fix: RBACs for hub and disabled namespaced RBACs

traefik · Jul 8, 2024 · 0827106 · 0827106
1 parent 2dff203
commit 0827106
Show file tree

Hide file tree

Showing 6 changed files with 34 additions and 210 deletions.
diff --git a/traefik/templates/_helpers.tpl b/traefik/templates/_helpers.tpl
@@ -129,8 +129,16 @@ Renders a complete tree, even values that contains template.
 {{- end -}}
 
 {{- define "imageVersion" -}}
+{{/*
+Traefik hub is based on v3.0 of traefik proxy, so this is a hack to avoid to much complexity in RBAC management which are
+based on semverCompare
+*/}}
+{{- if $.Values.hub.token -}}
+v3.0
+{{- else -}}
 {{ (split "@" (default $.Chart.AppVersion $.Values.image.tag))._0 | replace "latest-" "" | replace "experimental-" "" }}
 {{- end -}}
+{{- end -}}
 
 {{/* Generate/load self-signed certificate for admission webhooks */}}
 {{- define "traefik-hub.webhook_cert" -}}

diff --git a/traefik/templates/rbac/clusterrole.yaml b/traefik/templates/rbac/clusterrole.yaml
@@ -72,6 +72,16 @@ rules:
       - get
       - list
       - watch
+    {{- if $.Values.hub.token }}
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - get
+      - list
+      - watch
+    {{- end }}
   {{- else }}
   - apiGroups:
       - ""
@@ -87,9 +97,6 @@ rules:
     resources:
       - endpointslices
     verbs:
-    {{- if $.Values.hub.token }}
-      - get
-    {{- end }}
       - list
       - watch
   {{- end }}

diff --git a/traefik/templates/rbac/role.yaml b/traefik/templates/rbac/role.yaml
@@ -39,9 +39,6 @@ rules:
     resources:
       - endpointslices
     verbs:
-    {{- if $.Values.hub.token }}
-      - get
-    {{- end }}
       - list
       - watch
   {{- end }}
@@ -156,81 +153,5 @@ rules:
     verbs:
       - update
 {{- end -}}
-{{- if $.Values.hub.token }}
-  - apiGroups:
-      - hub.traefik.io
-    resources:
-      - accesscontrolpolicies
-      - apiaccesses
-      - apiportals
-      - apiratelimits
-      - apis
-      - apiversions
-    verbs:
-      - list
-      - watch
-      - create
-      - update
-      - patch
-      - delete
-      - get
-  - apiGroups:
-      - ""
-    resources:
-      - namespaces
-      - pods
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
-  - apiGroups:
-      - coordination.k8s.io
-    resources:
-      - leases
-    verbs:
-      - get
-      - list
-      - watch
-      - create
-      - update
-      - patch
-      - delete
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    verbs:
-      - get
-      - list
-      - watch
-      - update
-      - create
-      - delete
-      - deletecollection
-  - apiGroups:
-      - apps
-    resources:
-      - replicasets
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-{{- end -}}
 {{- end -}}
 {{- end -}}
diff --git a/traefik/templates/requirements.yaml b/traefik/templates/requirements.yaml
@@ -12,3 +12,7 @@
 {{- if and (.Values.providers.kubernetesGateway).enabled (and (semverCompare "<3.1.0-rc3" $version) (not .Values.experimental.kubernetesGateway.enabled)) }}
   {{- fail "ERROR: Before traefik v3.1.0-rc3, kubernetesGateway is experimental. Enable it by setting experimental.kubernetesGateway.enabled to true" -}}
 {{- end }}
+
+{{- if and .Values.hub.token (and .Values.rbac.enabled .Values.rbac.namespaced) }}
+  {{- fail "ERROR: Currently traefik-hub doesn't support namespaced RBACs" -}}
+{{- end }}
diff --git a/traefik/tests/rbac-config_test.yaml b/traefik/tests/rbac-config_test.yaml
@@ -1141,8 +1141,8 @@ tests:
               - watch
 
   - it: should contain additional RBACS for hub
-    chart:
-      appVersion: v3.1.0
+    image:
+      tag: v3.1.0
     set:
       hub:
         token: xxx
@@ -1273,132 +1273,7 @@ tests:
               - get
               - list
               - watch
-  - it: should provide namespace'd RBACS for hub
-    chart:
-      appVersion: v3.1.0
-    set:
-      hub:
-        token: xxx
-      rbac:
-        namespaced: true
-      providers:
-        kubernetesIngress:
-          enabled: false
-    asserts:
-      - template: rbac/role.yaml
-        contains:
-          path: rules
-          content:
-            apiGroups:
-              - hub.traefik.io
-            resources:
-              - accesscontrolpolicies
-              - apiaccesses
-              - apiportals
-              - apiratelimits
-              - apis
-              - apiversions
-            verbs:
-              - list
-              - watch
-              - create
-              - update
-              - patch
-              - delete
-              - get
-      - template: rbac/role.yaml
-        contains:
-          path: rules
-          content:
-            apiGroups:
-              - ""
-            resources:
-              - namespaces
-              - pods
-            verbs:
-              - get
-              - list
-              - watch
-      - template: rbac/role.yaml
-        contains:
-          path: rules
-          content:
-            apiGroups:
-              - ""
-            resources:
-              - events
-            verbs:
-              - create
-              - patch
-      - template: rbac/role.yaml
-        contains:
-          path: rules
-          content:
-            apiGroups:
-              - discovery.k8s.io
-            resources:
-              - endpointslices
-            verbs:
-              - get
-              - list
-              - watch
-      - template: rbac/role.yaml
-        contains:
-          path: rules
-          content:
-            apiGroups:
-              - coordination.k8s.io
-            resources:
-              - leases
-            verbs:
-              - get
-              - list
-              - watch
-              - create
-              - update
-              - patch
-              - delete
-      - template: rbac/role.yaml
-        contains:
-          path: rules
-          content:
-            apiGroups:
-              - ""
-            resources:
-              - secrets
-            verbs:
-              - get
-              - list
-              - watch
-              - update
-              - create
-              - delete
-              - deletecollection
-      - template: rbac/role.yaml
-        contains:
-          path: rules
-          content:
-            apiGroups:
-              - apps
-            resources:
-              - replicasets
-            verbs:
-              - get
-              - list
-              - watch
-      - template: rbac/role.yaml
-        contains:
-          path: rules
-          content:
-            apiGroups:
-              - extensions
-              - networking.k8s.io
-            resources:
-              - ingresses
-            verbs:
-              - get
-              - list
-              - watch
+
   - it: should provide expected namespace'd RBACS for version < v3.1
     set:
       image:

diff --git a/traefik/tests/requirements-config_test.yaml b/traefik/tests/requirements-config_test.yaml
@@ -52,3 +52,12 @@ tests:
           enabled: true
     asserts:
       - notFailedTemplate: {}
+  - it: should not fail when using traefik-hub with namespaced RBACs
+    set:
+      hub:
+        token: xxx
+      rbac:
+        namespaced: true
+    asserts:
+      - failedTemplate:
+          errorMessage: "ERROR: Currently traefik-hub doesn't support namespaced RBACs"