This DNS provider allows you to create and manage DNS entries via a remote dns-controller-manager
instance.
A DNSProvider
on the client side uses the type remote
and a secret with the configuration to access the remote instance.
The communication between the local (client) and the remote (server) dns-controller-manager
uses mTLS.
Therefore both sides must be configured using TLS certificates of a known CA.
These are the supported keys:
REMOTE_ENDPOINT
- ":" of the remote-access service running on the remote dns-controller-manager.NAMESPACE
- of the remote cluster. All included zones of all namespace's DNSProvider objects annotated with 'dns.gardener.cloud/remote-access=true' are available.tls.crt
orCLIENT_CERT
- client certificatetls.key
orCLIENT_KEY
- private key of the client certificateca.crt
orSERVER_CA_CERT
- optional CA used for the server certificateOVERRIDE_SERVER_NAME
- optionally overrides server name as specified in the server certificate (if server cannot be accessed with the DNS name/IP address as specified in the TLS certificate)
Create a Secret
resource with the complete set of keys .
All values are base64 encoded.
apiVersion: v1
kind: Secret
metadata:
name: remote-credentials
namespace: default
type: Opaque
data:
# Replace '...' with values encoded as base64.
REMOTE_ENDPOINT: ... # "<host>:<port>" of the remote-access service running on the remote dns-controller-manager
NAMESPACE: ... # <namespace> of the remote cluster. All included zones of all namespace's DNSProvider objects annotated with 'dns.gardener.cloud/remoteAccess=true' are available.
tls.crt: ... # client certificate
tls.key: ... # client private key
ca.crt: ... # CA used for the server certificate
#OVERRIDE_SERVER_NAME: ... # optional override server name as specified in the server certificate
The remote dns-controller-manager
instance must run with enabled remote access (see --remote-access-*
command line
options for more details) and must expose an endpoint with the remote access service.
If you use the Helm chart, see the remoteaccess
section in the values file (e.g. ../charts/external-dns-management/values.yaml):
remoteaccess:
enabled: true
service:
annotations:
#dns.gardener.cloud/class: garden
#cert.gardener.cloud/purpose: managed
#cert.gardener.cloud/secretname: remoteaccess-service
dns.gardener.cloud/dnsnames: my.foo.bar.com
type: LoadBalancer
certs:
ca:
cert: LS0t... # CA used for client certs
server:
#secretName: remoteaccess-service # if managed server certificate is used
cert: LS0t... # only needed if certificate is not managed
key: LS0t... # only needed if certificate is not managed
port: 7777
DNSProvider
objects are defined normally with any provider type. Only providers annotated with dns.gardener.cloud/remote-access=true
can be accessed
remotely using a DNSProvider
of type remote
.
Additionally, depending on the common name of the client certificate, only providers of one namespace may be accessible.
-
Example: A common name
default.my.client
restricts the client to providers in namespacedefault
. -
Example: A common name
*.my.second.client
allows access to all providers in all namespaces.