Helm chart updated for ExternalDNS, rfc2136 provider, in order to support GSS-TSIG authentication configuration.

README.md

@@ -106,6 +106,7 @@ Internal k8gb architecture and its components are described [here](/docs/compone
 * [General deployment with Infoblox integration](/docs/deploy_infoblox.md)
 * [AWS based deployment with Route53 integration](/docs/deploy_route53.md)
 * [AWS based deployment with NS1 integration](/docs/deploy_ns1.md)
+* [Azure based deployment with Windows DNS integration](/docs/deploy_windowsdns.md)
 * [Local playground for testing and development](/docs/local.md)
 * [Local playground with Kuar web app](/docs/local-kuar.md)
 * [Metrics](/docs/metrics.md)

chart/k8gb/README.md

@@ -98,8 +98,15 @@ For Kubernetes `< 1.19` use this chart and k8gb in version `0.8.8` or lower.
 | rfc2136.enabled | bool | `false` |  |
 | rfc2136.rfc2136Opts[0].host | string | `"host.k3d.internal"` |  |
 | rfc2136.rfc2136Opts[1].port | int | `1053` |  |
-| rfc2136.rfc2136Opts[2].tsig-secret-alg | string | `"hmac-sha256"` |  |
-| rfc2136.rfc2136Opts[3].tsig-keyname | string | `"externaldns-key"` |  |
+| rfc2136.rfc2136auth.insecure.enabled | bool | `false` | Set to True if insecure updates to the DNS provided can be executed by ExternalDNS |
+| rfc2136.rfc2136auth.tsig.enabled | bool | `false` | Set to True if the DNS server uses TSIG authentication for DNS updates by ExternalDNS |
+| rfc2136.rfc2136auth.tsig.tsigCreds[0].tsig-secret-alg | string | `"hmac-sha256"` | Algorithm used to generate the token for TSIG |
+| rfc2136.rfc2136auth.tsig.tsigCreds[1].tsig-keyname | string | `"externaldns-key"` |  |
+| rfc2136.rfc2136auth.gssTsig.enabled | bool | `false` | Set to True if the DNS server uses GSS-TSIG (Kerberos) authentication for DNS updates by ExternalDNS |
+| rfc2136.rfc2136auth.gssTsig.kerberosConfigMap | string | `"kerberos-configmap"` | When using GSS-TSIG, a ConfigMap with a valid krb5.conf configuration should be provided |
+| rfc2136.rfc2136auth.gssTsig.gssTsigCreds[0].kerberos-username | string | `"ad-user-account"` | AD user account with permissions for DNS updates |
+| rfc2136.rfc2136auth.gssTsig.gssTsigCreds[1].kerberos-password | string | `"ad-user-account-password"` | Passowrd of the AD user account |
+| rfc2136.rfc2136auth.gssTsig.gssTsigCreds[2].kerberos-realm | string | `"REALM.DOMAIN"` | Kerberos REALM that should be used for authentication |
 | route53.assumeRoleArn | string | `nil` | specify IRSA Role in AWS ARN format for assume role permissions or disable it by setting to `null` |
 | route53.enabled | bool | `false` | Enable Route53 provider |
 | route53.hostedZoneID | string | `"ZXXXSSS"` | Route53 ZoneID |

