sigs.k8s.io/external-dns@v0.14.1/docs/tutorials/oracle.md (about) 1 # Setting up ExternalDNS for Oracle Cloud Infrastructure (OCI) 2 3 This tutorial describes how to setup ExternalDNS for usage within a Kubernetes cluster using OCI DNS. 4 5 Make sure to use the latest version of ExternalDNS for this tutorial. 6 7 ## Creating an OCI DNS Zone 8 9 Create a DNS zone which will contain the managed DNS records. Let's use 10 `example.com` as a reference here. Make note of the OCID of the compartment 11 in which you created the zone; you'll need to provide that later. 12 13 For more information about OCI DNS see the documentation [here][1]. 14 15 ## Using Private OCI DNS Zones 16 17 By default, the ExternalDNS OCI provider is configured to use Global OCI 18 DNS Zones. If you want to use Private OCI DNS Zones, add the following 19 argument to the ExternalDNS controller: 20 21 ``` 22 --oci-zone-scope=PRIVATE 23 ``` 24 25 To use both Global and Private OCI DNS Zones, set the OCI Zone Scope to be 26 empty: 27 28 ``` 29 --oci-zone-scope= 30 ``` 31 32 ## Deploy ExternalDNS 33 34 Connect your `kubectl` client to the cluster you want to test ExternalDNS with. 35 The OCI provider supports two authentication options: key-based and instance 36 principals. 37 38 ### Key-based 39 40 We first need to create a config file containing the information needed to connect with the OCI API. 41 42 Create a new file (oci.yaml) and modify the contents to match the example 43 below. Be sure to adjust the values to match your own credentials, and the OCID 44 of the compartment containing the zone: 45 46 ```yaml 47 auth: 48 region: us-phoenix-1 49 tenancy: ocid1.tenancy.oc1... 50 user: ocid1.user.oc1... 51 key: | 52 -----BEGIN RSA PRIVATE KEY----- 53 -----END RSA PRIVATE KEY----- 54 fingerprint: af:81:71:8e... 55 # Omit if there is not a password for the key 56 passphrase: Tx1jRk... 57 compartment: ocid1.compartment.oc1... 58 ``` 59 60 Create a secret using the config file above: 61 62 ```shell 63 $ kubectl create secret generic external-dns-config --from-file=oci.yaml 64 ``` 65 66 ### OCI IAM Instance Principal 67 68 If you're running ExternalDNS within OCI, you can use OCI IAM instance 69 principals to authenticate with OCI. This obviates the need to create the 70 secret with your credentials. You'll need to ensure an OCI IAM policy exists 71 with a statement granting the `manage dns` permission on zones and records in 72 the target compartment to the dynamic group covering your instance running 73 ExternalDNS. 74 E.g.: 75 76 ``` 77 Allow dynamic-group <dynamic-group-name> to manage dns in compartment id <target-compartment-OCID> 78 ``` 79 80 You'll also need to add the `--oci-auth-instance-principal` flag to enable 81 this type of authentication. Finally, you'll need to add the 82 `--oci-compartment-ocid=ocid1.compartment.oc1...` flag to provide the OCID of 83 the compartment containing the zone to be managed. 84 85 For more information about OCI IAM instance principals, see the documentation [here][2]. 86 For more information about OCI IAM policy details for the DNS service, see the documentation [here][3]. 87 88 ### OCI IAM Workload Identity 89 90 If you're running ExternalDNS within an OCI Container Engine for Kubernetes (OKE) cluster, 91 you can use OCI IAM Workload Identity to authenticate with OCI. You'll need to ensure an 92 OCI IAM policy exists with a statement granting the `manage dns` permission on zones and 93 records in the target compartment covering your OKE cluster running ExternalDNS. 94 E.g.: 95 96 ``` 97 Allow any-user to manage dns in compartment <compartment-name> where all {request.principal.type='workload',request.principal.cluster_id='<cluster-ocid>',request.principal.service_account='external-dns'} 98 ``` 99 100 You'll also need to create a new file (oci.yaml) and modify the contents to match the example 101 below. Be sure to adjust the values to match your region and the OCID 102 of the compartment containing the zone: 103 104 ```yaml 105 auth: 106 region: us-phoenix-1 107 useWorkloadIdentity: true 108 compartment: ocid1.compartment.oc1... 