fix(Traefik Hub): RBACs missing with API Gateway

Author: darkweaver87

traefik/templates/rbac/clusterrole.yaml

@@ -32,14 +32,14 @@ rules:
       - networking.k8s.io
     resources:
       - ingressclasses
-{{- if not .Values.rbac.namespaced }}
+  {{- if not .Values.rbac.namespaced }}
       - ingresses
-{{- end }}
+  {{- end }}
     verbs:
       - get
       - list
       - watch
-{{- if (.Values.providers.kubernetesGateway).enabled }}
+  {{- if (.Values.providers.kubernetesGateway).enabled }}
   - apiGroups:
       - ""
     resources:
@@ -61,8 +61,8 @@ rules:
       - gatewayclasses/status
     verbs:
       - update
-{{- end }}
-{{- if not .Values.rbac.namespaced }}
+  {{- end }}
+ {{- if not .Values.rbac.namespaced }}
   {{- if (semverCompare "<v3.1.0-0" $version) }}
   - apiGroups:
       - ""
@@ -87,7 +87,6 @@ rules:
   - apiGroups:
       - ""
     resources:
-      - nodes
       - services
     verbs:
       - get
@@ -112,16 +111,22 @@ rules:
       - get
       - list
       - watch
-{{- if .Values.providers.kubernetesIngress.enabled }}
+    {{- if and .Values.hub.token .Values.hub.apimanagement.enabled }}
+      - update
+      - create
+      - delete
+      - deletecollection
+    {{- end }}
+  {{- if .Values.providers.kubernetesIngress.enabled }}
   - apiGroups:
       - extensions
       - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
-{{- end -}}
-{{- if .Values.providers.kubernetesCRD.enabled }}
+  {{- end -}}
+  {{- if .Values.providers.kubernetesCRD.enabled }}
   - apiGroups:
       - traefik.io
     resources:
@@ -139,8 +144,8 @@ rules:
       - get
       - list
       - watch
-{{- end -}}
-{{- if .Values.podSecurityPolicy.enabled }}
+  {{- end -}}
+  {{- if .Values.podSecurityPolicy.enabled }}
   - apiGroups:
       - policy
     resourceNames:
@@ -149,29 +154,29 @@ rules:
       - podsecuritypolicies
     verbs:
       - use
-{{- end -}}
-{{- if .Values.providers.kubernetesGateway.enabled }}
+  {{- end -}}
+  {{- if .Values.providers.kubernetesGateway.enabled }}
   - apiGroups:
       - ""
     resources:
       - services
-{{- if (semverCompare "<v3.1.0-0" $version) }}
+    {{- if (semverCompare "<v3.1.0-0" $version) }}
       - endpoints
-{{- end }}
+    {{- end }}
       - secrets
     verbs:
       - get
       - list
       - watch
-{{- if (semverCompare ">=v3.1.0-0" $version) }}
+    {{- if (semverCompare ">=v3.1.0-0" $version) }}
   - apiGroups:
       - discovery.k8s.io
     resources:
       - endpointslices
     verbs:
       - list
       - watch
-{{- end }}
+    {{- end }}
   - apiGroups:
       - gateway.networking.k8s.io
     resources:
@@ -193,74 +198,62 @@ rules:
       - tlsroutes/status
     verbs:
       - update
-{{- end -}}
-{{- end -}}
-{{- if and .Values.hub.token .Values.hub.apimanagement.enabled }}
+  {{- end }}
+  {{- if .Values.hub.token }}
   - apiGroups:
-      - hub.traefik.io
+      - coordination.k8s.io
     resources:
-      - accesscontrolpolicies
-      - apiaccesses
-      - apiportals
-      - apiratelimits
-      - apis
-      - apiversions
+      - leases
     verbs:
+      - get
       - list
       - watch
       - create
       - update
       - patch
       - delete
-      - get
-  - apiGroups:
-      - ""
-    resources:
-      - namespaces
-      - pods
-    verbs:
-      - list
+  {{- end }}
+{{- /* not .Values.rbac.namespace */}}
+{{- end }}
+{{- if .Values.hub.token }}
   - apiGroups:
       - ""
     resources:
       - namespaces
+    {{- if .Values.hub.apimanagement.enabled }}
       - pods
-      - nodes
+    {{- end }}
     verbs:
       - get
       - list
+    {{- if .Values.hub.apimanagement.enabled }}
       - watch
+    {{- end }}
+  {{- if .Values.hub.apimanagement.enabled }}
   - apiGroups:
-      - ""
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
-  - apiGroups:
-      - coordination.k8s.io
+      - hub.traefik.io
     resources:
-      - leases
+      - accesscontrolpolicies
+      - apiaccesses
+      - apiportals
+      - apiratelimits
+      - apis
+      - apiversions
     verbs:
-      - get
       - list
       - watch
       - create
       - update
       - patch
       - delete
+      - get
   - apiGroups:
       - ""
     resources:
-      - secrets
+      - events
     verbs:
-      - get
-      - list
-      - watch
-      - update
       - create
-      - delete
-      - deletecollection
+      - patch
   - apiGroups:
       - apps
     resources:
@@ -270,14 +263,13 @@ rules:
       - list
       - watch
   - apiGroups:
-      - extensions
-      - networking.k8s.io
+      - ""
     resources:
-      - ingresses
+      - nodes
     verbs:
-      - get
       - list
       - watch
+  {{- end -}}
 {{- end }}
 {{- end }}
 {{- end }}

traefik/tests/rbac-config_test.yaml

@@ -1160,8 +1160,42 @@ tests:
               - get
               - list
               - watch
+  - it: should contain additional RBACS for hub API gateway
+    image:
+      tag: v3.1.0
+    set:
+      hub:
+        token: xxx
+    asserts:
+      - template: rbac/clusterrole.yaml
+        contains:
+          path: rules
+          content:
+            apiGroups:
+              - ""
+            resources:
+              - namespaces
+            verbs:
+              - get
+              - list
+      - template: rbac/clusterrole.yaml
+        contains:
+          path: rules
+          content:
+            apiGroups:
+              - coordination.k8s.io
+            resources:
+              - leases
+            verbs:
+              - get
+              - list
+              - watch
+              - create
+              - update
+              - patch
+              - delete
 
-  - it: should contain additional RBACS for hub
+  - it: should contain additional RBACS for hub API management
     image:
       tag: v3.1.0
     set:
@@ -1200,18 +1234,6 @@ tests:
             resources:
               - namespaces
               - pods
-            verbs:
-              - list
-      - template: rbac/clusterrole.yaml
-        contains:
-          path: rules
-          content:
-            apiGroups:
-              - ""
-            resources:
-              - namespaces
-              - pods
-              - nodes
             verbs:
               - get
               - list
@@ -1291,11 +1313,23 @@ tests:
               - extensions
               - networking.k8s.io
             resources:
+              - ingressclasses
               - ingresses
             verbs:
               - get
               - list
               - watch
+      - template: rbac/clusterrole.yaml
+        contains:
+          path: rules
+          content:
+            apiGroups:
+              - ""
+            resources:
+              - nodes
+            verbs:
+              - list
+              - watch
 
   - it: should provide expected namespace'd RBACS for version < v3.1
     set: