Update the k8s CRD documentation

traefik · Mar 5, 2020 · 93a7af2 · 93a7af2
1 parent 082fb16
commit 93a7af2
Show file tree

Hide file tree

Showing 5 changed files with 87 additions and 178 deletions.
diff --git a/docs/content/migration/v2.md b/docs/content/migration/v2.md
@@ -61,50 +61,114 @@ rules:
       - traefik.containo.us
     resources:
       - middlewares
+      - ingressroutes
+      - traefikservices
+      - ingressroutetcps
+      - tlsoptions
     verbs:
       - get
       - list
       - watch
+```
+
+After having both resources applied, Traefik will work properly.
+
+## v2.1 to v2.2
+
+### Headers middleware: accessControlAllowOrigin
+
+`accessControlAllowOrigin` is deprecated.
+This field will be removed in future 2.x releases.
+Please configure your allowed origins in `accessControlAllowOriginList` instead.
+
+### Kubernetes CRD
+
+In v2.2, new Kubernetes CRDs called `TLSStore` and `IngressRouteUDP` were added.
+While updating an installation to v2.2,
+one should apply that CRDs, and update the existing `ClusterRole` definition to allow Traefik to use that CRDs.
+
+To add that CRDs and enhance the permissions, following definitions need to be applied to the cluster.
+
+```yaml tab="TLSStore"
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlsstores.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TLSStore
+    plural: tlsstores
+    singular: tlsstore
+  scope: Namespaced
+
+```
+
+```yaml tab="IngressRouteUDP"
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressrouteudps.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: IngressRouteUDP
+    plural: ingressrouteudps
+    singular: ingressrouteudp
+  scope: Namespaced
+
+```
+
+```yaml tab="ClusterRole"
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: traefik-ingress-controller
+
+rules:
   - apiGroups:
-      - traefik.containo.us
+      - ""
     resources:
-      - ingressroutes
+      - services
+      - endpoints
+      - secrets
     verbs:
       - get
       - list
       - watch
   - apiGroups:
-      - traefik.containo.us
+      - extensions
     resources:
-      - ingressroutetcps
+      - ingresses
     verbs:
       - get
       - list
       - watch
   - apiGroups:
-      - traefik.containo.us
+      - extensions
     resources:
-      - tlsoptions
+      - ingresses/status
     verbs:
-      - get
-      - list
-      - watch
+      - update
   - apiGroups:
       - traefik.containo.us
     resources:
+      - middlewares
+      - ingressroutes
       - traefikservices
+      - ingressroutetcps
+      - ingressrouteudps
+      - tlsoptions
+      - tlsstores
     verbs:
       - get
       - list
       - watch
+
 ```
 
 After having both resources applied, Traefik will work properly.
-
-## v2.1 to v2.2
-
-### Headers middleware: accessControlAllowOrigin
-
-`accessControlAllowOrigin` is deprecated.
-This field will be removed in future 2.x releases.
-Please configure your allowed origins in `accessControlAllowOriginList` instead.
diff --git a/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml b/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
@@ -37,6 +37,7 @@ rules:
       - ingressroutetcps
       - ingressrouteudps
       - tlsoptions
+      - tlsstores
     verbs:
       - get
       - list

diff --git a/docs/content/routing/providers/kubernetes-crd.md b/docs/content/routing/providers/kubernetes-crd.md
@@ -300,6 +300,7 @@ You can find an excerpt of the available custom resources in the table below:
 | [IngressRouteTCP](#kind-ingressroutetcp) | TCP Routing                                                   | [TCP router](../routers/index.md#configuring-tcp-routers)      |
 | [IngressRouteUDP](#kind-ingressrouteudp) | UDP Routing                                                   | [UDP router](../routers/index.md#configuring-udp-routers)      |
 | [TLSOptions](#kind-tlsoption)            | Allows to configure some parameters of the TLS connection     | [TLSOptions](../../https/tls.md#tls-options)                   |
+| [TLSStores](#kind-tlsstore)              | Allows to configure the default TLS store                     | [TLSStores](../../https/tls.md#certificates-stores)            |
 
 ### Kind: `IngressRoute`
 

diff --git a/docs/content/user-guides/crd-acme/01-crd.yml b/docs/content/user-guides/crd-acme/01-crd.yml
diff --git a/docs/content/user-guides/crd-acme/index.md b/docs/content/user-guides/crd-acme/index.md
@@ -43,7 +43,10 @@ First, the definition of the `IngressRoute` and the `Middleware` kinds.
 Also note the RBAC authorization resources; they'll be referenced through the `serviceAccountName` of the deployment, later on.
 
 ```yaml
---8<-- "content/user-guides/crd-acme/01-crd.yml"
+--8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition.yml"
+
+---
+--8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
 ```
 
 ### Services