此内容没有您所选择的语言版本。

Chapter 4. Configuring DNS provider credentials

If you want to configure DNS policies in Connectivity Link, you must configure credentials for at least one of the following supported cloud-based DNS providers:

Amazon Route 53
Google Cloud DNS
Microsoft Azure DNS
Note
- You must perform the steps for your chosen DNS provider on each OpenShift cluster that you want to use Connectivity Link on.
- You must configure the secret for the DNS provider in the same namespace that includes your Gateway.
- You must configure a DNS hosted zone. The credentials for your DNS provider must have permissions to update DNS records within this zone.

Prerequisites

See Chapter 1, Connectivity Link prerequisites and permissions.
You have access to the namespace in which your Gateway will be created, for example, api-gateway.
Note
This guide uses environment variables for convenience only. If you know the environment variable values, you can set up the required .yaml files in a way that suits your needs.

4.1. Configuring Amazon DNS provider credentials
复制链接

Procedure

Set up your environment variables as follows:
```
export AWS_ACCESS_KEY_ID=xxxxxxx
export AWS_SECRET_ACCESS_KEY=xxxxxxx
export AWS_REGION=your-aws-region
```
```
export AWS_ACCESS_KEY_ID=xxxxxxx
export AWS_SECRET_ACCESS_KEY=xxxxxxx
export AWS_REGION=your-aws-region
```
Copy to Clipboard Toggle word wrap
These variable values are described as follows:
- AWS_ACCESS_KEY_ID: Key ID from AWS with Route 53 access.
- AWS_SECRET_ACCESS_KEY: Key from AWS with Route 53 access.
- AWS_REGION: Your AWS region, for example, us-east-2 or eu-west-1.

Create a Secret resource for your credentials as follows:

kubectl create secret generic aws-credentials \
  --namespace=api-gateway \
  --type=kuadrant.io/aws \
  --from-literal=AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
  --from-literal=AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
  --from-literal=AWS_REGION=$AWS_REGION

kubectl create secret generic aws-credentials \
  --namespace=api-gateway \
  --type=kuadrant.io/aws \
  --from-literal=AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
  --from-literal=AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
  --from-literal=AWS_REGION=$AWS_REGION

Copy to Clipboard

Toggle word wrap

In this case, you must set the secret type to aws.

Additional resources

4.2. Configuring Google DNS provider credentials
复制链接

Procedure

Set up your environment variables as follows:
```
export GOOGLE=xxxxxxx
export PROJECT_ID=xxxxxxx
```
```
export GOOGLE=xxxxxxx
export PROJECT_ID=xxxxxxx
```
Copy to Clipboard Toggle word wrap
These variable values are described as follows:
- GOOGLE: Google credentials JSON file.
- PROJECT_ID: Google project ID.
  The GOOGLE variable specifies the JSON credentials generated by the gcloud CLI or by the service account. For example, $HOME/.config/gcloud/application_default_credentials.json, which contains the following:
  {"client_id": "***","client_secret": "***","refresh_token": "***","type": "authorized_user"}
  Copy to Clipboard Toggle word wrap

Create a Secret resource for your credentials as follows:

kubectl create secret generic test-gcp-credentials \
  --namespace=api-gateway \
  --type=kuadrant.io/gcp \
  --from-literal=PROJECT_ID=$PROJECT_ID \
  --from-file=GOOGLE=$GOOGLE

kubectl create secret generic test-gcp-credentials \
  --namespace=api-gateway \
  --type=kuadrant.io/gcp \
  --from-literal=PROJECT_ID=$PROJECT_ID \
  --from-file=GOOGLE=$GOOGLE

Copy to Clipboard

Toggle word wrap

In this case, you must set the secret type to gcp.

Additional resources

Google Cloud DNS documentation.

4.3. Configuring Azure DNS provider credentials
复制链接

Procedure

Create a new Azure service principal for managing DNS as follows:

DNS_NEW_SP_NAME=kuadrantDnsPrincipal
DNS_SP=$(az ad sp create-for-rbac --name $DNS_NEW_SP_NAME)
DNS_SP_APP_ID=$(echo $DNS_SP | jq -r '.appId')
DNS_SP_PASSWORD=$(echo $DNS_SP | jq -r '.password')

DNS_NEW_SP_NAME=kuadrantDnsPrincipal
DNS_SP=$(az ad sp create-for-rbac --name $DNS_NEW_SP_NAME)
DNS_SP_APP_ID=$(echo $DNS_SP | jq -r '.appId')
DNS_SP_PASSWORD=$(echo $DNS_SP | jq -r '.password')

Copy to Clipboard

Toggle word wrap

For more details on service principals, see the Microsoft Azure documentation.