chart/k8gb/templates/_helpers.tpl

@@ -109,6 +109,16 @@ k8gb-{{ .Values.k8gb.dnsZone }}-{{ .Values.k8gb.clusterGeoTag }}
         - --rfc2136-zone={{ .Values.k8gb.edgeDNSZone }}
         - --rfc2136-tsig-axfr
 {{- range $k, $v := .Values.rfc2136.rfc2136Opts }}
+{{- range $kk, $vv := $v }}
+        - --rfc2136-{{ $kk }}={{ $vv }}
+
+{{- end -}}
+{{- end }}
+{{- if .Values.rfc2136.rfc2136auth.insecure.enabled }}
+        - --rfc2136-insecure
+{{- end -}}
+{{- if .Values.rfc2136.rfc2136auth.tsig.enabled }}
+{{- range $k, $v := .Values.rfc2136.rfc2136auth.tsig.tsigCreds }}
 {{- range $kk, $vv := $v }}
         - --rfc2136-{{ $kk }}={{ $vv }}
 {{- end -}}
@@ -119,6 +129,16 @@ k8gb-{{ .Values.k8gb.dnsZone }}-{{ .Values.k8gb.clusterGeoTag }}
             secretKeyRef:
               name: rfc2136
               key: secret
+{{- end -}}
+{{- if .Values.rfc2136.rfc2136auth.gssTsig.enabled }}
+        - --rfc2136-gss-tsig
+{{- range $k, $v := .Values.rfc2136.rfc2136auth.gssTsig.gssTsigCreds }}
+{{- range $kk, $vv := $v }}
+        - --rfc2136-{{ $kk }}={{ $vv }}
+{{- end -}}
+{{- end }}
+{{- end -}}
+
 {{- end -}}
 {{- end -}}
 {{- define "k8gb.metrics_port" -}}

chart/k8gb/templates/external-dns/external-dns.yaml

@@ -44,4 +44,16 @@ spec:
             cpu: "500m"
         securityContext:
           readOnlyRootFilesystem: true
+      {{- if .Values.rfc2136.rfc2136auth.gssTsig.enabled }}
+        volumeMounts:
+          - mountPath: /etc/krb5.conf
+            name: kerberos-config-volume
+            subPath: krb5.conf
+      volumes:
+        - name: kerberos-config-volume
+          configMap:
+            name: {{ .Values.rfc2136.rfc2136auth.gssTsig.kerberosConfigmap }}
+            defaultMode: 420
+      {{- end }}
+
 {{- end }}

chart/k8gb/values.schema.json

@@ -406,6 +406,12 @@
                     "items": {
                         "$ref": "#/definitions/Rfc2136Opt"
                     }
+                },
+                "rfc2136auth": {
+                    "type": "object",
+                    "items": {
+                        "$ref": "#/definitions/Rfc2136auth"
+                    }
                 }
             },
             "required": [
@@ -424,7 +430,65 @@
                     "type": "integer",
                     "minimum": 1,
                     "maximum": 65535
+                }
+            },
+            "title": "Rfc2136Opt"
+        },
+        "Rfc2136auth": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+                "insecure": {
+                    "type": "object",
+                    "items": {
+                        "$ref": "#/definitions/Rfc2136authInsecure"
+                    }
+                },
+                "tsig": {
+                    "type": "object",
+                    "items": {
+                        "$ref": "#/definitions/Rfc2136authTsig"
+                    }
                 },
+                "gssTsig": {
+                    "type": "object",
+                    "items": {
+                        "$ref": "#/definitions/Rfc2136authGssTsig"
+                    }
+                }
+            },
+            "title": "Rfc2136auth"
+        },
+        "Rfc2136authInsecure": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+                "enabled": {
+                    "type": "boolean"
+                }
+            },
+            "title": "Rfc2136authInsecure"
+        },
+        "Rfc2136authTsig": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+                "enabled": {
+                    "type": "boolean"
+                },
+                "tsigCreds": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/Rfc2136authTsigCreds"
+                    }
+                }
+            },
+            "title": "Rfc2136authTsig"
+        },
+        "Rfc2136authTsigCreds": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
                 "tsig-secret-alg": {
                     "type": "string",
                     "minLength": 1
@@ -434,7 +498,46 @@
                     "minLength": 1
                 }
             },
-            "title": "Rfc2136Opt"
+            "title": "Rfc2136authTsigCreds"
+        },
+        "Rfc2136authGssTsig": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+                "enabled": {
+                    "type": "boolean"
+                },
+                "kerberosConfigMap": {
+                    "type": "string",
+                    "minLength": 1
+                },
+                "gssTsigCreds": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/Rfc2136authGssTsigCreds"
+                    }
+                }
+            },
+            "title": "Rfc2136authGssTsig"
+        },
+        "Rfc2136authGssTsigCreds": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+                "kerberos-username": {
+                    "type": "string",
+                    "minLength": 1
+                },
+                "kerberos-password": {
+                    "type": "string",
+                    "minLength": 1
+                },
+                "kerberos-realm": {
+                    "type": "string",
+                    "minLength": 1
+                }
+            },
+            "title": "Rfc2136authGssTsigCreds"
         },
         "Route53": {
             "type": "object",

