Automating DNS configuration with ExternalDNS

Category: Programming tools · Published: 6 years ago


The flourishing of the Kubernetes ecosystem and the rapid growth of technology in this space are well known. Kubernetes has no shortage of powerful, innovative projects, and the one that caught my attention recently is ExternalDNS. A customer asked about it during a recent POC; I promised them I would try out the ExternalDNS sub-project, and having done so I found it genuinely impressive.

The ExternalDNS sub-project

The ExternalDNS sub-project (the incubator process has since been deprecated) is sponsored by sig-network and championed by Tim Hockin, and its purpose is to configure cloud DNS providers automatically. This matters because it takes infrastructure automation one step further: DNS is configured at the same time the application is deployed.

In the traditional enterprise deployment model, several siloed business units typically each handle a different part of the deployment process. Kubernetes with ExternalDNS differs from that model in that it automates this part of the process. An unfortunate situation sometimes arises where a piece of software is ready to go but has to wait for another business unit to configure DNS by hand. With ExternalDNS, that potential problem is solved.

Through ExternalDNS, teams within an organization can automate and share responsibility, which avoids manual configuration errors and lets everyone bring their products to market more effectively.

Configuring and deploying ExternalDNS on AKS

I worked for many years as a software developer in the .NET world. The Microsoft developer community has always held a special place for me, and over the past few years I have spoken at a number of Azure user meetups in the Philadelphia area about running Kubernetes on Azure with ACS (Azure Container Service) and AKS (Azure Kubernetes Service). As it happens, the customer who asked me about ExternalDNS had also chosen Azure as their IaaS platform.

Below are the step-by-step instructions and helper code I prepared for getting ExternalDNS running on an AKS cluster. The tutorial still applies if you use managed Kubernetes on another public cloud.

Prerequisites

Log in to Azure AD and, if necessary, set your subscription.

A few notes

1. Note that the externaldns template file in this document uses a number of optional settings.

2. It also runs with debug-level logging, so you can troubleshoot on your own.

Setting up ExternalDNS on Azure AKS or Azure IaaS

1. Create an Azure DNS zone

RESOURCE_GROUP=MC_rancher-group_c-6vkts_eastus
DNS_ZONE=vanbrackel.net
az network dns zone create -g $RESOURCE_GROUP -n $DNS_ZONE

2. Delegate DNS as required by your registrar.

3. Create a service principal to act on behalf of Kubernetes.

# jq prints strings with surrounding double quotes; the ${VAR//\"} expansions strip them.
SUBSCRIPTION_ID="$(az account show | jq '.id')" && SUBSCRIPTION_ID=${SUBSCRIPTION_ID//\"}
TENANT_ID=$(az account show | jq '.tenantId') && TENANT_ID=${TENANT_ID//\"}
SCOPE=$(az group show --name $RESOURCE_GROUP | jq '.id') && SCOPE=${SCOPE//\"}
PRINCIPAL=$(az ad sp create-for-rbac --role="Contributor" --scopes=$SCOPE -n ExternalDnsServicePrincipal)
CLIENT_ID=$(echo $PRINCIPAL | jq '.appId') && CLIENT_ID=${CLIENT_ID//\"}
CLIENT_SECRET=$(echo $PRINCIPAL | jq '.password') && CLIENT_SECRET=${CLIENT_SECRET//\"}

4. Create your cloud provider configuration.

echo "{ \"tenantId\": \"$TENANT_ID\", \"subscriptionId\": \"$SUBSCRIPTION_ID\", \"aadClientId\": \"$CLIENT_ID\", \"aadClientSecret\": \"$CLIENT_SECRET\", \"resourceGroup\": \"$RESOURCE_GROUP\"}" > azure.json

5. Create a Kubernetes secret from the cloud provider configuration.

> kubectl create secret generic azure-config-file --from-file=azure.json

secret "azure-config-file" created
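Steps 3 to 5 build azure.json by interpolating the service principal's secret into an echo string, which produces invalid JSON if the generated password happens to contain a double quote or backslash, and leaves the file world-readable on the workstation. The helper below is an added example, not code from the article or from the ExternalDNS project: it reads the same shell variables the article sets (TENANT_ID, SUBSCRIPTION_ID, CLIENT_ID, CLIENT_SECRET, RESOURCE_GROUP), serialises them with json.dumps, checks that all five keys the Azure provider expects are present, and creates the file with mode 0600. The sample GUIDs and the password in round_trip_demo are constructed values. One further caveat a defender would want: the Contributor role on the whole resource group is broader than ExternalDNS needs; Azure's built-in DNS Zone Contributor role scoped to the zone is the least-privilege choice.

```python
import json
import os
import tempfile

# The five keys ExternalDNS's Azure provider reads from azure.json (key names from step 4).
REQUIRED_KEYS = ("tenantId", "subscriptionId", "aadClientId", "aadClientSecret", "resourceGroup")


def build_azure_config(tenant_id, subscription_id, client_id, client_secret, resource_group):
    """Assemble the azure.json document as a dict (same fields as the echo command in step 4)."""
    return {
        "tenantId": tenant_id,
        "subscriptionId": subscription_id,
        "aadClientId": client_id,
        "aadClientSecret": client_secret,
        "resourceGroup": resource_group,
    }


def config_from_env(env=os.environ):
    """Read the same shell variables the article exports in steps 1 and 3."""
    return build_azure_config(
        env.get("TENANT_ID", ""), env.get("SUBSCRIPTION_ID", ""), env.get("CLIENT_ID", ""),
        env.get("CLIENT_SECRET", ""), env.get("RESOURCE_GROUP", ""),
    )


def validate_azure_config(cfg):
    """Return the required keys that are missing or empty; an empty list means the config is complete."""
    return [k for k in REQUIRED_KEYS if not cfg.get(k)]


def write_azure_config(path, cfg):
    """Serialise cfg with json.dumps (a secret containing quotes or backslashes stays valid JSON)
    and create the file with mode 0600 so other local users cannot read the client secret
    before it is loaded into the Kubernetes Secret. Returns the JSON text written."""
    missing = validate_azure_config(cfg)
    if missing:
        raise ValueError("azure.json is incomplete, missing: " + ", ".join(missing))
    text = json.dumps(cfg, indent=2) + "\n"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return text


def load_azure_config(path):
    with open(path) as f:
        return json.load(f)


def round_trip_demo():
    """Write a CONSTRUCTED config whose secret contains characters that break the echo approach,
    read it back, and report whether it survived and which permission bits the file has."""
    cfg = build_azure_config(
        "00000000-0000-0000-0000-000000000000",  # constructed tenant id
        "11111111-1111-1111-1111-111111111111",  # constructed subscription id
        "22222222-2222-2222-2222-222222222222",  # constructed client id
        'p"ss\\w0rd',                            # constructed secret with a quote and a backslash
        "MC_example_rg",                         # constructed resource group name
    )
    path = os.path.join(tempfile.mkdtemp(), "azure.json")
    write_azure_config(path, cfg)
    return {"intact": load_azure_config(path) == cfg, "mode": os.stat(path).st_mode & 0o777}


if __name__ == "__main__":
    cfg = config_from_env()
    missing = validate_azure_config(cfg)
    if missing:
        raise SystemExit("set these variables first: " + ", ".join(missing))
    write_azure_config("azure.json", cfg)
    print("wrote azure.json")
```

Run it after the az commands in step 3 (with the variables exported) in place of the echo in step 4; step 5 then loads the file into the Secret unchanged.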

6. If you are using Azure IaaS-backed clusters provisioned by Rancher, delete the ingress controller from the cluster.

> kubectl get ns
NAME            STATUS    AGE
cattle-system   Active    1d
default         Active    1d
ingress-nginx   Active    1d
kube-public     Active    1d
kube-system     Active    1d

> kubectl delete ns/ingress-nginx
namespace "ingress-nginx" deleted

Note: if your cluster was provisioned through AKS in Rancher, no ingress controller is provided.

7. Install the nginx ingress controller and configure it for ExternalDNS. Create the ingress-nginx deployment and service.

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/cloud-generic.yaml

8. Since RBAC is enabled by default on Rancher-provisioned Kubernetes clusters, create a yaml file named externaldns.yaml from the manifest below, or use the externaldns-template.yaml file in this repo (the template carries the placeholders DOMAIN and RESOURCE_GROUP, which the commands after the manifest substitute).

apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: external-dns
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get","watch","list"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get","watch","list"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get","watch","list"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
subjects:
- kind: ServiceAccount
  name: external-dns
  namespace: default
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: external-dns
spec:
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
      - name: external-dns
        image: registry.opensource.zalan.do/teapot/external-dns:v0.5.2
        args:
        - --source=service
        - --source=ingress
        - --domain-filter=vanbrackel.net # (optional) limit to only vanbrackel.net domains; change to match the zone created above.
        - --provider=azure
        - --azure-resource-group=MC_rancher-group_c-6vkts_eastus # (optional) use the DNS zones from above
        volumeMounts:
        - name: azure-config-file
          mountPath: /etc/kubernetes
          readOnly: true
      volumes:
      - name: azure-config-file
        secret:
          secretName: azure-config-file

# Render the template with the DNS_ZONE and RESOURCE_GROUP values set in step 1, then apply it.
EXTERNAL_DNS=$(cat externaldns-template.yaml)
EXTERNAL_DNS=${EXTERNAL_DNS//DOMAIN/$DNS_ZONE} && echo "${EXTERNAL_DNS//RESOURCE_GROUP/$RESOURCE_GROUP}" > externaldns.yaml
kubectl create -f externaldns.yaml
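The ClusterRole above is deliberately read-only: ExternalDNS only needs to get, watch and list services, pods and ingresses, and it receives the Azure credentials from the mounted Secret volume rather than through the API, so it needs no access to secrets at all. The check below is an added example, not part of the article or of the ExternalDNS project: it audits a set of RBAC rules (transcribed here as Python dicts, so no YAML library is required) and reports wildcard grants, write verbs, and resources outside the set ExternalDNS needs. OVERBROAD_RULES is a constructed variant used only to show what a finding looks like.

```python
# Verbs that a read-only watcher such as ExternalDNS needs; anything else is a write.
READ_VERBS = {"get", "list", "watch"}

# (apiGroup, resource) pairs the manifest above grants for --source=service and --source=ingress.
# "" is the core API group.
EXPECTED_RESOURCES = {("", "services"), ("", "pods"), ("extensions", "ingresses")}

# The rules of the external-dns ClusterRole above, transcribed from the manifest.
EXTERNAL_DNS_RULES = [
    {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses"], "verbs": ["get", "watch", "list"]},
]

# CONSTRUCTED over-privileged variant: a wildcard on ingresses and read access to secrets.
OVERBROAD_RULES = EXTERNAL_DNS_RULES[:2] + [
    {"apiGroups": ["extensions"], "resources": ["ingresses"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
]


def audit_cluster_role(rules, expected=EXPECTED_RESOURCES):
    """Return human-readable findings for every rule that grants more than read access
    to the resources in `expected`. An empty list means the role is least-privilege."""
    findings = []
    for i, rule in enumerate(rules):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append(f"rule {i}: wildcard grant on {groups}/{resources} with verbs {sorted(verbs)}")
            continue
        write_verbs = sorted(verbs - READ_VERBS)
        if write_verbs:
            findings.append(f"rule {i}: write verbs {write_verbs} on {resources}")
        for group in groups:
            for resource in resources:
                if (group, resource) not in expected:
                    findings.append(f"rule {i}: {group or 'core'}/{resource} is not needed by ExternalDNS")
    return findings


def missing_grants(rules, expected=EXPECTED_RESOURCES):
    """Return the expected (group, resource) pairs that no rule grants full read access to,
    so a role that is too narrow (ExternalDNS would silently see no endpoints) is caught too."""
    missing = []
    for group, resource in sorted(expected):
        granted = False
        for rule in rules:
            verbs = set(rule.get("verbs", []))
            groups = rule.get("apiGroups", [])
            resources = rule.get("resources", [])
            if ("*" in verbs or READ_VERBS <= verbs) and \
               (group in groups or "*" in groups) and (resource in resources or "*" in resources):
                granted = True
                break
        if not granted:
            missing.append((group, resource))
    return missing


if __name__ == "__main__":
    for name, rules in (("manifest", EXTERNAL_DNS_RULES), ("overbroad", OVERBROAD_RULES)):
        print(name, "findings:", audit_cluster_role(rules) or "none",
              "missing:", missing_grants(rules) or "none")
```

Running it on the manifest's rules yields no findings and nothing missing; the constructed variant produces two findings (the wildcard on ingresses and the unneeded secrets access).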

Verification

1. Create an nginx service and ingress in the same way you deployed ExternalDNS

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx
spec:
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx
        name: nginx
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: server.vanbrackel.net
    http:
      paths:
      - backend:
          serviceName: nginx-svc
          servicePort: 80
        path: /

# Render the test template with the DNS_ZONE value set in step 1.
NGINX=$(cat nginx-ingress-test-template.yaml) && echo "${NGINX//DOMAIN/$DNS_ZONE}" > nginx-ingress-test.yaml

2. Create the nginx test deployment, service and ingress

kubectl create -f nginx-ingress-test.yaml

3. Wait a few minutes

4. Check whether the record has been created

[jason@vblinux ~ ]$ az network dns record-set a list --resource-group $RESOURCE_GROUP --zone-name $DNS_ZONE
[
  {
    "arecords": [
      {
        "ipv4Address": "13.68.138.206"
      }
    ],
    "etag": "0fb3eaf9-7bf2-48c4-b8f8-432e05dce94a",
    "fqdn": "server.vanbrackel.net.",
    "id": "/subscriptions/c7e23d24-5dcd-4c7c-ae84-22f6f814dc02/resourceGroups/mc_rancher-group_c-6vkts_eastus/providers/Microsoft.Network/dnszones/vanbrackel.net/A/server",
    "metadata": null,
    "name": "server",
    "resourceGroup": "mc_rancher-group_c-6vkts_eastus",
    "ttl": 300,
    "type": "Microsoft.Network/dnszones/A"
  }
]

5. Check the logs

kubectl logs external-dns-655df89959-7ztm2
time="2018-06-13T23:57:11Z" level=info msg="config: {Master: KubeConfig: Sources:[service ingress] Namespace: AnnotationFilter: FQDNTemplate: CombineFQDNAndAnnotation:false Compatibility: PublishInternal:false ConnectorSourceServer:localhost:8080 Provider:azure GoogleProject: DomainFilter:[vanbrackel.net] ZoneIDFilter:[] AWSZoneType: AWSAssumeRole: AzureConfigFile:/etc/kubernetes/azure.json AzureResourceGroup:MC_rancher-group_c-6vkts_eastus CloudflareProxied:false InfobloxGridHost: InfobloxWapiPort:443 InfobloxWapiUsername:admin InfobloxWapiPassword: InfobloxWapiVersion:2.3.1 InfobloxSSLVerify:true DynCustomerName: DynUsername: DynPassword: DynMinTTLSeconds:0 InMemoryZones:[] PDNSServer:http://localhost:8081 PDNSAPIKey: Policy:sync Registry:txt TXTOwnerID:default TXTPrefix: Interval:1m0s Once:false DryRun:false LogFormat:text MetricsAddress::7979 LogLevel:debug}"
time="2018-06-13T23:57:11Z" level=info msg="Connected to cluster at https://10.0.0.1:443"
...
time="2018-06-14T00:02:11Z" level=debug msg="Retrieving Azure DNS zones."
time="2018-06-14T00:02:12Z" level=debug msg="Found 1 Azure DNS zone(s)."
time="2018-06-14T00:02:12Z" level=debug msg="Retrieving Azure DNS records for zone 'vanbrackel.net'."
time="2018-06-14T00:02:12Z" level=debug msg="No endpoints could be generated from service default/kubernetes"
time="2018-06-14T00:02:12Z" level=debug msg="No endpoints could be generated from service default/nginx-svc"
time="2018-06-14T00:02:12Z" level=debug msg="No endpoints could be generated from service ingress-nginx/default-http-backend"
time="2018-06-14T00:02:12Z" level=debug msg="No endpoints could be generated from service ingress-nginx/ingress-nginx"
time="2018-06-14T00:02:12Z" level=debug msg="No endpoints could be generated from service kube-system/full-guppy-nginx-ingress-controller"
time="2018-06-14T00:02:12Z" level=debug msg="No endpoints could be generated from service kube-system/full-guppy-nginx-ingress-default-backend"
time="2018-06-14T00:02:12Z" level=debug msg="No endpoints could be generated from service kube-system/heapster"
time="2018-06-14T00:02:12Z" level=debug msg="No endpoints could be generated from service kube-system/kube-dns"
time="2018-06-14T00:02:12Z" level=debug msg="No endpoints could be generated from service kube-system/kubernetes-dashboard"
time="2018-06-14T00:02:12Z" level=debug msg="No endpoints could be generated from service kube-system/tiller-deploy"
time="2018-06-14T00:02:12Z" level=debug msg="Endpoints generated from ingress: default/nginx: [server.vanbrackel.net 0 IN A 13.68.138.206]"
time="2018-06-14T00:02:12Z" level=debug msg="Retrieving Azure DNS zones."
time="2018-06-14T00:02:12Z" level=debug msg="Found 1 Azure DNS zone(s)."
time="2018-06-14T00:02:12Z" level=info msg="Updating A record named 'server' to '13.68.138.206' for Azure DNS zone 'vanbrackel.net'."
time="2018-06-14T00:02:13Z" level=info msg="Updating TXT record named 'server' to '\"heritage=external-dns,external-dns/owner=default,external-dns/resource=ingress/default/nginx\"' for Azure DNS zone 'vanbrackel.net'."
time="2018-06-14T00:03:11Z" level=debug msg="Retrieving Azure DNS zones."
time="2018-06-14T00:03:12Z" level=debug msg="Found 1 Azure DNS zone(s)."
time="2018-06-14T00:03:12Z" level=debug msg="Retrieving Azure DNS records for zone 'vanbrackel.net'."
time="2018-06-14T00:03:12Z" level=debug msg="Found A record for 'server.vanbrackel.net' with target '13.68.138.206'."
time="2018-06-14T00:03:12Z" level=debug msg="Found TXT record for 'server.vanbrackel.net' with target '\"heritage=external-dns,external-dns/owner=default,external-dns/resource=ingress/default/nginx\"'."
time="2018-06-14T00:03:12Z" level=debug msg="No endpoints could be generated from service default/kubernetes"
time="2018-06-14T00:03:12Z" level=debug msg="No endpoints could be generated from service default/nginx-svc"
time="2018-06-14T00:03:12Z" level=debug msg="No endpoints could be generated from service ingress-nginx/default-http-backend"
time="2018-06-14T00:03:12Z" level=debug msg="No endpoints could be generated from service ingress-nginx/ingress-nginx"
time="2018-06-14T00:03:12Z" level=debug msg="No endpoints could be generated from service kube-system/full-guppy-nginx-ingress-controller"
time="2018-06-14T00:03:12Z" level=debug msg="No endpoints could be generated from service kube-system/full-guppy-nginx-ingress-default-backend"
time="2018-06-14T00:03:12Z" level=debug msg="No endpoints could be generated from service kube-system/heapster"
time="2018-06-14T00:03:12Z" level=debug msg="No endpoints could be generated from service kube-system/kube-dns"
time="2018-06-14T00:03:12Z" level=debug msg="No endpoints could be generated from service kube-system/kubernetes-dashboard"
time="2018-06-14T00:03:12Z" level=debug msg="No endpoints could be generated from service kube-system/tiller-deploy"
time="2018-06-14T00:03:12Z" level=debug msg="Endpoints generated from ingress: default/nginx: [server.vanbrackel.net 0 IN A 13.68.138.206]"
time="2018-06-14T00:03:12Z" level=debug msg="Retrieving Azure DNS zones."
time="2018-06-14T00:03:12Z" level=debug msg="Found 1 Azure DNS zone(s)."
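The log excerpt shows the two lines worth watching in production: with Policy:sync and Registry:txt (from the config line at the top), ExternalDNS can create, update and delete any record in the zone that matches the domain filter, and it marks the records it owns with a TXT record carrying external-dns/owner=default (the TXTOwnerID). The parser below is an added example, not code from the article or from the ExternalDNS project. It reads the logfmt lines the Azure provider emits, extracts every "Updating ... record" event, and raises an alert when a record is written for a host name outside an allow-list or when an ownership TXT record carries an owner ID other than the one this instance was configured with (which is what a second ExternalDNS instance writing into the same zone would look like). SAMPLE_LOG contains two lines copied from the excerpt above plus two constructed lines for the host api and the owner staging.

```python
import re

# logfmt line as ExternalDNS emits it: time="..." level=... msg="..." (msg may contain \" escapes).
LOGFMT = re.compile(r'time="(?P<time>[^"]*)" level=(?P<level>\w+) msg="(?P<msg>(?:[^"\\]|\\.)*)"')

# The Azure provider's record-change message, in the form shown in the excerpt above.
UPDATE = re.compile(
    r"Updating (?P<type>[A-Z]+) record named '(?P<name>[^']*)' to '(?P<target>.*)' "
    r"for Azure DNS zone '(?P<zone>[^']*)'\.$"
)

# Sample input: the first three lines are copied from the excerpt above; the last two are
# CONSTRUCTED to simulate another ExternalDNS instance (owner 'staging') writing to the zone.
SAMPLE_LOG = r'''
time="2018-06-14T00:02:12Z" level=debug msg="Endpoints generated from ingress: default/nginx: [server.vanbrackel.net 0 IN A 13.68.138.206]"
time="2018-06-14T00:02:12Z" level=info msg="Updating A record named 'server' to '13.68.138.206' for Azure DNS zone 'vanbrackel.net'."
time="2018-06-14T00:02:13Z" level=info msg="Updating TXT record named 'server' to '\"heritage=external-dns,external-dns/owner=default,external-dns/resource=ingress/default/nginx\"' for Azure DNS zone 'vanbrackel.net'."
time="2018-06-14T00:09:12Z" level=info msg="Updating A record named 'api' to '10.0.0.9' for Azure DNS zone 'vanbrackel.net'."
time="2018-06-14T00:09:13Z" level=info msg="Updating TXT record named 'api' to '\"heritage=external-dns,external-dns/owner=staging,external-dns/resource=ingress/default/api\"' for Azure DNS zone 'vanbrackel.net'."
'''.strip().splitlines()


def parse_line(line):
    """Split one logfmt line into time/level/msg, undoing the \" quoting inside msg."""
    m = LOGFMT.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["msg"] = rec["msg"].replace('\\"', '"')
    return rec


def parse_heritage(txt_target):
    """Turn the ownership TXT payload ("heritage=external-dns,external-dns/owner=...") into a dict."""
    fields = {}
    for part in txt_target.strip('"').split(","):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def record_changes(lines):
    """Return one dict per 'Updating ... record' event: time, type, name, target, zone."""
    changes = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        u = UPDATE.match(rec["msg"])
        if u is None:
            continue  # debug chatter such as "Retrieving Azure DNS zones." is not a change
        changes.append({"time": rec["time"], **u.groupdict()})
    return changes


def audit(lines, expected_owner, allowed_names):
    """Alert on record writes outside the allow-list and on TXT ownership records
    whose owner ID differs from the one this ExternalDNS instance was configured with."""
    alerts = []
    for c in record_changes(lines):
        fqdn = f"{c['name']}.{c['zone']}"
        if c["type"] == "TXT":
            owner = parse_heritage(c["target"]).get("external-dns/owner")
            if owner != expected_owner:
                alerts.append(f"{c['time']}: TXT ownership of {fqdn} written by owner '{owner}' "
                              f"(expected '{expected_owner}')")
        elif c["name"] not in allowed_names:
            alerts.append(f"{c['time']}: {c['type']} record {fqdn} -> {c['target']} is not in the allow-list")
    return alerts


if __name__ == "__main__":
    for change in record_changes(SAMPLE_LOG):
        print(change)
    for alert in audit(SAMPLE_LOG, expected_owner="default", allowed_names={"server"}):
        print("ALERT", alert)
```

Feed it `kubectl logs` output of the external-dns pod; the owner check is the one to keep, since a mismatched owner ID means two controllers are fighting over (and will keep rewriting) the same records.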

You can find out more in the ExternalDNS repo:

https://github.com/kubernetes- ... l-dns
