docs(traefik): public and private routing (#5559)

* docs: added treafik public and private routing

Signed-off-by: ivan katliarchuk <[email protected]>

docs: added treafik public and private routing

Signed-off-by: ivan katliarchuk <[email protected]>

docs: added treafik public and private routing

Signed-off-by: ivan katliarchuk <[email protected]>

docs: added treafik public and private routing

Signed-off-by: ivan katliarchuk <[email protected]>

docs: added treafik public and private routing

Signed-off-by: ivan katliarchuk <[email protected]>

docs: added treafik public and private routing

Signed-off-by: ivan katliarchuk <[email protected]>

docs: added treafik public and private routing

Signed-off-by: ivan katliarchuk <[email protected]>

docs: added treafik public and private routing

Co-authored-by: Michel Loiseleur <[email protected]>

docs(traefik): public and private routing

Signed-off-by: ivan katliarchuk <[email protected]>

* docs(traefik): public and private routing

Signed-off-by: ivan katliarchuk <[email protected]>

* docs(traefik): public and private routing

Co-authored-by: Michel Loiseleur <[email protected]>

* docs(traefik): public and private routing

Signed-off-by: ivan katliarchuk <[email protected]>

* docs(traefik): public and private routing

Co-authored-by: Michel Loiseleur <[email protected]>

---------

Signed-off-by: ivan katliarchuk <[email protected]>
Co-authored-by: Michel Loiseleur <[email protected]>

Author: ivankatliarchuk

docs/flags.md

@@ -38,7 +38,7 @@
 | `--[no-]ignore-ingress-rules-spec` | Ignore the spec.rules section in Ingress resources (default: false) |
 | `--[no-]ignore-ingress-tls-spec` | Ignore the spec.tls section in Ingress resources (default: false) |
 | `--[no-]ignore-non-host-network-pods` | Ignore pods not running on host network when using pod source (default: false) |
-| `--ingress-class=INGRESS-CLASS` | Require an Ingress to have this class name (defaults to any class; specify multiple times to allow more than one class) |
+| `--ingress-class=INGRESS-CLASS` | Require an Ingress to have this class name; specify multiple times to allow more than one class (optional; defaults to any class) |
 | `--label-filter=""` | Filter resources queried for endpoints by label selector; currently supported by source types crd, gateway-httproute, gateway-grpcroute, gateway-tlsroute, gateway-tcproute, gateway-udproute, ingress, node, openshift-route, service and ambassador-host |
 | `--managed-record-types=A...` | Record types to manage; specify multiple times to include many; (default: A,AAAA,CNAME) (supported records: A, AAAA, CNAME, NS, SRV, TXT) |
 | `--namespace=""` | Limit resources queried for endpoints to a specific namespace (default: all namespaces) |

docs/snippets/traefik-proxy/ingress-route-default.yaml

@@ -0,0 +1,18 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-ingress
+  annotations:
+    external-dns.alpha.kubernetes.io/target: traefik.example.com
+    kubernetes.io/ingress.class: traefik
+spec:
+  entryPoints:
+    - web
+    - websecure
+  routes:
+    - match: Host(`application.example.com`)
+      kind: Rule
+      services:
+        - name: service
+          namespace: namespace
+          port: port

docs/snippets/traefik-proxy/ingress-route-public-private.yaml

@@ -0,0 +1,40 @@
+---
+apiVersion: traefik.io/v1
+kind: IngressRoute
+metadata:
+  name: traefik-public-abc
+  annotations:
+    kubernetes.io/ingress.class: traefik-public
+spec:
+  entryPoints:
+    - web
+    - websecure
+  routes:
+    - match: Host(`application.public.example.com`)
+      kind: Rule
+      services:
+        - name: service
+          namespace: namespace
+          port: port
+  tls:
+    secretName: traefik-tls-cert-public
+---
+apiVersion: traefik.io/v1
+kind: IngressRoute
+metadata:
+  name: traefik-private-abc
+  annotations:
+    kubernetes.io/ingress.class: traefik-private
+spec:
+  entryPoints:
+    - web
+    - websecure
+  routes:
+    - match: Host(`application.private.tlc`)
+      kind: Rule
+      services:
+        - name: service
+          namespace: namespace
+          port: port
+  tls:
+    secretName: traefik-tls-cert-private

docs/snippets/traefik-proxy/traefik-public-private-config.yaml

@@ -0,0 +1,16 @@
+---
+type: public
+providers:
+  kubernetesCRD:
+    ingressClass: traefik-public
+
+  kubernetesIngress:
+    ingressClass: traefik-public
+---
+type: private
+providers:
+  kubernetesCRD:
+    ingressClass: traefik-private
+
+  kubernetesIngress:
+    ingressClass: traefik-private