chart/k8gb/values.yaml

@@ -127,8 +127,21 @@ rfc2136:
   rfc2136Opts:
     - host: host.k3d.internal
     - port: 1053
-    - tsig-secret-alg: hmac-sha256
-    - tsig-keyname: externaldns-key
+  rfc2136auth:
+    insecure: 
+      enabled: false
+    tsig:
+      enabled: false
+      tsigCreds:
+        - tsig-secret-alg: hmac-sha256
+        - tsig-keyname: externaldns-key
+    gssTsig:
+      enabled: false
+      kerberosConfigMap: kerberos-config
+      gssTsigCreds:
+        - kerberos-username: ad-user
+        - kerberos-password: ad-user-pass
+        - kerberos-realm: ad-domain-realm
 
 tracing:
   # -- if the application should be sending the traces to OTLP collector (env var `TRACING_ENABLED`)

docs/deploy_windowsdns.md

@@ -0,0 +1,134 @@
+<h1 align="center" style="margin-top: 0;">Using K8GB on Azure</h1>
+
+## Sample solution
+
+Sample solution will create a common hub and spoke architecture with two AKS clusters in different regions
+
+![GLSB with K8gb on Azure](/docs/examples/azure/images/k8gb_solution.png?raw=true "GLSB with K8gb on Azure")
+
+# Azure based deployment with Windows DNS integration
+
+Here we provide an example of k8gb deployment in Azure environment with Windows DNS as edgeDNS provider.
+
+## Reference Setup
+
+The reference setup includes two AKS clusters that can deployed on two different regions for load balancing or provide a failover solution.
+
+The solution design can be found [here](https://github.com/k8gb-io/k8gb/tree/master/docs/examples/azure/).
+
+Configurable resources:
+
+* Resource groups
+* VNet and subnets
+* Peering
+* Managed Identity
+* Clusters
+
+## Run the sample
+
+* This lab requires a running AD Domain Controller with DNS and KDC services working
+    * There are several tutorials available online, but this Microsoft Learn article will probably help you out 
+    * [Microsoft Learn](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/install-active-directory-domain-services--level-100- "Install Active Directory")
+
+* To run the provided sample, please use the provided Makefile [here](https://github.com/k8gb-io/k8gb/tree/master/docs/examples/azure/).
+    * Deploys all the required infrastructure and configurations
+    * Before execute, please fill all the local variables in the scripts with the correct naming for the resources in order to avoid having problems with your azure policies
+    * Scripts will use AZ CLI, ensure that is installed and logged when trying to execute the command
+        * [Microsoft Learn](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli "Install AZ CLI")
+
+### Deploy infrastructure 
+
+This action will create resource groups, vnets, peering between vnets and AKS clusters to run all required workloads
+
+```sh
+make deploy-infra
+```
+
+### Setup clusters
+
+Install required Ingress controller in both clusters in order to deploy K8GB and demo application
+
+```sh
+make setup-clusters
+```
+
+### Configure GSS-TSIG authentication for DNS updates
+
+Before deploying K8GB and the demo workload, ensure required configurations on Windows DNS 
+
+#### Domain Controller config
+
+* Ensure that the Network Security is configured only for AES256
+
+![Network Policy - Kerberos auth](/docs/examples/azure/images/LocalSecuryPolicyNetworkKerberos.png?raw=true "Network Policy - Kerberos auth")
+* Ensure that the DNS Zone has only Secure updates option enabled
+
+![DNS Secure Updates](/docs/examples/azure/images/DNSSecureUpdates.png "DNS Secure Updates")
