This topic provides reference information for the ExternalDNS package.

About ExternalDNS

ExternalDNS synchronizes exposed Kubernetes Services and Ingresses with DNS providers.

Refer to the following topics to install ExternalDNS on a TKG cluster.

ExternalDNS Components

The ExternalDNS package installs the container listed in the table. The package pulls the container from the public registry specified in the package repository.
Container | Resource Type | Replicas | Description
ExternalDNS | DaemonSet | 6 | Expose Kubernetes services for DNS lookup

ExternalDNS Data Values

The ExternalDNS data values file is used to interface the ExternalDNS component with a supported DNS provider. The ExternalDNS package is validated with the following DNS providers: AWS (Route 53), Azure DNS, and RFC2136-compliant DNS servers (such as BIND).

The following example can be used for an RFC2136-compliant DNS provider (such as BIND).
---
# Namespace in which to deploy ExternalDNS pods
namespace: tanzu-system-service-discovery
# Deployment-related configuration
deployment:
  args:
    - --registry=txt
    - --txt-owner-id=k8s
    - --txt-prefix=external-dns- #! Disambiguates TXT records from CNAME records
    - --provider=rfc2136
    - --rfc2136-host=IP-ADDRESS #! Replace with IP of RFC2136-compatible DNS server, such as 192.168.0.1
    - --rfc2136-port=53
    - --rfc2136-zone=DNS-ZONE #! Replace with zone where services are deployed, such as my-zone.example.org
    - --rfc2136-tsig-secret=TSIG-SECRET #! Replace with TSIG key secret authorized to update DNS server
    - --rfc2136-tsig-secret-alg=hmac-sha256
    - --rfc2136-tsig-keyname=TSIG-KEY-NAME #! Replace with TSIG key name, such as externaldns-key
    - --rfc2136-tsig-axfr
    - --source=service
    - --source=ingress
    - --source=contour-httpproxy #! Enables Contour HTTPProxy object support
    - --domain-filter=DOMAIN #! Zone where services are deployed, such as my-zone.example.org
The following example can be used for the AWS DNS provider (Route 53).
---
namespace: service-discovery
dns:
  pspNames: "vmware-system-restricted"
  deployment:
    args:
    - --source=service
    - --source=ingress
    - --source=contour-httpproxy #! read Contour HTTPProxy resources
    - --domain-filter=my-zone.example.org #! zone where services are deployed
    - --provider=aws
    - --policy=upsert-only #! prevent deleting any records, omit to enable full synchronization
    - --aws-zone-type=public #! only look at public hosted zones (public, private, no value for both)
    - --aws-prefer-cname
    - --registry=txt
    - --txt-owner-id=HOSTED_ZONE_ID #! Route53 hosted zone identifier for my-zone.example.org
    - --txt-prefix=txt #! disambiguates TXT records from CNAME records
    env:
      - name: AWS_ACCESS_KEY_ID
        valueFrom:
          secretKeyRef:
            name: route53-credentials #! Kubernetes secret for route53 credentials
            key: aws_access_key_id
      - name: AWS_SECRET_ACCESS_KEY
        valueFrom:
          secretKeyRef:
            name: route53-credentials #! Kubernetes secret for route53 credentials
            key: aws_secret_access_key
The following example can be used for an Azure DNS provider.
---
namespace: service-discovery
dns:
  pspNames: "vmware-system-restricted"
  deployment:
    args:
    - --provider=azure
    - --source=service
    - --source=ingress
    - --source=contour-httpproxy #! read Contour HTTPProxy resources
    - --domain-filter=my-zone.example.org #! zone where services are deployed
    - --azure-resource-group=my-resource-group #! Azure resource group
    volumeMounts:
    - name: azure-config-file
      mountPath: /etc/kubernetes
      readOnly: true
    #@overlay/replace
    volumes:
    - name: azure-config-file
      secret:
        secretName: azure-config-file
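As an added check before applying a data-values file (example code, not part of the ExternalDNS package or of this page): the script below parses a deployment.args list like the three above and reports unreplaced placeholders, a missing --domain-filter, a TXT registry without an owner id, a policy that permits deletions, and, for the rfc2136 provider, an unset or legacy TSIG algorithm or a TSIG secret passed as a literal argument instead of through an environment variable referenced as $(VAR). The two embedded arg lists are copied from the RFC2136 and Route 53 examples on this page; the $(VAR) convention assumes the Kubernetes behaviour of expanding $(VAR) references in container args from the container's env.

```python
"""Check ExternalDNS deployment.args for incomplete or weak settings (added example)."""
# Placeholder tokens used in this page's data-values examples.
PLACEHOLDERS = {"IP-ADDRESS", "DNS-ZONE", "TSIG-SECRET", "TSIG-KEY-NAME", "DOMAIN", "HOSTED_ZONE_ID"}
LEGACY_TSIG_ALGS = {"hmac-md5", "hmac-sha1"}

# Arg lists copied from the RFC2136 and Route 53 examples on this page.
RFC2136_EXAMPLE_ARGS = [
    "--registry=txt", "--txt-owner-id=k8s", "--txt-prefix=external-dns-",
    "--provider=rfc2136", "--rfc2136-host=IP-ADDRESS", "--rfc2136-port=53",
    "--rfc2136-zone=DNS-ZONE", "--rfc2136-tsig-secret=TSIG-SECRET",
    "--rfc2136-tsig-secret-alg=hmac-sha256", "--rfc2136-tsig-keyname=TSIG-KEY-NAME",
    "--rfc2136-tsig-axfr", "--source=service", "--source=ingress",
    "--source=contour-httpproxy", "--domain-filter=DOMAIN",
]
AWS_EXAMPLE_ARGS = [
    "--source=service", "--source=ingress", "--source=contour-httpproxy",
    "--domain-filter=my-zone.example.org", "--provider=aws", "--policy=upsert-only",
    "--aws-zone-type=public", "--aws-prefer-cname", "--registry=txt",
    "--txt-owner-id=HOSTED_ZONE_ID", "--txt-prefix=txt",
]


def parse_args(args):
    """Map flag name -> list of values; flags such as --source may repeat."""
    parsed = {}
    for arg in args:
        flag, _, value = arg.partition("=")  # flags without '=' get an empty value
        parsed.setdefault(flag.lstrip("-"), []).append(value)
    return parsed


def check_args(args):
    """Return a list of findings; an empty list means nothing to fix."""
    opts, findings = parse_args(args), []
    for flag, values in opts.items():
        findings += [f"--{flag} still has placeholder value {v!r}" for v in values if v in PLACEHOLDERS]
    if "domain-filter" not in opts:
        findings.append("no --domain-filter: ExternalDNS may touch every zone the credentials can reach")
    if opts.get("registry") == ["txt"] and "txt-owner-id" not in opts:
        findings.append("--registry=txt without --txt-owner-id: records are not attributable to this cluster")
    if opts.get("policy", ["sync"])[0] != "upsert-only":  # sync is the default and allows deletions
        findings.append("policy is not upsert-only: records ExternalDNS considers stale may be deleted")
    if opts.get("provider") == ["rfc2136"]:
        alg = opts.get("rfc2136-tsig-secret-alg", [None])[0]
        if alg is None or alg in LEGACY_TSIG_ALGS:
            findings.append(f"TSIG algorithm {alg!r} is unset or legacy: set --rfc2136-tsig-secret-alg=hmac-sha256")
        # An unset secret is not a literal; a $(VAR) reference is expanded by Kubernetes from env.
        if not opts.get("rfc2136-tsig-secret", ["$("])[0].startswith("$("):
            findings.append("TSIG secret is a literal in args (visible in the pod spec); "
                            "inject it from a Secret via env and a $(VAR) reference instead")
    return findings
```

Run check_args on your own deployment.args list; the RFC2136 page example yields seven findings (five placeholders, the literal TSIG secret and the default sync policy) while the Route 53 example yields only its HOSTED_ZONE_ID placeholder.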

ExternalDNS Configuration

The table lists and describes the available configuration parameters for ExternalDNS. Refer to the site https://github.com/kubernetes-sigs/external-dns#running-externaldns for additional guidance.
Table 1. External DNS Package Configuration
Parameter | Description | Type | Default
externalDns.namespace | Namespace where external-dns will be deployed | string | tanzu-system-service-discovery
externalDns.image.repository | Repository containing the external-dns image | string | projects.registry.vmware.com/tkg
externalDns.image.name | Name of the external-dns image | string | external-dns
externalDns.image.tag | ExternalDNS image tag | string | v0.7.4_vmware.1
externalDns.image.pullPolicy | ExternalDNS image pull policy | string | IfNotPresent
externalDns.deployment.annotations | Annotations on the external-dns deployment | map<string,string> | {}
externalDns.deployment.args | Arguments passed on the command line to external-dns (mandatory parameter) | list<string> | []
externalDns.deployment.env | Environment variables to pass to external-dns | list<string> | []
externalDns.deployment.securityContext | Security context of the external-dns container | SecurityContext | {}
externalDns.deployment.volumeMounts | Volume mounts of the external-dns container | list<VolumeMount> | []
externalDns.deployment.volumes | Volumes of the external-dns pod | list<Volume> | []

Example Configmap

The following example ConfigMap defines a Kerberos configuration (krb5.conf) that ExternalDNS can use. The custom entries are the domain/realm name and the kdc/admin_server addresses.
apiVersion: v1
kind: ConfigMap
metadata:
  name: krb.conf
  namespace: tanzu-system-service-discovery
data:
  krb5.conf: |
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
    default_ccache_name = KEYRING:persistent:%{uid}

    default_realm = CORP.ACME

    [realms]
    CORP.ACME = {
      kdc = controlcenter.corp.acme
      admin_server = controlcenter.corp.acme
    }

    [domain_realm]
    corp.acme = CORP.ACME
    .corp.acme = CORP.ACME