docs/snippets/traefik-proxy/with-cluster-rbac.yaml

@@ -0,0 +1,59 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: external-dns
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-dns
+rules:
+- apiGroups: [""]
+  resources: ["services","endpoints","pods"]
+  verbs: ["get","watch","list"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["list","watch"]
+- apiGroups: ["traefik.containo.us","traefik.io"]
+  resources: ["ingressroutes", "ingressroutetcps", "ingressrouteudps"]
+  verbs: ["get","watch","list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: external-dns-viewer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: external-dns
+subjects:
+- kind: ServiceAccount
+  name: external-dns
+  namespace: default
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-dns
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: external-dns
+  template:
+    metadata:
+      labels:
+        app: external-dns
+    spec:
+      serviceAccountName: external-dns
+      containers:
+      - name: external-dns
+        # update this to the desired external-dns version
+        image: registry.k8s.io/external-dns/external-dns:v0.17.0
+        args:
+        - --source=traefik-proxy
+        - --provider=aws
+        - --registry=txt
+        - --txt-owner-id=my-identifier

docs/snippets/traefik-proxy/without-rbac.yaml

@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-dns
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: external-dns
+  template:
+    metadata:
+      labels:
+        app: external-dns
+    spec:
+      containers:
+      - name: external-dns
+        # update this to the desired external-dns version
+        image: registry.k8s.io/external-dns/external-dns:v0.17.0
+        args:
+        - --source=traefik-proxy
+        - --provider=aws
+        - --registry=txt
+        - --txt-owner-id=my-identifier

docs/sources/traefik-proxy.md

@@ -1,123 +1,29 @@
 # Traefik Proxy Source
 
+- [Traefik Documentation](https://doc.traefik.io/traefik/)
+- [Traefik Helm Chart](https://github.com/traefik/traefik-helm-chart)
+
 This tutorial describes how to configure ExternalDNS to use the Traefik Proxy source.
 It is meant to supplement the other provider-specific setup tutorials.
 
 ## Manifest (for clusters without RBAC enabled)
 
 ```yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: external-dns
-spec:
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: external-dns
-  template:
-    metadata:
-      labels:
-        app: external-dns
-    spec:
-      containers:
-      - name: external-dns
-        # update this to the desired external-dns version
-        image: registry.k8s.io/external-dns/external-dns:v0.17.0
-        args:
-        - --source=traefik-proxy
-        - --provider=aws
-        - --registry=txt
-        - --txt-owner-id=my-identifier
+[[% include 'traefik-proxy/without-rbac.yaml' %]]
 ```
 
 ## Manifest (for clusters with RBAC enabled)
 
 ```yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: external-dns
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: external-dns
-rules:
-- apiGroups: [""]
-  resources: ["services","endpoints","pods"]
-  verbs: ["get","watch","list"]
-- apiGroups: [""]
-  resources: ["nodes"]
-  verbs: ["list","watch"]
-- apiGroups: ["traefik.containo.us","traefik.io"]
-  resources: ["ingressroutes", "ingressroutetcps", "ingressrouteudps"]
-  verbs: ["get","watch","list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: external-dns-viewer
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: external-dns
-subjects:
-- kind: ServiceAccount
-  name: external-dns
-  namespace: default
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: external-dns
-spec:
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: external-dns
-  template:
-    metadata:
-      labels:
-        app: external-dns
-    spec:
-      serviceAccountName: external-dns
-      containers:
-      - name: external-dns
-        # update this to the desired external-dns version
-        image: registry.k8s.io/external-dns/external-dns:v0.17.0
-        args:
-        - --source=traefik-proxy
-        - --provider=aws
-        - --registry=txt
-        - --txt-owner-id=my-identifier
+[[% include 'traefik-proxy/with-cluster-rbac.yaml' %]]
 ```
 
 ## Deploying a Traefik IngressRoute
 
-Create a IngressRoute file called 'traefik-ingress.yaml' with the following contents:
+Create an IngressRoute file called 'ingress-route-default' with the following contents:
 
 ```yaml
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: traefik-ingress
-  annotations:
-    external-dns.alpha.kubernetes.io/target: traefik.example.com
-    kubernetes.io/ingress.class: traefik
-spec:
-  entryPoints:
-    - web
-    - websecure
-  routes:
-    - match: Host(`application.example.com`)
-      kind: Rule
-      services:
-        - name: service
-          namespace: namespace
-          port: port
+[[% include 'traefik-proxy/ingress-route-default.yaml' %]]
 ```
 
 Note the annotation on the IngressRoute (`external-dns.alpha.kubernetes.io/target`); use the same hostname as the traefik DNS.
@@ -127,30 +33,61 @@ ExternalDNS uses this annotation to determine what services should be registered
 Create the IngressRoute:
 
 ```sh
-kubectl create -f traefik-ingress.yaml
+kubectl create -f docs/snippets/traefik-proxy/ingress-route-default.yaml
 ```
 
 Depending where you run your IngressRoute it can take a little while for ExternalDNS synchronize the DNS record.
 