+* Ensure that the DNS Zone has the option "Allow zone transfers" check with the option "To any server" under the tab Zone Transfers on the zone properties
+
+![DNS Zone Transfers](/docs/examples/azure/images/DNSZoneTransfers.png "DNS Zone Transfers")
+
+* Create a new Active Directory user
+    * The user should be created with "Encryptions options" for Kerberos AES256 encryption
+    * The user needs to be added to the DNSAdmin group, or,
+    * Select the zone that will have dynamic updates in DNS Manager, right click and select Properties. Under the Security tab, add the created user and add the permissions Write, Create all child objects and Delete all child objects
+
+#### K8GB / ExternalDNS configuration
+
+* ExternalDNS configuration
+    * For communication with WindowsDNS, ExternalDNS should be configured with the RFC2136 provider with GSS-TSIG option
+    * [External DNS - RFC2126](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/rfc2136.md "RFC2136 documentation")
+    * A sample values.yaml for K8GB configuration can be found [here](https://github.com/k8gb-io/k8gb/tree/master/docs/examples/azure/k8gb/).
+        * Ensure that the following properties are updated with your values:
+            * dnsZone
+            * edgeDNSZone
+            * edgeDNSServers
+            * host - always use FQDN with GSS-TSIG, not IP address
+            * kerberos-username
+            * kerberos-password
+            * kerberos-realm
+    * At this moment ExternalDNS doesn't provide a way to use secrets as the source for the kerberos-password setting, so if you store the manifest in a git repo, please ensure that only required persons can access it
+```yaml
+rfc2136:
+  enabled: true
+  rfc2136Opts:
+    - host: AD-DC.mbcpk8gb.local #when using gssTsig, use the FQDN of the host, not an IP
+    - port: 53
+  rfc2136auth:
+    insecure: 
+      enabled: false
+    tsig:
+      enabled: false
+      tsigCreds:
+        - tsig-secret-alg: hmac-sha256
+        - tsig-keyname: externaldns-key
+    gssTsig:
+      enabled: true
+      gssTsigCreds:
+        - kerberos-username: ad-user-account
+        - kerberos-password: ad-user-account-password
+        - kerberos-realm: mbcpcloud.lab
+```
+
+### Install K8gb
+
+This action will install K8gb in both clusters using the provided [sample](https://github.com/k8gb-io/k8gb/tree/master/docs/examples/azure/k8gb/) values.yaml for each cluster. Please ensure that the are correctly updated before execution
+
+```sh
+make deploy-k8gb
+```
+
+### Install demo app
+
+Deploys the sample Podinfo workload with failover GLSB configured using annotations in the Ingress resource [samples](https://github.com/k8gb-io/k8gb/tree/master/docs/examples/azure/demo/).
+Ensure that the hosts on the samples are correctly updated before execution
+
+```sh
+make deploy-demo
+```
+
+### Destroy lab
+* Destroys the lab environment created for this sample
+```sh
+make destroy-infra
+```

docs/examples/azure/Makefile

@@ -0,0 +1,36 @@
+# Copyright 2022 The k8gb Contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Generated by GoLic, for more details see: https://github.com/AbsaOSS/golic
+
+.PHONY: deploy-infra
+deploy-infra:
+	./infra/build.sh
+
+.PHONY: setup-clusters
+setup-clusters:
+	./infra/setup.sh
+
+.PHONY: destroy-infra
+destroy-infra:
+	./infra/destroy.sh
+
+.PHONY: deploy-k8gb
+deploy-k8gb:
+	./k8gb/deploy.sh
+
+.PHONY: deploy-demo
+deploy-demo:
+	./demo/deploy.sh
+