fix: namespaced RBACs hub api gateway

traefik · Jul 24, 2024 · 50c24e5 · 50c24e5
1 parent 9240475
commit 50c24e5
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 5 deletions.
diff --git a/traefik/templates/rbac/clusterrole.yaml b/traefik/templates/rbac/clusterrole.yaml
@@ -194,7 +194,7 @@ rules:
       - update
 {{- end -}}
 {{- end -}}
-{{- if .Values.hub.token }}
+{{- if and .Values.hub.token .Values.hub.apimanagement.enabled }}
   - apiGroups:
       - hub.traefik.io
     resources:

diff --git a/traefik/templates/rbac/role.yaml b/traefik/templates/rbac/role.yaml
@@ -153,5 +153,38 @@ rules:
     verbs:
       - update
 {{- end -}}
+{{- if $.Values.hub.token }}
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - namespaces
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+{{- end }}
 {{- end -}}
 {{- end -}}
diff --git a/traefik/templates/requirements.yaml b/traefik/templates/requirements.yaml
@@ -13,6 +13,8 @@
   {{- fail "ERROR: Before traefik v3.1.0-rc3, kubernetesGateway is experimental. Enable it by setting experimental.kubernetesGateway.enabled to true" -}}
 {{- end }}
 
-{{- if and .Values.hub.token (and .Values.rbac.enabled .Values.rbac.namespaced) }}
-  {{- fail "ERROR: Currently traefik-hub doesn't support namespaced RBACs" -}}
+{{- if .Values.hub.token }}
+  {{- if and .Values.hub.apimanagement.enabled (and .Values.rbac.enabled .Values.rbac.namespaced) }}
+    {{- fail "ERROR: Currently Traefik Hub doesn't support namespaced RBACs" -}}
+  {{- end }}
 {{- end }}
diff --git a/traefik/tests/rbac-config_test.yaml b/traefik/tests/rbac-config_test.yaml
@@ -1146,6 +1146,8 @@ tests:
     set:
       hub:
         token: xxx
+        apimanagement:
+          enabled: true
     asserts:
       - template: rbac/clusterrole.yaml
         contains:

diff --git a/traefik/tests/requirements-config_test.yaml b/traefik/tests/requirements-config_test.yaml
@@ -52,12 +52,14 @@ tests:
           enabled: true
     asserts:
       - notFailedTemplate: {}
-  - it: should not fail when using traefik-hub with namespaced RBACs
+  - it: should fail when using traefik-hub API management with namespaced RBACs
     set:
       hub:
         token: xxx
+        apimanagement:
+          enabled: true
       rbac:
         namespaced: true
     asserts:
       - failedTemplate:
-          errorMessage: "ERROR: Currently traefik-hub doesn't support namespaced RBACs"
+          errorMessage: "ERROR: Currently Traefik Hub doesn't support namespaced RBACs"