sigs.k8s.io/external-dns@v0.14.1/docs/tutorials/pdns.md (about) 1 # Setting up ExternalDNS for PowerDNS 2 3 ## Prerequisites 4 5 The provider has been written for and tested against [PowerDNS](https://github.com/PowerDNS/pdns) v4.1.x and thus requires **PowerDNS Auth Server >= 4.1.x** 6 7 PowerDNS provider support was added via [this PR](https://github.com/kubernetes-sigs/external-dns/pull/373), thus you need to use external-dns version >= v0.5 8 9 The PDNS provider expects that your PowerDNS instance is already setup and 10 functional. It expects that zones, you wish to add records to, already exist 11 and are configured correctly. It does not add, remove or configure new zones in 12 anyway. 13 14 ## Feature Support 15 16 The PDNS provider currently does not support: 17 18 * Dry running a configuration is not supported 19 20 ## Deployment 21 22 Deploying external DNS for PowerDNS is actually nearly identical to deploying 23 it for other providers. This is what a sample `deployment.yaml` looks like: 24 25 ```yaml 26 apiVersion: apps/v1 27 kind: Deployment 28 metadata: 29 name: external-dns 30 spec: 31 strategy: 32 type: Recreate 33 selector: 34 matchLabels: 35 app: external-dns 36 template: 37 metadata: 38 labels: 39 app: external-dns 40 spec: 41 # Only use if you're also using RBAC 42 # serviceAccountName: external-dns 43 containers: 44 - name: external-dns 45 image: registry.k8s.io/external-dns/external-dns:v0.14.0 46 args: 47 - --source=service # or ingress or both 48 - --provider=pdns 49 - --pdns-server={{ pdns-api-url }} 50 - --pdns-api-key={{ pdns-http-api-key }} 51 - --txt-owner-id={{ owner-id-for-this-external-dns }} 52 - --domain-filter=external-dns-test.my-org.com # will make ExternalDNS see only the zones matching provided domain; omit to process all available zones in PowerDNS 53 - --log-level=debug 54 - --interval=30s 55 ``` 56 57 #### Domain Filter (`--domain-filter`) 58 When the `--domain-filter` argument is specified, external-dns will only create DNS records for host names (specified in ingress objects and services with the external-dns annotation) related to zones that match the `--domain-filter` argument in the external-dns deployment manifest. 59 60 eg. ```--domain-filter=example.org``` will allow for zone `example.org` and any zones in PowerDNS that ends in `.example.org`, including `an.example.org`, ie. the subdomains of example.org. 61 62 eg. ```--domain-filter=.example.org``` will allow *only* zones that end in `.example.org`, ie. the subdomains of example.org but not the `example.org` zone itself. 63 64 The filter can also match parent zones. For example `--domain-filter=a.example.com` will allow for zone `example.com`. If you want to match parent zones, you cannot pre-pend your filter with a ".", eg. `--domain-filter=.example.com` will not attempt to match parent zones. 65 66 ### Regex Domain Filter (`--regex-domain-filter`) 67 `--regex-domain-filter` limits possible domains and target zone with a regex. It overrides domain filters and can be specified only once. 68 69 ## RBAC 70 71 If your cluster is RBAC enabled, you also need to setup the following, before you can run external-dns: 72 ```yaml 73 apiVersion: v1 74 kind: ServiceAccount 75 metadata: 76 name: external-dns 77 --- 78 apiVersion: rbac.authorization.k8s.io/v1 79 kind: ClusterRole 80 metadata: 81 name: external-dns 82 rules: 83 - apiGroups: [""] 84 resources: ["services","endpoints","pods"] 85 verbs: ["get","watch","list"] 86 - apiGroups: ["extensions","networking.k8s.io"] 87 resources: ["ingresses"] 88 verbs: ["get","watch","list"] 89 - apiGroups: [""] 90 resources: ["pods"] 91 verbs: ["get","watch","list"] 92 - apiGroups: [""] 93 resources: ["nodes"] 94 verbs: ["list"] 95 --- 96 apiVersion: rbac.authorization.k8s.io/v1 97 kind: ClusterRoleBinding 98 metadata: 99 name: external-dns-viewer 100 roleRef: 101 apiGroup: rbac.authorization.k8s.io 102 kind: ClusterRole 103 name: external-dns 104 subjects: 105 - kind: ServiceAccount 106 name: external-dns 107 namespace: default 108 ``` 109 110 ## Testing and Verification 111 112 **Important!**: Remember to change `example.com` with your own domain throughout the following text. 113 114 Spin up a simple "Hello World" HTTP server with the following spec (`kubectl apply -f`): 115 116 ```yaml 117 apiVersion: apps/v1 118 kind: Deployment 119 metadata: 120 name: echo 121 spec: 122 selector: 123 matchLabels: 124 app: echo 125 template: 126 metadata: 127 labels: 128 app: echo 129 spec: 130 containers: 131 - image: hashicorp/http-echo 132 name: echo 133 ports: 134 - containerPort: 5678 135 args: 136 - -text="Hello World" 137 --- 138 apiVersion: v1 139 kind: Service 140 metadata: 141 name: echo 142 annotations: 143 external-dns.alpha.kubernetes.io/hostname: echo.example.com 144 spec: 145 selector: 146 app: echo 147 type: LoadBalancer 148 ports: 149 - protocol: TCP 150 port: 80 151 targetPort: 5678 152 ``` 153 **Important!**: Don't run dig, nslookup or similar immediately (until you've 154 confirmed the record exists). You'll get hit by [negative DNS caching](https://tools.ietf.org/html/rfc2308), which is hard to flush. 155 156 Run the following to make sure everything is in order: 157 158 ```bash 159 $ kubectl get services echo 160 $ kubectl get endpoints echo 161 ``` 162 163 Make sure everything looks correct, i.e the service is defined and receives a 164 public IP, and that the endpoint also has a pod IP. 165 166 Once that's done, wait about 30s-1m (interval for external-dns to kick in), then do: 167 ```bash 168 $ curl -H "X-API-Key: ${PDNS_API_KEY}" ${PDNS_API_URL}/api/v1/servers/localhost/zones/example.com. | jq '.rrsets[] | select(.name | contains("echo"))' 169 ``` 170 171 Once the API shows the record correctly, you can double check your record using: 172 ```bash 173 $ dig @${PDNS_FQDN} echo.example.com. 174 ```