The main artefact of this project is the DNS controller manager for managing DNS records, also nicknamed as the Gardener "DNS Controller".
It contains provisioning controllers for creating DNS records in one of the DNS cloud services
and source controllers for services and ingresses to create DNS entries by annotations.
The configuration for the external DNS service is specified in a custom resource DNSProvider
.
Multiple DNSProvider
can be used simultaneously and changed without restarting the DNS controller.
DNS records are either created directly for a corresponding custom resource DNSEntry
or by
annotating a service or ingress.
For a detailed explanation of the model, see section The Model.
For extending or adapting this project with your own source or provisioning controllers, see section Extensions
To install the DNS controller manager in your Kubernetes cluster, follow these steps.
Prerequisites
Check out or download the project to get a copy of the Helm charts. It is recommended to check out the tag of the last release, so that Helm values reference the newest released container image for the deployment.
Make sure, that you have installed Helm client (helm
) locally. See e.g. Helm installation for more details.
Install the DNS controller manager
As multiple Gardener DNS controllers can act on the same DNS Hosted Zone concurrently, each instance needs an owner identifier. Therefore choose an identifier sufficiently unique across these instances.
Then install the DNS controller manager with
helm install dns-controller charts/external-dns-management --namespace=<my-namespace> --set configuration.identifier=<my-identifier>
This will use the default configuration with all source and provisioning controllers enabled.
The complete set of configuration variables can be found in charts/external-dns-management/values.yaml
.
Their meaning is explained by their corresponding command line options in section
Using the DNS controller manager
By default, the DNS controller looks for custom resources in all namespaces. The choosen namespace is only relevant for the deployment itself.
You may need to install VerticalPodAutoscaler CRDs
or set vpa.enabled=false
to disable VPA.
Create a DNSProvider
To specify a DNS provider, you need to create a custom resource DNSProvider
and a secret containing the
credentials for your account at the provider. E.g. if you want to use AWS Route53, create a secret and
provider with
cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
name: aws-credentials
namespace: default
type: Opaque
data:
# replace '...' with values encoded as base64
# see https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html
AWS_ACCESS_KEY_ID: ...
AWS_SECRET_ACCESS_KEY: ...
# or if the chain of credential providers should be used:
#AWS_USE_CREDENTIALS_CHAIN: dHJ1ZQ==
EOF
and
cat << EOF | kubectl apply -f -
apiVersion: dns.gardener.cloud/v1alpha1
kind: DNSProvider
metadata:
name: aws
namespace: default
spec:
type: aws-route53
secretRef:
name: aws-credentials
domains:
include:
# this must be replaced with a (sub)domain of the hosted zone
- my.own.domain.com
EOF
Check the successful creation with
kubectl get dnspr
You should see something like
NAME TYPE STATUS AGE
aws aws-route53 Ready 12s
Create a DNSEntry
Create an DNS entry with
cat << EOF | kubectl apply -f -
apiVersion: dns.gardener.cloud/v1alpha1
kind: DNSEntry
metadata:
name: mydnsentry
namespace: default
spec:
dnsName: "myentry.my-own-domain.com"
ttl: 600
targets:
- 1.2.3.4
EOF
Check the status of the DNS entry with
kubectl get dnsentry
You should see something like
NAME DNS TYPE PROVIDER STATUS AGE
mydnsentry myentry.my-own-domain.com aws-route53 default/aws Ready 24s
As soon as the status of the entry is Ready
, the provider has accepted the new DNS record.
Depending on the provider and your DNS settings and cache, it may take up to a few minutes before
the domain name can be resolved.
Wait for/check DNS record
To check the DNS resolution, use nslookup
or dig
.
nslookup myentry.my-own-domain.com
or with dig
# or with dig
dig +short myentry.my-own-domain.com
Depending on your network settings, you may get a successful response faster using a public DNS server (e.g. 8.8.8.8, 8.8.4.4, or 1.1.1.1)
dig @8.8.8.8 +short myentry.my-own-domain.com
For more examples about the custom resources and the annotations for services and ingresses
see the examples directory and translation of DNSEntries
examples
Using the source controllers, it is also possible to create DNS entries for services (of type LoadBalancer
)
and ingresses automatically. The resources only need to be annotated with some special values.
In this case ensure that the source controllers are enabled on startup of the DNS controller manager, i.e. the
value of the command line option --controllers
must contain dnscontrollers
or equal to all
.
The DNS source controllers watch resources on the default cluster and create DNS entries on
the target cluster. As there can be multiple controllers active on the same cluster, you may
need to set the correct DNSClass
both for the controller and for the source resource by
setting the annotation dns.gardener.cloud/class
. The default value for the DNSClass
is gardendns
.
Note: If you delegate the DNS management for shoot resources to Gardener via the
shoot-dns-service extension,
the correct annotation is dns.gardener.cloud/class=garden
.
Here is an example for annotating a service (same as examples/50-service-with-dns.yaml
)]:
apiVersion: v1
kind: Service
metadata:
annotations:
dns.gardener.cloud/dnsnames: echo.my-dns-domain.com
dns.gardener.cloud/ttl: "500"
# If you are delegating the DNS Management to Gardener, uncomment the following line (see https://gardener.cloud/documentation/guides/administer_shoots/dns_names/)
#dns.gardener.cloud/class: garden
# To temporarily skip reconciliation of created entries
#dns.gardener.cloud/ignore: "true"
name: test-service
namespace: default
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
sessionAffinity: None
type: LoadBalancer
A
DNS records with alias targets for provider type AWS-Route53 and AWS load balancersFor AWS-Route53 and AWS load balancers, A
DNS records with alias target are created instead of CNAME
as an optimisation.
To support dual-stack IP addresses in this case, set one of these annotations:
service.beta.kubernetes.io/aws-load-balancer-ip-address-type=dualstack
(services only)dns.gardener.cloud/ip-stack=dual-stack
(ingresses, services or dnsentries)In this case, both A
and AAAA
records with alias target records are created.
With annotation dns.gardener.cloud/ip-stack=ipv6
, only an AAAA
record with alias target is created.
There are source controllers for Gateways
from Istio or the new Kubernetes Gateway API.
By annotating the Gateway
resource with the dns.gardener.cloud/dnsnames
annotation, DNS entries are managed automatically for the hosts.
For Istio, gateways for API versions networking.istio.io/v1
, networking.istio.io/v1beta1
, and networking.istio.io/v1alpha3
are supported.
