vSphere 7.x용 TKr로 프로비저닝된 TKG 클러스터에 ExternalDNS를 설치하려면 다음 지침을 참조하십시오.
사전 요구 사항
vSphere 7.x용 TKr에 표준 패키지를 설치하기 위한 워크플로의 내용을 참조하십시오.
ExternalDNS 설치
vSphere 7.x용 TKr로 프로비저닝된 TKG 클러스터에 ExternalDNS를 설치합니다.
- 저장소에서 사용 가능한 ExternalDNS 버전을 나열합니다.
kubectl get packages -n tkg-system | grep external-dns
- ExternalDNS 네임스페이스를 생성합니다.
kubectl create namespace tanzu-system-service-discovery --dry-run=client -o yaml | kubectl apply -f -
- 네임스페이스에서 보안 상태를 설정합니다.
kubectl label namespace tanzu-system-service-discovery pod-security.kubernetes.io/enforce=privileged
- 바인딩 배포 YAML을 준비합니다.
bind-deployment.yaml의 내용을 참조하십시오.
- 바인딩 DNS 서버를 배포합니다.
kubectl apply -n tanzu-system-service-discovery -f bind-deployment.yaml
- ExternalDNS 배포 YAML을 준비합니다.
external-dns-deploy.yaml의 내용을 참조하십시오.
external-dns-default-values.yaml파일을 사용하여 암호를 생성합니다.svcip=$(kubectl get svc bind -n tanzu-system-service-discovery -o jsonpath='{.spec.clusterIP}')sed -i "s/--rfc2136-host=[0-9.]\+/--rfc2136-host=$svcip/g" external-dns-deploy.yamlkubectl create secret generic external-dns-default-values --from-file=values.yaml=external-dns-deploy.yaml -n tkg-system
- 암호를 확인합니다.
kubectl get secret external-dns-default-values -n tkg-system
kubectl get secret external-dns-default-values -n tkg-system -oyaml
- ExternalDNS 패키지 설치 YAML을 준비합니다.
external-dns-packageinstall.yaml의 내용을 참조하십시오.
- 바인딩을 구성합니다.
sed -i "s/--rfc2136-host=[0-9.]\+/--rfc2136-host=$svcip/g" external-dns-packageinstall.yaml
- 외부 DNS 패키지를 생성합니다.
kubectl apply -f external-dns-packageinstall.yaml
- ExternalDNS 설치를 확인합니다.
kubectl get all -n tanzu-system-service-discovery
bind-deployment.yaml
예
bind-deployment.yaml.
---
apiVersion: v1
kind: ConfigMap
metadata:
name: bind-config
data:
named.conf: |
key "externaldns-key" {
algorithm hmac-sha256;
secret "O0DhTJzZ0GjfuQmB9TBc1ELchv5oDMTlQs3NNOdMZJU=";
};
# bind needs to recurse to coredns in the case of resolving CNAME records
# it may know about to A records. E.g This test runs on AWS which uses
# CNAMEs for their LoadBalancer Services and bind will want to resolve
# those CNAME records to A records using an upstream DNS server.
options {
recursion yes;
forwarders {
COREDNS_CLUSTER_IP;
};
forward only;
dnssec-enable yes;
dnssec-validation yes;
};
zone "k8s.example.org" {
type master;
file "/etc/bind/k8s.zone";
allow-transfer {
key "externaldns-key";
};
update-policy {
grant externaldns-key zonesub ANY;
};
};
k8s.zone: |
$TTL 60 ; 1 minute
@ IN SOA k8s.example.org. root.k8s.example.org. (
16 ; serial
60 ; refresh (1 minute)
60 ; retry (1 minute)
60 ; expire (1 minute)
60 ; minimum (1 minute)
)
NS ns.k8s.example.org.
ns A 1.2.3.4
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: bind
spec:
selector:
matchLabels:
app: bind
template:
metadata:
labels:
app: bind
spec:
containers:
- name: bind
image: docker.io/internetsystemsconsortium/bind9:9.16
imagePullPolicy: IfNotPresent
command:
- 'sh'
- '-c'
- |
/usr/sbin/named -g -c /etc/bind/named.conf
ports:
- containerPort: 53
name: dns
protocol: UDP
- containerPort: 53
name: dns-tcp
protocol: TCP
volumeMounts:
- name: named-conf-volume
mountPath: /etc/bind/named.conf
subPath: named.conf
- name: k8s-zone-volume
mountPath: /etc/bind/k8s.zone
subPath: k8s.zone
volumes:
- name: data
emptyDir: {}
- name: named-conf-volume
configMap:
name: bind-config
items:
- key: named.conf
path: named.conf
- name: k8s-zone-volume
configMap:
name: bind-config
items:
- key: k8s.zone
path: k8s.zone
---
apiVersion: v1
kind: Service
metadata:
name: bind
labels:
app: bind
spec:
selector:
app: bind
type: ClusterIP
ports:
- port: 53
targetPort: 53
protocol: TCP
name: dns-tcp
- port: 53
targetPort: 53
protocol: UDP
name: dns
external-dns-deploy.yaml
예
external-dns-deploy.yaml.
deployment: args: - --source=service - --source=ingress - --txt-owner-id=k8s - --domain-filter=k8s.example.org - --namespace=default - --provider=rfc2136 - --rfc2136-host=198.201.49.227 - --rfc2136-port=53 - --rfc2136-zone=k8s.example.org - --rfc2136-tsig-secret=O0DhTJzZ0GjfuQmB9TBc1ELchv5oDMTlQs3NNOdMZJU= - --rfc2136-tsig-secret-alg=hmac-sha256 - --rfc2136-tsig-keyname=externaldns-key
external-dns-packageinstall.yaml
다음 예는 BIND에 사용할 수 있습니다. 필요에 따라 패키지 버전을 업데이트합니다.
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-dns-default-sa
namespace: tkg-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dns-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: external-dns-default-sa
namespace: tkg-system
---
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
name: dns
namespace: tkg-system
spec:
serviceAccountName: external-dns-default-sa
packageRef:
refName: external-dns.tanzu.vmware.com
versionSelection:
constraints: 0.13.6+vmware.1-tkg.1
values:
- secretRef:
name: external-dns-default-values
---
apiVersion: v1
kind: Secret
metadata:
name: external-dns-reg-creds
namespace: tanzu-system-service-discovery
stringData:
values.yml: |
---
namespace: tanzu-system-service-discovery
dns:
deployment:
args:
- --txt-owner-id=k8s
- --provider=rfc2136
- --rfc2136-host=198.201.49.227 #! IP of compatible DNS server
- --rfc2136-port=53
- --rfc2136-zone=mk8s.example.org #! zone where services are deployed
- --rfc2136-tsig-secret=O0DhTJzZ0GjfuQmB9TBc1ELchv5oDMTlQs3NNOdMZJU= #! TSIG secret authorized to update DNS
- --rfc2136-tsig-secret-alg=hmac-sha256
- --rfc2136-tsig-keyname=externaldns-key
- --rfc2136-tsig-axfr
- --source=service
- --source=ingress
- --domain-filter=k8s.example.org1 #! zone where services are deployed
다음 예는 AWS DNS 제공자(경로 53)에 사용할 수 있습니다. 필요에 따라 패키지 버전을 업데이트합니다.
apiVersion: v1
kind: ServiceAccount
metadata:
name: dns-sa
namespace: tkg-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dns-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: dns-sa
namespace: tkg-system
---
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
name: dns
namespace: tkg-system
spec:
serviceAccountName: dns-sa
packageRef:
refName: dns.tanzu.vmware.com
versionSelection:
constraints: 0.13.6+vmware.1-tkg.1
values:
- secretRef:
name: dns-data-values
---
apiVersion: v1
kind: Secret
metadata:
name: dns-data-values
namespace: tkg-system
stringData:
values.yml: |
---
namespace: tanzu-system-service-discovery
dns:
pspNames: "vmware-system-restricted"
deployment:
args:
- --source=service
- --source=ingress
- --source=contour-httpproxy #! configure external-dns to read Contour HTTPProxy resources
- --domain-filter=my-zone.example.org #! zone where services are deployed
- --provider=aws
- --policy=upsert-only #! prevent deleting any records, omit to enable full sync
- --aws-zone-type=public #! only look at public hosted zones (public, private, no value for both)
- --aws-prefer-cname
- --registry=txt
- --txt-owner-id=ROUTE_53_HOSTED_ZONE_ID #! Route53 hosted zone identifier for my-zone.example.org
- --txt-prefix=txt #! disambiguates TXT records from CNAME records
env:
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: route53-credentials #! Kubernetes secret for route53 credentials
key: aws_access_key_id
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: route53-credentials #! Kubernetes secret for route53 credentials
key: aws_secret_access_key
다음 예는 Azure DNS 제공자에 사용할 수 있습니다. 필요에 따라 패키지 버전을 업데이트합니다.
apiVersion: v1
kind: ServiceAccount
metadata:
name: dns-sa
namespace: tkg-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dns-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: dns-sa
namespace: tkg-system
---
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
name: dns
namespace: tkg-system
spec:
serviceAccountName: dns-sa
packageRef:
refName: dns.tanzu.vmware.com
versionSelection:
constraints: 0.13.6+vmware.1-tkg.1
values:
- secretRef:
name: dns-data-values
---
apiVersion: v1
kind: Secret
metadata:
name: dns-data-values
namespace: tkg-system
stringData:
values.yml: |
---
namespace: tanzu-system-service-discovery
dns:
pspNames: "vmware-system-restricted"
deployment:
args:
- --provider=azure
- --source=service
- --source=ingress
- --source=contour-httpproxy #! read Contour HTTPProxy resources
- --domain-filter=my-zone.example.org #! zone where services are deployed
- --azure-resource-group=my-resource-group #! Azure resource group
volumeMounts:
- name: azure-config-file
mountPath: /etc/kubernetes
readOnly: true
#@overlay/replace
volumes:
- name: azure-config-file
secret:
secretName: azure-config-file
