From 0efbcb5d88c8b036ade4b324c4eb656e7896b3bf Mon Sep 17 00:00:00 2001
From: mloiseleur <97035654+mloiseleur@users.noreply.github.com>
Date: Tue, 25 Apr 2023 10:29:00 +0200
Subject: [PATCH] =?UTF-8?q?fix:=20=F0=9F=90=9B=20update=20rbac=20for=20bot?=
 =?UTF-8?q?h=20traefik.io=20and=20containo.us=20apigroups=20(#836)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 traefik/templates/rbac/clusterrole.yaml |  1 +
 traefik/templates/rbac/role.yaml        |  1 +
 traefik/tests/rbac-config_test.yaml     | 50 +++++++++++++++++++++++++
 3 files changed, 52 insertions(+)

diff --git a/traefik/templates/rbac/clusterrole.yaml b/traefik/templates/rbac/clusterrole.yaml
index da85940aa..3865bc273 100644
--- a/traefik/templates/rbac/clusterrole.yaml
+++ b/traefik/templates/rbac/clusterrole.yaml
@@ -44,6 +44,7 @@ rules:
 {{- end -}}
 {{- if .Values.providers.kubernetesCRD.enabled }}
   - apiGroups:
+      - traefik.io
       - traefik.containo.us
     resources:
       - ingressroutes
diff --git a/traefik/templates/rbac/role.yaml b/traefik/templates/rbac/role.yaml
index 334702838..106ca588b 100644
--- a/traefik/templates/rbac/role.yaml
+++ b/traefik/templates/rbac/role.yaml
@@ -37,6 +37,7 @@ rules:
 {{- end -}}
 {{- if .Values.providers.kubernetesCRD.enabled }}
   - apiGroups:
+      - traefik.io
       - traefik.containo.us
     resources:
       - ingressroutes
diff --git a/traefik/tests/rbac-config_test.yaml b/traefik/tests/rbac-config_test.yaml
index 83f0b73d3..a1d19fdcb 100644
--- a/traefik/tests/rbac-config_test.yaml
+++ b/traefik/tests/rbac-config_test.yaml
@@ -227,3 +227,53 @@ tests:
           path: subjects[0].namespace
           value: "traefik-ns-override"
         template: rbac/rolebinding.yaml
+  - it: cluster rbac should be on both traefik.io and containo.us API group
+    set:
+    asserts:
+      - template: rbac/clusterrole.yaml
+        contains:
+          path: rules
+          content:
+            apiGroups:
+              - traefik.io
+              - traefik.containo.us
+            resources:
+              - ingressroutes
+              - ingressroutetcps
+              - ingressrouteudps
+              - middlewares
+              - middlewaretcps
+              - tlsoptions
+              - tlsstores
+              - traefikservices
+              - serverstransports
+            verbs:
+              - get
+              - list
+              - watch
+  - it: namespaced rbac should be on both traefik.io and containo.us API group
+    set:
+      rbac:
+        namespaced: true
+    asserts:
+      - template: rbac/role.yaml
+        contains:
+          path: rules
+          content:
+            apiGroups:
+              - traefik.io
+              - traefik.containo.us
+            resources:
+              - ingressroutes
+              - ingressroutetcps
+              - ingressrouteudps
+              - middlewares
+              - middlewaretcps
+              - tlsoptions
+              - tlsstores
+              - traefikservices
+              - serverstransports
+            verbs:
+              - get
+              - list
+              - watch