diff --git a/traefik/templates/_helpers.tpl b/traefik/templates/_helpers.tpl index 3b0d12ee0..a6c8b9fa4 100644 --- a/traefik/templates/_helpers.tpl +++ b/traefik/templates/_helpers.tpl @@ -108,10 +108,10 @@ Users can provide an override for an explicit service they want bound via `.Valu Construct a comma-separated list of whitelisted namespaces */}} {{- define "providers.kubernetesIngress.namespaces" -}} -{{- default .Release.Namespace (join "," .Values.providers.kubernetesIngress.namespaces) }} +{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesIngress.namespaces) }} {{- end -}} {{- define "providers.kubernetesCRD.namespaces" -}} -{{- default .Release.Namespace (join "," .Values.providers.kubernetesCRD.namespaces) }} +{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesCRD.namespaces) }} {{- end -}} {{/* diff --git a/traefik/templates/rbac/role.yaml b/traefik/templates/rbac/role.yaml index 5be815953..be0f90f71 100644 --- a/traefik/templates/rbac/role.yaml +++ b/traefik/templates/rbac/role.yaml @@ -1,11 +1,17 @@ -{{- if and .Values.rbac.enabled .Values.rbac.namespaced }} +{{- $ingressNamespaces := default (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}} +{{- $CRDNamespaces := default (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}} +{{- $allNamespaces := uniq (concat $ingressNamespaces $CRDNamespaces) -}} + +{{- if and .Values.rbac.enabled .Values.rbac.namespaced -}} +{{- range $allNamespaces }} +--- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ template "traefik.fullname" . }} - namespace: {{ template "traefik.namespace" . }} + name: {{ template "traefik.fullname" $ }} + namespace: {{ . }} labels: - {{- include "traefik.labels" . | nindent 4 }} + {{- include "traefik.labels" $ | nindent 4 }} rules: - apiGroups: - "" 
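Review bot: Both helpers still each repeat the `default (include "traefik.namespace" .)` fallback, and role.yaml and rolebinding.yaml in this same commit re-derive the identical list form of it a third and fourth time, so the namespaces the provider is told to watch and the namespaces that receive a Role can silently drift if one copy is edited later. A single list-valued helper per provider (say a new `providers.kubernetesIngress.namespaceList`, defined next to these) that the string helpers here reduce with `join ","` and that the RBAC templates range over would give one source of truth. What consumes the joined strings is not visible in this hunk, so whether they and the RBAC lists are currently guaranteed to agree is inferred from the names only.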
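Review bot: `$allNamespaces` is built from both providers' namespace lists without regard to `providers.kubernetesIngress.enabled` or `providers.kubernetesCRD.enabled`, so a namespace listed for a disabled provider still receives a Role whose first rule (the core apiGroup, outside any `if`) is granted unconditionally; only the provider-specific rules further down are gated on the `has .` checks. Deriving each list from its enabled flag keeps the grants to namespaces Traefik actually watches, e.g. `{{- $ingressNamespaces := ternary (default (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces) (list) .Values.providers.kubernetesIngress.enabled -}}` and the same for `$CRDNamespaces`. The identical three lines open rolebinding.yaml and would need the same change. With both providers disabled this would leave no Role at all, so if that configuration is supported the podSecurityPolicy rule would need the release namespace added back explicitly. The `if`/`range` opened here close in the last hunk of this file.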
@@ -17,7 +23,7 @@ rules: - get - list - watch -{{- if .Values.providers.kubernetesIngress.enabled }} +{{- if (and (has . $ingressNamespaces) $.Values.providers.kubernetesIngress.enabled) }} - apiGroups: - extensions - networking.k8s.io @@ -35,7 +41,7 @@ rules: verbs: - update {{- end -}} -{{- if .Values.providers.kubernetesCRD.enabled }} +{{- if (and (has . $CRDNamespaces) $.Values.providers.kubernetesCRD.enabled) }} - apiGroups: - traefik.io {{- if semverCompare "<3.0.0-0" (default $.Chart.AppVersion $.Values.image.tag) }} @@ -59,14 +65,15 @@ rules: - list - watch {{- end -}} -{{- if .Values.podSecurityPolicy.enabled }} +{{- if $.Values.podSecurityPolicy.enabled }} - apiGroups: - extensions resourceNames: - - {{ template "traefik.fullname" . }} + - {{ template "traefik.fullname" $ }} resources: - podsecuritypolicies verbs: - use {{- end -}} {{- end -}} +{{- end -}} diff --git a/traefik/templates/rbac/rolebinding.yaml b/traefik/templates/rbac/rolebinding.yaml index 91334b4b2..263a2e05a 100644 --- a/traefik/templates/rbac/rolebinding.yaml +++ b/traefik/templates/rbac/rolebinding.yaml 
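Review bot: The podSecurityPolicy `use` rule is now emitted in every namespace of `$allNamespaces`, but the only subject bound to these Roles is the ServiceAccount in the release namespace (rolebinding.yaml's subject `namespace` is `traefik.namespace`), and PSP admission evaluates `use` against the namespace the pod is created in, so the grant in the other namespaces is surplus. Restricting it to the release namespace keeps each Role minimal: `{{- if (and (eq . (include "traefik.namespace" $)) $.Values.podSecurityPolicy.enabled) }}`. The `range` and `if` that this hunk closes are opened in the file's first hunk.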
@@ -1,17 +1,24 @@ +{{- $ingressNamespaces := default (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}} +{{- $CRDNamespaces := default (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}} +{{- $allNamespaces := uniq (concat $ingressNamespaces $CRDNamespaces) -}} + {{- if and .Values.rbac.enabled .Values.rbac.namespaced }} +{{- range $allNamespaces }} +--- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ template "traefik.fullname" . }} - namespace: {{ template "traefik.namespace" . }} + name: {{ template "traefik.fullname" $ }} + namespace: {{ . }} labels: - {{- include "traefik.labels" . | nindent 4 }} + {{- include "traefik.labels" $ | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "traefik.fullname" . }} + name: {{ template "traefik.fullname" $ }} subjects: - kind: ServiceAccount - name: {{ include "traefik.serviceAccountName" . }} - namespace: {{ template "traefik.namespace" . }} + name: {{ include "traefik.serviceAccountName" $ }} + namespace: {{ template "traefik.namespace" $ }} +{{- end -}} {{- end -}} diff --git a/traefik/tests/rbac-config_test.yaml b/traefik/tests/rbac-config_test.yaml index 3b653edd7..703adb1b1 100644 --- a/traefik/tests/rbac-config_test.yaml +++ b/traefik/tests/rbac-config_test.yaml 
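Review bot: The `if` line kept as context here (`{{- if and .Values.rbac.enabled .Values.rbac.namespaced }}`) differs from the one role.yaml now uses, which ends in `-}}`; the following `{{- range` trims the newline anyway, so rendered output is unaffected, but the two templates read as if written to different conventions. Aligning it to `{{- if and .Values.rbac.enabled .Values.rbac.namespaced -}}` keeps the two files parallel. The three variable lines above it are the same as role.yaml's and carry the same coupling to the providers' enabled flags, so any fix there applies here too.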
@@ -175,6 +175,148 @@ tests: path: metadata.namespace value: NAMESPACE template: rbac/serviceaccount.yaml + - it: should use multiple namespaces if provided to kubernetesCRD + set: + providers: + kubernetesCRD: + namespaces: + - default + - foo + rbac: + namespaced: true + asserts: + - hasDocuments: + count: 3 + template: rbac/role.yaml + - hasDocuments: + count: 3 + template: rbac/rolebinding.yaml + - equal: + path: metadata.namespace + value: NAMESPACE + template: rbac/role.yaml + documentIndex: 0 + - equal: + path: metadata.namespace + value: default + template: rbac/role.yaml + documentIndex: 1 + - equal: + path: metadata.namespace + value: foo + template: rbac/role.yaml + documentIndex: 2 + - equal: + path: metadata.namespace + value: NAMESPACE + template: rbac/rolebinding.yaml + documentIndex: 0 + - equal: + path: metadata.namespace + value: default + template: rbac/rolebinding.yaml + documentIndex: 1 + - equal: + path: metadata.namespace + value: foo + template: rbac/rolebinding.yaml + documentIndex: 2 + - it: should use multiple namespaces if provided to kubernetesIngress + set: + providers: + kubernetesIngress: + namespaces: + - default + - bar + rbac: + namespaced: true + asserts: + - hasDocuments: + count: 3 + template: rbac/role.yaml + - hasDocuments: + count: 3 + template: rbac/rolebinding.yaml + - equal: + path: metadata.namespace + value: default + template: rbac/role.yaml + documentIndex: 0 + - equal: + path: metadata.namespace + value: bar + template: rbac/role.yaml + documentIndex: 1 + - equal: + path: metadata.namespace + value: NAMESPACE + template: rbac/role.yaml + documentIndex: 2 + - equal: + path: metadata.namespace + value: default + template: rbac/rolebinding.yaml + documentIndex: 0 + - equal: + path: metadata.namespace + value: bar + template: rbac/rolebinding.yaml + documentIndex: 1 + - equal: + path: metadata.namespace + value: NAMESPACE + template: rbac/rolebinding.yaml + documentIndex: 2 + - it: should use multiple namespaces if 
provided to both providers + set: + providers: + kubernetesCRD: + namespaces: + - default + - foo + kubernetesIngress: + namespaces: + - default + - bar + rbac: + namespaced: true + asserts: + - hasDocuments: + count: 3 + template: rbac/role.yaml + - hasDocuments: + count: 3 + template: rbac/rolebinding.yaml + - equal: + path: metadata.namespace + value: default + template: rbac/role.yaml + documentIndex: 0 + - equal: + path: metadata.namespace + value: bar + template: rbac/role.yaml + documentIndex: 1 + - equal: + path: metadata.namespace + value: foo + template: rbac/role.yaml + documentIndex: 2 + - equal: + path: metadata.namespace + value: default + template: rbac/rolebinding.yaml + documentIndex: 0 + - equal: + path: metadata.namespace + value: bar + template: rbac/rolebinding.yaml + documentIndex: 1 + - equal: + path: metadata.namespace + value: foo + template: rbac/rolebinding.yaml + documentIndex: 2 - it: should accept overridden namespace set: namespaceOverride: "traefik-ns-override"
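Review bot: The new cases assert only document counts and `metadata.namespace`, so the per-namespace gating introduced in role.yaml (`has . $ingressNamespaces` / `has . $CRDNamespaces`) is not exercised: nothing checks that in the "both providers" case the Role for `bar` carries no traefik.io rule and the Role for `foo` no networking.k8s.io rule. A `contains`/`notContains` assert on `rules` with the relevant `documentIndex` in that third case would pin it, and a case combining `namespaceOverride` with a namespaces list would confirm the default entry follows the override rather than `.Release.Namespace`. The existing `should accept overridden namespace` case that follows appears to cover only the single-namespace path, though its body lies outside this hunk.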