External-dns: allow to specify public/private Route53 zone as annotation

Created on 19 Dec 2017 · 11 comments · Source: kubernetes-sigs/external-dns

Hi,

I've got a public and private Route53 zone for the same domain - x.com.

I'd like to create two Ingress specifications with the following rules:

  • create a record y.x.com in a public x.com zone, point it to a public ingress controller ELB
  • create a record y.x.com in a private x.com zone, point it to an internal ingress controller ELB

The general use case is that I've got a whitelisted source range on the public y.x.com ELB (resolves through the public x.com zone), but anyone who's connected through VPN would be allowed to connect to y.x.com through the internal ELB (resolves through the private x.com zone).

Something like external-dns.alpha.kubernetes.io/aws-zone-type.

kind/feature

All 11 comments

As I could make good use of this functionality, I'd like to pick this up.

@ members, what would you suggest here: should this always override the --aws-zone-type flag, or should it respect the flag and, for example, give an error or just ignore the annotation?

@linki can you answer @dzoeteman please?

@dzoeteman Thanks for picking this up.

I think the flag should take precedence: when I start ExternalDNS with --aws-zone-type=private, it shouldn't modify any public zones, even if they would be a good fit or an ingress is annotated with external-dns.alpha.kubernetes.io/aws-zone-type: public.

  • without --aws-zone-type - accept all ingress rules
  • with --aws-zone-type=private - accept all ingress rules without the annotation and those with the private annotation external-dns.alpha.kubernetes.io/aws-zone-type: private
  • with --aws-zone-type=public - accept all ingress rules without the annotation and those with the public annotation external-dns.alpha.kubernetes.io/aws-zone-type: public

@kamsz agree?

@krogon-dp looks promising and solves my issue.

Thanks @linki, @krogon-dp, @kamsz, I'll get on it :)

I've managed to achieve what I've wanted in the OP.

Solution, for future reference, if someone has a similar use case to mine:

Deploy two external-dns pods, one with:

        - --annotation-filter=external-dns.alpha.kubernetes.io/aws-zone-type-private
        - --aws-zone-type=private

and second one with:

        - --annotation-filter=external-dns.alpha.kubernetes.io/aws-zone-type-public
        - --aws-zone-type=public

Then in each Ingress resource add an annotation to mark it as public/private:

    # internal Ingress
    kubernetes.io/ingress.class: "internal-ingress"
    external-dns.alpha.kubernetes.io/aws-zone-type-private: "true"

    # external Ingress
    kubernetes.io/ingress.class: "external-ingress"
    external-dns.alpha.kubernetes.io/aws-zone-type-public: "true"

This solution requires specifying one of the annotations on all Ingress resources, but that's a minor issue.

And here is a documentation for that feature: https://github.com/kubernetes-incubator/external-dns/blob/master/docs/faq.md#running-an-internal-and-external-dns-service

Actually docs contain much better solution than mine. Thanks!
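The two selection rules discussed in this thread, the single-instance precedence rule proposed above (flag wins, annotation only narrows) and the two-pod `--annotation-filter` workaround, written out as an added Go example. This is illustration code, not ExternalDNS's own implementation: the annotation key `external-dns.alpha.kubernetes.io/aws-zone-type`, the `ZoneFilter`/`Instance` types and the function names are assumptions, and `matchesAnnotationFilter` implements only the "key" (exists) and "key=value" subset of the label-selector syntax that `--annotation-filter` accepts. The point worth checking is the least-privilege one: an annotation that anyone who can create an Ingress controls must never widen an instance into a zone type the operator's flag excluded, and under the workaround an Ingress with neither marker annotation gets no record at all.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed annotation key (the one suggested in the issue); not ExternalDNS code.
const zoneTypeAnnotation = "external-dns.alpha.kubernetes.io/aws-zone-type"

// ZoneFilter stands in for the --aws-zone-type flag: "", "public" or "private".
type ZoneFilter string

// acceptSingleInstance is the precedence rule proposed for one ExternalDNS
// instance: the operator's flag always wins, and the annotation can only
// narrow the set of ingresses the instance acts on, never widen it into a zone
// type the flag excluded. Returns whether the ingress is processed and why.
func acceptSingleInstance(flag ZoneFilter, annotations map[string]string) (bool, string) {
	want, present := annotations[zoneTypeAnnotation]
	if !present {
		return true, "no annotation: accepted under any flag value"
	}
	want = strings.ToLower(strings.TrimSpace(want))
	if want != "public" && want != "private" {
		// Fail closed: an unknown value must not silently mean "any zone".
		return false, fmt.Sprintf("unknown annotation value %q: ignored", want)
	}
	if flag == "" {
		return true, fmt.Sprintf("no flag: annotation %q selects the zone type", want)
	}
	if string(flag) != want {
		return false, fmt.Sprintf("flag %q takes precedence over annotation %q: ignored", flag, want)
	}
	return true, fmt.Sprintf("flag and annotation agree on %q", want)
}

// matchesAnnotationFilter evaluates a comma-separated filter against an
// ingress's annotations. Supported terms: "key" (annotation exists) and
// "key=value" (annotation equals value); every term must match.
func matchesAnnotationFilter(filter string, annotations map[string]string) bool {
	for _, term := range strings.Split(filter, ",") {
		term = strings.TrimSpace(term)
		if term == "" {
			continue
		}
		key, value, hasValue := strings.Cut(term, "=")
		got, present := annotations[key]
		if !present || (hasValue && got != value) {
			return false
		}
	}
	return true
}

// Instance is one ExternalDNS pod from the two-pod workaround.
type Instance struct {
	Name             string
	AnnotationFilter string     // value of --annotation-filter
	ZoneType         ZoneFilter // value of --aws-zone-type
}

// instancesFor returns the names of the instances that would process the
// ingress under the workaround. An ingress carrying neither marker annotation
// matches no instance and therefore gets no DNS record, which is the caveat
// the workaround comes with.
func instancesFor(instances []Instance, annotations map[string]string) []string {
	var names []string
	for _, in := range instances {
		if matchesAnnotationFilter(in.AnnotationFilter, annotations) {
			names = append(names, in.Name)
		}
	}
	return names
}

// The two pods from the workaround, as deployed in the thread.
var workaround = []Instance{
	{"external-dns-private", "external-dns.alpha.kubernetes.io/aws-zone-type-private", "private"},
	{"external-dns-public", "external-dns.alpha.kubernetes.io/aws-zone-type-public", "public"},
}

func main() {
	// Constructed sample annotations for three Ingress resources.
	internal := map[string]string{"external-dns.alpha.kubernetes.io/aws-zone-type-private": "true"}
	unmarked := map[string]string{"kubernetes.io/ingress.class": "internal-ingress"}
	fmt.Println(instancesFor(workaround, internal)) // [external-dns-private]
	fmt.Println(instancesFor(workaround, unmarked)) // []  (no record created by either pod)

	// Single-instance rule: a public annotation cannot escape a private-only instance.
	ok, why := acceptSingleInstance("private", map[string]string{zoneTypeAnnotation: "public"})
	fmt.Println(ok, why) // false flag "private" takes precedence over annotation "public": ignored
}
```

The fail-closed branch on an unrecognised annotation value is a deliberate choice: treating "anything else" as "no preference" would let a typo in a tenant's Ingress turn into a record in whichever zone happens to match.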

@krogon-dp @kamsz Do you still agree it would be good to add this functionality in a way where you can run only one ExternalDNS instance (as explained before)?

@dzoeteman ExternalDNS would benefit from this feature for sure.
