diff --git a/traefik/templates/_helpers.tpl b/traefik/templates/_helpers.tpl
index 2e4f3d508..2439abc62 100644
--- a/traefik/templates/_helpers.tpl
+++ b/traefik/templates/_helpers.tpl
@@ -129,8 +129,16 @@ Renders a complete tree, even values that contains template.
 {{- end -}}
 {{- define "imageVersion" -}}
+{{/*
+Traefik hub is based on v3.0 of traefik proxy, so this is a hack to avoid to much complexity in RBAC management which are
+based on semverCompare
+*/}}
+{{- if $.Values.hub.token -}}
+v3.0
+{{- else -}}
 {{ (split "@" (default $.Chart.AppVersion $.Values.image.tag))._0 | replace "latest-" "" | replace "experimental-" "" }}
 {{- end -}}
+{{- end -}}
 {{/* Generate/load self-signed certificate for admission webhooks */}}
 {{- define "traefik-hub.webhook_cert" -}}
diff --git a/traefik/templates/rbac/clusterrole.yaml b/traefik/templates/rbac/clusterrole.yaml
index a255dcfaa..5d12fb77e 100644
--- a/traefik/templates/rbac/clusterrole.yaml
+++ b/traefik/templates/rbac/clusterrole.yaml
@@ -72,6 +72,16 @@ rules:
 - get
 - list
 - watch
+ {{- if $.Values.hub.token }}
+ - apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - list
+ - watch
+ {{- end }}
 {{- else }}
 - apiGroups:
 - ""
@@ -87,9 +97,6 @@ rules:
 resources:
 - endpointslices
 verbs:
- {{- if $.Values.hub.token }}
- - get
- {{- end }}
 - list
 - watch
 {{- end }}
diff --git a/traefik/templates/rbac/role.yaml b/traefik/templates/rbac/role.yaml
index cd859110d..e7ecc76f5 100644
--- a/traefik/templates/rbac/role.yaml
+++ b/traefik/templates/rbac/role.yaml
@@ -39,9 +39,6 @@ rules:
 resources:
 - endpointslices
 verbs:
- {{- if $.Values.hub.token }}
- - get
- {{- end }}
 - list
 - watch
 {{- end }}
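Review bot: In the `_helpers.tpl` hunk, `imageVersion` now returns `v3.0` for every install with a non-empty `hub.token`, and that affects every caller of the helper, not only the RBAC templates the new comment names. If `$version` in requirements.yaml comes from this helper (its assignment is outside the diff), the `semverCompare "<3.1.0-rc3" $version` gate shown there would also evaluate against v3.0 for Hub users, whatever image tag they run. Because this value selects which RBAC rules get rendered, I would say so in the comment, for example `Pins every semverCompare in the chart to v3.0 when hub.token is set; image.tag is ignored for version gating`, and fix "to much" to "too much".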
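Review bot: The `discovery.k8s.io` / `endpointslices` rule added in the first clusterrole.yaml hunk renders only inside the branch that precedes `{{- else }}`, whose condition starts outside the hunk. It is presumably reached for Hub installs only because `imageVersion` is now pinned to `v3.0`, and nothing here says so. I would add a template comment above the `if`, such as `{{- /* Hub is pinned to v3.0 by imageVersion and also needs get/list/watch on EndpointSlices */}}`. With the conditional `get` removed from the `else` branch in the second hunk, a later change to the pin would silently drop `get` on EndpointSlices for Hub, so an rbac-config test asserting this exact rule is worth having if one does not already exist.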
@@ -156,81 +153,5 @@ rules:
 verbs:
 - update
 {{- end -}}
-{{- if $.Values.hub.token }}
- - apiGroups:
- - hub.traefik.io
- resources:
- - accesscontrolpolicies
- - apiaccesses
- - apiportals
- - apiratelimits
- - apis
- - apiversions
- verbs:
- - list
- - watch
- - create
- - update
- - patch
- - delete
- - get
- - apiGroups:
- - ""
- resources:
- - namespaces
- - pods
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
- - apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
- - apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - get
- - list
- - watch
- - update
- - create
- - delete
- - deletecollection
- - apiGroups:
- - apps
- resources:
- - replicasets
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - extensions
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
-{{- end -}}
 {{- end -}}
 {{- end -}}
diff --git a/traefik/templates/requirements.yaml b/traefik/templates/requirements.yaml
index 79f1f4477..c37aa7bf5 100644
--- a/traefik/templates/requirements.yaml
+++ b/traefik/templates/requirements.yaml
@@ -12,3 +12,7 @@
 {{- if and (.Values.providers.kubernetesGateway).enabled (and (semverCompare "<3.1.0-rc3" $version) (not .Values.experimental.kubernetesGateway.enabled)) }}
 {{- fail "ERROR: Before traefik v3.1.0-rc3, kubernetesGateway is experimental. Enable it by setting experimental.kubernetesGateway.enabled to true" -}}
 {{- end }}
+
+{{- if and .Values.hub.token (and .Values.rbac.enabled .Values.rbac.namespaced) }}
+ {{- fail "ERROR: Currently traefik-hub doesn't support namespaced RBACs" -}}
+{{- end }}
diff --git a/traefik/tests/rbac-config_test.yaml b/traefik/tests/rbac-config_test.yaml
index 4ff79e698..304abd401 100644
--- a/traefik/tests/rbac-config_test.yaml
+++ b/traefik/tests/rbac-config_test.yaml
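Review bot: The new `fail` in requirements.yaml tells the user what is unsupported but not what to change, and it leaves out that the alternative is cluster-scoped RBAC. The Hub rules deleted from role.yaml in this commit included `delete` and `deletecollection` on `secrets`; those permissions are presumably granted through the ClusterRole instead, so anyone who set `rbac.namespaced: true` to confine the controller should learn from the message that the scope widens. Something like `"ERROR: traefik-hub requires cluster-scoped RBAC; set rbac.namespaced to false"` would do, with the matching `errorMessage` in requirements-config_test.yaml updated alongside. The nested `and` can also be flattened to `and .Values.hub.token .Values.rbac.enabled .Values.rbac.namespaced`.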
@@ -1141,8 +1141,8 @@ tests:
 - watch
 - it: should contain additional RBACS for hub
- chart:
- appVersion: v3.1.0
+ image:
+ tag: v3.1.0
 set:
 hub:
 token: xxx
@@ -1273,132 +1273,7 @@ tests:
 - get
 - list
 - watch
- - it: should provide namespace'd RBACS for hub
- chart:
- appVersion: v3.1.0
- set:
- hub:
- token: xxx
- rbac:
- namespaced: true
- providers:
- kubernetesIngress:
- enabled: false
- asserts:
- - template: rbac/role.yaml
- contains:
- path: rules
- content:
- apiGroups:
- - hub.traefik.io
- resources:
- - accesscontrolpolicies
- - apiaccesses
- - apiportals
- - apiratelimits
- - apis
- - apiversions
- verbs:
- - list
- - watch
- - create
- - update
- - patch
- - delete
- - get
- - template: rbac/role.yaml
- contains:
- path: rules
- content:
- apiGroups:
- - ""
- resources:
- - namespaces
- - pods
- verbs:
- - get
- - list
- - watch
- - template: rbac/role.yaml
- contains:
- path: rules
- content:
- apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
- - template: rbac/role.yaml
- contains:
- path: rules
- content:
- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - get
- - list
- - watch
- - template: rbac/role.yaml
- contains:
- path: rules
- content:
- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
- - template: rbac/role.yaml
- contains:
- path: rules
- content:
- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - get
- - list
- - watch
- - update
- - create
- - delete
- - deletecollection
- - template: rbac/role.yaml
- contains:
- path: rules
- content:
- apiGroups:
- - apps
- resources:
- - replicasets
- verbs:
- - get
- - list
- - watch
- - template: rbac/role.yaml
- contains:
- path: rules
- content:
- apiGroups:
- - extensions
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
+
 - it: should provide expected namespace'd RBACS for version < v3.1
 set:
 image:
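Review bot: In the first rbac-config_test.yaml hunk, the added `image:` / `tag: v3.1.0` lines sit before `set:`, which reads as a sibling key of `set` rather than a value override (indentation is lost on this page, so this is inferred from the order). helm-unittest takes value overrides from `set:` or `values:`, so the tag is probably never applied; moving `image:` / `tag: v3.1.0` under `set:` next to `hub:` would make the test do what it appears to. With `hub.token` set, the `imageVersion` helper now returns `v3.0` regardless of the tag, so a short comment on the case stating that the tag is deliberately ignored would also help the next reader.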
diff --git a/traefik/tests/requirements-config_test.yaml b/traefik/tests/requirements-config_test.yaml
index 937b2b16b..db390e78e 100644
--- a/traefik/tests/requirements-config_test.yaml
+++ b/traefik/tests/requirements-config_test.yaml
@@ -52,3 +52,12 @@ tests:
 enabled: true
 asserts:
 - notFailedTemplate: {}
+ - it: should not fail when using traefik-hub with namespaced RBACs
+ set:
+ hub:
+ token: xxx
+ rbac:
+ namespaced: true
+ asserts:
+ - failedTemplate:
+ errorMessage: "ERROR: Currently traefik-hub doesn't support namespaced RBACs"
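Review bot: The new case in requirements-config_test.yaml is named `should not fail when using traefik-hub with namespaced RBACs` but asserts `failedTemplate`, so the title says the opposite of what is checked; `should fail when using traefik-hub with namespaced RBACs` matches the assertion. The guard in requirements.yaml also requires `rbac.enabled`, which this case leaves to the chart default. Setting `enabled: true` under `rbac:` makes the precondition explicit, and a second case with `rbac.enabled: false` asserting `notFailedTemplate: {}` would pin the other side of the condition.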