sigs.k8s.io/external-dns@v0.14.1/docs/tutorials/infoblox.md (about) 1 # Setting up ExternalDNS for Infoblox 2 3 This tutorial describes how to setup ExternalDNS for usage with Infoblox. 4 5 Make sure to use **>=0.4.6** version of ExternalDNS for this tutorial. The only WAPI version that 6 has been validated is **v2.3.1**. It is assumed that the API user has rights to create objects of 7 the following types: `zone_auth`, `record:a`, `record:cname`, `record:txt`. 8 9 This tutorial assumes you have substituted the correct values for the following environment variables: 10 11 ``` 12 export GRID_HOST=127.0.0.1 13 export WAPI_PORT=443 14 export WAPI_VERSION=2.3.1 15 export WAPI_USERNAME=admin 16 export WAPI_PASSWORD=infoblox 17 ``` 18 19 ## Creating an Infoblox DNS zone 20 21 The Infoblox provider for ExternalDNS will find suitable zones for domains it manages; it will 22 not automatically create zones. 23 24 Create an Infoblox DNS zone for "example.com": 25 26 ``` 27 $ curl -kl \ 28 -X POST \ 29 -d fqdn=example.com \ 30 -u ${WAPI_USERNAME}:${WAPI_PASSWORD} \ 31 https://${GRID_HOST}:${WAPI_PORT}/wapi/v${WAPI_VERSION}/zone_auth 32 ``` 33 34 Substitute a domain you own for "example.com" if desired. 35 36 ## Creating an Infoblox Configuration Secret 37 38 For ExternalDNS to access the Infoblox API, create a Kubernetes secret. 39 40 To create the secret: 41 42 ``` 43 $ kubectl create secret generic external-dns \ 44 --from-literal=EXTERNAL_DNS_INFOBLOX_WAPI_USERNAME=${WAPI_USERNAME} \ 45 --from-literal=EXTERNAL_DNS_INFOBLOX_WAPI_PASSWORD=${WAPI_PASSWORD} 46 ``` 47 48 ## Deploy ExternalDNS 49 50 Connect your `kubectl` client to the cluster you want to test ExternalDNS with. 51 Then apply one of the following manifests file to deploy ExternalDNS. 52 53 ### Manifest (for clusters without RBAC enabled) 54 ```yaml 55 apiVersion: apps/v1 56 kind: Deployment 57 metadata: 58 name: external-dns 59 spec: 60 strategy: 61 type: Recreate 62 selector: 63 matchLabels: 64 app: external-dns 65 template: 66 metadata: 67 labels: 68 app: external-dns 69 spec: 70 containers: 71 - name: external-dns 72 image: registry.k8s.io/external-dns/external-dns:v0.14.0 73 args: 74 - --source=service 75 - --domain-filter=example.com # (optional) limit to only example.com domains. 76 - --provider=infoblox 77 - --infoblox-grid-host=${GRID_HOST} # (required) IP of the Infoblox Grid host. 78 - --infoblox-wapi-port=443 # (optional) Infoblox WAPI port. The default is "443". 79 - --infoblox-wapi-version=2.3.1 # (optional) Infoblox WAPI version. The default is "2.3.1" 80 - --infoblox-ssl-verify # (optional) Use --no-infoblox-ssl-verify to skip server certificate verification. 81 - --infoblox-create-ptr # (optional) Use --infoblox-create-ptr to create a ptr entry in addition to an entry. 82 - --infoblox-view="" # (optional) DNS view (default: "") 83 env: 84 - name: EXTERNAL_DNS_INFOBLOX_HTTP_POOL_CONNECTIONS 85 value: "10" # (optional) Infoblox WAPI request connection pool size. The default is "10". 86 - name: EXTERNAL_DNS_INFOBLOX_HTTP_REQUEST_TIMEOUT 87 value: "60" # (optional) Infoblox WAPI request timeout in seconds. The default is "60". 