To enable automatic management of DNSEntries
, annotate the Istio Gateway
resource with dns.gardener.cloud/dnsnames="*"
.
The domain names are extracted from the spec.servers.hosts
field and from the field spec.hosts
of related VirtualService
resources.
The determination of the DNSEntry
targets, typically the IP addresses or hostnames of the load balancer, follows these steps:
dns.gardener.cloud/targets
annotation is provided, its value is used.
This value is expected to be a comma-separated list of the load balancer's IP addresses or hostnames.dns.gardener.cloud/ingress
annotation is set, the IP addresses or hostnames are derived from the status
of the Ingress
resource. This resource is identified by its name, which can be in the format <namespace>/<name>
or simply <name>
.
In the latter case, the Gateway resource's namespace is assumed.spec.selector
field in Istio matches
a Service
resource of type LoadBalancer
. In this case, the targets are obtained from the service load balancer's status.apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
annotations:
dns.gardener.cloud/dnsnames: '*'
#dns.gardener.cloud/ttl: "500"
# If you are delegating the DNS Management to Gardener, uncomment the following line (see https://gardener.cloud/documentation/guides/administer_shoots/dns_names/)
#dns.gardener.cloud/class: garden
# To temporarily skip reconciliation of created entries
#dns.gardener.cloud/ignore: "true"
name: my-gateway
namespace: default
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- uk.example.com
- eu.example.com
port:
name: http
number: 80
protocol: HTTP
tls:
httpsRedirect: true
- hosts:
- uk.example.com
- eu.example.com
port:
name: https-443
number: 443
protocol: HTTPS
tls:
mode: SIMPLE
privateKey: /etc/certs/privatekey.pem
serverCertificate: /etc/certs/servercert.pem
- hosts:
- bookinfo-namespace/*.example.com
port:
name: https-9443
number: 9443
protocol: HTTPS
tls:
credentialName: my-secret
mode: SIMPLE
In this case, three DNSEntries
woudl be created with domain names uk.example.com
, eu.example.com
, and *.example.com
.
As neither dns.gardener.cloud/targets
or dns.gardener.cloud/ingress
annotation is provided, the targets need to
come from the load balancer status of a Service
resource with the label selector istio=ingressgateway
.
Note: Alternatively in this concrete example, you could annotate the Service
resource with `dns.gardener.cloud/dnsnames=".example.com"`,
if the domain names are static.*
See the Istio tutorial for a more detailed example.
The Gateway API version gateway.networking.k8s.io/v1
and gateway.networking.k8s.io/v1alpha2
are supported.
To enable automatic management of DNSEntries
, annotate the Gateway API Gateway
resource with dns.gardener.cloud/dnsnames="*"
.
The domain names are extracted from the spec.listeners.hostnames
field and from the field spec.hostnames
of related HTTPRoute
resources.
The targets of the DNSEntry
are extracted from the status.addresses
field.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
annotations:
dns.gardener.cloud/dnsnames: '*'
#dns.gardener.cloud/ttl: "500"
# If you are delegating the DNS Management to Gardener, uncomment the following line (see https://gardener.cloud/documentation/guides/administer_shoots/dns_names/)
#dns.gardener.cloud/class: garden
# To temporarily skip reconciliation of created entries
#dns.gardener.cloud/ignore: "true"
name: my-gateway
namespace: default
spec:
gatewayClassName: my-gateway-class
listeners:
- allowedRoutes:
namespaces:
from: Selector
selector:
matchLabels:
shared-gateway-access: "true"
hostname: foo.example.com
name: https
port: 443
protocol: HTTPS
tls: ...
status:
addresses:
- type: IPAddress
value: 1.2.3.4
In this case, a single DNSEntry
with domain name foo.example.com
and target IP 1.2.3.4
would be created.
See the Gateway API tutorial for a more detailed example.
This project provides a flexible model allowing to add DNS source objects and DNS provisioning environments by adding new independent controllers.
There is no single DNS controller anymore. The decoupling between the
handling of DNS source objects, like ingresses or services, and the
provisioning of DNS entries in an external DNS provider like
Route53 or CloudDNS is achieved by introducing a new custom resource
DNSEntry
.
These objects can either be explicitly created to request dedicated DNS
entries, or they are managed based on other resources like ingresses or
services. For the latter dedicated DNS Source Controllers are used.
There might be any number of such source controllers. They do not need to know
anything about the various DNS environments. Their task is to figure out which
DNS entries are required in their realm and manage appropriate DNSEntry
objects. From these objects they can also read the provisioning status and
report it back to the original source.
Provisioning of DNS entries in external DNS providers is done by
DNS Provisioning Controllers. They don't need to know anything about the
various DNS source objects. They watch DNSEntry
objects and check whether
they are responsible for such an object. If a provisioning controller feels
responsible for an entry it manages the corresponding settings in the
external DNS environment and reports the provisioning status back to the
corresponding DNSEntry
object.
To do this a provisioning controller is responsible for a dedicated
environment (for example Route53). For every such environment the controller
uses a dedicated type key. This key is used to look for DNSProvider
objects.
There might be multiple such objects per environment, specifying the
credentials needed to access different external accounts. These accounts are then
scanned for DNS zones and domain names they support.
This information is then used to dynamically assign DNSEntry
objects to
dedicated DNSProvider
objects. If such an assignment can be done by
a provisioning controller then it is responsible for this entry and manages
the corresponding entries in the external environment.
DNSProvider
objects can specify explicit inclusion and exclusion sets of domain names
and/or DNS zone identifiers to override the scanning results of the account.
Every DNS Provisioning Controller is responsible for a set of Owner Identifiers.
DNS records in an external DNS environment are attached to such an identifier.
This is used to identify the records in the DNS environment managed by a dedicated
controller (manager). Every controller manager hosting DNS Provisioning Controllers
offers an option to specify a default identifier. Additionally there might
be dedicated DNSOwner
objects that enable or disable additional owner ids.
Every DNSEntry
object may specify a dedicated owner that is used to tag
the records in the DNS environment. A DNS provisioning controller only acts
of DNS entries it is responsible for. Other resources in the external DNS
environment are not touched at all.
This way it is possbible to
If multiple DNS controller instances have access to the same DNS zones, it is very important, that every instance uses a unique owner identifier! Otherwise the cleanup of stale DNS record will delete entries created by another instance if they use the same identifier.
