feat: Improve user facing roles with dedicated roles

Signed-off-by: Rémy Jacquin <remy@remyj.fr>

Author: remyj38

traefik/VALUES.md

@@ -404,7 +404,11 @@ Kubernetes: `>=1.22.0-0`
 | providers.kubernetesIngress.publishedService.enabled | bool | `true` | Enable [publishedService](https://doc.traefik.io/traefik/providers/kubernetes-ingress/#publishedservice) |
 | providers.kubernetesIngress.publishedService.pathOverride | string | `""` | Override path of Kubernetes Service used to copy status from. Format: namespace/servicename. Default to Service deployed with this Chart. |
 | providers.kubernetesIngress.strictPrefixMatching | bool | `false` | Defines whether to make prefix matching strictly comply with the Kubernetes Ingress specification. |
-| rbac | object | `{"aggregateTo":[],"enabled":true,"namespaced":false,"secretResourceNames":[]}` | Whether Role Based Access Control objects like roles and rolebindings should be created |
+| rbac.aggregateAdminTo | list | `[]` | Aggregate Traefik admin role to specified user roles |
+| rbac.aggregateViewTo | list | `[]` | Aggregate Traefik view role to specified user roles |
+| rbac.enabled | bool | `true` | Whether Role Based Access Control objects like roles and rolebindings should be created |
+| rbac.namespaced | bool | `false` |  |
+| rbac.secretResourceNames | list | `[]` | List of Kubernetes secrets that are accessible for Traefik. If empty, then access is granted to every secret. |
 | readinessProbe.failureThreshold | int | `1` | The number of consecutive failures allowed before considering the probe as failed. |
 | readinessProbe.initialDelaySeconds | int | `2` | The number of seconds to wait before starting the first probe. |
 | readinessProbe.periodSeconds | int | `10` | The number of seconds to wait between consecutive probes. |

traefik/templates/rbac/clusterrole.yaml

@@ -7,9 +7,6 @@ metadata:
   name: {{ template "traefik.clusterRoleName" . }}
   labels:
     {{- include "traefik.labels" . | nindent 4 }}
-    {{- range .Values.rbac.aggregateTo }}
-    rbac.authorization.k8s.io/aggregate-to-{{ . }}: "true"
-    {{- end }}
 rules:
   {{- if (semverCompare "<v3.1.0-0" $version) }}
   - apiGroups:

traefik/templates/rbac/user-facing-roles.yaml

@@ -0,0 +1,189 @@
+{{- $version := include "traefik.proxyVersion" $ }}
+{{- if and .Values.rbac.enabled .Values.rbac.aggregateAdminTo }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if (not .Values.rbac.namespaced) }}
+kind: ClusterRole
+{{- else }}
+kind: Role
+{{- end }}
+metadata:
+  name: {{ template "traefik.clusterRoleName" . }}-admin
+  labels:
+    {{- include "traefik.labels" . | nindent 4 }}
+    {{- range .Values.rbac.aggregateAdminTo }}
+    rbac.authorization.k8s.io/aggregate-to-{{ . }}: "true"
+    {{- end }}
+rules:
+  - apiGroups:
+      - traefik.io
+    resources:
+      - ingressroutes
+      - ingressroutetcps
+      - ingressrouteudps
+      - middlewares
+      - middlewaretcps
+      - serverstransports
+      - serverstransporttcps
+      - tlsoptions
+      - tlsstores
+      - traefikservices
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  {{- if (.Values.providers.kubernetesGateway).enabled }}
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      {{- if semverCompare ">=v3.2.0-0" $version }}
+      - backendtlspolicies
+      - grpcroutes
+      {{- end }}
+      - gatewayclasses
+      - gateways
+      - httproutes
+      - referencegrants
+      - tcproutes
+      - tlsroutes
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      {{- if semverCompare ">=v3.2.0-0" $version }}
+      - backendtlspolicies/status
+      - grpcroutes/status
+      {{- end }}
+      - gatewayclasses/status
+      - gateways/status
+      - httproutes/status
+      - tcproutes/status
+      - tlsroutes/status
+    verbs:
+      - get
+      - list
+      - watch
+  {{- end }}
+  {{- if .Values.hub.token }}
+    {{- if .Values.hub.apimanagement.enabled }}
+  - apiGroups:
+      - hub.traefik.io
+    resources:
+      - accesscontrolpolicies
+      - apiauths
+      - apiportals
+      - apiportalauths
+      - apiratelimits
+      - apis
+      - apiversions
+      - apibundles
+      - apiplans
+      - apicatalogitems
+      - managedsubscriptions
+      - managedapplications
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
+    {{- end -}}
+  {{- end }}
+{{- end }}
+{{- if and .Values.rbac.enabled .Values.rbac.aggregateViewTo }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if (not .Values.rbac.namespaced) }}
+kind: ClusterRole
+{{- else }}
+kind: Role
+{{- end }}
+metadata:
+  name: {{ template "traefik.clusterRoleName" . }}-view
+  labels:
+    {{- include "traefik.labels" . | nindent 4 }}
+    {{- range .Values.rbac.aggregateViewTo }}
+    rbac.authorization.k8s.io/aggregate-to-{{ . }}: "true"
+    {{- end }}
+rules:
+  - apiGroups:
+      - traefik.io
+    resources:
+      - ingressroutes
+      - ingressroutetcps
+      - ingressrouteudps
+      - middlewares
+      - middlewaretcps
+      - serverstransports
+      - serverstransporttcps
+      - tlsoptions
+      - tlsstores
+      - traefikservices
+    verbs:
+      - get
+      - list
+      - watch
+  {{- if (.Values.providers.kubernetesGateway).enabled }}
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      {{- if semverCompare ">=v3.2.0-0" $version }}
+      - backendtlspolicies
+      - backendtlspolicies/status
+      - grpcroutes
+      - grpcroutes/status
+      {{- end }}
+      - gatewayclasses
+      - gatewayclasses/status
+      - gateways
+      - gateways/status
+      - httproutes
+      - httproutes/status
+      - referencegrants
+      - tcproutes
+      - tcproutes/status
+      - tlsroutes
+      - tlsroutes/status
+    verbs:
+      - get
+      - list
+      - watch
+  {{- end }}
+  {{- if and .Values.hub.token .Values.hub.apimanagement.enabled }}
+  - apiGroups:
+      - hub.traefik.io
+    resources:
+      - accesscontrolpolicies
+      - apiauths
+      - apiportals
+      - apiportalauths
+      - apiratelimits
+      - apis
+      - apiversions
+      - apibundles
+      - apiplans
+      - apicatalogitems
+      - managedsubscriptions
+      - managedapplications
+    verbs:
+      - get
+      - list
+      - watch
+  {{- end }}
+{{- end }}