88 - name: EXTERNAL_DNS_INFOBLOX_WAPI_USERNAME 89 valueFrom: 90 secretKeyRef: 91 name: external-dns 92 key: EXTERNAL_DNS_INFOBLOX_WAPI_USERNAME 93 - name: EXTERNAL_DNS_INFOBLOX_WAPI_PASSWORD 94 valueFrom: 95 secretKeyRef: 96 name: external-dns 97 key: EXTERNAL_DNS_INFOBLOX_WAPI_PASSWORD 98 ``` 99 100 ### Manifest (for clusters with RBAC enabled) 101 102 ```yaml 103 apiVersion: v1 104 kind: ServiceAccount 105 metadata: 106 name: external-dns 107 --- 108 apiVersion: rbac.authorization.k8s.io/v1 109 kind: ClusterRole 110 metadata: 111 name: external-dns 112 rules: 113 - apiGroups: [""] 114 resources: ["services","endpoints","pods"] 115 verbs: ["get","watch","list"] 116 - apiGroups: ["extensions","networking.k8s.io"] 117 resources: ["ingresses"] 118 verbs: ["get","watch","list"] 119 - apiGroups: [""] 120 resources: ["nodes"] 121 verbs: ["list"] 122 --- 123 apiVersion: rbac.authorization.k8s.io/v1 124 kind: ClusterRoleBinding 125 metadata: 126 name: external-dns-viewer 127 roleRef: 128 apiGroup: rbac.authorization.k8s.io 129 kind: ClusterRole 130 name: external-dns 131 subjects: 132 - kind: ServiceAccount 133 name: external-dns 134 namespace: default 135 --- 136 apiVersion: apps/v1 137 kind: Deployment 138 metadata: 139 name: external-dns 140 spec: 141 strategy: 142 type: Recreate 143 selector: 144 matchLabels: 145 app: external-dns 146 template: 147 metadata: 148 labels: 149 app: external-dns 150 spec: 151 serviceAccountName: external-dns 152 containers: 153 - name: external-dns 154 image: registry.k8s.io/external-dns/external-dns:v0.14.0 155 args: 156 - --source=service 157 - --domain-filter=example.com # (optional) limit to only example.com domains. 158 - --provider=infoblox 159 - --infoblox-grid-host=${GRID_HOST} # (required) IP of the Infoblox Grid host. 160 - --infoblox-wapi-port=443 # (optional) Infoblox WAPI port. The default is "443". 161 - --infoblox-wapi-version=2.3.1 # (optional) Infoblox WAPI version. The default is "2.3.1" 162 - --infoblox-ssl-verify # (optional) Use --no-infoblox-ssl-verify to skip server certificate verification. 163 - --infoblox-create-ptr # (optional) Use --infoblox-create-ptr to create a ptr entry in addition to an entry. 164 - --infoblox-view="" # (optional) DNS view (default: "") 165 env: 166 - name: EXTERNAL_DNS_INFOBLOX_HTTP_POOL_CONNECTIONS 167 value: "10" # (optional) Infoblox WAPI request connection pool size. The default is "10". 168 - name: EXTERNAL_DNS_INFOBLOX_HTTP_REQUEST_TIMEOUT 169 value: "60" # (optional) Infoblox WAPI request timeout in seconds. The default is "60". 170 - name: EXTERNAL_DNS_INFOBLOX_WAPI_USERNAME 171 valueFrom: 172 secretKeyRef: 173 name: external-dns 174 key: EXTERNAL_DNS_INFOBLOX_WAPI_USERNAME 175 - name: EXTERNAL_DNS_INFOBLOX_WAPI_PASSWORD 176 valueFrom: 177 secretKeyRef: 178 name: external-dns 179 key: EXTERNAL_DNS_INFOBLOX_WAPI_PASSWORD 180 ``` 181 182 183 ## Deploying an Nginx Service 184 185 Create a service file called 'nginx.yaml' with the following contents: 186 187 ```yaml 188 apiVersion: apps/v1 189 kind: Deployment 190 metadata: 191 name: nginx 192 spec: 193 selector: 194 matchLabels: 195 app: nginx 196 template: 197 metadata: 198 labels: 199 app: nginx 200 spec: 201 containers: 202 - image: nginx 203 name: nginx 204 ports: 205 - containerPort: 80 206 --- 207 apiVersion: v1 208 kind: Service 209 metadata: 210 name: nginx 211 annotations: 212 external-dns.alpha.kubernetes.io/hostname: example.com 213 spec: 214 selector: 215 app: nginx 216 type: LoadBalancer 217 ports: 218 - protocol: TCP 219 port: 80 220 targetPort: 80 221 ``` 222 223 Note the annotation on the service; use the same hostname as the Infoblox DNS zone created above. The annotation may also be a subdomain 224 of the DNS zone (e.g. 'www.example.com'). 225 226 ExternalDNS uses this annotation to determine what services should be registered with DNS. Removing the annotation 227 will cause ExternalDNS to remove the corresponding DNS records. 228 229 Create the deployment and service: 230 231 ``` 232 $ kubectl create -f nginx.yaml 233 ``` 234 235 It takes a little while for the Infoblox cloud provider to create an external IP for the service. Check the status by running 236 `kubectl get services nginx`. If the `EXTERNAL-IP` field shows an address, the service is ready to be accessed externally. 237 238 Once the service has an external IP assigned, ExternalDNS will notice the new service IP address and synchronize 239 the Infoblox DNS records. 240 241 ## Verifying Infoblox DNS records 242 243 Run the following command to view the A records for your Infoblox DNS zone: 244 245 ``` 246 $ curl -kl \ 247 -X GET \ 248 -u ${WAPI_USERNAME}:${WAPI_PASSWORD} \ 249 https://${GRID_HOST}:${WAPI_PORT}/wapi/v${WAPI_VERSION}/record:a?zone=example.com 250 ``` 251 252 Substitute the zone for the one created above if a different domain was used. 253 254 This should show the external IP address of the service as the A record for your domain ('@' indicates the record is for the zone itself). 255 256 ## Clean up 257 258 Now that we have verified that ExternalDNS will automatically manage Infoblox DNS records, we can delete the tutorial's 259 DNS zone: 260 261 ``` 262 $ curl -kl \ 263 -X DELETE \ 264 -u ${WAPI_USERNAME}:${WAPI_PASSWORD} \ 265 https://${GRID_HOST}:${WAPI_PORT}/wapi/v${WAPI_VERSION}/zone_auth?fqdn=example.com 266 ``` 267 268 ## Ability to filter results from the zone auth API using a regular expression 269 270 There is also the ability to filter results from the Infoblox zone_auth service based upon a regular expression. See the [Infoblox API document](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-infoblox-rest-api.pdf) for examples. To use this feature for the zone_auth service, set the parameter infoblox-fqdn-regex for external-dns to a regular expression that makes sense for you. For instance, to only return hosted zones that start with staging in the test.com domain (like staging.beta.test.com, or staging.test.com), use the following command line option when starting external-dns 271 272 ``` 273 --infoblox-fqdn-regex=^staging.*test.com$ 274 ``` 275 276 ## Ability to filter A, Host, CNAME and TXT records from the by name using a regular expression 277 278 Infoblox supports filtering records by name using a regular expression. See the [Infoblox API document](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-infoblox-rest-api.pdf) for examples. To use this feature, set the parameter infoblox-name-regex for external-dns to a regular expression that makes sense for you. For instance, if all your dns records end with `cluster1.example.com`, you can fetch records matching this style by setting the following: 279 280 ``` 281 --infoblox-name-regex=cluster1.example.com 282 ``` 283 284 ## Infoblox PTR record support 285 286 There is an option to enable PTR records support for infoblox provider. PTR records allow to do reverse dns search. To enable PTR records support, add following into arguments for external-dns: 287 `--infoblox-create-ptr` to allow management of PTR records. 288 You can also add a filter for reverse dns zone to limit PTR records to specific zones only: 289 `--domain-filter=10.196.0.0/16` change this to the reverse zone(s) as defined in your infoblox. 290 Now external-dns will manage PTR records for you.