@vrabbi
Last active February 14, 2023 08:44
Gist: vrabbi/f73daff39f611547eac65ada5b51ca10
Deploy External DNS

Microsoft DNS

Secure Updates Using RFC3645 (GSS-TSIG)

Prerequisites:

  • Create a DNS zone. Secure-only dynamic updates are available only for Active Directory-integrated zones, so create it as one.
  • Enable secure dynamic updates for the zone ("Secure only").
  • Enable zone transfers for the zone. External DNS reads the existing records with an AXFR (the --rfc2136-tsig-axfr flag in the values file), so transfers must be permitted for the addresses the cluster's traffic arrives from. "To any server" works but also lets anyone enumerate the zone; restricting it to the cluster's egress addresses is preferable.
  • Create an AD account for External DNS (tkg-dns-admin in the reference file below) and grant it only the rights to create and modify records in that zone; it does not need Domain Admin.

Deploy the External DNS Package

Set the context of kubectl to the relevant cluster. For example:

kubectl config use-context tkg-wld-01-admin@tkg-wld-01

Retrieve the version of the ExternalDNS package.

PKG_NAME=external-dns.tanzu.vmware.com
PKG_VERSIONS=($(tanzu package available list "$PKG_NAME" -n tanzu-package-repo-global -o json | jq -r ".[].version" | sort -t "." -k1,1n -k2,2n -k3,3n))
PKG_VERSION=${PKG_VERSIONS[-1]}
echo "$PKG_VERSION"

For example: 0.10.0+vmware.1-tkg.1

Install the package, passing the data values file (external-dns-data-values.yaml under Reference below).

tanzu package install external-dns \
  --package-name "$PKG_NAME" \
  --version "$PKG_VERSION" \
  --values-file external-dns-data-values.yaml \
  --namespace tkg-packages \
  --create-namespace

Output:

| Installing package 'external-dns.tanzu.vmware.com'
| Getting namespace 'tkg-packages'
| Getting package metadata for 'external-dns.tanzu.vmware.com'
| Creating service account 'external-dns-tkg-packages-sa'
| Creating cluster admin role 'external-dns-tkg-packages-cluster-role'
| Creating cluster role binding 'external-dns-tkg-packages-cluster-rolebinding'
| Creating secret 'external-dns-tkg-packages-values'
| Creating package resource
| Package install status: Reconciling

 Added installed package 'external-dns' in namespace 'tkg-packages'

If you are using RFC3645 (GSS-TSIG) and need to add Kerberos configuration to your External DNS deployment:

  1. Create a secret from the Kerberos overlay file (overlay-external-dns-kerberos.yaml under Reference below).

     kubectl create secret generic external-dns-kerberos-overlay -n tkg-packages \
       --from-file=overlay-external-dns-kerberos.yaml \
       -o yaml --dry-run=client | kubectl apply -f -

  2. Annotate the external-dns package install with the overlay secret; kapp-controller applies the overlay on its next reconcile.

     kubectl annotate packageinstalls external-dns \
       ext.packaging.carvel.dev/ytt-paths-from-secret-name.0=external-dns-kerberos-overlay \
       -n tkg-packages

Confirm that the external-dns package has been installed.

tanzu package installed list -n tkg-packages

Output:

| Retrieving installed packages... 
  NAME          PACKAGE-NAME                   PACKAGE-VERSION        STATUS
  cert-manager  cert-manager.tanzu.vmware.com  1.1.0+vmware.1-tkg.2   Reconcile succeeded
  contour       contour.tanzu.vmware.com       1.17.1+vmware.1-tkg.1  Reconcile succeeded
  external-dns  external-dns.tanzu.vmware.com  0.8.0+vmware.1-tkg.1   Reconcile succeeded

Confirm that the external-dns pod is running.

kubectl get pods -n tanzu-system-service-discovery

Output:

NAME                            READY   STATUS    RESTARTS   AGE
external-dns-7ff78744d8-qj26p   1/1     Running   0          2m35s

You can also view the External DNS logs; the last line confirms which zone and nameserver the rfc2136 provider was configured with.

kubectl logs $(kubectl get pod -n tanzu-system-service-discovery -o name) -n tanzu-system-service-discovery

For example:

time="2021-11-29T12:22:36Z" level=info msg="Instantiating new Kubernetes client"
time="2021-11-29T12:22:36Z" level=info msg="Using inCluster-config based on serviceaccount-token"
time="2021-11-29T12:22:36Z" level=info msg="Created Kubernetes client https://100.64.0.1:443"
time="2021-11-29T12:22:38Z" level=info msg="Created Dynamic Kubernetes client https://100.64.0.1:443"
time="2021-11-29T12:22:39Z" level=info msg="Configured RFC2136 with zone 'terasky.demo.' and nameserver 'demo-dc-01.terasky.demo:53'"

Reference:

external-dns-data-values.yaml (passed to tanzu package install with --values-file). The Kerberos password is inline and the CLI copies this file into the Secret external-dns-tkg-packages-values, so keep the file out of version control. VMware1! is the lab password from this example and must be replaced. --policy=sync lets External DNS delete records it owns that no longer exist in the cluster, so --txt-owner-id must be unique per cluster that shares the zone.

deployment:
  args:
  - --provider=rfc2136
  - --rfc2136-host=demo-dc-01.terasky.demo
  - --rfc2136-port=53
  - --rfc2136-zone=terasky.demo
  - --rfc2136-gss-tsig
  - --rfc2136-kerberos-realm=terasky.demo
  - --rfc2136-kerberos-username=tkg-dns-admin
  - --rfc2136-kerberos-password=VMware1!
  - --rfc2136-tsig-axfr
  - --source=service
  - --source=ingress
  - --source=contour-httpproxy
  - --domain-filter=terasky.demo
  - --txt-owner-id=skadden-tkg-shared-services-cls
  - --txt-prefix=external-dns-
  - --registry=txt
  - --policy=sync

overlay-external-dns-kerberos.yaml (stored in the external-dns-kerberos-overlay secret). The first document patches the external-dns Deployment to mount krb5.conf read-only from a ConfigMap. The second document, the ConfigMap itself, carries no overlay annotation, so ytt passes it through unchanged and kapp-controller creates it in tanzu-system-service-discovery together with the patched Deployment; no separate kubectl apply is needed.

#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.subset({"kind": "Deployment", "metadata":{"name":"external-dns"}}),expects=1
---
spec:
  template:
    spec:
      containers:
      #@overlay/match by="name"
      - name: external-dns
        #@overlay/match missing_ok=True
        volumeMounts:
        #@overlay/append
        - mountPath: /etc/krb5.conf
          name: kerberos-config-volume
          subPath: krb5.conf
          readOnly: true
      #@overlay/match missing_ok=True
      volumes:
      #@overlay/append
      - name: kerberos-config-volume
        configMap:
          defaultMode: 420
          name: krb5.conf
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: krb5.conf
  namespace: tanzu-system-service-discovery
data:
  krb5.conf: |
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    [libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
    default_ccache_name = KEYRING:persistent:%{uid}
    default_realm = TERASKY.DEMO
    [realms]
    TERASKY.DEMO = {
      kdc = terasky.demo
      admin_server = terasky.demo
    }
    [domain_realm]
    terasky.demo = TERASKY.DEMO
    .terasky.demo = TERASKY.DEMO
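As an added example that is not part of the gist or of ExternalDNS itself, the following Python script runs the checks a reviewer would want on external-dns-data-values.yaml and krb5.conf before the install bakes them into a Secret: GSS-TSIG flags complete, the Kerberos realm actually declared in krb5.conf, every --domain-filter inside --rfc2136-zone, a --txt-owner-id present when the TXT registry is used, and an inline or known-lab password flagged. The sample inputs are constructed copies of the reference files above; the KNOWN_DEFAULT_PASSWORDS set and the wording of the findings are this example's own assumptions.

```python
"""Pre-install checks for the rfc2136/GSS-TSIG values above (added example,
not part of the gist or of ExternalDNS). Parses deployment.args line by line,
so no YAML library is needed, plus the [realms] section of krb5.conf."""
import re
from typing import Dict, List

# Constructed sample: the gist's data-values args verbatim.
SAMPLE_VALUES = """\
deployment:
  args:
  - --provider=rfc2136
  - --rfc2136-host=demo-dc-01.terasky.demo
  - --rfc2136-port=53
  - --rfc2136-zone=terasky.demo
  - --rfc2136-gss-tsig
  - --rfc2136-kerberos-realm=terasky.demo
  - --rfc2136-kerberos-username=tkg-dns-admin
  - --rfc2136-kerberos-password=VMware1!
  - --rfc2136-tsig-axfr
  - --source=service
  - --source=ingress
  - --source=contour-httpproxy
  - --domain-filter=terasky.demo
  - --txt-owner-id=skadden-tkg-shared-services-cls
  - --txt-prefix=external-dns-
  - --registry=txt
  - --policy=sync
"""

# Constructed sample: the [realms] part of the gist's krb5.conf.
SAMPLE_KRB5 = """\
[libdefaults]
default_realm = TERASKY.DEMO
[realms]
TERASKY.DEMO = {
kdc = terasky.demo
}
"""

# Assumed deny-list: "VMware1!" is the lab password shipped in the reference file.
KNOWN_DEFAULT_PASSWORDS = {"VMware1!"}
ARG_RE = re.compile(r"^\s*-\s+--([a-z0-9-]+)(?:=(.*))?$")


def parse_args(values_yaml: str) -> Dict[str, List[str]]:
    """Collect `- --flag[=value]` items; repeatable flags such as --source keep every value."""
    args: Dict[str, List[str]] = {}
    for line in values_yaml.splitlines():
        m = ARG_RE.match(line)
        if m:
            args.setdefault(m.group(1), []).append(m.group(2) or "")
    return args


def krb5_realms(krb5_conf: str) -> List[str]:
    """Realm names declared in the [realms] section (lines of the form `REALM = {`)."""
    realms, in_realms = [], False
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_realms = line == "[realms]"
        elif in_realms and line.endswith("{"):
            realms.append(line.split("=", 1)[0].strip())
    return realms


def check(values_yaml: str, krb5_conf: str) -> List[str]:
    """Return findings; an empty list means every check passed."""
    args = parse_args(values_yaml)
    findings: List[str] = []

    def first(flag: str) -> str:
        return args.get(flag, [""])[0]

    if first("provider") != "rfc2136":
        return ["provider is not rfc2136; the rfc2136-* flags would be ignored"]
    if "rfc2136-gss-tsig" in args:
        for flag in ("rfc2136-kerberos-realm", "rfc2136-kerberos-username", "rfc2136-kerberos-password"):
            if not first(flag):
                findings.append(f"GSS-TSIG enabled but --{flag} is missing")
        realm = first("rfc2136-kerberos-realm")
        if realm and realm.upper() not in [r.upper() for r in krb5_realms(krb5_conf)]:
            findings.append(f"realm {realm} is not declared in krb5.conf [realms]")
        password = first("rfc2136-kerberos-password")
        if password:
            findings.append("kerberos password is inline; the file becomes the package values Secret, keep it out of git")
        if password in KNOWN_DEFAULT_PASSWORDS:
            findings.append("kerberos password is a known lab default; rotate it before use")
    zone = first("rfc2136-zone").rstrip(".").lower()
    for domain in args.get("domain-filter", []):
        d = domain.rstrip(".").lower()
        if zone and d != zone and not d.endswith("." + zone):
            findings.append(f"domain-filter {d} lies outside rfc2136-zone {zone}; its records cannot be written there")
    if first("registry") == "txt" and not first("txt-owner-id"):
        findings.append("registry=txt without --txt-owner-id: every cluster defaults to owner 'default' and overwrites the others")
    if first("policy") == "sync" and "domain-filter" not in args:
        findings.append("policy=sync without --domain-filter: record deletions are not scoped to a domain")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_VALUES, SAMPLE_KRB5):
        print("FINDING:", finding)
```

Run it against the real files by reading them into the two arguments of check(); on the reference values it reports exactly the two password findings, and a values file with a --domain-filter outside the zone or without --txt-owner-id adds one finding each.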