vSphere 7.x 用の TKr を使用してプロビジョニングされた TKG クラスタに ExternalDNS をインストールするには、次の手順を参照してください。
前提条件
ExternalDNS のインストール
vSphere 7.x 用の TKr を使用してプロビジョニングされた TKG クラスタに ExternalDNS をインストールします。
- リポジトリで使用可能な ExternalDNS バージョンを一覧表示します。
kubectl get packages -n tkg-system | grep external-dns
- ExternalDNS 名前空間を作成します。
kubectl create namespace tanzu-system-service-discovery --dry-run=client -o yaml | kubectl apply -f -
- 名前空間にセキュリティ状態を設定します。
kubectl label namespace tanzu-system-service-discovery pod-security.kubernetes.io/enforce=privileged
- バインド デプロイの YAML を準備します。
bind-deployment.yamlを参照してください。
- BIND DNS サーバをデプロイします。
kubectl apply -n tanzu-system-service-discovery -f bind-deployment.yaml
- ExternalDNS デプロイの YAML を準備します。
external-dns-deploy.yamlを参照してください。
external-dns-default-values.yamlファイルを使用してシークレットを作成します。svcip=$(kubectl get svc bind -n tanzu-system-service-discovery -o jsonpath='{.spec.clusterIP}')sed -i "s/--rfc2136-host=[0-9.]\+/--rfc2136-host=$svcip/g" external-dns-deploy.yamlkubectl create secret generic external-dns-default-values --from-file=values.yaml=external-dns-deploy.yaml -n tkg-system
- シークレットを確認します。
kubectl get secret external-dns-default-values -n tkg-system
kubectl get secret external-dns-default-values -n tkg-system -oyaml
- ExternalDNS パッケージ インストールの YAML を準備します。
external-dns-packageinstall.yamlを参照してください。
- バインドを構成します。
sed -i "s/--rfc2136-host=[0-9.]\+/--rfc2136-host=$svcip/g" external-dns-packageinstall.yaml
- 外部 DNS パッケージを作成します。
kubectl apply -f external-dns-packageinstall.yaml
- ExternalDNS のインストールを確認します。
kubectl get all -n tanzu-system-service-discovery
bind-deployment.yaml
bind-deployment.yaml の例。
---
apiVersion: v1
kind: ConfigMap
metadata:
name: bind-config
data:
named.conf: |
key "externaldns-key" {
algorithm hmac-sha256;
secret "O0DhTJzZ0GjfuQmB9TBc1ELchv5oDMTlQs3NNOdMZJU=";
};
# bind needs to recurse to coredns in the case of resolving CNAME records
# it may know about to A records. E.g This test runs on AWS which uses
# CNAMEs for their LoadBalancer Services and bind will want to resolve
# those CNAME records to A records using an upstream DNS server.
options {
recursion yes;
forwarders {
COREDNS_CLUSTER_IP;
};
forward only;
dnssec-enable yes;
dnssec-validation yes;
};
zone "k8s.example.org" {
type master;
file "/etc/bind/k8s.zone";
allow-transfer {
key "externaldns-key";
};
update-policy {
grant externaldns-key zonesub ANY;
};
};
k8s.zone: |
$TTL 60 ; 1 minute
@ IN SOA k8s.example.org. root.k8s.example.org. (
16 ; serial
60 ; refresh (1 minute)
60 ; retry (1 minute)
60 ; expire (1 minute)
60 ; minimum (1 minute)
)
NS ns.k8s.example.org.