Multiple sets of controllers of the DNS ecosystem can run in parallel in a kubernetes cluster working on different object set. They are separated by using different DNS Classes. Adding a DNS class annotation to an object of the DNS ecosytems assigns this object to such a dedicated set of DNS controllers. This way it is possible to maintain clearly separated set of DNS objects in a single kubernetes cluster.
DNS source controllers support the creation of DNS entries for potentially any kind of resource originally not equipped to describe the generation of DNS entries. This is done by additionally annotations. Nevertheless it might be the case, that those objects are again the result of a generation process, ether by predefined helm starts or by other higher level controllers. It is not necessarily possible to influence those generation steps to additionally generate the deired DNS annotations.
The typical mechanis in Kubernetes to handle this is to provide mutating webhooks that enrich the generated objects accordingly. But this mechanism is basically not intended to support dedicated settings for dedicated instances. At least it is very strenous to provide web hooks for every such usecase.
Therefore the DNS ecosystem provided by this project supports an additional
extension mechanism to annotate any kind of object with additional annotations
by supported a dedicated resource, the DNSAnnotation
.
The handling of this resource is done by a dedicated controller, the annotation
controller. It caches the annotation settings declared by those objects and
makes them accessible for the DNS source controllers.
The DNS source controller responsible for a dedicated kind of resource
(for example Service reads the object analyses the annotations and then decides
what to do with it. Most of the flow is handled by a central library, only
some dedicated resource dependent steps are implemented separately by a
dedicated source controller. The DNSAnnotation
resource slightly extends this
flow: After reading the object the library additionally checks for the existence
of a DNSAnnotation
setting for this object by querying the annotation
controller's cache. If found, it adds annotations declared there to the original
object prior to the next processing steps.
This way, for example whenver a Service
without
any DNS related annotation is handled by the controller and it finds a matching
DNSAnnotation
setting, the set of actual annotations is enriched accordingly
before the actual processing of the service object is done by the controller.
This DNSAnnotation
object can be created before or even after the object to
be annotated and will implicity cause a reprocessing of the original object by
its DNS source controller.
For example, the following object enforces a DNS related annotation for the
processing of the service object testapp/default
by the service DNS source
controller:
apiVersion: dns.gardener.cloud/v1alpha1
kind: DNSAnnotation
metadata:
name: testapp
spec:
resourceRef:
kind: Service
apiVersion: v1
name: testapp
annotations:
dns.gardener.cloud/dnsnames: testapp.dns.gardener.cloud
dns.gardener.cloud/ttl: "500"
The controllers to run can be selected with the --controllers
option.
Here the following controller groups can be used:
dnssources
: all DNS Source Controllers. It includes the conrollers
ingress-dns
: handle DNS annotations for the standard kubernetes ingress resourceservice-dns
: handle DNS annotations for the standard kubernetes service resourcednscontrollers
: all DNS Provisioning Controllers. It includes the controllers
compound
: common DNS provisioning controllerall
: (default) all controllers
It is also possible to list dedicated controllers by their name.
To restrict the compound DNS provisioning controller to specific provider types,
use the --provider-types
option.
The following provider types can be selected (comma separated):
alicloud-dns
: Alicloud DNS provideraws-route53
: AWS Route 53 providerazure-dns
: Azure DNS providergoogle-clouddns
: Google CloudDNS provideropenstack-designate
: Openstack Designate providercloudflare-dns
: Cloudflare DNS providerinfoblox-dns
: Infoblox DNS providernetlify-dns
: Netlify DNS providerremote
: Remote DNS provider (a dns-controller-manager with enabled remote access service)powerdns
: PowerDNS providerIf the compound DNS Provisioning Controller is enabled it is important to specify a
unique controller identity using the --identifier
option.
This identifier is stored in the DNS system to identify the DNS entries
managed by a dedicated controller. There should never be two
DNS controllers with the same identifier running at the same time for the
same DNS domains/accounts.
Here is the complete list of options provided:
Usage:
dns-controller-manager [flags]
Flags:
--accepted-maintainers string accepted maintainer key(s) for crds
--advanced.batch-size int batch size for change requests (currently only used for aws-route53)
--advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53)
--alicloud-dns.advanced.batch-size int batch size for change requests (currently only used for aws-route53)
--alicloud-dns.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53)
--alicloud-dns.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing.
--alicloud-dns.ratelimiter.burst int number of burst requests for rate limiter
--alicloud-dns.ratelimiter.enabled enables rate limiter for DNS provider requests
--alicloud-dns.ratelimiter.qps int maximum requests/queries per second
--annotation.default.pool.size int Worker pool size for pool default of controller annotation
--annotation.pool.size int Worker pool size of controller annotation
--annotation.setup int number of processors for controller setup of controller annotation
--aws-route53.advanced.batch-size int batch size for change requests (currently only used for aws-route53)
--aws-route53.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53)
--aws-route53.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing.
--aws-route53.ratelimiter.burst int number of burst requests for rate limiter
--aws-route53.ratelimiter.enabled enables rate limiter for DNS provider requests
--aws-route53.ratelimiter.qps int maximum requests/queries per second
--azure-dns.advanced.batch-size int batch size for change requests (currently only used for aws-route53)
--azure-dns.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53)
--azure-dns.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing.
--azure-dns.ratelimiter.burst int number of burst requests for rate limiter
--azure-dns.ratelimiter.enabled enables rate limiter for DNS provider requests
--azure-dns.ratelimiter.qps int maximum requests/queries per second
--azure-private-dns.advanced.batch-size int batch size for change requests (currently only used for aws-route53)
--azure-private-dns.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53)
--azure-private-dns.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing.
--azure-private-dns.ratelimiter.burst int number of burst requests for rate limiter
--azure-private-dns.ratelimiter.enabled enables rate limiter for DNS provider requests
--azure-private-dns.ratelimiter.qps int maximum requests/queries per second
--bind-address-http string HTTP server bind address
--blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing.
--cache-ttl int Time-to-live for provider hosted zone cache
--cloudflare-dns.advanced.batch-size int batch size for change requests (currently only used for aws-route53)
--cloudflare-dns.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53)
--cloudflare-dns.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing.
