external-dns with a Traefik 2.0 IngressRoute #2286

Closed
alysonfranklin opened this issue Sep 12, 2021 · 19 comments · Fixed by #3055
Labels
kind/support Categorizes issue or PR as a support question. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@alysonfranklin

I was able to use external-dns with AWS Route53 and EKS cluster with a Traefik 1.7 Ingress resource, but have been unable to achieve the same with the Traefik 2.0 IngressRoute resource. I have annotated my service to provide the hostname information.

annotations:
  external-dns.alpha.kubernetes.io/hostname: my.awesome.domain.com

Of course, my.awesome.domain.com is not my real domain, but that is unimportant.

Does external-dns require a Kubernetes Ingress? If not, how might I get it to work with a new CRD type, such as the Traefik 2.0 IngressRoute?

Many thanks in advance!

alysonfranklin added the kind/support label Sep 12, 2021
@mamiu

mamiu commented Sep 22, 2021

@alysonfranklin Have you checked:

Which Service and Ingress controllers are supported?

#1257: Is it possible to use external-dns with a Traefik 2.0 IngressRoute resource?

#1299: How to handle traefik2 new CRD's ingressroute and ingressroutetcp

#413: Support Traefik ingress controller

@olljanat

The workaround proposed on traefik/traefik#4655 works fine when there is just one copy of Traefik running, but on a multi-tenant K8s cluster with multiple Traefik instances those KubernetesIngress providers look to be fighting over the same resources and end up at 100% CPU, which I have not seen with the KubernetesCRD configuration when allowcrossnamespace=false.

Is someone working on getting Traefik IngressRoute support included in external-dns?
Will it get approved if someone implements it?

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-ci-robot added the lifecycle/stale label Jan 24, 2022
@mamiu

mamiu commented Jan 24, 2022

Let's keep this open for now (until there's an accepted solution from either traefik or external-dns).

/remove-lifecycle stale

k8s-ci-robot removed the lifecycle/stale label Jan 24, 2022
@reixd

reixd commented Apr 13, 2022

I can confirm: when using Traefik v2.6 as ingress controller, setting the value providers.kubernetesIngress.publishedService.enabled to true helps external-dns to update the DNS records for the Ingress resource containing the external-dns.alpha.kubernetes.io/hostname annotation.

@vadlungu

Hello everyone, has anyone had any luck solving this issue?

@dcristobalhMad

Same problem here :(

@myoung34

myoung34 commented Jun 27, 2022

I'm also having no luck with Traefik 2.6.3 and External-DNS 0.12.0.

Traefik is configured as:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: traefik

resources:
  - ns.yaml

helmCharts:
- name: traefik
  includeCRDs: true
  namespace: traefik
  releaseName: traefik
  version: 10.19.4
  repo: https://helm.traefik.io/traefik
  valuesInline:
    additionalArguments: []
    globalArguments: []
    providers:
      kubernetesIngress:
        publishedService:
          enabled: true

$ k -n dashy get service/dashy -oyaml | yq '.metadata.annotations' | grep -E '^external'
external-dns.alpha.kubernetes.io/hostname: dashy.mydomain.tld

The ingressroute for my app:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  annotations:
    kubernetes.io/ingress.class: traefik
  name: dashy
  namespace: dashy
spec:
  entryPoints:
  - web
  routes:
  - kind: Rule
    match: Host(`dashy.mydomain.tld`)
    services:
    - name: dashy
      port: 80

but external-dns is never finding anything to do:

time="2022-06-22T13:55:28Z" level=info msg="Applying provider record filter for domains: [mydomain.tld. .mydomain.tld. unrelateddomain.tld. .unrelateddomain.tld.]"
time="2022-06-22T13:55:28Z" level=info msg="All records are already up to date"

I don't have unrelateddomain.tld defined anywhere, so I know it's picking up from Route53 just fine, but it's not seeing the annotation I've added to the service.

I also know the ingressroute/service are working as expected:

$ curl -s -o /dev/null -w "%{http_code}" -H "Host: dashy.mydomain.tld" ip.address.of.server
200

Not sure what else there is to troubleshoot to get external-dns to pick up the DNS to generate.

I even tried using a DNSEndpoint CRD but external-dns still sees no work to do:

apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
  name: dashy
  namespace: dashy
spec:
  endpoints:
  - dnsName: dashy.mydomain.tld
    recordTTL: 180
    recordType: A
    targets:
    - ip.address.of.server

@svengreb

svengreb commented Jun 27, 2022

Somehow it seems to have gone under here, but this issue keeps popping up in my notifications.
In short: Traefik's CRDs like IngressRoute and its variants IngressRouteTCP & IngressRouteUDP are NOT SUPPORTED!
The external-dns FAQ explicitly mentions which controllers are supported and Traefik is listed, but this is scoped to Traefik as ingress controller, not its CRDs.

I created and maintain multiple clusters with Traefik and external-dns and it works fine when simply using the default Ingress in combination with the required annotations, which is well documented through the FAQ section "How do I specify a DNS name for my Kubernetes objects?". Following the instructions of setting the required configurations and using the external-dns.alpha.kubernetes.io/hostname annotation works totally fine. To be honest, Traefik's CRDs are nothing special and the default Ingress is absolutely sufficient. The only advantage is the overview, but any feature like middleware can also be specified via annotations, e.g. traefik.ingress.kubernetes.io/router.middlewares, which can be a comma-separated list of middlewares in the provider namespace format. Don't get me wrong, I also like the CRDs, but using default Ingresses works in all use cases and I can wait until one day external-dns might support the CRDs.

In the end the Traefik CRDs are just a "nicer" alternative to using annotations, but if that many people really want to use them it's easy to support them: implement the required logic to support it. Many CRDs of popular controllers are supported that can be found in the source package, e.g. the TCPIngress of Kong [1]. It was implemented by an external-dns user in #2109 and the same can be done for Traefik.

This issue keeps popping up and whenever I check it I see a new comment about how it does not work with a Traefik CRD, but exactly this is the topic of this issue and this is not a bug but simply an unsupported use case. This should not sound rude, but please always make sure to read a whole issue before posting (even when there are many comments), otherwise you keep pinging many others that watch this issue for information that is still not relevant to finding a solution. There is also #1257 and some weeks ago a user posted a comment (not @-mentioning him to prevent notification noise) about his switchboard project that is a workaround and supports Traefik's IngressRoute* CRDs.

Footnotes

  1. https://docs.konghq.com/kubernetes-ingress-controller/latest/guides/using-tcpingress
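
Added example, not part of the original thread and not taken from the external-dns or Traefik projects: a plain Ingress of the kind the comment above describes, with the external-dns hostname annotation and a Traefik middleware attached by annotation. The names `web-app`, `demo`, `security-headers` and `app.example.com` are constructed, and the manifest assumes an IngressClass named `traefik`, Traefik running with `providers.kubernetesIngress.publishedService.enabled` set to true, and external-dns watching Ingress objects.

```yaml
# Middleware referenced from the Ingress annotation below (constructed example).
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: security-headers        # hypothetical name
  namespace: demo               # hypothetical namespace
spec:
  headers:
    frameDeny: true             # sends X-Frame-Options: DENY
    contentTypeNosniff: true    # sends X-Content-Type-Options: nosniff
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-app                 # hypothetical name
  namespace: demo
  annotations:
    # Read by external-dns when it is started with --source=ingress.
    external-dns.alpha.kubernetes.io/hostname: app.example.com
    # Traefik entry point serving this route.
    traefik.ingress.kubernetes.io/router.entrypoints: web
    # Comma-separated list, each entry <namespace>-<name>@kubernetescrd.
    traefik.ingress.kubernetes.io/router.middlewares: demo-security-headers@kubernetescrd
spec:
  ingressClassName: traefik     # assumes an IngressClass with this name exists
  rules:
  - host: app.example.com       # constructed hostname
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-app
            port:
              number: 80
```

After applying it, `kubectl -n demo get ingress web-app` should show an address copied from Traefik's published Service; that address is what external-dns uses as the record target, so an empty ADDRESS column explains a run that reports nothing to do.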

@myoung34

myoung34 commented Jun 27, 2022

Your explanation about IngressTCP is actually very helpful.

However: you can unsubscribe from this issue if you feel like an open issue is bothering you with notifications. For what it's worth, I did read this entire issue and your explanation is the first here to explain the core problem.

I did find switchboard and have been digging in to see if it helps translate from IngressRouteTCP routes to DNSEndpoint for external-dns. It seems to work as expected as a lightweight shim for others that end up here.

@svengreb

svengreb commented Jun 27, 2022

Yeah, the switchboard workaround looks like a good "in the meantime" solution for many users, maybe some parts of it can be ported into external-dns later on to support it officially.

Regarding the issue notifications: sure, unsubscribing is always a way, but then I will also miss possible replies from the maintainers about updates or possible solutions (release announcement etc.). And you're right, I've mistaken this issue for #1257, which contains tons of comments; this one is small and (due to the higher number) also a duplicate, but I always sub to all open issues to not miss solutions. Let's try to keep the conversation in #1257 to not cause any more sub-noise here 😉

@mozarik

mozarik commented Jul 29, 2022

Hi @svengreb, I'm trying to use the Ingress type to work with Traefik ingress and external-dns. Is there an example YAML that I can use?

@k8s-triage-robot
/lifecycle stale

k8s-ci-robot added the lifecycle/stale label Oct 27, 2022
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-ci-robot added the lifecycle/rotten label and removed the lifecycle/stale label Nov 26, 2022
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

@k8s-ci-robot
Contributor

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".


k8s-ci-robot closed this as not planned Dec 26, 2022
@HWiese1980

@svengreb You do not seem to know exactly all use cases. I do have a use case where I cannot - as far as I know yet - use Ingress and need to use IngressRoute instead.

I have oauth2-proxy running as a standalone app in its own namespace, separated from everything else. I have an app that I would like to secure using Keycloak through oauth2-proxy. The app has its own namespace too. Traefik itself as well. So I have

  • app - namespace: app
  • oauth2-proxy - namespace: oauth2proxy
  • traefik - namespace: traefik

Now if I want to add an ingress rule for / that points to the app's service and another rule /oauth2/ that points to oauth2-proxy service, I need a way to use Ingress across namespace borders. I could use an ExternalName, but that would require me to allow ExternalName services, which I haven't yet. Multiple Ingress objects pointing to the same host are not allowed as it seems. I also seem to need different Middlewares for each path prefix.

So there's

  • cross-namespace access
  • different middlewares per path

which IngressRoute afaik supports but Ingress does not.

So, yeah, there are use cases which Ingress does not cover. That's why I would love ExternalDNS to support IngressRoute too.

In the meantime, of course I could use switchboard. But that's another component that adds to the complexity and another workload for my cluster.

If you see other solutions to my problem, don't hesitate to teach me! I'm merely a K8s novice.

@svengreb

svengreb commented Mar 21, 2024

@HWiese1980 Since #3055 has been merged, and is available as of version 0.13.6, there is no need to use any workarounds anymore, it is now officially supported.

@pnowy

pnowy commented Aug 27, 2024

Documentation for Traefik, if someone is looking, is available here:

README format: https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/traefik-proxy.md

HTML format: https://kubernetes-sigs.github.io/external-dns/latest/tutorials/traefik-proxy/

Please take into account that external-dns.alpha.kubernetes.io/target operates on CNAME, so I would recommend, for example in GCP, setting a general DNS entry for the LB IP in your zone and later referencing that entry.
