Deploy ExternalDNS

In this section you will configure and deploy ExternalDNS using Workload Identity to provide it with permissions to manage DNS records on Google Cloud DNS.

Note

If you have already deployed ExternalDNS and configured it to manage DNS records for your managed zone domain for serving, proceed to the Verify section.

If you are not going to use Cloud DNS to assign an FQDN to your Load Balancer, you can use Cloud Endpoints or edit /etc/hosts manually. You will find instructions for the aforemetioned alternatives in the guide that follows. Proceed to the What’s Next section.

See also

• Official docs for deploying ExternalDNS on GKE.

What You’ll Need

• A configured management environment.
• Your clone of the Arrikto GitOps repository.
• An existing GKE cluster.
• An existing Cloud DNS managed zone.

Procedure

Note

If you have exposed EKF, it means you already have an ExternalDNS deployment. In this case, you may have already run part of this procedure. However, run this procedure again, as you need to make extra configurations.

1. Go to your GitOps repository, inside your rok-tools management environment:

   

   root@rok-tools:~# cd ~/ops/deployments

2. Specify the name for the service account for ExternalDNS:

   

   root@rok-tools:~/ops/deployments# export EDNS_SERVICE_ACCOUNT_NAME=<EDNS_SERVICE_ACCOUNT_NAME>

   Replace <EDNS_SERVICE_ACCOUNT_NAME> with your desired service account name. For example:

   

   root@rok-tools:~/ops/deployments# export EDNS_SERVICE_ACCOUNT_NAME=external-dns

   Note

   This must be between 6 and 30 characters, and can contain lowercase alphanumeric characters and dashes.

3. Create the service account for ExternalDNS:

   

   root@rok-tools:~/ops/deployments# gcloud iam service-accounts create ${EDNS_SERVICE_ACCOUNT_NAME?} \ > --display-name=${EDNS_SERVICE_ACCOUNT_NAME?}

   Troubleshooting

   The command fails with ‘Service account external-dns already exists within project myproject’.

   This happens because you have already created a service account with that name, for example when deploying ExternalDNS for EKF. Ingnore this error and proceed to the next step.

4. Specify the service account email:

   

   root@rok-tools:~/ops/deployments# export EDNS_SERVICE_ACCOUNT=${EDNS_SERVICE_ACCOUNT_NAME?}@${PROJECT_ID?}.iam.gserviceaccount.com

5. Bind the service account to the DNS admin role:

   

   root@rok-tools:~/ops/deployments# gcloud projects add-iam-policy-binding ${PROJECT_ID?} \ > --member="serviceAccount:${EDNS_SERVICE_ACCOUNT?}" \ > --role=roles/dns.admin \ > --condition=None

6. Link the Google Cloud service account to the Kubernetes service account that ExternalDNS will run under, that is the external-dns service account in the default namespace:

   

   root@rok-tools:~/ops/deployments# gcloud iam service-accounts add-iam-policy-binding ${EDNS_SERVICE_ACCOUNT?} \ > --member="serviceAccount:${PROJECT_ID?}.svc.id.goog[default/external-dns]" \ > --role=roles/iam.workloadIdentityUser

7. Edit rok/external-dns/overlays/deploy/kustomization.yaml and enable only the sa-gcp and deploy-gcp patches:

   

   patches: #- path: patches/sa.yaml - path: patches/sa-gcp.yaml #- target: # kind: Deployment # name: external-dns # path: patches/deploy.yaml - target: kind: Deployment name: external-dns path: patches/deploy-gcp.yaml

8. Edit rok/external-dns/overlays/deploy/patches/deploy-gcp.yaml and set --domain-filter to your domain:

   

   ... - --domain-filter=apps.example.com # <-- Update this line with you DOMAIN

9. Edit rok/external-dns/overlays/deploy/patches/deploy-gcp.yaml and set --google-project to your project ID:

   

   ... - --google-project=myproject # <-- Update this line with your PROJECT_ID

   Note

   DOMAIN may be unset if you have not gone through Deploy ExternalDNS already. If so, leave --domain-filter empty.

10. Edit rok/external-dns/overlays/deploy/kustomization.yaml and enable the domain-filter-serving patch:

    

    patches: ... - target: kind: Deployment name: external-dns path: patches/domain-filter-serving.yaml

11. Edit rok/external-dns/overlays/deploy/patches/domain-filter-serving.yaml to set --domain-filter to your domain:

    

    value: --domain-filter=serving.example.com # <-- Update this line with your SERVING_DOMAIN

12. Edit rok/external-dns/overlays/deploy/patches/sa-gcp.yaml and set the Workload Identity related annotation to the name of your Google Cloud service account for ExternalDNS:

    

    iam.gke.io/gcp-service-account: external-dns@myproject.iam.gserviceaccount.com # <-- Update this line with your EDNS_SERVICE_ACCOUNT

13. Commit your changes:

    

    root@rok-tools:~/ops/deployments# git commit -am "Deploy ExternalDNS on GKE"

14. Deploy ExternalDNS:

    

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/external-dns/overlays/deploy

Verify

1. Verify that the ExternalDNS deployment is up-and-running. Verify field READY is 1/1:

   

   root@rok-tools:~/ops/deployments# kubectl get deploy/external-dns NAME READY UP-TO-DATE AVAILABLE AGE external-dns 1/1 1 1 1m

Summary

You have successfully deployed ExternalDNS and allowed it to access your Cloud DNS managed zone.

What’s Next

The next step is to assign a proper FQDN to your Load Balancer IP address.

• Assign FQDN to GCLB