--cloudflare-dns.ratelimiter.burst int number of burst requests for rate limiter
--cloudflare-dns.ratelimiter.enabled enables rate limiter for DNS provider requests
--cloudflare-dns.ratelimiter.qps int maximum requests/queries per second
--compound.advanced.batch-size int batch size for change requests (currently only used for aws-route53) of controller compound
--compound.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53) of controller compound
--compound.alicloud-dns.advanced.batch-size int batch size for change requests (currently only used for aws-route53) of controller compound
--compound.alicloud-dns.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53) of controller compound
--compound.alicloud-dns.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing. of controller compound
--compound.alicloud-dns.ratelimiter.burst int number of burst requests for rate limiter of controller compound
--compound.alicloud-dns.ratelimiter.enabled enables rate limiter for DNS provider requests of controller compound
--compound.alicloud-dns.ratelimiter.qps int maximum requests/queries per second of controller compound
--compound.aws-route53.advanced.batch-size int batch size for change requests (currently only used for aws-route53) of controller compound
--compound.aws-route53.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53) of controller compound
--compound.aws-route53.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing. of controller compound
--compound.aws-route53.ratelimiter.burst int number of burst requests for rate limiter of controller compound
--compound.aws-route53.ratelimiter.enabled enables rate limiter for DNS provider requests of controller compound
--compound.aws-route53.ratelimiter.qps int maximum requests/queries per second of controller compound
--compound.azure-dns.advanced.batch-size int batch size for change requests (currently only used for aws-route53) of controller compound
--compound.azure-dns.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53) of controller compound
--compound.azure-dns.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing. of controller compound
--compound.azure-dns.ratelimiter.burst int number of burst requests for rate limiter of controller compound
--compound.azure-dns.ratelimiter.enabled enables rate limiter for DNS provider requests of controller compound
--compound.azure-dns.ratelimiter.qps int maximum requests/queries per second of controller compound
--compound.azure-private-dns.advanced.batch-size int batch size for change requests (currently only used for aws-route53) of controller compound
--compound.azure-private-dns.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53) of controller compound
--compound.azure-private-dns.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing. of controller compound
--compound.azure-private-dns.ratelimiter.burst int number of burst requests for rate limiter of controller compound
--compound.azure-private-dns.ratelimiter.enabled enables rate limiter for DNS provider requests of controller compound
--compound.azure-private-dns.ratelimiter.qps int maximum requests/queries per second of controller compound
--compound.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing. of controller compound
--compound.cache-ttl int Time-to-live for provider hosted zone cache of controller compound
--compound.cloudflare-dns.advanced.batch-size int batch size for change requests (currently only used for aws-route53) of controller compound
--compound.cloudflare-dns.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53) of controller compound
--compound.cloudflare-dns.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing. of controller compound
--compound.cloudflare-dns.ratelimiter.burst int number of burst requests for rate limiter of controller compound
--compound.cloudflare-dns.ratelimiter.enabled enables rate limiter for DNS provider requests of controller compound
--compound.cloudflare-dns.ratelimiter.qps int maximum requests/queries per second of controller compound
--compound.default.pool.size int Worker pool size for pool default of controller compound
--compound.disable-dnsname-validation disable validation of domain names according to RFC 1123. of controller compound
--compound.disable-zone-state-caching disable use of cached dns zone state on changes of controller compound
--compound.dns-class string Class identifier used to differentiate responsible controllers for entry resources of controller compound
--compound.dns-delay duration delay between two dns reconciliations of controller compound
--compound.dns.pool.resync-period duration Period for resynchronization for pool dns of controller compound
--compound.dns.pool.size int Worker pool size for pool dns of controller compound
--compound.dry-run just check, don't modify of controller compound
--compound.google-clouddns.advanced.batch-size int batch size for change requests (currently only used for aws-route53) of controller compound
--compound.google-clouddns.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53) of controller compound
--compound.google-clouddns.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing. of controller compound
--compound.google-clouddns.ratelimiter.burst int number of burst requests for rate limiter of controller compound
--compound.google-clouddns.ratelimiter.enabled enables rate limiter for DNS provider requests of controller compound
--compound.google-clouddns.ratelimiter.qps int maximum requests/queries per second of controller compound
--compound.identifier string Identifier used to mark DNS entries in DNS system of controller compound
--compound.infoblox-dns.advanced.batch-size int batch size for change requests (currently only used for aws-route53) of controller compound
--compound.infoblox-dns.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53) of controller compound
--compound.infoblox-dns.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing. of controller compound
--compound.infoblox-dns.ratelimiter.burst int number of burst requests for rate limiter of controller compound
--compound.infoblox-dns.ratelimiter.enabled enables rate limiter for DNS provider requests of controller compound
--compound.infoblox-dns.ratelimiter.qps int maximum requests/queries per second of controller compound
--compound.lock-status-check-period duration interval for dns lock status checks of controller compound
--compound.netlify-dns.advanced.batch-size int batch size for change requests (currently only used for aws-route53) of controller compound
--compound.netlify-dns.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53) of controller compound
--compound.netlify-dns.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing. of controller compound
--compound.netlify-dns.ratelimiter.burst int number of burst requests for rate limiter of controller compound
--compound.netlify-dns.ratelimiter.enabled enables rate limiter for DNS provider requests of controller compound
--compound.netlify-dns.ratelimiter.qps int maximum requests/queries per second of controller compound
--compound.openstack-designate.advanced.batch-size int batch size for change requests (currently only used for aws-route53) of controller compound
--compound.openstack-designate.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53) of controller compound
--compound.openstack-designate.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing. of controller compound
--compound.openstack-designate.ratelimiter.burst int number of burst requests for rate limiter of controller compound
--compound.openstack-designate.ratelimiter.enabled enables rate limiter for DNS provider requests of controller compound
--compound.openstack-designate.ratelimiter.qps int maximum requests/queries per second of controller compound
--compound.ownerids.pool.size int Worker pool size for pool ownerids of controller compound
--compound.pool.resync-period duration Period for resynchronization of controller compound
--compound.pool.size int Worker pool size of controller compound
--compound.provider-types string comma separated list of provider types to enable of controller compound
--compound.providers.pool.resync-period duration Period for resynchronization for pool providers of controller compound
--compound.providers.pool.size int Worker pool size for pool providers of controller compound
--compound.ratelimiter.burst int number of burst requests for rate limiter of controller compound
--compound.ratelimiter.enabled enables rate limiter for DNS provider requests of controller compound
