traefik-helm-chart icon indicating copy to clipboard operation
traefik-helm-chart copied to clipboard

Published 20 hours ago verified publisher icon traefik

helm traefik does not watch all namespaces when rbac namespaced

Open oleg-andreyev opened this issue 1 year ago • 2 comments

Welcome!

  • [X] Yes, I've searched similar issues on GitHub and didn't find any.
  • [X] Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What version of the Traefik's Helm Chart are you using?

3.14.2

What version of Traefik are you using?

2.11.0

What did you do?

Following documentation and default Chart values, it is stated that traefik will watch all namespaces, but it's not

https://github.com/traefik/traefik-helm-chart/blob/ba5918d221d9a6eb52384f945dbaf31dfe41b384/traefik/values.yaml#L237-L239

If providers.kubernetesCRD.namespaces is not defined, helm will use default traefik namespace. if providers.kubernetesCRD.namespaces is defined as. empty array, same result as above.

What did you see instead?

image

Expected image

What is your environment & configuration?

# https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml

namespaceOverride: traefik

rbac:
  namespaced: true

deployment:
  replicas: null
  kind: Deployment
  name: traefik
  revisionHistoryLimit: 1

resources:
  requests:
    cpu: "100m"
    memory: "50Mi"
  limits:
    cpu: "300m"
    memory: "150Mi"

#autoscaling:
#  enabled: true
#  maxReplicas: 2
#  metrics:
#    - type: Resource
#      resource:
#        name: cpu
#        target:
#          type: Utilization
#          averageUtilization: 80

service:
  spec:
    loadBalancerIP: "<public-ip>"
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-resource-group: <group>

logs:
  general:
    level: DEBUG
  access:
    enabled: true

providers:
  kubernetesCRD:
    allowCrossNamespace: true
    namespaces: ['default', 'traefik', 'mktrade']

ports:
  web:
    redirectTo:
      port: websecure
  websecure:
    forwardedHeaders:
      trustedIPs:
        - 10.0.0.0/24
        - 172.16.0.0/20
        - 192.168.0.0/16

Additional Information

No response

oleg-andreyev avatar Feb 27 '24 15:02 oleg-andreyev

Looks like this configuration is conflicting with rbac.namespaced, probably it would be great to notify/warn user about it.

oleg-andreyev avatar Feb 27 '24 15:02 oleg-andreyev

Thanks for your interest in Traefik.

Above rbac.namespaced, it says:

Providers will only watch target namespace

If you have an idea on how it can be improved, feel free to open a PR.

mloiseleur avatar Feb 27 '24 16:02 mloiseleur

Since there is no news on this issue since 3 months, I close it. Feel free to re-open it if needed.

mloiseleur avatar May 28 '24 13:05 mloiseleur