Chapter 5. Configuring DNS provider credentials
If you want to configure DNS policies in Connectivity Link, you must configure credentials for at least one of the following supported cloud-based DNS providers:
- Amazon Route 53
- Google Cloud DNS
- Microsoft Azure DNS

Note: You must perform the steps for your chosen DNS provider on each OpenShift cluster that you want to use Connectivity Link on. You must configure the secret for the DNS provider in the same namespace that will include your Gateway.

Prerequisites
- See Chapter 1, Connectivity Link prerequisites and permissions.
- You have access to the namespace in which your Gateway will be created, for example, api-gateway.

Note: This guide uses environment variables for convenience only. If you know the environment variable values, you can set up the required .yaml files in a way that suits your needs.
5.1. Configuring Amazon DNS provider credentials
Procedure
- Set up your environment variables as follows:

export AWS_ACCESS_KEY_ID=xxxxxxx
export AWS_SECRET_ACCESS_KEY=xxxxxxx
export AWS_REGION=your-aws-region

  These variable values are described as follows:
  - AWS_ACCESS_KEY_ID: Key ID from AWS with Route 53 access.
  - AWS_SECRET_ACCESS_KEY: Key from AWS with Route 53 access.
  - AWS_REGION: Your AWS region, for example, us-east-2 or eu-west-1.

- Create a Secret resource for your credentials as follows:

kubectl create secret generic aws-credentials \
  --namespace=api-gateway \
  --type=kuadrant.io/aws \
  --from-literal=AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
  --from-literal=AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
  --from-literal=AWS_REGION=$AWS_REGION

  In this case, you must set the secret type to aws, that is, kuadrant.io/aws as in the command above.
5.2. Configuring Google DNS provider credentials
Procedure
- Set up your environment variables as follows:

export GOOGLE=xxxxxxx
export PROJECT_ID=xxxxxxx

  These variable values are described as follows:
  - GOOGLE: Google credentials JSON file.
  - PROJECT_ID: Google project ID.

  The GOOGLE variable specifies the JSON credentials generated by the gcloud CLI or by the service account. For example, $HOME/.config/gcloud/application_default_credentials.json, which contains the following:

{
  "client_id": "***",
  "client_secret": "***",
  "refresh_token": "***",
  "type": "authorized_user"
}

- Create a Secret resource for your credentials as follows:

kubectl create secret generic test-gcp-credentials \
  --namespace=api-gateway \
  --type=kuadrant.io/gcp \
  --from-literal=PROJECT_ID=$PROJECT_ID \
  --from-file=GOOGLE=$GOOGLE

  In this case, you must set the secret type to gcp, that is, kuadrant.io/gcp as in the command above.
5.3. Configuring Azure DNS provider credentials
Procedure
- Create a new Azure service principal for managing DNS as follows:

DNS_NEW_SP_NAME=kuadrantDnsPrincipal
DNS_SP=$(az ad sp create-for-rbac --name $DNS_NEW_SP_NAME)
DNS_SP_APP_ID=$(echo $DNS_SP | jq -r '.appId')
DNS_SP_PASSWORD=$(echo $DNS_SP | jq -r '.password')

  For more details on service principals, see the Microsoft Azure documentation.
- To grant read and contributor access to the zones that you want managed for the service principal you are using, perform the following steps:

  - Fetch the DNS ID used to grant access to the service principal as follows:

DNS_ID=$(az network dns zone show --name example.com \
  --resource-group ExampleDNSResourceGroup --query "id" --output tsv)
# Get your resource group ID (command substitution is required so the ID is captured, not the command text)
RESOURCE_GROUP_ID=$(az group show --resource-group ExampleDNSResourceGroup | jq ".id" -r)

  - Provide reader access to the resource group as follows:

az role assignment create --role "Reader" --assignee $DNS_SP_APP_ID --scope $DNS_ID

  - Provide contributor access to the DNS zone as follows:

az role assignment create --role "Contributor" --assignee $DNS_SP_APP_ID --scope $DNS_ID
- Because you are setting up advanced traffic rules for geographic and weighted responses, you must also grant traffic manager and DNS zone access, and then write the credentials file, as follows:

az role assignment create --role "Traffic Manager Contributor" --assignee $DNS_SP_APP_ID --scope $RESOURCE_GROUP_ID
az role assignment create --role "DNS Zone Contributor" --assignee $DNS_SP_APP_ID --scope $RESOURCE_GROUP_ID
cat <<-EOF > /local/path/to/azure.json
{
  "tenantId": "$(az account show --query tenantId -o tsv)",
  "subscriptionId": "$(az account show --query id -o tsv)",
  "resourceGroup": "ExampleDNSResourceGroup",
  "aadClientId": "$DNS_SP_APP_ID",
  "aadClientSecret": "$DNS_SP_PASSWORD"
}
EOF

- Create a Secret resource for your credentials as follows:

kubectl create secret generic test-azure-credentials \
  --namespace=api-gateway \
  --type=kuadrant.io/azure \
  --from-file=azure.json=/local/path/to/azure.json

  In this case, you must set the secret type to azure, that is, kuadrant.io/azure as in the command above.
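The three provider secrets in this chapter share one contract: they live in the Gateway's namespace, carry a kuadrant.io/aws, kuadrant.io/gcp or kuadrant.io/azure type, and hold a fixed set of data keys (with azure.json itself needing tenantId, subscriptionId, resourceGroup, aadClientId and aadClientSecret). The following Python check is an added example, not part of the Connectivity Link documentation or the Kuadrant project, that validates a Secret as returned by `kubectl get secret <name> -n <namespace> -o json` against that contract before a DNS policy is applied; the sample secret and its values are constructed placeholders.

```python
import base64
import json

# Secret type and required data keys for each provider, as given in this chapter.
PROVIDER_KEYS = {
    "kuadrant.io/aws": {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_REGION"},
    "kuadrant.io/gcp": {"PROJECT_ID", "GOOGLE"},
    "kuadrant.io/azure": {"azure.json"},
}
# Fields the azure.json written in the Azure procedure must contain.
AZURE_JSON_KEYS = {"tenantId", "subscriptionId", "resourceGroup", "aadClientId", "aadClientSecret"}

def _plain_data(secret: dict) -> dict:
    """Secret data as plain strings: base64 `data` decoded, `stringData` merged on top."""
    plain = {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}
    plain.update(secret.get("stringData", {}))
    return plain

def check_dns_secret(secret: dict, gateway_namespace: str) -> list:
    """Return the problems found; an empty list means the secret matches this chapter's contract."""
    problems = []
    ns = secret.get("metadata", {}).get("namespace")
    if ns != gateway_namespace:  # the secret must live in the Gateway's namespace
        problems.append(f"namespace {ns!r} != Gateway namespace {gateway_namespace!r}")
    stype = secret.get("type")
    required = PROVIDER_KEYS.get(stype)
    if required is None:  # Opaque or any other type is not a DNS provider secret
        return problems + [f"unsupported secret type {stype!r}"]
    data = _plain_data(secret)
    problems += [f"missing key {k}" for k in sorted(required - set(data))]
    problems += [f"empty value for {k}" for k in sorted(required & set(data)) if not data[k].strip()]
    if stype == "kuadrant.io/azure" and "azure.json" in data:
        try:
            cfg = json.loads(data["azure.json"])
        except json.JSONDecodeError as exc:
            return problems + [f"azure.json is not valid JSON: {exc}"]
        problems += [f"azure.json missing {k}" for k in sorted(AZURE_JSON_KEYS - set(cfg))]
    return problems

# Constructed sample: the aws-credentials secret from this chapter, shaped as `kubectl get secret
# aws-credentials -n api-gateway -o json` returns it (placeholder values, base64 in `data`).
SAMPLE_AWS_SECRET = {
    "metadata": {"name": "aws-credentials", "namespace": "api-gateway"},
    "type": "kuadrant.io/aws",
    "data": {k: base64.b64encode(v.encode()).decode() for k, v in {
        "AWS_ACCESS_KEY_ID": "xxxxxxx", "AWS_SECRET_ACCESS_KEY": "xxxxxxx",
        "AWS_REGION": "us-east-2"}.items()},
}
```

Run `check_dns_secret(json.load(open("secret.json")), "api-gateway")` on a dumped secret; a non-empty list names exactly which part of the chapter's procedure was skipped or applied in the wrong namespace.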