<!-- NOTICE: This Issue tracker is for the GitLab Helm chart, not the GitLab Rails application. Support: Please do not raise support issues for GitLab.com on this tracker. See https://about.gitlab.com/support/ --> ### Summary When `global.ingress.provider: traefik`, the chart renders a `<release>-gitlab-shell` `IngressRouteTCP`, but it omits `spec.ingressClassName` and offers no value to set it. Traefik's `kubernetesCRD` provider can be scoped with an `ingressClass` filter (a documented, common option); with that filter active, the rendered route is **silently dropped** and git-over-SSH through it does not work. The webservice `Ingress` already derives `ingressClassName` from `global.ingress.class` — the `IngressRouteTCP` should support the same. ### Steps to reproduce 1. Deploy the chart with `global.ingress.provider: traefik`, `global.ingress.class: traefik`, gitlab-shell enabled. 2. Run a Traefik instance whose CRD provider is class-scoped, e.g. `--providers.kubernetescrd.ingressClass=traefik` (so Traefik only serves CRDs carrying `spec.ingressClassName: traefik`). 3. Inspect the rendered route: `kubectl get ingressroutetcps.traefik.io <release>-gitlab-shell -o yaml` → no `spec.ingressClassName`. 4. Traefik does not register a router for it (no error logged); SSH via this route is unreachable. There is no chart value to add the class. ### Configuration used ```yaml global: ingress: provider: traefik class: traefik shell: port: 22 tcp: proxyProtocol: true gitlab: gitlab-shell: config: proxyProtocol: true gitlab-shell: traefik: entrypoint: gitlab-shell ``` Traefik static config (the CRD provider is class-scoped): ```yaml providers: kubernetesCRD: ingressClass: traefik ``` Rendered route (note the missing `ingressClassName`): ```yaml apiVersion: traefik.io/v1alpha1 kind: IngressRouteTCP metadata: name: gitlab-gitlab-shell spec: # spec.ingressClassName is absent and cannot be set via values entryPoints: - gitlab-shell routes: - match: HostSNI(`*`) services: - name: gitlab-gitlab-shell port: 22 proxyProtocol: version: 2 ``` ### Current behavior The rendered `IngressRouteTCP` has no `spec.ingressClassName`, and no chart value exists to set one. On any Traefik whose `kubernetesCRD` provider is configured with an `ingressClass`, the route does not match the provider and is silently ignored — the workaround is to maintain a hand-written `IngressRouteTCP` (with `ingressClassName`) alongside the chart, which then duplicates the chart's object. ### Expected behavior A value (e.g. `gitlab-shell.traefik.ingressClassName`, defaulting to unset) that, when set, renders `spec.ingressClassName` on the `IngressRouteTCP` — mirroring how the webservice `Ingress` already gets its `ingressClassName` from `global.ingress.class`. The change in `charts/gitlab/charts/gitlab-shell/templates/traefik-tcp-ingressroute.yaml` is a single conditional under `spec:`: ```yaml {{- with .Values.traefik.ingressClassName }} ingressClassName: {{ . }} {{- end }} ``` ### Versions - Chart: `10.0.1` - Platform: - Cloud: n/a - Self-hosted: Rancher **RKE2** (nodes: Ubuntu 24.04.3 LTS) - Kubernetes (`kubectl version`): - Client: `v1.31.2` - Server: `v1.34.5+rke2r1` - Helm (`helm version`): - Client: `v4.1.0` - Server: n/a (Helm 3+/4, no Tiller) - Traefik: `v3.7.1` ### Relevant logs No error is emitted — the route is simply absent from Traefik's registered routers because it doesn't match the `kubernetesCRD` provider's `ingressClass`. With Traefik log level `DEBUG`, the CRD is skipped during provider configuration (no router/service is created for `<release>-gitlab-shell`); at default log level there is nothing, which is what makes this easy to miss.