```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
---
# rbac.authorization.k8s.io/v1beta1 (used in the original manifest) is no longer
# served by Kubernetes 1.22+; v1 has the same schema.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-dns
rules:
# Read-only on the objects ExternalDNS watches for hostnames and targets.
- apiGroups: [""]
  resources: ["services","endpoints","pods"]
  verbs: ["get","watch","list"]
- apiGroups: ["extensions","networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["get","watch","list"]
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
subjects:
- kind: ServiceAccount
  name: external-dns
  namespace: default
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: external-dns
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
      - name: external-dns
        # :latest is used in the course; pin a tag or digest in anything beyond a lab
        # so the image that writes to your DNS zone cannot change underneath you.
        image: registry.opensource.zalan.do/teapot/external-dns:latest
        args:
        - --source=service
        - --source=ingress
        #- --domain-filter=example.com # (optional) limit to only example.com domains; change to match the zone created above.
        - --provider=azure
        #- --azure-resource-group=externaldns # (optional) use the DNS zones from the specific resource group
        volumeMounts:
        # azure.json (tenant, subscription, zone resource group, managed identity client id)
        # is read from the azure-config-file Secret created in Step-05.
        - name: azure-config-file
          mountPath: /etc/kubernetes
          readOnly: true
      volumes:
      - name: azure-config-file
        secret:
          secretName: azure-config-file
```
Step-03: Create MSI - Managed Service Identity for External DNS to access Azure DNS Zones
Go to All Services -> Virtual Machine Scale Sets (VMSS) -> Open the VMSS of the aksdemo1 node pool (aks-agentpool-27193923-vmss, in the cluster's node resource group)
Go to Settings -> Identity -> User assigned -> Add -> aksdemo1-externaldns-access-to-dnszones
Attaching the identity to the node pool VMSS is what lets the ExternalDNS pod obtain a token for it from the node's instance metadata endpoint; the pod itself holds no credential, only the client id in azure.json.
Step-05: Create Kubernetes Secret and Deploy ExternalDNS
# Create Secret
cd kube-manifests/01-ExteranlDNS
kubectl create secret generic azure-config-file --from-file=azure.json
# List Secrets
kubectl get secrets
# Deploy ExternalDNS
cd kube-manifests/01-ExteranlDNS
kubectl apply -f external-dns.yml
# Verify ExternalDNS Logs
kubectl logs -f $(kubectl get po | egrep -o 'external-dns[A-Za-z0-9-]+')
# Error Type: 400
time="2020-08-24T11:25:04Z" level=error msg="azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/82808767-144c-4c66-a320-b30791668b0a/resourceGroups/dns-zones/providers/Microsoft.Network/dnsZones?api-version=2018-05-01: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {\"error\":\"invalid_request\",\"error_description\":\"Identity not found\"}"
Notes: A 400 with "Identity not found" means the node could not issue a token for the client id given in azure.json: the user-assigned identity is not attached to the node pool VMSS (Step-03) or the client id in the secret does not match it. No Azure DNS call has been made yet at this point.
# Error Type: 403
Notes: A 403 means the token was issued (the identity is attached) but the Managed Service Identity has no role assignment on the destination resource, here the DNS zone or its resource group. Grant it DNS Zone Contributor scoped to the zone rather than to the subscription; ExternalDNS only needs to write records in the zones it manages.
# When everything is in place, the log shows the identity being resolved
time="2020-08-24T11:27:59Z" level=info msg="Resolving to user assigned identity, client id is 404b0cc1-ba04-4933-bcea-7d002d184436."
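The following script is an added example, not part of the course material or of the ExternalDNS project; it automates the identity wiring from Step-03 and the 400/403 triage above. It maps ExternalDNS log lines to a remediation class, checks that the user-assigned identity is attached to the node pool VMSS, that the client id in the azure-config-file secret matches that identity, and that the identity holds DNS Zone Contributor on the zone itself, and offers the two az commands that fix a miss. The VMSS, identity, DNS zone resource group and zone names are the ones used on this page; the AKS node resource group (NODE_RG) and the identity's resource group (IDENTITY_RG) are not given on the page and are assumptions to override.

```shell
#!/bin/sh
# Added example (not from the course or the ExternalDNS project): verify the
# managed-identity wiring ExternalDNS relies on and triage its token errors.
# VMSS, identity, DNS zone RG and zone come from this page; NODE_RG and
# IDENTITY_RG are assumptions and must be set for your environment.
set -eu

NODE_RG="${NODE_RG:-MC_aksdemo1_aksdemo1_centralus}"              # assumption
IDENTITY_RG="${IDENTITY_RG:-aksdemo1}"                           # assumption
VMSS="${VMSS:-aks-agentpool-27193923-vmss}"
IDENTITY="${IDENTITY:-aksdemo1-externaldns-access-to-dnszones}"
DNS_RG="${DNS_RG:-dns-zones}"
ZONE="${ZONE:-kubeoncloud.com}"

# Map one external-dns log line to a remediation class (pure text, no az calls):
#   MISSING_IDENTITY  400 "Identity not found": the node's metadata endpoint has
#                     no identity with the client id from azure.json, i.e. the
#                     identity is not attached to the VMSS or the id is wrong.
#   MISSING_ROLE      403: a token was issued but it has no role on the zone.
#   OK                identity resolved; the token path is correct.
#   UNKNOWN           anything else (record updates, unrelated errors).
triage_log_line() {
  case "$1" in
    *"StatusCode=400"*"Identity not found"*) echo MISSING_IDENTITY ;;
    *"StatusCode=403"*)                      echo MISSING_ROLE ;;
    *"Resolving to user assigned identity"*) echo OK ;;
    *)                                       echo UNKNOWN ;;
  esac
}

# Summarise the live pod logs (needs a kubectl context for the cluster).
triage_pod_logs() {
  kubectl logs deploy/external-dns --tail=200 | while IFS= read -r line; do
    triage_log_line "$line"
  done | sort | uniq -c
}

# Check 1: is the user-assigned identity attached to the node pool VMSS?
# This is what Step-03 does in the portal; a miss produces the 400 above.
identity_attached() {
  az vmss identity show -g "$NODE_RG" -n "$VMSS" \
    --query 'userAssignedIdentities | keys(@)' -o tsv | grep -qi "/${IDENTITY}\$"
}

# Check 2: does userAssignedIdentityID in the azure-config-file secret match
# the identity's client id? A stale or copy-pasted id also produces the 400.
secret_matches_identity() {
  in_secret=$(kubectl get secret azure-config-file -o jsonpath='{.data.azure\.json}' \
    | base64 -d | jq -r .userAssignedIdentityID)
  actual=$(az identity show -g "$IDENTITY_RG" -n "$IDENTITY" --query clientId -o tsv)
  [ "$in_secret" = "$actual" ]
}

# Check 3: does the identity hold DNS Zone Contributor on the zone itself?
# Scope the role to the zone, not the subscription or resource group: the pod
# only needs to write records in zones it manages. A miss produces the 403.
role_on_zone() {
  zone_id=$(az network dns zone show -g "$DNS_RG" -n "$ZONE" --query id -o tsv)
  principal=$(az identity show -g "$IDENTITY_RG" -n "$IDENTITY" --query principalId -o tsv)
  n=$(az role assignment list --assignee "$principal" --scope "$zone_id" \
    --query "length([?roleDefinitionName=='DNS Zone Contributor'])" -o tsv)
  [ "${n:-0}" -gt 0 ]
}

# Remediation for a failed check 1: the CLI equivalent of Step-03.
attach_identity() {
  id=$(az identity show -g "$IDENTITY_RG" -n "$IDENTITY" --query id -o tsv)
  az vmss identity assign -g "$NODE_RG" -n "$VMSS" --identities "$id"
}

# Remediation for a failed check 3: least-privilege grant on the zone only.
grant_zone_contributor() {
  zone_id=$(az network dns zone show -g "$DNS_RG" -n "$ZONE" --query id -o tsv)
  principal=$(az identity show -g "$IDENTITY_RG" -n "$IDENTITY" --query principalId -o tsv)
  az role assignment create --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal \
    --role "DNS Zone Contributor" --scope "$zone_id"
}

# Usage: sh externaldns-msi-check.sh check   (needs az login and kubectl access)
if [ "${1:-}" = "check" ]; then
  identity_attached       && echo "identity attached to $VMSS"    || echo "MISSING: run attach_identity"
  secret_matches_identity && echo "secret client id matches"      || echo "MISSING: fix userAssignedIdentityID in azure.json"
  role_on_zone            && echo "DNS Zone Contributor on $ZONE" || echo "MISSING: run grant_zone_contributor"
  triage_pod_logs
fi
```

Run it with `check` after Step-05; each failing check names the function that repairs it. The role check deliberately looks at the zone's own resource id, so a Contributor assignment inherited from the subscription would still count but a fresh grant made with `grant_zone_contributor` stays confined to the single zone.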
Wait 3 to 5 minutes for the record set to be created in the DNS zone
# Verify ExternalDNS Logs
kubectl logs -f $(kubectl get po | egrep -o 'external-dns[A-Za-z0-9-]+')
External DNS pod logs. The TXT record written beside the A record is ExternalDNS's ownership marker (heritage=external-dns, external-dns/owner=<txt-owner-id>); it only modifies records whose owner matches, so give each cluster that shares a zone its own --txt-owner-id.
time="2020-08-24T11:30:54Z" level=info msg="Updating A record named 'eapp1' to '20.37.141.33' for Azure DNS zone 'kubeoncloud.com'."
time="2020-08-24T11:30:55Z" level=info msg="Updating TXT record named 'eapp1' to '\"heritage=external-dns,external-dns/owner=default,external-dns/resource=ingress/default/nginxapp1-ingress-service\"' for Azure DNS zone 'kubeoncloud.com'."
Verify Record Set in DNS Zones -> kubeoncloud.com
Go to All Services -> DNS Zones -> kubeoncloud.com
Verify if we have eapp1.kubeoncloud.com created
# Template Command
az network dns record-set a list -g <Resource-Group-dns-zones> -z <yourdomain.com>
# Replace DNS Zones Resource Group and yourdomain
az network dns record-set a list -g dns-zones -z kubeoncloud.com
# Delete Application
kubectl delete -f kube-manifests/02-NginxApp1
# Check the ExternalDNS pod logs to confirm the record set was deleted
kubectl logs -f $(kubectl get po | egrep -o 'external-dns[A-Za-z0-9-]+')
# Verify Record set got automatically deleted in DNS Zones
# Template Command
az network dns record-set a list -g <Resource-Group-dns-zones> -z <yourdomain.com>
# Replace DNS Zones Resource Group and yourdomain
az network dns record-set a list -g dns-zones -z kubeoncloud.com
time="2020-08-24T12:08:52Z" level=info msg="Deleting A record named 'eapp1' for Azure DNS zone 'kubeoncloud.com'."
time="2020-08-24T12:08:53Z" level=info msg="Deleting TXT record named 'eapp1' for Azure DNS zone 'kubeoncloud.com'."