dns-operator-azure

command module
v2.0.0-...-947fdf0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 24, 2024 License: Apache-2.0 Imports: 21 Imported by: 0

README

CircleCI Docker Repository on Quay

dns-operator-azure

dns-operator-azure is an operator to create necessary DNS records on Azure DNS for CAPI workload clusters. It supports both CAPZ and non-CAPZ workload clusters.

Use cases

CAPZ workload clusters

cluster-api-provider-azure takes care of the most of the DNS management for CAPZ WCs but there are some shortcomings:

Non-CAPZ workload clusters

We manage non-CAPZ workload clusters in CAPZ MCs too. We call this concept as multi-provider setup. In this case, dns-operator-azure helps us to manage DNS records of workload clusters on Azure DNS.

Supported non-CAPZ providers:

  • CAPV WCs (Vsphere)

Expected Behavior

Public DNS Zone <wc_name>.<base_domain> in <wc_name> resource group

When to create

  • When the WC is public CAPZ, created by CAPZ.
  • When the WC is private CAPZ, created by dns-operator-azure.
  • When the WC is non-CAPZ, created by dns-operator-azure.
  • Used by everyone to access the WC.
  • MC can be public or private. It doesn't matter.

A records

  • api and apiserver should refer

    • Public CAPZ: IP of AzureCluster.Spec.NetworkSpec.APIServerLB.FrontendIPs[0].PublicIP.Name LB in Azure
    • Private CAPZ: AzureCluster.Spec.NetworkSpec.APIServerLB.FrontendIPs[0].PrivateIPAddress
    • Non-CAPZ WCs: Cluster.Spec.ControlPlaneEndpoint.Host
  • ingress should refer the IP of k8s service in the WC if exists.

    • CAPZ Clusters: Managed by external-dns (deployed by default-apps-azure)
    • Non-CAPZ Clusters: Managed by dns-operator-azure

CNAME records

  • * should refer ingress.<wc_name>.<base_domain>

NS records in basedomain

dns-operator-azure is supposed to create an NS record in the <baseDomain> zone to refer the <wc_name>.<base_domain> zone.

Public DNS Zone <mc_name>.<base_domain> in <mc_name> resource group

Since MC is also a workload cluster in itself, this entry is supposed to exist as above.

Private DNS Zone <wc_name>.<base_domain> in <wc_name> resource group
  • Created only for private CAPZ workload clusters by CAPZ.
  • Used by the WC itself.

A records

  • apiserver should refer AzureCluster.Spec.NetworkSpec.APIServerLB.FrontendIPs[0].PrivateIPAddress
  • ingress should refer the IP of k8s service in the WC if exists. Managed by external-dns (deployed by default-apps-azure)
Private DNS Zone <wc_name>.<base_domain> in <mc_name> resource group
  • Used by the MC to access the WC api.
  • Created for private CAPZ workload clusters by dns-operator-azure.
  • MC can be public or private. It doesn't matter.
  • Not created for non-CAPZ workload clusters.

A records

  • apiserver should refer the private endpoint in the MC VNet that points the private link of WC api.
Private DNS Zone <mc_name>.<base_domain> in <mc_name> resource group

Since MC is also a workload cluster in itself, this entry is supposed to exist as above if MC is a private cluster..

Private DNS Zone <mc_name>.<base_domain> in <wc_name> resource group
  • Used by the WC to access the MC ingress endpoints.
  • Created for private CAPZ management clusters by dns-operator-azure.
  • WC can be public or private. It doesn't matter.
  • Not created for non-CAPZ workload clusters.
  • The ingress record refers the private endpoint in the WC VNet that points the private link of MC ingress endpoints.

A records

  • ingress should refer the private endpoint in the WC VNet that points the private link of MC ingress.

CNAME records

  • * should refer ingress.<mc_name>.<base_domain>.

Bastion concept

We switched to teleport to access cluster nodes, so we stopped deploying bastion nodes. This feature is no supported anymore. Last supported version was 1.3.4.

Cluster Deletion

On Cluster deletion, CAPZ deletes the entire resourceGroup where the <clustername> specific DNS zone exists as well. For that reason on deletion only the NS record in the <baseDomain> must be handled by the operator.

Configuration of the operator

dns-operator-azure expect an existing DNS Zone which is used as baseDomain (e.g. kubernetes.my-company.io). There is no need to have this DNS Zone in the same subscription where dns-operator-azure is running.

To act on this DNS Zone, the name and the resource group must be defined by -base-domain and -base-domain-resource-group flag. The subscription where this DNS Zone exist must be defined by setting the AZURE_SUBSCRIPTION_ID environment variable.

Azure AuthN/AuthZ

To make dns-operator-azure work on the baseDomain DNS Zone you have to create an application in Azure ActiveDirectory. This application need the DNS Zone Contributor role applied for to the baseDomain DNS Zone.

The application secrets must be defined by setting the AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_CLIENT_SECRET environment variables.

To make dns-operator-azure work on the clustername DNS zone it's only required that the Kubernetes serviceAccount is able to get the referenced AzureClusterIdentity from the AzureCluster. With these information the dns-operator-azure creates an internal Azure client to interact with the cluster specific Azure resources.

To enable dns-operator-azure to create Azure DNS zones and records for non-Azure workload clusters, the operator needs to know credentials and details of the destination Azure subscription, where the DNS zone and records for the non-Azure workload clusters are supposed to be stored. By default, the dns-operator-azure uses credentials referenced in the management cluster's AzureCluster resource. In case this behaviour is acceptable, there is no need to provide any additional configuration to the operator. The default behaviour can be overridden by providing an explicit reference to a specific AzureClusterIdentity resource in the --azure-identity-ref-name and --azure-identity-ref-namespace flags. Additional details about the subscription need to be provided by setting the CLUSTER_AZURE_CLIENT_ID, CLUSTER_AZURE_TENANT_ID, CLUSTER_AZURE_SUBSCRIPTION_ID and CLUSTER_AZURE_LOCATION (the Azure Location of the DNS records for the non-Azure workload clusters) flags.

Documentation

The Go Gopher

There is no documentation for this package.

Directories

Path Synopsis
pkg

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL