This is a Kubernetes service that polls services and ingresses (in all namespaces) that are configured
with the label dns=route53
and adds the appropriate alias to the domain specified by
the annotation domainName=sub.mydomain.io
. Multiple domains and top level domains are also supported:
domainName=.mydomain.io,sub1.mydomain.io,sub2.mydomain.io
The following is an example ReplicationController definition for route53-kubernetes:
Create the ReplicationController via kubectl create -f <name_of_route53-kubernetes-rc.yaml>
Note: We don't currently sign our docker images. So, please use our images at your own risk.
apiVersion: v1
kind: ReplicationController
metadata:
name: route53-kubernetes
namespace: kube-system
labels:
app: route53-kubernetes
spec:
replicas: 1
selector:
app: route53-kubernetes
template:
metadata:
labels:
app: route53-kubernetes
spec:
containers:
- image: quay.io/molecule/route53-kubernetes:v1.3.0
name: route53-kubernetes
env:
- name: INGRESS_SERVICE_SELECTOR
value: ingress=endpoint
- name: DNS_RECORD_TYPE
value: CNAME
- name: DNS_RECORD_TTL
value: 300
This service expects that it's running on a Kubernetes node on AWS and that the IAM profile for that node is set up to allow the following, along with the default permissions needed by Kubernetes:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "route53:ListHostedZonesByName",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:DescribeLoadBalancers",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "route53:ChangeResourceRecordSets",
"Resource": "*"
}
]
}
Service support ingress k8s resources.
Because nginx ingress controller create on service for all ingress resources
we use selector (configurable with INGRESS_SERVICE_SELECTOR
environment variable)
to find valid k8s service.
Default selector: ingress=endpoint
Service support "A" and "CNAME" record types.
By default service create "A" record for each domain record.
To specify default record type use DNS_RECORD_TYPE
environment variable.
Each k8s service \ ingress can override dns record type by annotation.
Service support TTL (in seconds) configuration for dns records.
Default value is 300
seconds.
Default value can be overridden with DNS_RECORD_TTL
environment variable.
You can use annotation dnsRecordType
to provide service \ ingress specific ttl value.
Given the following Kubernetes service definition:
apiVersion: v1
kind: Service
metadata:
name: my-app
labels:
app: my-app
role: web
dns: route53
annotations:
domainName: "test.mydomain.com"
dnsRecordType: "CNAME"
dnsRecordTTL: 600
spec:
selector:
app: my-app
role: web
ports:
- name: web
port: 80
protocol: TCP
targetPort: web
- name: web-ssl
port: 443
protocol: TCP
targetPort: web-ssl
type: LoadBalancer
A "CNAME" record for test.mydomain.com
will be created which points to the ELB that is
configured by kubernetes. This assumes that a hosted zone exists in Route53 for mydomain.com
.
Any record that previously existed for that dns record will be updated.
dnsRecordType
and dnsRecordTTL
annotations are optional.
Given the following Kubernetes ingress definition:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: test-ingress
labels:
dns: route53
annotations:
domainName: "test.mydomain.com"
dnsRecordType: "A"
dnsRecordTTL: 300
spec:
backend:
serviceName: testsvc
servicePort: 80
An "A" record for test.mydomain.com
will be created as an alias to the ELB that is used by
ingress controller service by kubernetes. This assumes that a hosted zone exists in Route53 for mydomain.com.
Any record that previously existed for that dns record will be updated.
dnsRecordType
and dnsRecordTTL
annotations are optional.
This setup shows some alternative ways to configure route53-kubernetes. First, you can specify kubernetes certs manually if you do not have service accounts enabled. Second, access to AWS can be configured through a Shared Credentials File.
apiVersion: v1
kind: ReplicationController
metadata:
name: route53-kubernetes
namespace: kube-system
labels:
app: route53-kubernetes
spec:
replicas: 1
selector:
app: route53-kubernetes
template:
metadata:
labels:
app: route53-kubernetes
spec:
volumes:
- name: ssl-cert
secret:
secretName: kube-ssl
- name: aws-creds
secret:
secretName: aws-creds
containers:
- image: quay.io/molecule/route53-kubernetes:v1.3.0
name: route53-kubernetes
volumeMounts:
- name: ssl-cert
mountPath: /opt/certs
readOnly: true
- name: aws-creds
mountPath: /opt/creds
readOnly: true
env:
- name: "CA_FILE_PATH"
value: "/opt/certs/ca.pem"
- name: "CERT_FILE_PATH"
value: "/opt/certs/cert.pem"
- name: "KEY_FILE_PATH"
value: "/opt/certs/key.pem"
- name: "AWS_SHARED_CREDENTIALS_FILE"
value: "/opt/creds/credentials"
We use glide to manage dependencies. To fetch the dependencies to your local vendor/
folder please run:
glide install -v
You may choose to use Docker images for route53-kubernetes on our Quay namespace or to build the binary, docker image, and push the docker image from scratch. See the Makefile for more information on doing this process manually.