From ebd3a7eafb30cb3d29904989c7031b976317588c Mon Sep 17 00:00:00 2001
From: Pier-Olivier Thibault <23230+pier-oliviert@users.noreply.github.com>
Date: Wed, 26 Jun 2024 10:46:34 -0400
Subject: [PATCH 1/7] AWS: Change documentation to use Helm values

The Helm section includes templates files that aren't needed as those values can all be generated from the values.yaml file. It seems that the current documentation also missed the role arn annotation so it was added as well.
---
 docs/tutorials/aws.md | 95 ++++---------------------------------------
 1 file changed, 9 insertions(+), 86 deletions(-)

diff --git a/docs/tutorials/aws.md b/docs/tutorials/aws.md
index d4ac65741..762e89fb5 100644
--- a/docs/tutorials/aws.md
+++ b/docs/tutorials/aws.md
@@ -477,97 +477,20 @@ kubectl create --filename externaldns-no-rbac.yaml \ ### Manifest (for clusters with RBAC enabled) -Save the following below as `externaldns-with-rbac.yaml`. +Update the `values.yaml` file you created earlier to include the annotations to link the Role ARN you created before. ```yaml -# comment out sa if it was previously created -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-dns - labels: - app.kubernetes.io/name: external-dns ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: external-dns - labels: - app.kubernetes.io/name: external-dns -rules: - - apiGroups: [""] - resources: ["services","endpoints","pods","nodes"] - verbs: ["get","watch","list"] - - apiGroups: ["extensions","networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get","watch","list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: external-dns-viewer - labels: - app.kubernetes.io/name: external-dns -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: external-dns -subjects: - - kind: ServiceAccount - name: external-dns - namespace: default # change to desired namespace: externaldns, kube-addons ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: external-dns - labels: - app.kubernetes.io/name: external-dns -spec: - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/name: external-dns - template: - metadata: - labels: - app.kubernetes.io/name: external-dns - spec: - serviceAccountName: external-dns - containers: - - name: external-dns - image: registry.k8s.io/external-dns/external-dns:v0.14.2 - args: - - --source=service - - --source=ingress - - --domain-filter=example.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones - - --provider=aws - - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full 
synchronization - - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both) - - --registry=txt - - --txt-owner-id=external-dns - env: - - name: AWS_DEFAULT_REGION - value: us-east-1 # change to region where EKS is installed - # # Uncommend below if using static credentials # - name: AWS_SHARED_CREDENTIALS_FILE # value: /.aws/credentials # volumeMounts: # - name: aws-credentials # mountPath: /.aws # readOnly: true # volumes: # - name: aws-credentials # secret: # secretName: external-dns +provider: + name: aws +serviceAccount: + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam::${ACCOUNT_ID}:role/${EXTERNALDNS_ROLE_NAME:-"external-dns"} ``` -When ready deploy: +When ready deploy, update your Helm installation: -```bash -kubectl create --filename externaldns-with-rbac.yaml \ - --namespace ${EXTERNALDNS_NS:-"default"} +```shell +helm upgrade --install external-dns external-dns/external-dns --values values.yaml ``` ## Arguments

From c7138b8a15e86bc6788c0ee641b7bb32b47b2c10 Mon Sep 17 00:00:00 2001
From: Pier-Olivier Thibault <23230+pier-oliviert@users.noreply.github.com>
Date: Thu, 27 Jun 2024 09:44:32 -0400
Subject: [PATCH 2/7] Update docs/tutorials/aws.md

Co-authored-by: Michel Loiseleur <97035654+mloiseleur@users.noreply.github.com>
---
 docs/tutorials/aws.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/tutorials/aws.md b/docs/tutorials/aws.md
index 762e89fb5..5077ba2c0 100644
--- a/docs/tutorials/aws.md
+++ b/docs/tutorials/aws.md
@@ -475,7 +475,7 @@ kubectl create --filename externaldns-no-rbac.yaml \
 --namespace ${EXTERNALDNS_NS:-"default"}
 ```
-### Manifest (for clusters with RBAC enabled)
+### When using clusters with RBAC enabled
 Update the `values.yaml` file you created earlier to include the annotations to link the Role ARN you created before.

From dd0667849cdfa849694f35f97ecf5405a959c965 Mon Sep 17 00:00:00 2001
From: Pier-Olivier Thibault <23230+pier-oliviert@users.noreply.github.com>
Date: Thu, 27 Jun 2024 09:56:44 -0400
Subject: [PATCH 3/7] Change header to be consistent within the section

---
 docs/tutorials/aws.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/tutorials/aws.md b/docs/tutorials/aws.md
index 5077ba2c0..360d8c7a6 100644
--- a/docs/tutorials/aws.md
+++ b/docs/tutorials/aws.md
@@ -418,7 +418,7 @@ Finally, install the ExternalDNS chart with Helm using the configuration specifi
 helm upgrade --install external-dns external-dns/external-dns --values values.yaml
 ```
-### Manifest (for clusters without RBAC enabled)
+### When using clusters without RBAC enabled
 Save the following below as `externaldns-no-rbac.yaml`.