To grant read and contributor access to the zones that you want managed for the service principal you are using, perform the following steps:

Fetch the DNS ID used to grant access to the service principal as follows:

DNS_ID=$(az network dns zone show --name example.com \
 --resource-group ExampleDNSResourceGroup --query "id" --output tsv)

# Get your resource group ID
RESOURCE_GROUP_ID=az group show --resource-group ExampleDNSResourceGroup | jq ".id" -r

DNS_ID=$(az network dns zone show --name example.com \
 --resource-group ExampleDNSResourceGroup --query "id" --output tsv)

# Get your resource group ID
RESOURCE_GROUP_ID=az group show --resource-group ExampleDNSResourceGroup | jq ".id" -r

Copy to Clipboard

Toggle word wrap

Provide reader access to the resource group as follows:

az role assignment create --role "Reader" --assignee $DNS_SP_APP_ID --scope $DNS_ID

az role assignment create --role "Reader" --assignee $DNS_SP_APP_ID --scope $DNS_ID

Copy to Clipboard

Toggle word wrap

Provide contributor access to the DNS zone as follows:

az role assignment create --role "Contributor" --assignee $DNS_SP_APP_ID --scope $DNS_ID

az role assignment create --role "Contributor" --assignee $DNS_SP_APP_ID --scope $DNS_ID

Copy to Clipboard

Toggle word wrap

Because you are setting up advanced traffic rules for geographic and weighted responses, you must also grant traffic manager and DNS zone access as follows:

az role assignment create --role "Traffic Manager Contributor" --assignee $DNS_SP_APP_ID --scope $RESOURCE_GROUP_ID

az role assignment create --role "DNS Zone Contributor" --assignee $DNS_SP_APP_ID --scope $RESOURCE_GROUP_ID

cat <<-EOF > /local/path/to/azure.json
{
  "tenantId": "$(az account show --query tenantId -o tsv)",
  "subscriptionId": "$(az account show --query id -o tsv)",
  "resourceGroup": "ExampleDNSResourceGroup",
  "aadClientId": "$DNS_SP_APP_ID",
  "aadClientSecret": "$DNS_SP_PASSWORD"
}
EOF

az role assignment create --role "Traffic Manager Contributor" --assignee $DNS_SP_APP_ID --scope $RESOURCE_GROUP_ID

az role assignment create --role "DNS Zone Contributor" --assignee $DNS_SP_APP_ID --scope $RESOURCE_GROUP_ID

cat <<-EOF > /local/path/to/azure.json
{
  "tenantId": "$(az account show --query tenantId -o tsv)",
  "subscriptionId": "$(az account show --query id -o tsv)",
  "resourceGroup": "ExampleDNSResourceGroup",
  "aadClientId": "$DNS_SP_APP_ID",
  "aadClientSecret": "$DNS_SP_PASSWORD"
}
EOF

Copy to Clipboard

Toggle word wrap

Create a Secret resource for your credentials as follows:

kubectl create secret generic test-azure-credentials \
  --namespace=api-gateway \
  --type=kuadrant.io/azure \
  --from-file=azure.json=/local/path/to/azure.json

kubectl create secret generic test-azure-credentials \
  --namespace=api-gateway \
  --type=kuadrant.io/azure \
  --from-file=azure.json=/local/path/to/azure.json

Copy to Clipboard

Toggle word wrap

In this case, you must set the secret type to azure.

Additional resources

Microsoft Azure DNS documentation.

此内容没有您所选择的语言版本。

Chapter 4. Configuring DNS provider credentials

4.1. Configuring Amazon DNS provider credentials
复制链接

4.2. Configuring Google DNS provider credentials
复制链接

4.3. Configuring Azure DNS provider credentials
复制链接

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

此内容没有您所选择的语言版本。

Chapter 4. Configuring DNS provider credentials

4.1. Configuring Amazon DNS provider credentials复制链接链接已复制到粘贴板!

4.2. Configuring Google DNS provider credentials复制链接链接已复制到粘贴板!

4.3. Configuring Azure DNS provider credentials复制链接链接已复制到粘贴板!

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

4.1. Configuring Amazon DNS provider credentials
复制链接

4.2. Configuring Google DNS provider credentials
复制链接

4.3. Configuring Azure DNS provider credentials
复制链接