diff --git a/traefik/templates/_helpers.tpl b/traefik/templates/_helpers.tpl index 9a1bc46a4..2183f84ab 100644 --- a/traefik/templates/_helpers.tpl +++ b/traefik/templates/_helpers.tpl @@ -134,7 +134,7 @@ Traefik hub is based on v3.1 (v3.0 before v3.3.1) of traefik proxy, so this is a based on semverCompare */}} {{- if $.Values.hub.token -}} -{{ if and (regexMatch "v[0-9]+.[0-9]+.[0-9]+" (default "" $.Values.image.tag)) (semverCompare "<=v3.3.1-0" $.Values.image.tag) -}} +{{ if and (regexMatch "v[0-9]+.[0-9]+.[0-9]+" (default "" $.Values.image.tag)) (semverCompare "=v3.1.0-0" $version) .Values.hub.apimanagement.enabled }} + - apiGroups: + - "" + resources: + - endpoints + verbs: + - list + - watch + {{- end }} - apiGroups: - "" resources: diff --git a/traefik/tests/rbac-config_test.yaml b/traefik/tests/rbac-config_test.yaml index 6be335a94..6e539b8ef 100644 --- a/traefik/tests/rbac-config_test.yaml +++ b/traefik/tests/rbac-config_test.yaml @@ -1330,6 +1330,17 @@ tests: verbs: - list - watch + - template: rbac/clusterrole.yaml + contains: + path: rules + content: + apiGroups: + - "" + resources: + - endpoints + verbs: + - list + - watch - it: should not contain additional RBACS for hub > 3.3.1 API management set: @@ -1351,6 +1362,36 @@ tests: verbs: - list - watch + - template: rbac/clusterrole.yaml + contains: + path: rules + content: + apiGroups: + - "" + resources: + - endpoints + verbs: + - list + - watch + + - it: should not contain additional RBACS for hub <= 3.3.1 API gateway + set: + image: + tag: v3.3.1 + hub: + token: xxx + asserts: + - template: rbac/clusterrole.yaml + notContains: + path: rules + content: + apiGroups: + - "" + resources: + - endpoints + verbs: + - list + - watch - it: should provide expected namespace'd RBACS for version < v3.1 set: