From cae906eeb35450f9b05615dfa22f032be22ce274 Mon Sep 17 00:00:00 2001
From: Michel Loiseleur <97035654+mloiseleur@users.noreply.github.com>
Date: Fri, 4 Oct 2024 11:28:04 +0200
Subject: [PATCH] feat(Traefik Proxy): update rbac following v3.2 migration
 guide

---
 traefik/templates/rbac/clusterrole.yaml | 12 +++++++
 traefik/tests/rbac-config_test.yaml     | 45 ++++++++++++++++++++++++-
 2 files changed, 56 insertions(+), 1 deletion(-)

diff --git a/traefik/templates/rbac/clusterrole.yaml b/traefik/templates/rbac/clusterrole.yaml
index 9f0836225..79239fa42 100644
--- a/traefik/templates/rbac/clusterrole.yaml
+++ b/traefik/templates/rbac/clusterrole.yaml
@@ -149,8 +149,14 @@ rules:
   - apiGroups:
       - gateway.networking.k8s.io
     resources:
+      {{- if semverCompare ">=v3.2.0-0" $version }}
+      - backendtlspolicies
+      {{- end }}
       - gatewayclasses
       - gateways
+      {{- if semverCompare ">=v3.2.0-0" $version }}
+      - grpcroutes
+      {{- end }}
       - httproutes
       - referencegrants
       - tcproutes
@@ -162,8 +168,14 @@ rules:
   - apiGroups:
       - gateway.networking.k8s.io
     resources:
+      {{- if semverCompare ">=v3.2.0-0" $version }}
+      - backendtlspolicies/status
+      {{- end }}
       - gatewayclasses/status
       - gateways/status
+      {{- if semverCompare ">=v3.2.0-0" $version }}
+      - grpcroutes/status
+      {{- end }}
       - httproutes/status
       - tcproutes/status
       - tlsroutes/status
diff --git a/traefik/tests/rbac-config_test.yaml b/traefik/tests/rbac-config_test.yaml
index 8d39e3eaf..ad77beff6 100644
--- a/traefik/tests/rbac-config_test.yaml
+++ b/traefik/tests/rbac-config_test.yaml
@@ -643,7 +643,7 @@ tests:
   - it: should provide expected role rbac when k8s gw api is enabled >=v3.1.0
     set:
       image:
-        tag: v3.1.0-rc2
+        tag: v3.1.0-rc3
       providers:
         kubernetesGateway:
           enabled: true
@@ -717,6 +717,49 @@ tests:
               - list
               - watch
 
+  - it: should provide expected role rbac when k8s gw api is enabled >=v3.2.0
+    set:
+      image:
+        tag: v3.2.0-rc1
+      providers:
+        kubernetesGateway:
+          enabled: true
+    asserts:
+      - template: rbac/clusterrole.yaml
+        contains:
+          path: rules
+          content:
+            apiGroups:
+              - gateway.networking.k8s.io
+            resources:
+              - backendtlspolicies/status
+              - gatewayclasses/status
+              - gateways/status
+              - grpcroutes/status
+              - httproutes/status
+              - tcproutes/status
+              - tlsroutes/status
+            verbs:
+              - update
+      - template: rbac/clusterrole.yaml
+        contains:
+          path: rules
+          content:
+            apiGroups:
+              - gateway.networking.k8s.io
+            resources:
+              - backendtlspolicies
+              - gatewayclasses
+              - gateways
+              - grpcroutes
+              - httproutes
+              - referencegrants
+              - tcproutes
+              - tlsroutes
+            verbs:
+              - get
+              - list
+              - watch
   - it: should contain additional RBACS for hub API gateway
     set:
       image: