github.com/verrazzano/verrazzano@v1.7.0/platform-operator/thirdparty/charts/external-dns/README.md

# external-dns

[ExternalDNS](https://github.com/kubernetes-sigs/external-dns) is a Kubernetes addon that configures public DNS servers with information about exposed Kubernetes services to make them discoverable.

## TL;DR

```console
$ helm install my-release stable/external-dns
```

## Introduction

This chart bootstraps an [ExternalDNS](https://github.com/bitnami/bitnami-docker-external-dns) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.

Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/).

## Prerequisites

- Kubernetes 1.12+
- Helm 2.11+ or Helm 3.0-beta3+

## Installing the Chart

To install the chart with the release name `my-release`:

```bash
$ helm install my-release stable/external-dns
```

The command deploys ExternalDNS on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.

> **Tip**: List all releases using `helm list`

## Uninstalling the Chart

To uninstall/delete the `my-release` deployment:

```console
$ helm delete my-release
```

The command removes all the Kubernetes components associated with the chart and deletes the release.

## Parameters

The following table lists the configurable parameters of the external-dns chart and their default values.

| Parameter                           | Description                                                                                              | Default                                                     |
| ----------------------------------- | -------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------- |
| `global.imageRegistry`              | Global Docker image registry                                                                             | `nil`                                                       |
| `global.imagePullSecrets`           | Global Docker registry secret names as an array                                                          | `[]` (does not add image pull secrets to deployed pods)     |
| `image.registry`                    | ExternalDNS image registry                                                                               | `docker.io`                                                 |
| `image.repository`                  | ExternalDNS Image name                                                                                   | `bitnami/external-dns`                                      |
| `image.tag`                         | ExternalDNS Image tag                                                                                    | `{TAG_NAME}`                                                |
| `image.pullPolicy`                  | ExternalDNS image pull policy                                                                            | `IfNotPresent`                                              |
| `image.pullSecrets`                 | Specify docker-registry secret names as an array                                                         | `[]` (does not add image pull secrets to deployed pods)     |
| `nameOverride`                      | String to partially override external-dns.fullname template with a string (will prepend the release name)| `nil`                                                       |
| `fullnameOverride`                  | String to fully override external-dns.fullname template with a string                                    | `nil`                                                       |
| `sources`                           | K8s resource types to be observed for new DNS entries by ExternalDNS                                     | `[service, ingress]`                                        |
| `provider`                          | DNS provider where the DNS records will be created (mandatory) (options: aws, azure, google, ...)        | `aws`                                                       |
| `namespace`                         | Limit sources of endpoints to a specific namespace (default: all namespaces)                             | `""`                                                        |
| `fqdnTemplates`                     | Templated strings that are used to generate DNS names from sources that don't define a hostname themselves   | `[]`                                                    |
| `combineFQDNAnnotation`             | Combine FQDN template and annotations instead of overwriting                                             | `false`                                                     |
| `ignoreHostnameAnnotation`          | Ignore hostname annotation when generating DNS names, valid only when fqdn-template is set               | `false`                                                     |
| `publishInternalServices`           | Whether to publish DNS records for ClusterIP services or not                                             | `false`                                                     |
| `publishHostIP`                     | Allow external-dns to publish host-ip for headless services                                              | `false`                                                     |
| `serviceTypeFilter`                 | The service types to watch (default: all, options: ClusterIP, NodePort, LoadBalancer, ExternalName)      | `[]`                                                        |
| `aws.credentials.accessKey`         | When using the AWS provider, set `aws_access_key_id` in the AWS credentials (optional)                   | `""`                                                        |
| `aws.credentials.secretKey`         | When using the AWS provider, set `aws_secret_access_key` in the AWS credentials (optional)               | `""`                                                        |
| `aws.credentials.mountPath`         | When using the AWS provider, determine `mountPath` for `credentials` secret                              | `"/.aws"`                                                   |
| `aws.region`                        | When using the AWS provider, `AWS_DEFAULT_REGION` to set in the environment (optional)                   | `us-east-1`                                                 |
| `aws.zoneType`                      | When using the AWS provider, filter for zones of this type (optional, options: public, private)          | `""`                                                        |
| `aws.assumeRoleArn`                 | When using the AWS provider, assume role by specifying --aws-assume-role to the external-dns daemon      | `""`                                                        |
| `aws.batchChangeSize`               | When using the AWS provider, set the maximum number of changes that will be applied in each batch        | `1000`                                                      |
| `aws.zoneTags`                      | When using the AWS provider, filter for zones with these tags                                            | `[]`                                                        |
| `aws.preferCNAME`                   | When using the AWS provider, replaces Alias records with CNAME (options: true, false)                    | `[]`                                                        |
| `aws.evaluateTargetHealth`          | When using the AWS provider, sets the evaluate target health flag (options: true, false)                 | `[true, false]`                                             |
| `azure.secretName`                  | When using the Azure provider, set the secret containing the `azure.json` file                           | `""`                                                        |
| `azure.cloud`                       | When using the Azure provider, set the Azure Cloud                                                       | `""`                                                        |
| `azure.resourceGroup`               | When using the Azure provider, set the Azure Resource Group                                              | `""`                                                        |
| `azure.tenantId`                    | When using the Azure provider, set the Azure Tenant ID                                                   | `""`                                                        |
| `azure.subscriptionId`              | When using the Azure provider, set the Azure Subscription ID                                             | `""`                                                        |
| `azure.aadClientId`                 | When using the Azure provider, set the Azure AAD Client ID                                               | `""`                                                        |
| `azure.aadClientSecret`             | When using the Azure provider, set the Azure AAD Client Secret                                           | `""`                                                        |
| `azure.useManagedIdentityExtension` | When using the Azure provider, set if you use Azure MSI                                                  | `""`                                                        |
| `cloudflare.apiToken`               | When using the Cloudflare provider, `CF_API_TOKEN` to set (optional)                                     | `""`                                                        |
| `cloudflare.apiKey`                 | When using the Cloudflare provider, `CF_API_KEY` to set (optional)                                       | `""`                                                        |
| `cloudflare.email`                  | When using the Cloudflare provider, `CF_API_EMAIL` to set (optional)                                     | `""`                                                        |
| `cloudflare.proxied`                | When using the Cloudflare provider, enable the proxy feature (DDoS protection, CDN...) (optional)        | `true`                                                      |
| `coredns.etcdEndpoints`             | When using the CoreDNS provider, set etcd backend endpoints (comma-separated list)                       | `"http://etcd-extdns:2379"`                                 |
| `coredns.etcdTLS.enabled`           | When using the CoreDNS provider, enable secure communication with etcd                                   | `false`                                                     |
| `coredns.etcdTLS.secretName`        | When using the CoreDNS provider, specify a name of existing Secret with etcd certs and keys              | `"etcd-client-certs"`                                       |
| `coredns.etcdTLS.mountPath`         | When using the CoreDNS provider, set destination dir to mount data from `coredns.etcdTLS.secretName` to  | `"/etc/coredns/tls/etcd"`                                   |
| `coredns.etcdTLS.caFilename`        | When using the CoreDNS provider, specify CA PEM file name from the `coredns.etcdTLS.secretName`          | `"ca.crt"`                                                  |
| `coredns.etcdTLS.certFilename`      | When using the CoreDNS provider, specify cert PEM file name from the `coredns.etcdTLS.secretName`        | `"cert.pem"`                                                |
| `coredns.etcdTLS.keyFilename`       | When using the CoreDNS provider, specify private key PEM file name from the `coredns.etcdTLS.secretName` | `"key.pem"`                                                 |
| `designate.authUrl`                 | When using the Designate provider, specify the OpenStack authentication Url. (optional)                  | `none`                                                      |
| `designate.customCA.enabled`        | When using the Designate provider, enable a custom CA (optional)                                         | `false`                                                     |
| `designate.customCA.content`        | When using the Designate provider, set the content of the custom CA                                      | `""`                                                        |
| `designate.customCA.mountPath`      | When using the Designate provider, set the mountPath in which to mount the custom CA configuration       | `"/config/designate"`                                       |
| `designate.customCA.filename`       | When using the Designate provider, set the custom CA configuration filename                              | `"designate-ca.pem"`                                        |
| `designate.customCAHostPath`        | When using the Designate provider, use a CA file already on the host to validate OpenStack APIs. This conflicts with `designate.customCA.enabled` | `none`             |
| `designate.password`                | When using the Designate provider, specify the OpenStack authentication password. (optional)             | `none`                                                      |
| `designate.projectName`             | When using the Designate provider, specify the OpenStack project name. (optional)                        | `none`                                                      |
| `designate.regionName`              | When using the Designate provider, specify the OpenStack region name. (optional)                         | `none`                                                      |
| `designate.userDomainName`          | When using the Designate provider, specify the OpenStack user domain name. (optional)                    | `none`                                                      |
| `designate.username`                | When using the Designate provider, specify the OpenStack authentication username. (optional)             | `none`                                                      |
| `digitalocean.apiToken`             | When using the DigitalOcean provider, `DO_TOKEN` to set (optional)                                       | `""`                                                        |
| `google.project`                    | When using the Google provider, specify the Google project (required when provider=google)               | `""`                                                        |
| `google.serviceAccountSecret`       | When using the Google provider, specify the existing secret which contains credentials.json (optional)   | `""`                                                        |
| `google.serviceAccountSecretKey`    | When using the Google provider with an existing secret, specify the key name (optional)                  | `"credentials.json"`                                        |
| `google.serviceAccountKey`          | When using the Google provider, specify the service account key JSON file (required when `google.serviceAccountSecret` is not provided; in this case a new secret will be created holding this service account key) | `""`    |
| `infoblox.gridHost`                 | When using the Infoblox provider, specify the Infoblox Grid host (required when provider=infoblox)       | `""`                                                        |
| `infoblox.wapiUsername`             | When using the Infoblox provider, specify the Infoblox WAPI username                                     | `"admin"`                                                   |
| `infoblox.wapiPassword`             | When using the Infoblox provider, specify the Infoblox WAPI password (required when provider=infoblox)   | `""`                                                        |
| `infoblox.domainFilter`             | When using the Infoblox provider, specify the domain (optional)                                          | `""`                                                        |
| `infoblox.noSslVerify`              | When using the Infoblox provider, disable SSL verification (optional)                                    | `false`                                                     |
| `infoblox.wapiPort`                 | When using the Infoblox provider, specify the Infoblox WAPI port (optional)                              | `""`                                                        |
| `infoblox.wapiVersion`              | When using the Infoblox provider, specify the Infoblox WAPI version (optional)                           | `""`                                                        |
| `infoblox.wapiConnectionPoolSize`   | When using the Infoblox provider, specify the Infoblox WAPI request connection pool size (optional)      | `""`                                                        |
| `infoblox.wapiHttpTimeout`          | When using the Infoblox provider, specify the Infoblox WAPI request timeout in seconds (optional)        | `""`                                                        |
| `rfc2136.host`                      | When using the rfc2136 provider, specify the RFC2136 host (required when provider=rfc2136)               | `""`                                                        |
| `rfc2136.port`                      | When using the rfc2136 provider, specify the RFC2136 port (optional)                                     | `53`                                                        |
| `rfc2136.zone`                      | When using the rfc2136 provider, specify the zone (required when provider=rfc2136)                       | `""`                                                        |
| `rfc2136.tsigSecret`                | When using the rfc2136 provider, specify the tsig secret to enable security (optional)                   | `""`                                                        |
| `rfc2136.tsigKeyname`               | When using the rfc2136 provider, specify the tsig keyname to enable security (optional)                  | `"externaldns-key"`                                         |
| `rfc2136.tsigSecretAlg`             | When using the rfc2136 provider, specify the tsig secret algorithm to enable security (optional)         | `"hmac-sha256"`                                             |
| `rfc2136.tsigAxfr`                  | When using the rfc2136 provider, enable AXFR to enable security (optional)                               | `true`                                                      |
| `pdns.apiUrl`                       | When using the PowerDNS provider, specify the API URL of the server.                                     | `""`                                                        |
| `pdns.apiPort`                      | When using the PowerDNS provider, specify the API port of the server.                                    | `8081`                                                      |
| `pdns.apiKey`                       | When using the PowerDNS provider, specify the API key of the server.                                     | `""`                                                        |
| `transip.account`                   | When using the TransIP provider, specify the account name.                                               | `""`                                                        |
| `transip.apiKey`                    | When using the TransIP provider, specify the API key to use.                                             | `""`                                                        |
| `annotationFilter`                  | Filter sources managed by external-dns via annotation using label selector (optional)                    | `""`                                                        |
| `domainFilters`                     | Limit possible target zones by domain suffixes (optional)                                                | `[]`                                                        |
| `zoneIdFilters`                     | Limit possible target zones by zone id (optional)                                                        | `[]`                                                        |
| `crd.create`                        | Install and use the integrated DNSEndpoint CRD                                                           | `false`                                                     |
| `crd.apiversion`                    | Sets the API version for the CRD to watch                                                                | `""`                                                        |
| `crd.kind`                          | Sets the kind for the CRD to watch                                                                       | `""`                                                        |
| `dryRun`                            | When enabled, prints DNS record changes rather than actually performing them (optional)                  | `false`                                                     |
| `logLevel`                          | Verbosity of the logs (options: panic, debug, info, warn, error, fatal)                                  | `info`                                                      |
| `logFormat`                         | Which format to output logs in (options: text, json)                                                     | `text`                                                      |
| `interval`                          | Interval update period to use                                                                            | `1m`                                                        |
| `triggerLoopOnEvent`                | When enabled, triggers run loop on create/update/delete events in addition to regular interval (optional)| `false`                                                     |
| `istioIngressGateways`              | The fully-qualified name of the Istio ingress gateway services.                                          | `""`                                                        |
| `policy`                            | Modify how DNS records are synchronized between sources and providers (options: sync, upsert-only)       | `upsert-only`                                               |
| `registry`                          | Registry method to use (options: txt, noop)                                                              | `txt`                                                       |
| `txtOwnerId`                        | When using the TXT registry, a name that identifies this instance of ExternalDNS (optional)              | `"default"`                                                 |
| `txtPrefix`                         | When using the TXT registry, a prefix for ownership records that avoids collision with CNAME entries (optional) | `""`                                                 |
| `extraArgs`                         | Extra arguments to be passed to external-dns                                                             | `{}`                                                        |
| `extraEnv`                          | Extra environment variables to be passed to external-dns                                                 | `[]`                                                        |
| `replicas`                          | Desired number of ExternalDNS replicas                                                                   | `1`                                                         |
| `affinity`                          | Affinity for pod assignment (this value is evaluated as a template)                                      | `{}`                                                        |
| `nodeSelector`                      | Node labels for pod assignment (this value is evaluated as a template)                                   | `{}`                                                        |
| `tolerations`                       | Tolerations for pod assignment (this value is evaluated as a template)                                   | `[]`                                                        |
| `podAnnotations`                    | Additional annotations to apply to the pod.                                                              | `{}`                                                        |
| `podLabels`                         | Additional labels to be added to pods                                                                    | `{}`                                                        |
| `podSecurityContext.fsGroup`        | Group ID for the container                                                                               | `1001`                                                      |
| `podSecurityContext.runAsUser`      | User ID for the container                                                                                | `1001`                                                      |
| `priorityClassName`                 | Pod priority class name                                                                                  | `""`                                                        |
| `securityContext`                   | Security context for the container                                                                       | `{}`                                                        |
| `service.type`                      | Kubernetes Service type                                                                                  | `ClusterIP`                                                 |
| `service.port`                      | ExternalDNS client port                                                                                  | `7979`                                                      |
| `service.nodePort`                  | Port to bind to for NodePort service type (client port)                                                  | `nil`                                                       |
| `service.clusterIP`                 | IP address to assign to service                                                                          | `""`                                                        |
| `service.externalIPs`               | Service external IP addresses                                                                            | `[]`                                                        |
| `service.loadBalancerIP`            | IP address to assign to load balancer (if supported)                                                     | `""`                                                        |
| `service.loadBalancerSourceRanges`  | List of IP CIDRs allowed access to load balancer (if supported)                                          | `[]`                                                        |
| `service.annotations`               | Annotations to add to service                                                                            | `{}`                                                        |
| `rbac.create`                       | Whether to create & use RBAC resources or not                                                            | `true`                                                      |
| `rbac.serviceAccountName`           | ServiceAccount (ignored if rbac.create == true)                                                          | `default`                                                   |
| `rbac.serviceAccountAnnotations`    | Additional Service Account annotations                                                                   | `{}`                                                        |
| `rbac.apiVersion`                   | Version of the RBAC API                                                                                  | `v1beta1`                                                   |
| `rbac.pspEnabled`                   | Create a PodSecurityPolicy for the pods                                                                  | `false`                                                     |
| `resources`                         | CPU/Memory resource requests/limits.                                                                     | `{}`                                                        |
| `livenessProbe`                     | Deployment Liveness Probe                                                                                | See `values.yaml`                                           |
| `readinessProbe`                    | Deployment Readiness Probe                                                                               | See `values.yaml`                                           |
| `extraVolumes`                      | A list of volumes to be added to the pod                                                                 | `[]`                                                        |
| `extraVolumeMounts`                 | A list of volume mounts to be added to the pod                                                           | `[]`                                                        |
| `metrics.enabled`                   | Enable prometheus to access external-dns metrics endpoint                                                | `false`                                                     |
| `metrics.podAnnotations`            | Annotations for enabling prometheus to access the metrics endpoint                                       |                                                             |
| `metrics.serviceMonitor.enabled`    | Create ServiceMonitor object                                                                             | `false`                                                     |
| `metrics.serviceMonitor.selector`   | Additional labels for ServiceMonitor object                                                              | `{}`                                                        |
| `metrics.serviceMonitor.interval`   | Interval at which metrics should be scraped                                                              | `30s`                                                       |
| `metrics.serviceMonitor.scrapeTimeout`   | Timeout after which the scrape is ended                                                             | `30s`                                                       |
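
The `registry`, `txtOwnerId`, `txtPrefix` and `policy` rows above are the settings that decide whether one ExternalDNS instance may change or delete records it did not create. The following added example (not code from this chart or from the ExternalDNS project) simulates that decision in Python: the ownership TXT payload follows the `heritage=external-dns,external-dns/owner=<txtOwnerId>` format that ExternalDNS writes, while the zone model, the record names and addresses, and the reconciliation loop are simplified and constructed for illustration.

```python
"""Simplified model of ExternalDNS's TXT registry and sync policy.

Added example, not the project's code. The ownership TXT payload mirrors the
format ExternalDNS writes; everything else (zone model, sample records,
reconciliation) is a constructed simplification: one non-TXT record per name,
no multi-target records, no provider round trips.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

HERITAGE = "heritage=external-dns"


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str    # "A", "CNAME" or "TXT"
    target: str


def ownership_txt(name: str, owner_id: str, prefix: str = "") -> Record:
    """Ownership marker stored beside a record this instance created.

    txtPrefix moves the marker to a different name: a name holding a CNAME
    may hold no other record type, so a TXT at the same name would be
    rejected by the provider.
    """
    return Record(f"{prefix}{name}", "TXT",
                  f'"{HERITAGE},external-dns/owner={owner_id}"')


def owner_of(zone: List[Record], name: str, prefix: str = "") -> Optional[str]:
    """Return the txtOwnerId recorded for `name`, or None if unmanaged."""
    for rec in zone:
        if rec.rtype != "TXT" or rec.name != f"{prefix}{name}":
            continue
        fields = dict(part.partition("=")[::2]
                      for part in rec.target.strip('"').split(","))
        if fields.get("heritage") == "external-dns":
            return fields.get("external-dns/owner")
    return None


def plan(zone: List[Record], desired: List[Record], owner_id: str,
         policy: str, prefix: str = "") -> Dict[str, Any]:
    """Decide what this instance may create, update or delete.

    - records with no marker are never touched (someone else manages them)
    - records marked with another txtOwnerId are never touched
    - this instance's own orphaned records are deleted only under
      policy=sync; upsert-only never deletes anything
    """
    if policy not in ("sync", "upsert-only"):
        raise ValueError(f"unknown policy {policy!r}")
    existing = {r.name: r for r in zone if r.rtype != "TXT"}
    result: Dict[str, Any] = {"create": [], "update": [], "delete": [], "skip": {}}
    for want in desired:
        have = existing.get(want.name)
        if have is None:
            result["create"].append(want.name)
            continue
        owner = owner_of(zone, want.name, prefix)
        if owner != owner_id:
            result["skip"][want.name] = "unmanaged" if owner is None else f"owned by {owner}"
        elif (have.rtype, have.target) != (want.rtype, want.target):
            result["update"].append(want.name)
    if policy == "sync":
        wanted = {w.name for w in desired}
        for name in existing:
            if name not in wanted and owner_of(zone, name, prefix) == owner_id:
                result["delete"].append(name)
    return result


# Constructed sample zone (RFC 5737 documentation addresses, example.org names).
PREFIX = "extdns-"
ZONE = [
    Record("www.example.org", "A", "192.0.2.10"),
    ownership_txt("www.example.org", "default", PREFIX),
    Record("old.example.org", "A", "192.0.2.11"),        # orphan: no longer in sources
    ownership_txt("old.example.org", "default", PREFIX),
    Record("legacy.example.org", "A", "192.0.2.12"),     # hand-managed, no marker
    Record("shared.example.org", "A", "192.0.2.13"),
    ownership_txt("shared.example.org", "cluster-b", PREFIX),  # another instance's record
]
# What this instance's sources (Services/Ingresses) currently ask for.
DESIRED = [
    Record("www.example.org", "A", "192.0.2.20"),
    Record("legacy.example.org", "A", "192.0.2.21"),
    Record("shared.example.org", "A", "192.0.2.22"),
    Record("api.example.org", "CNAME", "lb.example.net"),
]

if __name__ == "__main__":
    for policy in ("upsert-only", "sync"):
        print(policy, plan(ZONE, DESIRED, "default", policy, PREFIX))
```

Run stand-alone, the script shows that `upsert-only` (the chart default) never produces a delete, while `sync` removes only `old.example.org`, the single orphan carrying this instance's own marker; the hand-managed record and the one owned by `cluster-b` are skipped under both policies. Looking the marker up without the prefix finds nothing, which is why `txtPrefix` must match across every instance that shares a zone.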
   187  
   188  Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
   189  
   190  ```console
   191  $ helm install my-release \
   192    --set provider=aws stable/external-dns
   193  ```
   194  
   195  Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
   196  
   197  ```bash
   198  $ helm install my-release -f values.yaml stable/external-dns
   199  ```
   200  
   201  > **Tip**: You can use the default [values.yaml](values.yaml)
   202  
   203  ## Configuration and installation details
   204  
   205  ### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
   206  
   207  It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image: a rolling tag can be re-pointed at new content at any time, so a pull during scale-up or node replacement may silently fetch an image other than the one you validated.
   208  
   209  Bitnami releases a new chart version, updating its containers, whenever a new version of the main container is published, significant changes are made, or critical vulnerabilities are fixed.
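
As an added example (not part of the chart or of Bitnami's tooling), the POSIX shell helper below refuses to build a `helm install` invocation from a rolling tag. It assumes the chart exposes the image tag as `image.tag` (see the Parameters table) and uses `0.7.1-debian-10-r0` only to illustrate the shape of an immutable Bitnami tag; check the tags actually published for `bitnami/external-dns` before pinning one.

```shell
#!/bin/sh
# Added example, not part of the external-dns chart: refuse to deploy a
# rolling image tag.
#
# Bitnami immutable tags look like <major>.<minor>.<patch>-<distro>-<n>-r<revision>,
# e.g. 0.7.1-debian-10-r0 (illustrative). Tags without the -r<revision> suffix
# (0.7.1-debian-10, 0.7-debian-10, latest) are rolling: the registry re-points
# them to newer images over time.
set -eu

# Return 0 if the tag is immutable, 1 otherwise.
is_immutable_tag() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+-[a-z]+-[0-9]+-r[0-9]+$'
}

# Print the helm argument that pins the release to the given tag, or fail
# loudly so that a CI job cannot fall through to a rolling tag.
pinned_image_args() {
  tag="$1"
  if ! is_immutable_tag "$tag"; then
    echo "refusing rolling tag '$tag'; use an immutable tag such as 0.7.1-debian-10-r0" >&2
    return 1
  fi
  # image.tag is assumed to be the chart's image tag parameter; adjust the
  # key if your chart version names it differently.
  printf '%s' "--set image.tag=$tag"
}

# Usage (helm itself is not invoked here):
#   helm install my-release $(pinned_image_args 0.7.1-debian-10-r0) stable/external-dns
```

The check is deliberately strict: a tag that merely looks versioned (`0.7.1-debian-10`) is still rejected, because only the `-rN` revision identifies a single build.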
   210  
   211  ### Production configuration
   212  
   213  This chart includes a `values-production.yaml` file with parameters tuned for a production configuration, in contrast to the regular `values.yaml`. You can use this file instead of the default one. It differs from the default values as follows:
   214  
   215  - Desired number of ExternalDNS replicas:
   216  ```diff
   217  - replicas: 1
   218  + replicas: 3
   219  ```
   220  
   221  - Enable prometheus to access external-dns metrics endpoint:
   222  ```diff
   223  - metrics.enabled: false
   224  + metrics.enabled: true
   225  ```
   226  
   227  ## Tutorials
   228  
   229  Find information about the requirements for each DNS provider at the link below:
   230  
   231  - [ExternalDNS Tutorials](https://github.com/kubernetes-sigs/external-dns/tree/master/docs/tutorials)
   232  
   233  For instance, to install ExternalDNS on AWS, you need to:
   234  
   235  - Grant the identity ExternalDNS runs as (the IAM role of the worker nodes that host it, or a role bound to the ExternalDNS pod) a minimal Route53 IAM policy (check [IAM permissions docs](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-permissions) for more information).
   236  - Set up a hosted zone on Route53 and note down its Hosted Zone ID and the associated nameservers, as described in [these docs](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#set-up-a-hosted-zone).
   237  - Install ExternalDNS chart using the command below:
   238  
   239  > Note: replace the placeholders HOSTED_ZONE_IDENTIFIER and HOSTED_ZONE_NAME with your hosted zone identifier and name, respectively. The `txtOwnerId` value is written into the TXT records ExternalDNS creates and must be unique for each ExternalDNS instance that manages the same zone.
   240  
   241  ```bash
   242  $ helm install my-release \
   243    --set provider=aws \
   244    --set aws.zoneType=public \
   245    --set txtOwnerId=HOSTED_ZONE_IDENTIFIER \
   246    --set domainFilters[0]=HOSTED_ZONE_NAME \
   247    stable/external-dns
   248  ```
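
As an added example for the AWS steps above (not part of the chart or of ExternalDNS), the POSIX shell snippet below covers two checks a practitioner wants before running the `helm install` command: a Route53 IAM policy scoped to one hosted zone instead of the `hostedzone/*` wildcard used in the upstream example policy, and a parser for the TXT ownership records ExternalDNS writes, so that the `txtOwnerId` you pass matches the owner already recorded in an existing zone. The zone ID `Z0123456789EXAMPLE` and the sample TXT record are constructed values.

```shell
#!/bin/sh
# Added example for the AWS walkthrough; not part of the chart or of ExternalDNS.
set -eu

# Emit an IAM policy that lets ExternalDNS read and change records only in the
# given hosted zone. ListHostedZones has no resource-level scoping and keeps "*".
route53_policy() {
  zone_id="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
      "Resource": ["arn:aws:route53:::hostedzone/${zone_id}"]
    },
    {
      "Effect": "Allow",
      "Action": ["route53:ListHostedZones"],
      "Resource": ["*"]
    }
  ]
}
EOF
}

# ExternalDNS records its ownership of every DNS record in a companion TXT
# record of the form
#   "heritage=external-dns,external-dns/owner=<txtOwnerId>,external-dns/resource=<kind/ns/name>"
# and only updates or deletes records whose owner equals its own txtOwnerId.
# Print the owner of such a record, or nothing if it is not an ownership record.
txt_owner() {
  printf '%s\n' "$1" | tr -d '"' | tr ',' '\n' | sed -n 's#^external-dns/owner=##p'
}

# Return 0 when the TXT record is an ExternalDNS ownership record whose owner
# matches the txtOwnerId you intend to pass to helm.
owned_by() {
  record="$1"
  expected="$2"
  printf '%s\n' "$record" | grep -q 'heritage=external-dns' || return 1
  [ "$(txt_owner "$record")" = "$expected" ]
}

# Constructed sample, as `dig +short TXT web.example.org` would return for a
# record created by an instance installed with txtOwnerId=Z0123456789EXAMPLE.
SAMPLE_TXT='"heritage=external-dns,external-dns/owner=Z0123456789EXAMPLE,external-dns/resource=service/default/web"'

# Usage:
#   route53_policy Z0123456789EXAMPLE > external-dns-policy.json
#   owned_by "$SAMPLE_TXT" Z0123456789EXAMPLE && echo "record belongs to this txtOwnerId"
```

If `owned_by` fails for records you expect to manage, a second ExternalDNS instance with a different `txtOwnerId` owns them; installing this release with a new owner ID will not take them over and the two instances will ignore each other's records.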
   249  
   250  ## Upgrading
   251  
   252  ### To 2.0.0
   253  
   254  Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments.
   255  Use the workaround below to upgrade from versions previous to 2.0.0. The following example assumes that the release name is `my-release`. Deleting the Deployment stops ExternalDNS until the upgrade finishes; the DNS records it manages are left in place in the meantime:
   256  
   257  ```console
   258  $ kubectl delete deployment my-release-external-dns
   259  $ helm upgrade my-release stable/external-dns
   260  ```
   261  
   262  Other major changes included in this major version are:
   263  
   264  - Default image changes from `registry.opensource.zalan.do/teapot/external-dns` to `bitnami/external-dns`.
   265  - The parameters below are renamed:
   266    - `aws.secretKey` -> `aws.credentials.secretKey`
   267    - `aws.accessKey` -> `aws.credentials.accessKey`
   268    - `aws.credentialsPath` -> `aws.credentials.mountPath`
   269    - `designate.customCA.directory` -> `designate.customCA.mountPath`
   270  - Support for Prometheus metrics is added.