--compound.ratelimiter.qps int maximum requests/queries per second of controller compound
--compound.remote-access-cacert string CA who signed client certs file of controller compound
--compound.remote-access-client-id string identifier used for remote access of controller compound
--compound.remote-access-port int port of remote access server for remote-enabled providers of controller compound
--compound.remote-access-server-secret-name string name of secret containing remote access server's certificate of controller compound
--compound.remote.advanced.batch-size int batch size for change requests (currently only used for aws-route53) of controller compound
--compound.remote.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53) of controller compound
--compound.remote.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing. of controller compound
--compound.remote.ratelimiter.burst int number of burst requests for rate limiter of controller compound
--compound.remote.ratelimiter.enabled enables rate limiter for DNS provider requests of controller compound
--compound.remote.ratelimiter.qps int maximum requests/queries per second of controller compound
--compound.reschedule-delay duration reschedule delay after losing provider of controller compound
--compound.rfc2136.advanced.batch-size int batch size for change requests (currently only used for aws-route53) of controller compound
--compound.rfc2136.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53) of controller compound
--compound.rfc2136.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing. of controller compound
--compound.rfc2136.ratelimiter.burst int number of burst requests for rate limiter of controller compound
--compound.rfc2136.ratelimiter.enabled enables rate limiter for DNS provider requests of controller compound
--compound.rfc2136.ratelimiter.qps int maximum requests/queries per second of controller compound
--compound.secrets.pool.size int Worker pool size for pool secrets of controller compound
--compound.setup int number of processors for controller setup of controller compound
--compound.statistic.pool.size int Worker pool size for pool statistic of controller compound
--compound.ttl int Default time-to-live for DNS entries. Defines how long the record is kept in cache by DNS servers or resolvers. of controller compound
--compound.zonepolicies.pool.size int Worker pool size for pool zonepolicies of controller compound
--config string config file
-c, --controllers string comma separated list of controllers to start (<name>,<group>,all)
--cpuprofile string set file for cpu profiling
--default.pool.resync-period duration Period for resynchronization for pool default
--default.pool.size int Worker pool size for pool default
--disable-dnsname-validation disable validation of domain names according to RFC 1123.
--disable-namespace-restriction disable access restriction for namespace local access only
--disable-zone-state-caching disable use of cached dns zone state on changes
--dns-class string identifier used to differentiate responsible controllers for providers, identifier used to differentiate responsible controllers for entries, Class identifier used to differentiate responsible controllers for entry resources
--dns-delay duration delay between two dns reconciliations
--dns-target-class string identifier used to differentiate responsible dns controllers for target providers, identifier used to differentiate responsible dns controllers for target entries
--dns.pool.resync-period duration Period for resynchronization for pool dns
--dns.pool.size int Worker pool size for pool dns
--dnsentry-source.default.pool.resync-period duration Period for resynchronization for pool default of controller dnsentry-source
--dnsentry-source.default.pool.size int Worker pool size for pool default of controller dnsentry-source
--dnsentry-source.dns-class string identifier used to differentiate responsible controllers for entries of controller dnsentry-source
--dnsentry-source.dns-target-class string identifier used to differentiate responsible dns controllers for target entries of controller dnsentry-source
--dnsentry-source.exclude-domains stringArray excluded domains of controller dnsentry-source
--dnsentry-source.key string selecting key for annotation of controller dnsentry-source
--dnsentry-source.pool.resync-period duration Period for resynchronization of controller dnsentry-source
--dnsentry-source.pool.size int Worker pool size of controller dnsentry-source
--dnsentry-source.target-creator-label-name string label name to store the creator for generated DNS entries of controller dnsentry-source
--dnsentry-source.target-creator-label-value string label value for creator label of controller dnsentry-source
--dnsentry-source.target-name-prefix string name prefix in target namespace for cross cluster generation of controller dnsentry-source
--dnsentry-source.target-namespace string target namespace for cross cluster generation of controller dnsentry-source
--dnsentry-source.target-owner-id string owner id to use for generated DNS entries of controller dnsentry-source
--dnsentry-source.target-owner-object string owner object to use for generated DNS entries of controller dnsentry-source
--dnsentry-source.target-realms string realm(s) to use for generated DNS entries of controller dnsentry-source
--dnsentry-source.target-set-ignore-owners mark generated DNS entries to omit owner based access control of controller dnsentry-source
--dnsentry-source.targets.pool.size int Worker pool size for pool targets of controller dnsentry-source
--dnsprovider-replication.default.pool.resync-period duration Period for resynchronization for pool default of controller dnsprovider-replication
--dnsprovider-replication.default.pool.size int Worker pool size for pool default of controller dnsprovider-replication
--dnsprovider-replication.dns-class string identifier used to differentiate responsible controllers for providers of controller dnsprovider-replication
--dnsprovider-replication.dns-target-class string identifier used to differentiate responsible dns controllers for target providers of controller dnsprovider-replication
--dnsprovider-replication.pool.resync-period duration Period for resynchronization of controller dnsprovider-replication
--dnsprovider-replication.pool.size int Worker pool size of controller dnsprovider-replication
--dnsprovider-replication.target-creator-label-name string label name to store the creator for replicated DNS providers of controller dnsprovider-replication
--dnsprovider-replication.target-creator-label-value string label value for creator label of controller dnsprovider-replication
--dnsprovider-replication.target-name-prefix string name prefix in target namespace for cross cluster replication of controller dnsprovider-replication
--dnsprovider-replication.target-namespace string target namespace for cross cluster generation of controller dnsprovider-replication
--dnsprovider-replication.target-realms string realm(s) to use for replicated DNS provider of controller dnsprovider-replication
--dnsprovider-replication.targets.pool.size int Worker pool size for pool targets of controller dnsprovider-replication
--dry-run just check, don't modify
--enable-profiling enables profiling server at path /debug/pprof (needs option --server-port-http)
--exclude-domains stringArray excluded domains
--force-crd-update enforce update of crds even they are unmanaged
--google-clouddns.advanced.batch-size int batch size for change requests (currently only used for aws-route53)
--google-clouddns.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53)
--google-clouddns.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing.
--google-clouddns.ratelimiter.burst int number of burst requests for rate limiter
--google-clouddns.ratelimiter.enabled enables rate limiter for DNS provider requests
--google-clouddns.ratelimiter.qps int maximum requests/queries per second
--grace-period duration inactivity grace period for detecting end of cleanup for shutdown
-h, --help help for dns-controller-manager
--httproutes.pool.size int Worker pool size for pool httproutes
--identifier string Identifier used to mark DNS entries in DNS system
--infoblox-dns.advanced.batch-size int batch size for change requests (currently only used for aws-route53)
--infoblox-dns.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53)
--infoblox-dns.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing.
