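{{- /*
Namespaced RBAC for Traefik: renders one Role per namespace in the sorted,
de-duplicated union of the kubernetesIngress and kubernetesCRD provider
namespaces, each list prefixed with the namespace returned by the
"traefik.namespace" helper. Nothing is rendered unless both rbac.enabled and
rbac.namespaced are set.
*/ -}}
{{- $version := include "imageVersion" $ }}
{{- $ingressNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}}
{{- $CRDNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}}
{{- $allNamespaces := sortAlpha (uniq (concat $ingressNamespaces $CRDNamespaces)) -}}

{{- if and .Values.rbac.enabled .Values.rbac.namespaced -}}
{{- range $allNamespaces }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ template "traefik.fullname" $ }}
  namespace: {{ . }}
  labels:
    {{- include "traefik.labels" $ | nindent 4 }}
rules:
  {{- /* Image versions below v3.1.0 read core endpoints; later ones read endpointslices. */}}
  {{- if (semverCompare "<v3.1.0-0" $version) }}
  - apiGroups:
      - ""
    resources:
      - endpoints
      - services
    verbs:
      - get
      - list
      - watch
  {{- else }}
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - list
      - watch
  {{- end }}
  # Required until the upstream issue is resolved:
  # https://github.com/traefik/traefik/issues/7097#issuecomment-1983581843
  # SECURITY: this rule carries no resourceNames. A list response contains the
  # full Secret objects, so the ServiceAccount can read every Secret in this
  # namespace even when rbac.secretResourceNames is set on the rule below.
  # Keep unrelated Secrets out of the namespaces Traefik watches.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - list
  - apiGroups:
      - ""
    resources:
      - secrets
    {{- /*
    toJson emits a YAML flow sequence (["a","b"]). Printing the list directly
    renders Go's "[a b]", which YAML parses as the single name "a b", so the
    restriction would match no Secret as soon as two names are configured.
    */}}
    {{- if gt (len $.Values.rbac.secretResourceNames) 0 }}
    resourceNames: {{ toJson $.Values.rbac.secretResourceNames }}
    {{- end }}
    verbs:
      - get
      - list
      - watch
  {{- /* Ingress rules only in namespaces the kubernetesIngress provider watches. */}}
  {{- if (and (has . $ingressNamespaces) $.Values.providers.kubernetesIngress.enabled) }}
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  # The only write granted for Ingress objects: updating their status.
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  {{- end -}}
  {{- /* Read-only access to Traefik CRDs, only in namespaces the kubernetesCRD provider watches. */}}
  {{- if (and (has . $CRDNamespaces) $.Values.providers.kubernetesCRD.enabled) }}
  - apiGroups:
      - traefik.io
    resources:
      - ingressroutes
      - ingressroutetcps
      - ingressrouteudps
      - middlewares
      - middlewaretcps
      - tlsoptions
      - tlsstores
      - traefikservices
      - serverstransports
      - serverstransporttcps
    verbs:
      - get
      - list
      - watch
  {{- end -}}
  {{- /*
  NOTE(review): PodSecurityPolicy was removed in Kubernetes 1.25, and the
  "policy" group superseded "extensions" for it before that. Confirm which
  supported clusters still need this rule.
  */}}
  {{- if $.Values.podSecurityPolicy.enabled }}
  - apiGroups:
      - extensions
    resourceNames:
      - {{ template "traefik.fullname" $ }}
    resources:
      - podsecuritypolicies
    verbs:
      - use
  {{- end -}}
  {{- /*
  Granted only when hub.token is set: extra read access (including pods and
  namespaces) and full management of Lease objects in this namespace.
  */}}
  {{- if $.Values.hub.token }}
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - namespaces
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  {{- end }}
{{- end -}}
{{- end -}}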