diff --git a/docs/content/migration/v2.md b/docs/content/migration/v2.md index d9ab4fa27..3de365203 100644 --- a/docs/content/migration/v2.md +++ b/docs/content/migration/v2.md @@ -61,38 +61,10 @@ rules: - traefik.containo.us resources: - middlewares - verbs: - - get - - list - - watch - - apiGroups: - - traefik.containo.us - resources: - ingressroutes - verbs: - - get - - list - - watch - - apiGroups: - - traefik.containo.us - resources: - - ingressroutetcps - verbs: - - get - - list - - watch - - apiGroups: - - traefik.containo.us - resources: - - tlsoptions - verbs: - - get - - list - - watch - - apiGroups: - - traefik.containo.us - resources: - traefikservices + - ingressroutetcps + - tlsoptions verbs: - get - list 
@@ -108,3 +80,95 @@ After having both resources applied, Traefik will work properly. `accessControlAllowOrigin` is deprecated. This field will be removed in future 2.x releases. Please configure your allowed origins in `accessControlAllowOriginList` instead. + +### Kubernetes CRD + +In v2.2, new Kubernetes CRDs called `TLSStore` and `IngressRouteUDP` were added. +While updating an installation to v2.2, +one should apply that CRDs, and update the existing `ClusterRole` definition to allow Traefik to use that CRDs. + +To add that CRDs and enhance the permissions, following definitions need to be applied to the cluster. + +```yaml tab="TLSStore" +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: tlsstores.traefik.containo.us + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: TLSStore + plural: tlsstores + singular: tlsstore + scope: Namespaced + +``` + +```yaml tab="IngressRouteUDP" +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ingressrouteudps.traefik.containo.us + +spec: + group: traefik.containo.us + version: v1alpha1 + names: + kind: IngressRouteUDP + plural: ingressrouteudps + singular: ingressrouteudp + scope: Namespaced + +``` + +```yaml tab="ClusterRole" +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: traefik-ingress-controller + +rules: + - apiGroups: + - "" + resources: + - services + - endpoints + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - traefik.containo.us + resources: + - middlewares + - ingressroutes + - traefikservices + - ingressroutetcps + - ingressrouteudps + - tlsoptions + - tlsstores + verbs: + - get + - list + - watch + +``` + +After having both resources applied, Traefik will work properly. 
diff --git a/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml b/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml index c31cfc508..3e7337031 100644 --- a/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml +++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml @@ -37,6 +37,7 @@ rules: - ingressroutetcps - ingressrouteudps - tlsoptions + - tlsstores verbs: - get - list diff --git a/docs/content/routing/providers/kubernetes-crd.md b/docs/content/routing/providers/kubernetes-crd.md index a62cc07e9..04ea73066 100644 --- a/docs/content/routing/providers/kubernetes-crd.md +++ b/docs/content/routing/providers/kubernetes-crd.md @@ -300,6 +300,7 @@ You can find an excerpt of the available custom resources in the table below: | [IngressRouteTCP](#kind-ingressroutetcp) | TCP Routing | [TCP router](../routers/index.md#configuring-tcp-routers) | | [IngressRouteUDP](#kind-ingressrouteudp) | UDP Routing | [UDP router](../routers/index.md#configuring-udp-routers) | | [TLSOptions](#kind-tlsoption) | Allows to configure some parameters of the TLS connection | [TLSOptions](../../https/tls.md#tls-options) | +| [TLSStores](#kind-tlsstore) | Allows to configure the default TLS store | [TLSStores](../../https/tls.md#certificates-stores) | ### Kind: `IngressRoute` diff --git a/docs/content/user-guides/crd-acme/01-crd.yml b/docs/content/user-guides/crd-acme/01-crd.yml deleted file mode 100644 index 9cc06829b..000000000 --- a/docs/content/user-guides/crd-acme/01-crd.yml +++ /dev/null 
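Review bot: The `traefik.containo.us` resources list in `kubernetes-crd-rbac.yml` that gains `tlsstores` has no comment tying it to the CRD definitions, and this commit suggests the two had drifted: `ingressrouteudps` was already listed while `tlsstores` was not. I would add a comment above that list, for example `# one entry per CRD in kubernetes-crd-definition.yml; verbs stay get/list/watch`, so the next new kind is added in both places and the rule is not widened to write verbs by accident. Separately, the crd-acme guide now includes this file in place of the deleted `01-crd.yml`, which also carried the `ClusterRoleBinding` for the `traefik-ingress-controller` ServiceAccount in `default`. The hunk does not show whether this file contains an equivalent binding, so that is worth confirming before merge. The rule itself starts above the hunk and its verbs list continues below it.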
@@ -1,160 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ingressroutes.traefik.containo.us - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: IngressRoute - plural: ingressroutes - singular: ingressroute - scope: Namespaced - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: ingressroutetcps.traefik.containo.us - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: IngressRouteTCP - plural: ingressroutetcps - singular: ingressroutetcp - scope: Namespaced - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: middlewares.traefik.containo.us - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: Middleware - plural: middlewares - singular: middleware - scope: Namespaced - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: tlsoptions.traefik.containo.us - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: TLSOption - plural: tlsoptions - singular: tlsoption - scope: Namespaced - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: traefikservices.traefik.containo.us - -spec: - group: traefik.containo.us - version: v1alpha1 - names: - kind: TraefikService - plural: traefikservices - singular: traefikservice - scope: Namespaced - ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: traefik-ingress-controller - -rules: - - apiGroups: - - "" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - traefik.containo.us - resources: - - middlewares - verbs: - - get - - list - - watch - - 
apiGroups: - - traefik.containo.us - resources: - - ingressroutes - verbs: - - get - - list - - watch - - apiGroups: - - traefik.containo.us - resources: - - ingressroutetcps - verbs: - - get - - list - - watch - - apiGroups: - - traefik.containo.us - resources: - - tlsoptions - verbs: - - get - - list - - watch - - apiGroups: - - traefik.containo.us - resources: - - traefikservices - verbs: - - get - - list - - watch - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: traefik-ingress-controller - -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: traefik-ingress-controller -subjects: - - kind: ServiceAccount - name: traefik-ingress-controller - namespace: default diff --git a/docs/content/user-guides/crd-acme/index.md b/docs/content/user-guides/crd-acme/index.md index 0eb47705b..e27ffdf7c 100644 --- a/docs/content/user-guides/crd-acme/index.md +++ b/docs/content/user-guides/crd-acme/index.md @@ -43,7 +43,10 @@ First, the definition of the `IngressRoute` and the `Middleware` kinds. Also note the RBAC authorization resources; they'll be referenced through the `serviceAccountName` of the deployment, later on. ```yaml ---8<-- "content/user-guides/crd-acme/01-crd.yml" +--8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition.yml" + +--- +--8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml" ``` ### Services