--infoblox-dns.ratelimiter.burst int number of burst requests for rate limiter
--infoblox-dns.ratelimiter.enabled enables rate limiter for DNS provider requests
--infoblox-dns.ratelimiter.qps int maximum requests/queries per second
--ingress-dns.default.pool.resync-period duration Period for resynchronization for pool default of controller ingress-dns
--ingress-dns.default.pool.size int Worker pool size for pool default of controller ingress-dns
--ingress-dns.dns-class string identifier used to differentiate responsible controllers for entries of controller ingress-dns
--ingress-dns.dns-target-class string identifier used to differentiate responsible dns controllers for target entries of controller ingress-dns
--ingress-dns.exclude-domains stringArray excluded domains of controller ingress-dns
--ingress-dns.key string selecting key for annotation of controller ingress-dns
--ingress-dns.pool.resync-period duration Period for resynchronization of controller ingress-dns
--ingress-dns.pool.size int Worker pool size of controller ingress-dns
--ingress-dns.target-creator-label-name string label name to store the creator for generated DNS entries of controller ingress-dns
--ingress-dns.target-creator-label-value string label value for creator label of controller ingress-dns
--ingress-dns.target-name-prefix string name prefix in target namespace for cross cluster generation of controller ingress-dns
--ingress-dns.target-namespace string target namespace for cross cluster generation of controller ingress-dns
--ingress-dns.target-owner-id string owner id to use for generated DNS entries of controller ingress-dns
--ingress-dns.target-owner-object string owner object to use for generated DNS entries of controller ingress-dns
--ingress-dns.target-realms string realm(s) to use for generated DNS entries of controller ingress-dns
--ingress-dns.target-set-ignore-owners mark generated DNS entries to omit owner based access control of controller ingress-dns
--ingress-dns.targets.pool.size int Worker pool size for pool targets of controller ingress-dns
--istio-gateways-dns.default.pool.resync-period duration Period for resynchronization for pool default of controller istio-gateways-dns
--istio-gateways-dns.default.pool.size int Worker pool size for pool default of controller istio-gateways-dns
--istio-gateways-dns.dns-class string identifier used to differentiate responsible controllers for entries of controller istio-gateways-dns
--istio-gateways-dns.dns-target-class string identifier used to differentiate responsible dns controllers for target entries of controller istio-gateways-dns
--istio-gateways-dns.exclude-domains stringArray excluded domains of controller istio-gateways-dns
--istio-gateways-dns.key string selecting key for annotation of controller istio-gateways-dns
--istio-gateways-dns.pool.resync-period duration Period for resynchronization of controller istio-gateways-dns
--istio-gateways-dns.pool.size int Worker pool size of controller istio-gateways-dns
--istio-gateways-dns.target-creator-label-name string label name to store the creator for generated DNS entries of controller istio-gateways-dns
--istio-gateways-dns.target-creator-label-value string label value for creator label of controller istio-gateways-dns
--istio-gateways-dns.target-name-prefix string name prefix in target namespace for cross cluster generation of controller istio-gateways-dns
--istio-gateways-dns.target-namespace string target namespace for cross cluster generation of controller istio-gateways-dns
--istio-gateways-dns.target-owner-id string owner id to use for generated DNS entries of controller istio-gateways-dns
--istio-gateways-dns.target-owner-object string owner object to use for generated DNS entries of controller istio-gateways-dns
--istio-gateways-dns.target-realms string realm(s) to use for generated DNS entries of controller istio-gateways-dns
--istio-gateways-dns.target-set-ignore-owners mark generated DNS entries to omit owner based access control of controller istio-gateways-dns
--istio-gateways-dns.targets.pool.size int Worker pool size for pool targets of controller istio-gateways-dns
--istio-gateways-dns.targetsources.pool.size int Worker pool size for pool targetsources of controller istio-gateways-dns
--istio-gateways-dns.virtualservices.pool.size int Worker pool size for pool virtualservices of controller istio-gateways-dns
--k8s-gateways-dns.default.pool.resync-period duration Period for resynchronization for pool default of controller k8s-gateways-dns
--k8s-gateways-dns.default.pool.size int Worker pool size for pool default of controller k8s-gateways-dns
--k8s-gateways-dns.dns-class string identifier used to differentiate responsible controllers for entries of controller k8s-gateways-dns
--k8s-gateways-dns.dns-target-class string identifier used to differentiate responsible dns controllers for target entries of controller k8s-gateways-dns
--k8s-gateways-dns.exclude-domains stringArray excluded domains of controller k8s-gateways-dns
--k8s-gateways-dns.httproutes.pool.size int Worker pool size for pool httproutes of controller k8s-gateways-dns
--k8s-gateways-dns.key string selecting key for annotation of controller k8s-gateways-dns
--k8s-gateways-dns.pool.resync-period duration Period for resynchronization of controller k8s-gateways-dns
--k8s-gateways-dns.pool.size int Worker pool size of controller k8s-gateways-dns
--k8s-gateways-dns.target-creator-label-name string label name to store the creator for generated DNS entries of controller k8s-gateways-dns
--k8s-gateways-dns.target-creator-label-value string label value for creator label of controller k8s-gateways-dns
--k8s-gateways-dns.target-name-prefix string name prefix in target namespace for cross cluster generation of controller k8s-gateways-dns
--k8s-gateways-dns.target-namespace string target namespace for cross cluster generation of controller k8s-gateways-dns
--k8s-gateways-dns.target-owner-id string owner id to use for generated DNS entries of controller k8s-gateways-dns
--k8s-gateways-dns.target-owner-object string owner object to use for generated DNS entries of controller k8s-gateways-dns
--k8s-gateways-dns.target-realms string realm(s) to use for generated DNS entries of controller k8s-gateways-dns
--k8s-gateways-dns.target-set-ignore-owners mark generated DNS entries to omit owner based access control of controller k8s-gateways-dns
--k8s-gateways-dns.targets.pool.size int Worker pool size for pool targets of controller k8s-gateways-dns
--key string selecting key for annotation
--kubeconfig string default cluster access
--kubeconfig.disable-deploy-crds disable deployment of required crds for cluster default
--kubeconfig.id string id for cluster default
--kubeconfig.migration-ids string migration id for cluster default
--lease-duration duration lease duration
--lease-name string name for lease object
--lease-renew-deadline duration lease renew deadline
--lease-resource-lock string determines which resource lock to use for leader election, defaults to 'leases'
--lease-retry-period duration lease retry period
--lock-status-check-period duration interval for dns lock status checks
-D, --log-level string logrus log level
--maintainer string maintainer key for crds (default "dns-controller-manager")
--name string name used for controller manager (default "dns-controller-manager")
--namespace string namespace for lease (default "kube-system")
-n, --namespace-local-access-only enable access restriction for namespace local access only (deprecated)
--netlify-dns.advanced.batch-size int batch size for change requests (currently only used for aws-route53)
--netlify-dns.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53)
--netlify-dns.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing.
