mirrors/external-dns
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/external-dns.git synced 2025-08-06 09:36:58 +02:00
Code Issues Packages Projects Releases Wiki Activity
0e7c3af221
external-dns/docs/tutorials/myra.md
Ahmed R. I. fe7940ce0a
docs(providers): add Myra Security DNS to the list (#5671) 
* docs: add Myra Security DNS to the list of providers

* docs(providers): add minor docs improvements to docs/tutorials/myra.md
2025-07-28 01:48:29 -07:00

216 lines
6.2 KiB
Markdown
Raw Blame History

# Myra ExternalDNS Webhook
This guide provides quick instructions for setting up and testing the [Myra ExternalDNS Webhook](https://github.com/Myra-Security-GmbH/external-dns-myrasec-webhook) in a Kubernetes environment.
## Prerequisites
- Kubernetes cluster (v1.19+)
- `kubectl` configured to access your cluster
- Docker for building the container image
- MyraSec API credentials (API key and secret)
- Domain registered with MyraSec
## Quick Installation
### 1. Build and Push the Docker Image
```bash
# From the project root
docker build -t myra-webhook:latest .
# Tag the image for your container registry
docker tag myra-webhook:latest YOUR_REGISTRY/myra-webhook:latest
# Push to your container registry
docker push YOUR_REGISTRY/myra-webhook:latest
```
> **Important**: The image must be pushed to a container registry accessible by your Kubernetes cluster. Update the image reference in the deployment YAML file to match your registry path.
### 2. Configure API Credentials
Create a secret with your MyraSec API credentials:
```bash
kubectl create secret generic myra-webhook-secrets \
--from-literal=myrasec-api-key=YOUR_API_KEY \
--from-literal=myrasec-api-secret=YOUR_API_SECRET \
--from-literal=domain-filter=YOUR_DOMAIN.com
```
Alternatively, apply the provided secret template after editing:
```bash
# Edit the secret file first
vi deploy/myra-webhook-secrets.yaml
# Then apply
kubectl apply -f deploy/myra-webhook-secrets.yaml
```
### 3. Deploy the Webhook and ExternalDNS
```bash
# Apply the combined deployment
kubectl apply -f deploy/combined-deployment.yaml
```
This deploys:
- ConfigMap with webhook configuration
- ServiceAccount, ClusterRole, and ClusterRoleBinding for RBAC
- Deployment with two containers:
- myra-webhook: The webhook provider implementation
- external-dns: The ExternalDNS controller using the webhook provider
### 4. Verify Deployment
```bash
# Check if pods are running
kubectl get pods -l app=myra-externaldns
# Check logs for the webhook container
kubectl logs -l app=myra-externaldns -c myra-webhook
# Check logs for the external-dns container
kubectl logs -l app=myra-externaldns -c external-dns
```
## Manual Testing with NGINX Demo
### 1. Deploy the NGINX Demo Application
```bash
# Edit the domain in the nginx-demo.yaml file to match your domain
vi deploy/nginx-demo.yaml
# Most important part is to set the correct domain in the external-dns.alpha.kubernetes.io/hostname annotation
# Example:
# annotations:
# external-dns.alpha.kubernetes.io/enabled: "true"
# external-dns.alpha.kubernetes.io/hostname: "nginx-demo.dummydomainforkubes.de"
# external-dns.alpha.kubernetes.io/target: "9.2.3.4"
# Apply the demo resources
kubectl apply -f deploy/nginx-demo.yaml
```
This creates:
- NGINX Deployment
- Service for the deployment
- Ingress resource with ExternalDNS annotations
### 2. Verify DNS Record Creation
After deploying the demo application, ExternalDNS should automatically create DNS records in MyraSec:
```bash
# Check external-dns logs to see record creation
kubectl logs -l app=myra-externaldns -c external-dns | grep "nginx-demo"
# Verify the webhook logs
kubectl logs -l app=myra-externaldns -c myra-webhook | grep "Created DNS record"
```
You can also verify through the MyraSec dashboard that the records were created.
### 3. Testing Record Deletion
To test record deletion:
```bash
# Delete the nginx-demo resources or remove annotation from ingress
kubectl delete -f deploy/nginx-demo.yaml
# Delete the ingress resource or remove annotation from ingress
# If resource is still active, external dns might still see the record and manage it
kubectl delete ingress nginx-demo -n default
# Check external-dns logs to see record deletion
kubectl logs -l app=myra-externaldns -c external-dns | grep "nginx-demo" | grep "delete"
# Verify the webhook logs
kubectl logs -l app=myra-externaldns -c myra-webhook | grep "Deleted DNS record"
```
## Configuration Options
The webhook can be configured through the ConfigMap:
| Parameter | Description | Default |
|-----------|-------------|---------|
| `dry-run` | Run in dry-run mode without making actual changes | `"false"` |
| `environment` | Environment name (affects private IP handling) | `"prod"` |
| `log-level` | Logging level (debug, info, warn, error) | `"debug"` |
| `ttl` | Default TTL for DNS records | `"300"` |
| `webhook-listen-address` | Address and port for the webhook server | `":8080"` |
## Troubleshooting
### Common Issues
1. **Webhook not receiving requests**
- Ensure the `webhook-provider-url` in the external-dns args is correct
- Check network connectivity between containers
2. **DNS records not being created**
- Verify MyraSec API credentials are correct
- Check if the domain filter is properly configured
- Look for error messages in the webhook and external-dns logs
3. **Permissions issues**
- Ensure the ServiceAccount has the correct RBAC permissions
### Getting Help
For more detailed logs:
```bash
# Set log level to debug in the ConfigMap
kubectl edit configmap myra-externaldns-config
# Change log-level to "debug"
# Restart the pods
kubectl rollout restart deployment myra-externaldns
```
## Environment Configuration
The webhook supports different environment configurations through the `environment` setting in the ConfigMap:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: myra-externaldns-config
data:
environment: "prod" # Can be "prod", "staging", "dev", etc.
```
The environment setting affects how the webhook handles certain operations:
| Environment | Behavior |
|-------------|----------|
| `prod`, `production`, `staging` | Strict mode: Skips private IP records, enforces stricter validation |
| `dev`, `development`, `test`, etc. | Development mode: Allows private IP records, more permissive validation |
To modify the environment:
```bash
# Edit the ConfigMap directly
kubectl edit configmap myra-externaldns-config
# Or apply an updated YAML file
kubectl apply -f updated-config.yaml
```
## Advanced Configuration
For production deployments, consider:
1. Using a proper image registry instead of `latest` tag
2. Setting resource limits appropriate for your environment
3. Configuring horizontal pod autoscaling
4. Using Helm for deployment management
Reference in New Issue View Git Blame Copy Permalink