+## Support private and public routing
+
+To create a more robust and manageable Kubernetes environment, leverage separate Ingress classes to finely control public and private routing's security, performance, and operational policies. Similar approach could work in multi-tenant environments.
+
+For this we are going to need two instances of `traefik` (public and private) as well as two instances of `external-dns`.
+
+The `traefik` configuration should contain (for more detailed configured validate with the vendor)
+
+```yaml
+[[% include 'traefik-proxy/traefik-public-private-config.yaml' %]]
+```
+
+Create a IngressRoutes files with the following contents:
+
+```yaml
+[[% include 'traefik-proxy/ingress-route-public-private.yaml' %]]
+```
+
+And the arguments for `external-dns` instances should looks like
+
+```yaml
+---
+args:
+  - --source=traefik-proxy
+  - --annotation-filter="kubernetes.io/ingress.class=traefik-public"
+---
+args:
+  - --source=traefik-proxy
+  - --annotation-filter="kubernetes.io/ingress.class=traefik-private"
+```
+
 ## Cleanup
 
 Now that we have verified that ExternalDNS will automatically manage Traefik DNS records, we can delete the tutorial's example:
 
 ```sh
-kubectl delete -f traefik-ingress.yaml
+kubectl delete -f docs/snippets/traefik-proxy/ingress-route-default.yaml
 kubectl delete -f externaldns.yaml
 ```
 
 ## Additional Flags
 
-| Flag | Description |
-| --- | --- |
+| Flag                     | Description                                              |
+|--------------------------|----------------------------------------------------------|
 | --traefik-disable-legacy | Disable listeners on Resources under traefik.containo.us |
-| --traefik-disable-new | Disable listeners on Resources under traefik.io |
+| --traefik-disable-new    | Disable listeners on Resources under traefik.io          |
 
 ### Disabling Resource Listeners
 
-Traefik has deprecated the legacy API group, traefik.containo.us, in favor of traefik.io. By default the traefik-proxy source will listen for resources under both API groups; however, this may cause timeouts with the following message
+Traefik has deprecated the legacy API group, `traefik.containo.us`, in favor of `traefik.io`. By default the `traefik-proxy` source will listen for resources under both API groups; however, this may cause timeouts with the following message
 
 ```sh
 FATA[0060] failed to sync traefik.io/v1alpha1, Resource=ingressroutes: context deadline exceeded

pkg/apis/externaldns/types.go

@@ -473,7 +473,7 @@ func App(cfg *Config) *kingpin.Application {
 	app.Flag("ignore-ingress-rules-spec", "Ignore the spec.rules section in Ingress resources (default: false)").BoolVar(&cfg.IgnoreIngressRulesSpec)
 	app.Flag("ignore-ingress-tls-spec", "Ignore the spec.tls section in Ingress resources (default: false)").BoolVar(&cfg.IgnoreIngressTLSSpec)
 	app.Flag("ignore-non-host-network-pods", "Ignore pods not running on host network when using pod source (default: false)").BoolVar(&cfg.IgnoreNonHostNetworkPods)
-	app.Flag("ingress-class", "Require an Ingress to have this class name (defaults to any class; specify multiple times to allow more than one class)").StringsVar(&cfg.IngressClassNames)
+	app.Flag("ingress-class", "Require an Ingress to have this class name; specify multiple times to allow more than one class (optional; defaults to any class)").StringsVar(&cfg.IngressClassNames)
 	app.Flag("label-filter", "Filter resources queried for endpoints by label selector; currently supported by source types crd, gateway-httproute, gateway-grpcroute, gateway-tlsroute, gateway-tcproute, gateway-udproute, ingress, node, openshift-route, service and ambassador-host").Default(defaultConfig.LabelFilter).StringVar(&cfg.LabelFilter)
 	managedRecordTypesHelp := fmt.Sprintf("Record types to manage; specify multiple times to include many; (default: %s) (supported records: A, AAAA, CNAME, NS, SRV, TXT)", strings.Join(defaultConfig.ManagedDNSRecordTypes, ","))
 	app.Flag("managed-record-types", managedRecordTypesHelp).Default(defaultConfig.ManagedDNSRecordTypes...).StringsVar(&cfg.ManagedDNSRecordTypes)