--netlify-dns.ratelimiter.burst int number of burst requests for rate limiter
--netlify-dns.ratelimiter.enabled enables rate limiter for DNS provider requests
--netlify-dns.ratelimiter.qps int maximum requests/queries per second
--omit-lease omit lease for development
--openstack-designate.advanced.batch-size int batch size for change requests (currently only used for aws-route53)
--openstack-designate.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53)
--openstack-designate.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing.
--openstack-designate.ratelimiter.burst int number of burst requests for rate limiter
--openstack-designate.ratelimiter.enabled enables rate limiter for DNS provider requests
--openstack-designate.ratelimiter.qps int maximum requests/queries per second
--ownerids.pool.size int Worker pool size for pool ownerids
--plugin-file string directory containing go plugins
--pool.resync-period duration Period for resynchronization
--pool.size int Worker pool size
--provider-types string comma separated list of provider types to enable
--providers string cluster to look for provider objects
--providers.disable-deploy-crds disable deployment of required crds for cluster provider
--providers.id string id for cluster provider
--providers.migration-ids string migration id for cluster provider
--providers.pool.resync-period duration Period for resynchronization for pool providers
--providers.pool.size int Worker pool size for pool providers
--ratelimiter.burst int number of burst requests for rate limiter
--ratelimiter.enabled enables rate limiter for DNS provider requests
--ratelimiter.qps int maximum requests/queries per second
--remote-access-cacert string filename for certificate of client CA, CA who signed client certs file
--remote-access-cakey string filename for private key of client CA
--remote-access-client-id string identifier used for remote access
--remote-access-port int port of remote access server for remote-enabled providers
--remote-access-server-secret-name string name of secret containing remote access server's certificate
--remote.advanced.batch-size int batch size for change requests (currently only used for aws-route53)
--remote.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53)
--remote.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing.
--remote.ratelimiter.burst int number of burst requests for rate limiter
--remote.ratelimiter.enabled enables rate limiter for DNS provider requests
--remote.ratelimiter.qps int maximum requests/queries per second
--remoteaccesscertificates.default.pool.size int Worker pool size for pool default of controller remoteaccesscertificates
--remoteaccesscertificates.pool.size int Worker pool size of controller remoteaccesscertificates
--remoteaccesscertificates.remote-access-cacert string filename for certificate of client CA of controller remoteaccesscertificates
--remoteaccesscertificates.remote-access-cakey string filename for private key of client CA of controller remoteaccesscertificates
--reschedule-delay duration reschedule delay after losing provider
--rfc2136.advanced.batch-size int batch size for change requests (currently only used for aws-route53)
--rfc2136.advanced.max-retries int maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53)
--rfc2136.blocked-zone zone-id Blocks a zone given in the format zone-id from a provider as if the zone is not existing.
--rfc2136.ratelimiter.burst int number of burst requests for rate limiter
--rfc2136.ratelimiter.enabled enables rate limiter for DNS provider requests
--rfc2136.ratelimiter.qps int maximum requests/queries per second
--secrets.pool.size int Worker pool size for pool secrets
--server-port-http int HTTP server port (serving /healthz, /metrics, ...)
--service-dns.default.pool.resync-period duration Period for resynchronization for pool default of controller service-dns
--service-dns.default.pool.size int Worker pool size for pool default of controller service-dns
--service-dns.dns-class string identifier used to differentiate responsible controllers for entries of controller service-dns
--service-dns.dns-target-class string identifier used to differentiate responsible dns controllers for target entries of controller service-dns
--service-dns.exclude-domains stringArray excluded domains of controller service-dns
--service-dns.key string selecting key for annotation of controller service-dns
--service-dns.pool.resync-period duration Period for resynchronization of controller service-dns
--service-dns.pool.size int Worker pool size of controller service-dns
--service-dns.target-creator-label-name string label name to store the creator for generated DNS entries of controller service-dns
--service-dns.target-creator-label-value string label value for creator label of controller service-dns
--service-dns.target-name-prefix string name prefix in target namespace for cross cluster generation of controller service-dns
--service-dns.target-namespace string target namespace for cross cluster generation of controller service-dns
--service-dns.target-owner-id string owner id to use for generated DNS entries of controller service-dns
--service-dns.target-owner-object string owner object to use for generated DNS entries of controller service-dns
--service-dns.target-realms string realm(s) to use for generated DNS entries of controller service-dns
--service-dns.target-set-ignore-owners mark generated DNS entries to omit owner based access control of controller service-dns
--service-dns.targets.pool.size int Worker pool size for pool targets of controller service-dns
--setup int number of processors for controller setup
--statistic.pool.size int Worker pool size for pool statistic
--target string target cluster for dns requests
--target-creator-label-name string label name to store the creator for replicated DNS providers, label name to store the creator for generated DNS entries
--target-creator-label-value string label value for creator label
--target-name-prefix string name prefix in target namespace for cross cluster replication, name prefix in target namespace for cross cluster generation
--target-namespace string target namespace for cross cluster generation
--target-owner-id string owner id to use for generated DNS entries
--target-owner-object string owner object to use for generated DNS entries
--target-realms string realm(s) to use for replicated DNS provider, realm(s) to use for generated DNS entries
--target-set-ignore-owners mark generated DNS entries to omit owner based access control
--target.disable-deploy-crds disable deployment of required crds for cluster target
--target.id string id for cluster target
--target.migration-ids string migration id for cluster target
--targets.pool.size int Worker pool size for pool targets
--targetsources.pool.size int Worker pool size for pool targetsources
--ttl int Default time-to-live for DNS entries. Defines how long the record is kept in cache by DNS servers or resolvers.