ns A 1.2.3.4
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: bind
spec:
selector:
matchLabels:
app: bind
template:
metadata:
labels:
app: bind
spec:
containers:
- name: bind
image: docker.io/internetsystemsconsortium/bind9:9.16
imagePullPolicy: IfNotPresent
command:
- 'sh'
- '-c'
- |
/usr/sbin/named -g -c /etc/bind/named.conf
ports:
- containerPort: 53
name: dns
protocol: UDP
- containerPort: 53
name: dns-tcp
protocol: TCP
volumeMounts:
- name: named-conf-volume
mountPath: /etc/bind/named.conf
subPath: named.conf
- name: k8s-zone-volume
mountPath: /etc/bind/k8s.zone
subPath: k8s.zone
volumes:
- name: data
emptyDir: {}
- name: named-conf-volume
configMap:
name: bind-config
items:
- key: named.conf
path: named.conf
- name: k8s-zone-volume
configMap:
name: bind-config
items:
- key: k8s.zone
path: k8s.zone
---
apiVersion: v1
kind: Service
metadata:
name: bind
labels:
app: bind
spec:
selector:
app: bind
type: ClusterIP
ports:
- port: 53
targetPort: 53
protocol: TCP
name: dns-tcp
- port: 53
targetPort: 53
protocol: UDP
name: dns
external-dns-deploy.yaml
external-dns-deploy.yaml の例。
deployment: args: - --source=service - --source=ingress - --txt-owner-id=k8s - --domain-filter=k8s.example.org - --namespace=default - --provider=rfc2136 - --rfc2136-host=198.201.49.227 - --rfc2136-port=53 - --rfc2136-zone=k8s.example.org - --rfc2136-tsig-secret=O0DhTJzZ0GjfuQmB9TBc1ELchv5oDMTlQs3NNOdMZJU= - --rfc2136-tsig-secret-alg=hmac-sha256 - --rfc2136-tsig-keyname=externaldns-key
external-dns-packageinstall.yaml
次の例は、BIND に使用できます。必要に応じて、パッケージのバージョンを更新します。
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-dns-default-sa
namespace: tkg-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dns-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: external-dns-default-sa
namespace: tkg-system
---
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
name: dns
namespace: tkg-system
spec:
serviceAccountName: external-dns-default-sa
packageRef:
refName: external-dns.tanzu.vmware.com
versionSelection:
constraints: 0.13.6+vmware.1-tkg.1
values:
- secretRef:
name: external-dns-default-values
---
apiVersion: v1
kind: Secret
metadata:
name: external-dns-reg-creds
namespace: tanzu-system-service-discovery
stringData:
values.yml: |
---
namespace: tanzu-system-service-discovery
dns:
deployment:
args:
- --txt-owner-id=k8s
- --provider=rfc2136
- --rfc2136-host=198.201.49.227 #! IP of compatible DNS server
- --rfc2136-port=53
- --rfc2136-zone=mk8s.example.org #! zone where services are deployed
- --rfc2136-tsig-secret=O0DhTJzZ0GjfuQmB9TBc1ELchv5oDMTlQs3NNOdMZJU= #! TSIG secret authorized to update DNS
- --rfc2136-tsig-secret-alg=hmac-sha256
- --rfc2136-tsig-keyname=externaldns-key
- --rfc2136-tsig-axfr
- --source=service
- --source=ingress
- --domain-filter=k8s.example.org1 #! zone where services are deployed
次の例は、AWS DNS プロバイダ (Route 53) に使用できます。必要に応じて、パッケージのバージョンを更新します。
apiVersion: v1
kind: ServiceAccount
metadata:
name: dns-sa
namespace: tkg-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dns-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: dns-sa
namespace: tkg-system
---
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
name: dns
namespace: tkg-system
spec:
serviceAccountName: dns-sa
packageRef:
refName: dns.tanzu.vmware.com
versionSelection:
constraints: 0.13.6+vmware.1-tkg.1
values:
- secretRef:
name: dns-data-values
---
apiVersion: v1
kind: Secret
metadata:
name: dns-data-values
namespace: tkg-system
stringData:
values.yml: |
---
namespace: tanzu-system-service-discovery
dns:
pspNames: "vmware-system-restricted"
deployment:
args:
- --source=service
- --source=ingress
- --source=contour-httpproxy #! configure external-dns to read Contour HTTPProxy resources
- --domain-filter=my-zone.example.org #! zone where services are deployed
- --provider=aws
- --policy=upsert-only #! prevent deleting any records, omit to enable full sync
- --aws-zone-type=public #! only look at public hosted zones (public, private, no value for both)
- --aws-prefer-cname
- --registry=txt
- --txt-owner-id=ROUTE_53_HOSTED_ZONE_ID #! Route53 hosted zone identifier for my-zone.example.org
- --txt-prefix=txt #! disambiguates TXT records from CNAME records
env:
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: route53-credentials #! Kubernetes secret for route53 credentials
key: aws_access_key_id
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: route53-credentials #! Kubernetes secret for route53 credentials
key: aws_secret_access_key
次の例は、Azure DNS プロバイダに使用できます。必要に応じて、パッケージのバージョンを更新します。
apiVersion: v1
kind: ServiceAccount
metadata:
name: dns-sa
namespace: tkg-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dns-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: dns-sa
namespace: tkg-system
---
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
name: dns
namespace: tkg-system
spec:
serviceAccountName: dns-sa
packageRef:
refName: dns.tanzu.vmware.com
versionSelection:
constraints: 0.13.6+vmware.1-tkg.1
values:
- secretRef:
name: dns-data-values
---
apiVersion: v1
kind: Secret
metadata:
name: dns-data-values
namespace: tkg-system
stringData:
values.yml: |
---
namespace: tanzu-system-service-discovery
dns:
pspNames: "vmware-system-restricted"
deployment:
args:
- --provider=azure
- --source=service
- --source=ingress
- --source=contour-httpproxy #! read Contour HTTPProxy resources
- --domain-filter=my-zone.example.org #! zone where services are deployed
- --azure-resource-group=my-resource-group #! Azure resource group
volumeMounts:
- name: azure-config-file
mountPath: /etc/kubernetes
readOnly: true
#@overlay/replace
volumes:
- name: azure-config-file
secret:
secretName: azure-config-file
