Chapter 5. Configuring DNS provider credentials

Procedure

1. Set up your environment variables as follows:

   export AWS_ACCESS_KEY_ID=xxxxxxx
   export AWS_SECRET_ACCESS_KEY=xxxxxxx
   export AWS_REGION=your-aws-region

   These variable values are described as follows:

   • AWS_ACCESS_KEY_ID: Key ID from AWS with Route 53 access.
   • AWS_SECRET_ACCESS_KEY: Key from AWS with Route 53 access.
   • AWS_REGION: Your AWS region, for example, us-east-2 or eu-west-1.

2. Create a Secret resource for your credentials as follows:

   kubectl create secret generic aws-credentials \
     --namespace=api-gateway \
     --type=kuadrant.io/aws \
     --from-literal=AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
     --from-literal=AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
     --from-literal=AWS_REGION=$AWS_REGION

   In this case, you must set the secret type to aws.

Procedure

1. Set up your environment variables as follows:

   export GOOGLE=xxxxxxx
   export PROJECT_ID=xxxxxxx

   These variable values are described as follows:

   • GOOGLE: Google credentials JSON file.

   • PROJECT_ID: Google project ID.

     The GOOGLE variable specifies the JSON credentials generated by the gcloud CLI or by the service account. For example, $HOME/.config/gcloud/application_default_credentials.json, which contains the following:

     {"client_id": "***","client_secret": "***","refresh_token": "***","type": "authorized_user"}

2. Create a Secret resource for your credentials as follows:

   kubectl create secret generic test-gcp-credentials \
     --namespace=api-gateway \
     --type=kuadrant.io/gcp \
     --from-literal=PROJECT_ID=$PROJECT_ID \
     --from-file=GOOGLE=$GOOGLE

   In this case, you must set the secret type to gcp.

Procedure

1. Create a new Azure service principal for managing DNS as follows:

   DNS_NEW_SP_NAME=kuadrantDnsPrincipal
   DNS_SP=$(az ad sp create-for-rbac --name $DNS_NEW_SP_NAME)
   DNS_SP_APP_ID=$(echo $DNS_SP | jq -r '.appId')
   DNS_SP_PASSWORD=$(echo $DNS_SP | jq -r '.password')

   For more details on service principals, see the Microsoft Azure documentation.

2. To grant read and contributor access to the zones that you want managed for the service principal you are using, perform the following steps:

   1. Fetch the DNS ID used to grant access to the service principal as follows:

      DNS_ID=$(az network dns zone show --name example.com \
       --resource-group ExampleDNSResourceGroup --query "id" --output tsv)
      
      # Get your resource group ID
      RESOURCE_GROUP_ID=az group show --resource-group ExampleDNSResourceGroup | jq ".id" -r

   2. Provide reader access to the resource group as follows:

      az role assignment create --role "Reader" --assignee $DNS_SP_APP_ID --scope $DNS_ID

   3. Provide contributor access to the DNS zone as follows:

      az role assignment create --role "Contributor" --assignee $DNS_SP_APP_ID --scope $DNS_ID

3. Because you are setting up advanced traffic rules for geographic and weighted responses, you must also grant traffic manager and DNS zone access as follows:

   az role assignment create --role "Traffic Manager Contributor" --assignee $DNS_SP_APP_ID --scope $RESOURCE_GROUP_ID
   
   az role assignment create --role "DNS Zone Contributor" --assignee $DNS_SP_APP_ID --scope $RESOURCE_GROUP_ID
   
   cat <<-EOF > /local/path/to/azure.json
   {
     "tenantId": "$(az account show --query tenantId -o tsv)",
     "subscriptionId": "$(az account show --query id -o tsv)",
     "resourceGroup": "ExampleDNSResourceGroup",
     "aadClientId": "$DNS_SP_APP_ID",
     "aadClientSecret": "$DNS_SP_PASSWORD"
   }
   EOF

4. Create a Secret resource for your credentials as follows:

   kubectl create secret generic test-azure-credentials \
     --namespace=api-gateway \
     --type=kuadrant.io/azure \
     --from-file=azure.json=/local/path/to/azure.json

   In this case, you must set the secret type to azure.