-v, --version version for dns-controller-manager
--virtualservices.pool.size int Worker pool size for pool virtualservices
--watch-gateways-crds.default.pool.size int Worker pool size for pool default of controller watch-gateways-crds
--watch-gateways-crds.pool.size int Worker pool size of controller watch-gateways-crds
--zonepolicies.pool.size int Worker pool size for pool zonepolicies
This project can also be used as library to implement own source and provisioning controllers.
Based on the provided source controller library a source controller must
implement the source.DNSSource
interface and
provide an appropriate creator function.
A source controller can be implemented following this example:
package service
import (
"github.com/gardener/controller-manager-library/pkg/resources"
"github.com/gardener/external-dns-management/pkg/dns/source"
)
var _MAIN_RESOURCE = resources.NewGroupKind("core", "Service")
func init() {
source.DNSSourceController(source.NewDNSSouceTypeForExtractor("service-dns", _MAIN_RESOURCE, GetTargets),nil).
FinalizerDomain("dns.gardener.cloud").
MustRegister(source.CONTROLLER_GROUP_DNS_SOURCES)
}
Complete examples can be found in the sub packages of pkg/controller/source
.
Provisioning controllers can be implemented based on the provisioning controller library
in this repository and must implement the
provider.DNSHandlerFactory
interface.
This factory returns implementations of the provider.DNSHandler
interface
that does the effective work for a dedicated set of hosted zones.
These factories can be embedded into a final controller manager (the runnable instance) in several ways:
A provisioning controller can be implemented following this example:
package controller
import (
"github.com/gardener/external-dns-management/pkg/dns/provider"
)
const CONTROLLER_NAME = "route53-dns-controller"
func init() {
provider.DNSController(CONTROLLER_NAME, &Factory{}).
FinalizerDomain("dns.gardener.cloud").
MustRegister(provider.CONTROLLER_GROUP_DNS_CONTROLLERS)
}
This controller can be embedded into a controller manager just by using an anonymous import of the controller package in the main package of a dedicated controller manager.
Complete examples are available in the sub packages of pkg/controller/provider
.
They also show a typical set of implementation structures that help
to structure the implementation of such controllers.
The provider implemented in this project always follow the same structure:
controller
, which contains the embedding of
the factory into a dedicated controllerA provisioning controller based on a Compound Factory can be extended by
a new provider factory by registering this factory at the compound factory.
This could be done, for example, by using the default compound factory provided
in package pkg/controller/provider/compound
as shown
here, where NewHandler
is a function creating
a dedicated handler for a dedicated provider type:
package aws
import (
"github.com/gardener/external-dns-management/pkg/controller/provider/compound"
"github.com/gardener/external-dns-management/pkg/dns/provider"
)
const TYPE_CODE = "aws-route53"
var Factory = provider.NewDNSHandlerFactory(TYPE_CODE, NewHandler)
func init() {
compound.MustRegister(Factory)
}
The compound factory is then again embedded into a provisioning controller as shown
in the previous section (see the controller
sub package).
One or multiple controller packages can be bundled into a controller manager, by implementing a main package like this:
package main
import (
"github.com/gardener/controller-manager-library/pkg/controllermanager"
_ "github.com/<your controller package>"
...
)
func main() {
controllermanager.Start("my-dns-controller-manager", "dns controller manager", "some description")
}
If the standard Compound Provisioning Controller should be used it is required to additionally add the anonymous imports for the providers intended to be embedded into the compound factory like this:
The controller implementations provided in this project are prepared to work with multiple clusters by using the features of the used controller manager library.
The DNS Source Controllers support two clusters:
target
is used to maintain the DNSEnry
objects.The DNS Provisioning Controllers also support two clusters:
DNSEntry
objects. It is mapped
to the logical cluster target
provider
is used to look to the DNSProvider
objects
and their related secrets.If those controller types should be combined in a single controller manager, it can be configured to support three potential clusters with the source objects, the one for the entry objects and the one with provider objects using cluster mappings.
This is shown in a complete example using the dns source controllers, the compound provisioning controller configured to support all the included DNS provider type factories:
Those clusters can the be separated by registering their names together with command line option names. These can be used to specify different kubeconfig files for those clusters.
By default all logical clusters are mapped to the default physical cluster
specified via --kubeconfig
or default cluster access.
If multiple physical clusters are defined they can be specified by a corresponding cluster option defining the kubeconfig file used to access this cluster. If no such option is specified the default is used.
Therefore, even if the configuration is prepared for multiple clusters, such a controller manager can easily work on a single cluster if no special options are given on the command line.
Some of the reasons are context-specific, i.e. relate to Gardener's highly dynamic requirements.
DNS entries are explicitly specified as custom resources. As an important side effect, each DNS entry provides an own status. Simply by querying the Kubernetes API, a client can check if a requested DNS entry has been successfully added to the DNS backend, or if an update has already been deployed, or if not to reason about the cause. It also opens for easy extensibility, as DNS entries can be created directly via the Kubernetes API. And it simplifies Day 2 operations, e.g. automatic cleanup of unused entries if a DNS provider is deleted.
The Gardener DNS controller uses a custom resource DNSProvider to dynamically manage the backend DNS services. While with external-dns you have to specify the single provider during startup, in the Gardener DNS controller you can add/update/delete providers during runtime with different credentials and/or backends. This is important for a multi-tenant environment as in Gardener, where users can bring their own accounts.
A DNS provider can also restrict its actions on subset of the DNS domains (includes and excludes) for which the credentials are capable to edit.
Each provider can define a separate “owner” identifier, to differentiate DNS entries in the same DNS zone from different providers.
The Gardener DNS controller distinguish three different logical Kubernetes clusters: Source cluster, target cluster and runtime cluster. The source cluster is monitored by the DNS source controllers for annotations on ingress and service resources. These controllers then create DNS entries in the target cluster. DNS entries in the target cluster are then reconciliated/synchronized with the corresponding DNS backend service by the provider controller. The runtime cluster is the cluster the DNS controller runs on. For example, this enables needed flexibility in the Gardener deployment. The DNS controller runs on the seed cluster. This is also the target cluster. DNS providers and entries resources are created in the corresponding namespace of the shoot control plane, while the source cluster is the shoot cluster itself.
Some DNS backend services are restricted on the API calls per second (e.g. the AWS Route 53 API). To manage hundreds of DNS entries it is important to minimize the number of API calls. The Gardener DNS controller heavily makes usage of caches and batch processing for this reason.