Use external DNS from within EMK

Estimated time to read: 4 minutes

How to link DNS to the service managed from within Kubernetes based on resources.

In this tutorial you will learn how to set up external DNS management from within your Kubernetes cluster with resources.

Prerequisites:

In this tutorial we use the following tools:

• kubectl (https://kubernetes.io/docs/tasks/tools/)
• helm (https://helm.sh/docs/intro/install)
• bitnami repository (https://bitnami.com/stacks/helm)
• A DNS zone in Fuga Cloud

It's required to have those installed before beginning.

The tutorial will be split into three parts:

1. Installing the DNS controller
2. Configuring the DNS controller
3. Using the DNS controller

Info

Within EMK you can select a DNS domain, that can be specified to be attached to your cluster, for things like the API or Grafana dashboard.

This tutorial will go into how to attach DNS records to services that run inside the k8s cluster. It is wise not to use the subdomain you use here else, not even for the cluster itself.

Installing the DNS controller

To have EMK create DNS entries in the Fuga DNS service we use the DNS manager in k8s.

git clone https://github.com/gardener/external-dns-management.git
cd external dns management

Make sure you have a kubeconfig that works. Adjust charts/external-dns-management/values.yaml as you see fit.

By default, this pod wants the vpa crd installed, for the simplicity of this tutorial we do not use it and disable it as you can see below in the helm install command.

Pay attention to the identifier we supply with the helm install command, this is a name that you potentially reuse, and it must be unique inside your cluster. You can for example use "uuidgen" to make an uuid or use a somewhat simpler name like "dns_controller" that is also allowed.

helm install dns-controller charts/external-dns-management \
--namespace=default \
--set configuration.identifier=<configuration.identifier> \
--set vpa.enabled=false

Configuring the DNS controller

To give the DNS controller access to your DNS zones and create records, you have to give it access to your OpenStack project where the DNS zone is assigned. For this we can make use of OpenStack application credentials. You can find those in the Fuga Dashboard: https://my.fuga.cloud/account/application-credentials.

To let the DNS controller use those credentials we have to supply it a k8s secret with the access to the OpenStack DNS service. As you have retrieved the application credentials from Fuga Cloud, those are still in normal form. To be used in k8s we have to encode them to base64. This can be done with:

echo -n "value" | base64 -w 0

Enter this in the file below with which we add a secret and a DNS provider. Also adjust everything where you see <..>, then execute.

To check you can decode for example the OS_AUTH_ORL with:

echo "aHR0cHM6Ly9jb3JlLmZ1Z2EuY2xvdWQ6NTAwMA==" |base64 -d

The outcome of this should be exactly (without line feeds)

https://core.fuga.cloud:5000

Now we know how to encode the application credentials we can submit the k8s secret so the DNS controller can actually submit / update / delete DNS records to the OpenStack DNS service. Execute the following below, with your "<configuration.identifier>" that you have set for the DNS controller:

cat << EOF | kubectl apply -f -
apiVersion: v1
data:
  OS_AUTH_URL: aHR0cHM6Ly9jb3JlLmZ1Z2EuY2xvdWQ6NTAwMA==
  applicationCredentialID: <base64 data>
  applicationCredentialSecret: <base64 data>
  domainName: <base64 data>
kind: Secret
metadata:
  name: emk-dns-<configuration.identifier>
  namespace: default
type: Opaque


apiVersion: dns.gardener.cloud/v1alpha1
kind: DNSProvider
metadata:
  name: openstack-designate
  namespace: default
spec:
  type: openstack-designate
  secretRef:
    name: emk-dns-<configuration.identifier>
  domains:
    include:
    - <domain name>
EOF

Now the DNS controller is configured, how can we use this further?

Using the DNS controller

The service is now running and can insert DNS entries into the OpenStack DNS setup. For the test here we quickly set up a WordPress using Bitnami charts. A deeper explanation about this can be found "here".

helm install wordpress bitnami/wordpress

So WordPress is up and running, and we want to have it reachable through our domain with a subdomain of something like: wordpress.<my domain>. To do this we can create the following service:

(Don't forget to change your domain. Your main domain should be here as it is known in OpenStack. A subdomain only works if you have created it as a zone.)

cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  annotations:
    dns.gardener.cloud/dnsnames: wordpress.<domain name>
    dns.gardener.cloud/ttl: "500"
  name: wordpress
  namespace: default
EOF

You can view the DNS entries with:

kubectl get dnsentry

If everything is ok, you can now see your WordPress page at http://wordpress.<my domain>. It may take a while before your DNS update is actually visible.