Deploy ExternalDNS
In this section you will configure and deploy ExternalDNS using Workload Identity to provide it with permissions to manage DNS records on Google Cloud DNS.
Note
If you are not going to use Cloud DNS to assign an FQDN to your Load Balancer, you can use Cloud Endpoints or edit /etc/hosts manually. You will find instructions for the aforementioned alternatives in the guide that follows. You may proceed to the What's Next section.
Overview
What You'll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing GKE cluster.
- An existing Cloud DNS managed zone.
Procedure
Go to your GitOps repository, inside your rok-tools management environment:
root@rok-tools:~# cd ~/ops/deployments
Specify the name for the service account for ExternalDNS:
root@rok-tools:~/ops/deployments# export EDNS_SERVICE_ACCOUNT_NAME=<EDNS_SERVICE_ACCOUNT_NAME>
Replace <EDNS_SERVICE_ACCOUNT_NAME> with your desired service account name. For example:
root@rok-tools:~/ops/deployments# export EDNS_SERVICE_ACCOUNT_NAME=external-dns
Note
This must be between 6 and 30 characters, and can contain lowercase alphanumeric characters and dashes.
Create the service account for ExternalDNS:
root@rok-tools:~/ops/deployments# gcloud iam service-accounts create ${EDNS_SERVICE_ACCOUNT_NAME?} \
>     --display-name=${EDNS_SERVICE_ACCOUNT_NAME?}
Specify the service account email:
root@rok-tools:~/ops/deployments# export EDNS_SERVICE_ACCOUNT=${EDNS_SERVICE_ACCOUNT_NAME?}@${PROJECT_ID?}.iam.gserviceaccount.com
Bind the service account to the DNS admin role:
root@rok-tools:~/ops/deployments# gcloud projects add-iam-policy-binding ${PROJECT_ID?} \
>     --member="serviceAccount:${EDNS_SERVICE_ACCOUNT?}" \
>     --role=roles/dns.admin \
>     --condition=None
Link the Google Cloud service account to the Kubernetes service account that ExternalDNS will run under, that is, the external-dns service account in the default namespace:
root@rok-tools:~/ops/deployments# gcloud iam service-accounts add-iam-policy-binding ${EDNS_SERVICE_ACCOUNT?} \
>     --member="serviceAccount:${PROJECT_ID?}.svc.id.goog[default/external-dns]" \
>     --role=roles/iam.workloadIdentityUser
Edit rok/external-dns/overlays/deploy/kustomization.yaml and use gke as base:
bases:
  #- ../eks
  - ../gke
Edit rok/external-dns/overlays/deploy/kustomization.yaml and enable only the sa-gcp and deploy-gcp patches:
patches:
  #- path: patches/sa.yaml
  - path: patches/sa-gcp.yaml
  #- target:
  #    kind: Deployment
  #    name: external-dns
  #  path: patches/deploy.yaml
  - target:
      kind: Deployment
      name: external-dns
    path: patches/deploy-gcp.yaml
Retrieve your domain. Copy the output to your clipboard, as you are going to use this value in the next step:
root@rok-tools:~/ops/deployments# echo ${DOMAIN?}
apps.example.com
Edit rok/external-dns/overlays/deploy/patches/deploy-gcp.yaml and set --domain-filter to your domain:
...
        - --domain-filter=apps.example.com  # <-- Update this line with your DOMAIN
Retrieve the ID of your Google project. Copy the output to your clipboard, as you are going to use this value in the next step:
root@rok-tools:~/ops/deployments# echo ${PROJECT_ID?}
myproject
Edit rok/external-dns/overlays/deploy/patches/deploy-gcp.yaml and set --google-project to your project ID:
...
        - --google-project=myproject  # <-- Update this line with your PROJECT_ID
Retrieve the email of your Google Cloud service account for ExternalDNS. Copy the output to your clipboard, as you are going to use this value in the next step:
root@rok-tools:~/ops/deployments# echo ${EDNS_SERVICE_ACCOUNT?}
external-dns@myproject.iam.gserviceaccount.com
Edit rok/external-dns/overlays/deploy/patches/sa-gcp.yaml and set the Workload Identity related annotation to the email of your Google Cloud service account for ExternalDNS:
    iam.gke.io/gcp-service-account: external-dns@myproject.iam.gserviceaccount.com  # <-- Update this line with your EDNS_SERVICE_ACCOUNT
Commit your changes:
root@rok-tools:~/ops/deployments# git commit -am "Deploy ExternalDNS on GKE"
Deploy ExternalDNS:
root@rok-tools:~/ops/deployments# rok-deploy --apply rok/external-dns/overlays/deploy
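The three manual edits above (domain filter, project ID, Workload Identity annotation) are easy to leave at the example values, and a mismatch only surfaces once ExternalDNS fails to list zones or the GKE metadata server refuses to hand out a token. The script below is an added illustration, not part of the Arrikto guide or the rok-tools tooling: it checks the two patch files against the values of PROJECT_ID, DOMAIN and EDNS_SERVICE_ACCOUNT before you commit, and re-implements the service account naming rule from the note and the Workload Identity member string from the binding step. The patch contents and project names in it are constructed samples; the only assumption about the real files is that they carry the `- --flag=value` args and the `iam.gke.io/gcp-service-account` annotation shown in this guide.

```python
"""Pre-commit consistency check for the ExternalDNS GKE overlay.

Added illustration, not code from the Arrikto guide. It validates the
service account name (the guide's stated rule), builds the Workload
Identity member string, and compares the deploy-gcp.yaml / sa-gcp.yaml
patches against the environment values the guide tells you to paste in.
"""
import re

# Rule quoted in the guide's note: 6-30 chars, lowercase alphanumerics and dashes.
SA_NAME_RE = re.compile(r"[a-z0-9-]{6,30}")


def validate_sa_name(name: str) -> bool:
    """True if the name satisfies the length/character rule from the note."""
    return SA_NAME_RE.fullmatch(name) is not None


def workload_identity_member(project_id: str, namespace: str, ksa: str) -> str:
    """Member granted roles/iam.workloadIdentityUser on the GSA (binding step)."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa}]"


def _strip_comment(line: str) -> str:
    """Drop the '# <-- Update this line ...' hints the patches carry."""
    return line.split("#", 1)[0].rstrip()


def parse_container_args(patch_text: str) -> dict:
    """Collect `- --flag=value` entries from a deployment patch into a dict."""
    args = {}
    for raw in patch_text.splitlines():
        line = _strip_comment(raw).strip()
        m = re.fullmatch(r"-\s+--([a-z0-9-]+)=(.*)", line)
        if m:
            args[m.group(1)] = m.group(2).strip()
    return args


def parse_gsa_annotation(patch_text: str):
    """Return the iam.gke.io/gcp-service-account annotation value, or None."""
    for raw in patch_text.splitlines():
        line = _strip_comment(raw).strip()
        m = re.fullmatch(r"iam\.gke\.io/gcp-service-account:\s*(\S+)", line)
        if m:
            return m.group(1)
    return None


def check_external_dns_overlay(project_id, domain, gsa_email, deploy_patch, sa_patch):
    """Return a list of problems; an empty list means the overlay matches the env."""
    problems = []
    args = parse_container_args(deploy_patch)
    if args.get("domain-filter") != domain:
        problems.append(f"--domain-filter is {args.get('domain-filter')!r}, expected {domain!r}")
    if args.get("google-project") != project_id:
        problems.append(f"--google-project is {args.get('google-project')!r}, expected {project_id!r}")
    annotation = parse_gsa_annotation(sa_patch)
    if annotation != gsa_email:
        problems.append(f"gcp-service-account annotation is {annotation!r}, expected {gsa_email!r}")
    suffix = f"@{project_id}.iam.gserviceaccount.com"
    if not gsa_email.endswith(suffix):
        problems.append(f"{gsa_email!r} is not a service account of project {project_id!r}")
    return problems


# Constructed sample of deploy-gcp.yaml, left at the guide's example values.
DEPLOY_PATCH = """\
      containers:
        - name: external-dns
          args:
            - --provider=google
            - --domain-filter=apps.example.com  # <-- Update this line with your DOMAIN
            - --google-project=myproject  # <-- Update this line with your PROJECT_ID
"""

# Constructed sample of sa-gcp.yaml, left at the guide's example values.
SA_PATCH = """\
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
  namespace: default
  annotations:
    iam.gke.io/gcp-service-account: external-dns@myproject.iam.gserviceaccount.com  # <-- Update this line
"""

if __name__ == "__main__":
    # In a real checkout, read these from os.environ and the two patch files.
    env = ("myproject", "apps.example.com", "external-dns@myproject.iam.gserviceaccount.com")
    for problem in check_external_dns_overlay(*env, DEPLOY_PATCH, SA_PATCH):
        print("MISMATCH:", problem)
    print("WI member:", workload_identity_member(env[0], "default", "external-dns"))
```

Running it against a checkout whose PROJECT_ID differs from the pasted value reports both the stale `--google-project` flag and the stale annotation, which is exactly the pair that makes the pod start but leaves it without a usable Google Cloud identity.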
Verify
Verify that the ExternalDNS deployment is up and running. Verify that the READY field is 1/1:
root@rok-tools:~/ops/deployments# kubectl get deploy/external-dns
NAME           READY   UP-TO-DATE   AVAILABLE   AGE
external-dns   1/1     1            1           1m
Summary
You have successfully deployed ExternalDNS and allowed it to access your Cloud DNS managed zone.
What's Next
The next step is to assign a proper FQDN to your Load Balancer IP address.