authorization.k8s.io/v1")
+			roleBindingResource.SetKind("RoleBinding")
+			roleBindingResource.SetName("manager-rolebinding")
+
+			content := `apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: test-project-manager-rolebinding
+  namespace: app
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: test-project-manager-role
+subjects:
+- kind: ServiceAccount
+  name: test-project-controller-manager
+  namespace: app`
+
+			result := customTemplater.ApplyHelmSubstitutions(content, roleBindingResource)
+
+			// Namespace fields should be templated
+			Expect(result).To(ContainSubstring("namespace: {{ .Release.Namespace }}"),
+				"namespace fields should be templated")
+
+			// Verify we have exactly 2 namespace template substitutions (metadata + subject)
+			namespaceTemplateCount := strings.Count(result, "namespace: {{ .Release.Namespace }}")
+			Expect(namespaceTemplateCount).To(Equal(2),
+				"should have exactly 2 namespace field replacements")
+
+			// Verify apiGroup field is NOT affected (contains "app" in "rbac.authorization.k8s.io")
+			Expect(result).To(ContainSubstring("apiGroup: rbac.authorization.k8s.io"),
+				"apiGroup should not be affected by namespace replacement")
+		})
 	})
 
 	Context("templatePorts", func() {