From edb2513a06b9d90afd8dbba33334f37e405fc3c3 Mon Sep 17 00:00:00 2001
From: Pier-Olivier Thibault <23230+pier-oliviert@users.noreply.github.com>
Date: Thu, 27 Jun 2024 09:56:50 -0400
Subject: [PATCH 4/7] Add configuration option for non-eks with Helm

---
 docs/tutorials/aws.md | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/docs/tutorials/aws.md b/docs/tutorials/aws.md
index 360d8c7a6..ae869ebe6 100644
--- a/docs/tutorials/aws.md
+++ b/docs/tutorials/aws.md
@@ -477,7 +477,7 @@ kubectl create --filename externaldns-no-rbac.yaml \
 ### When using clusters with RBAC enabled
-Update the `values.yaml` file you created earlier to include the annotations to link the Role ARN you created before.
+If you're using EKS, you can update the `values.yaml` file you created earlier to include the annotations to link the Role ARN you created before.
 ```yaml
 provider:
@@ -487,7 +487,25 @@ serviceAccount:
 eks.amazonaws.com/role-arn: arn:aws:iam::${ACCOUNT_ID}:role/${EXTERNALDNS_ROLE_NAME:-"external-dns"}
 ```
-When ready deploy, update your Helm installation:
+If you need to provide credentials directly using a secret (ie. You're not using EKS), you can change the `values.yaml` file to include volume and volume mounts.
+
+```yaml
+provider:
+ name: aws
+env:
+ - name: AWS_SHARED_CREDENTIALS_FILE
+ value: /.aws/credentials
+extraVolumes:
+ - name: aws-credentials
+ secret:
+ secretName: external-dns
+extraVolumeMounts:
+ - name: aws-credentials
+ mountPath: /.aws
+ readOnly: true
+```
+
+When ready, update your Helm installation:
 ```shell
 helm upgrade --install external-dns external-dns/external-dns --values values.yaml

From e49c141cedcca834c239d2fe064764e83d427499 Mon Sep 17 00:00:00 2001
From: Pier-Olivier Thibault <23230+pier-oliviert@users.noreply.github.com>
Date: Thu, 27 Jun 2024 11:48:41 -0400
Subject: [PATCH 5/7] Update docs/tutorials/aws.md

Co-authored-by: Michel Loiseleur <97035654+mloiseleur@users.noreply.github.com>
---
 docs/tutorials/aws.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/tutorials/aws.md b/docs/tutorials/aws.md
index ae869ebe6..0e8379a26 100644
--- a/docs/tutorials/aws.md
+++ b/docs/tutorials/aws.md
@@ -494,7 +494,7 @@ provider:
 name: aws
 env:
 - name: AWS_SHARED_CREDENTIALS_FILE
- value: /.aws/credentials
+ value: /etc/aws/credentials
 extraVolumes:
 - name: aws-credentials
 secret:

From 4c86e53d0116c80df35998296842a53f5c5fb8df Mon Sep 17 00:00:00 2001
From: Pier-Olivier Thibault <23230+pier-oliviert@users.noreply.github.com>
Date: Thu, 27 Jun 2024 11:48:45 -0400
Subject: [PATCH 6/7] Update docs/tutorials/aws.md

Co-authored-by: Michel Loiseleur <97035654+mloiseleur@users.noreply.github.com>
---
 docs/tutorials/aws.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/tutorials/aws.md b/docs/tutorials/aws.md
index 0e8379a26..f32e4747e 100644
--- a/docs/tutorials/aws.md
+++ b/docs/tutorials/aws.md
@@ -501,7 +501,7 @@ extraVolumes:
 secretName: external-dns
 extraVolumeMounts:
 - name: aws-credentials
- mountPath: /.aws
+ mountPath: /etc/aws/credentials
 readOnly: true
 ```

From bbaa3eb290d3c2db8f2c3069f35f93749c4382cd Mon Sep 17 00:00:00 2001
From: Pier-Olivier Thibault <23230+pier-oliviert@users.noreply.github.com>
Date: Thu, 27 Jun 2024 12:14:05 -0400
Subject: [PATCH 7/7] Attempts at making the docs more clear with secret volume

The secret includes keys/value pair and a secret, when mounted as a volume, will generate a file for each of the pair where the name of the file is the key and the content of the file, the value. This hopefully makes the doc clear on how to configured credentials.
---
 docs/tutorials/aws.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/tutorials/aws.md b/docs/tutorials/aws.md
index f32e4747e..c7931ad26 100644
--- a/docs/tutorials/aws.md
+++ b/docs/tutorials/aws.md
@@ -494,11 +494,11 @@ provider:
 name: aws
 env:
 - name: AWS_SHARED_CREDENTIALS_FILE
- value: /etc/aws/credentials
+ value: /etc/aws/credentials/my_credentials
 extraVolumes:
 - name: aws-credentials
 secret:
- secretName: external-dns
+ secretName: external-dns # In this example, the secret will have the data stored in a key named `my_credentials`
 extraVolumeMounts:
 - name: aws-credentials
 mountPath: /etc/aws/credentials