109 ``` 110 111 Create a secret using the config file above: 112 113 ```shell 114 $ kubectl create secret generic external-dns-config --from-file=oci.yaml 115 ``` 116 117 ## Manifest (for clusters with RBAC enabled) 118 119 Apply the following manifest to deploy ExternalDNS. 120 121 ```yaml 122 apiVersion: v1 123 kind: ServiceAccount 124 metadata: 125 name: external-dns 126 --- 127 apiVersion: rbac.authorization.k8s.io/v1 128 kind: ClusterRole 129 metadata: 130 name: external-dns 131 rules: 132 - apiGroups: [""] 133 resources: ["services","endpoints","pods"] 134 verbs: ["get","watch","list"] 135 - apiGroups: ["extensions","networking.k8s.io"] 136 resources: ["ingresses"] 137 verbs: ["get","watch","list"] 138 - apiGroups: [""] 139 resources: ["nodes"] 140 verbs: ["list"] 141 --- 142 apiVersion: rbac.authorization.k8s.io/v1 143 kind: ClusterRoleBinding 144 metadata: 145 name: external-dns-viewer 146 roleRef: 147 apiGroup: rbac.authorization.k8s.io 148 kind: ClusterRole 149 name: external-dns 150 subjects: 151 - kind: ServiceAccount 152 name: external-dns 153 namespace: default 154 --- 155 apiVersion: apps/v1 156 kind: Deployment 157 metadata: 158 name: external-dns 159 spec: 160 strategy: 161 type: Recreate 162 selector: 163 matchLabels: 164 app: external-dns 165 template: 166 metadata: 167 labels: 168 app: external-dns 169 spec: 170 serviceAccountName: external-dns 171 containers: 172 - name: external-dns 173 image: registry.k8s.io/external-dns/external-dns:v0.14.0 174 args: 175 - --source=service 176 - --source=ingress 177 - --provider=oci 178 - --policy=upsert-only # prevent ExternalDNS from deleting any records, omit to enable full synchronization 179 - --txt-owner-id=my-identifier 180 # Specifies the OCI DNS Zone scope, defaults to GLOBAL. 181 # May be GLOBAL, PRIVATE, or an empty value to specify both GLOBAL and PRIVATE OCI DNS Zones 182 # - --oci-zone-scope=GLOBAL 183 # Specifies the zone cache duration, defaults to 0s. If set to 0s, the zone cache is disabled. 184 # Use of zone caching is recommended to reduce the amount of requests sent to OCI DNS. 185 # - --oci-zones-cache-duration=0s 186 volumeMounts: 187 - name: config 188 mountPath: /etc/kubernetes/ 189 volumes: 190 - name: config 191 secret: 192 secretName: external-dns-config 193 ``` 194 195 ## Verify ExternalDNS works (Service example) 196 197 Create the following sample application to test that ExternalDNS works. 198 199 > For services ExternalDNS will look for the annotation `external-dns.alpha.kubernetes.io/hostname` on the service and use the corresponding value. 200 201 ```yaml 202 apiVersion: v1 203 kind: Service 204 metadata: 205 name: nginx 206 annotations: 207 external-dns.alpha.kubernetes.io/hostname: example.com 208 spec: 209 type: LoadBalancer 210 ports: 211 - port: 80 212 name: http 213 targetPort: 80 214 selector: 215 app: nginx 216 --- 217 apiVersion: apps/v1 218 kind: Deployment 219 metadata: 220 name: nginx 221 spec: 222 selector: 223 matchLabels: 224 app: nginx 225 template: 226 metadata: 227 labels: 228 app: nginx 229 spec: 230 containers: 231 - image: nginx 232 name: nginx 233 ports: 234 - containerPort: 80 235 name: http 236 ``` 237 238 Apply the manifest above and wait roughly two minutes and check that a corresponding DNS record for your service was created. 239 240 ``` 241 $ kubectl apply -f nginx.yaml 242 ``` 243 244 [1]: https://docs.cloud.oracle.com/iaas/Content/DNS/Concepts/dnszonemanagement.htm 245 [2]: https://docs.cloud.oracle.com/iaas/Content/Identity/Reference/dnspolicyreference.htm 246 [3]: https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm 247