ExternalDNS

Overview

ExternalDNS is a Kubernetes add-on that configures public DNS servers with information about exposed Kubernetes services to make them discoverable.

The ExternalDNS CRD lets you control DNS records dynamically through Kubernetes/OpenShift resources in a DNS-provider-agnostic way. CIS reads the resource and programs the matching objects on BIG-IP DNS (GTM).

apiVersion: "cis.f5.com/v1"
kind: ExternalDNS
metadata:
  name: exdns
  labels:
    f5cr: "true"
spec:
  domainName: example.com
  dnsRecordType: A
  loadBalanceMethod: round-robin
  pools:
  - name: example.site1.com
    dnsRecordType: A
    loadBalanceMethod: round-robin
    dataServerName: /Common/GSLBServer
    monitor:
      type: https
      send: "GET /"
      recv: ""
      interval: 10
      timeout: 10

Example Topologies:

The figures referenced below show the use cases and topology for the ExternalDNS CRD:

  • Two sites
  • Each site runs an OpenShift cluster
  • Each site has one pair of BIG-IPs running LTM and DNS
  • Each OpenShift cluster runs one CIS per BIG-IP (traditional deployment), so two CIS instances are deployed per site

[Figures: crd-externaldns-topology1.png, crd-externaldns-topology2.png]

Prerequisites

  • An OpenShift/Kubernetes cluster must be up and running.
  • AS3 version 3.18 or later.
  • The GSLB objects that ExternalDNS references (Data Center and Server) must be created in the Common partition.
  • A fully active, licensed BIG-IP.
  • LTM and DNS (GTM) are both mandatory, but they do not need to be on the same device.
  • A VXLAN tunnel from the OpenShift/Kubernetes cluster to the BIG-IP is not mandatory; configure one only if your cluster networking mode requires it.
  • No SDN license is needed; only the DNS license is required.
  • HTTPS monitor support in ExternalDNS requires BIG-IP v16.1 or later.

Components

CIS Configuration Parameters for BIG-IP GTM

Parameter | Type | Required | Default | Description
gtm-bigip-password | String | Required | N/A | Password for the GTM BIG-IP user account. Store it in a Kubernetes Secret rather than in the Deployment spec.
gtm-bigip-url | String | Required | N/A | URL of the GTM BIG-IP.
gtm-bigip-username | String | Required | N/A | Username for the GTM BIG-IP user account.
gtm-credentials-directory | String | Optional | N/A | Directory containing the GTM BIG-IP username, password, and/or url files. Use this instead of the username, password, and/or URL arguments.

Important

If the same BIG-IP is configured for GTM resources, then the following GTM parameters are not necessary in the CIS deployment:

  • gtm-bigip-password
  • gtm-bigip-url
  • gtm-bigip-username

If the GTM resources are configured by a different BIG-IP, then these GTM parameters are required in the CIS deployment.

ExternalDNS Components

Parameter | Type | Required | Default | Description
domainName | String | Required | N/A | Domain name (wide IP) to publish. It must match the host of the VirtualServer, TransportServer, or IngressLink CRD that fronts the application.
dnsRecordType | String | Required | A | DNS record type.
loadBalanceMethod | String | Required | round-robin | Load balancing method for DNS traffic.
pools | Pool | Optional | N/A | GTM pools.

Pool Components

Parameter | Type | Required | Default | Description
name | String | Required | N/A | Name of the GSLB pool.
dnsRecordType | String | Required | N/A | DNS record type.
loadBalanceMethod | String | Required | round-robin | Load balancing method for DNS traffic.
dataServerName | String | Optional | N/A | Name of the GSLB Server on BIG-IP, for example /Common/SiteName.
monitor | Object | Optional | N/A | A single monitor for the GSLB pool.
monitors | List | Optional | N/A | A list of monitors for the GSLB pool.

Important

The dataServerName value must be the exact name of the GSLB Server object that was created in the BIG-IP Common partition (for example /Common/GSLBServer). CIS does not create this object; it only references it.

GSLB Monitor Components

Parameter | Type | Required | Default | Description
type | String | Required | N/A | tcp, http, or https.
send | String | Required for http/https | N/A | Send string for the monitor. For example: GET /health HTTP/1.1\r\nHost: example.com\r\n
recv | String | Optional | N/A | Receive string. This can be empty.
interval | Int | Required | 5 | Seconds between health queries.
timeout | Int | Optional | 16 | Seconds before a query fails.

Notes on the gtm-credentials-directory parameter:

  • The gtm-credentials-directory option is an alternative to the gtm-bigip-username, gtm-bigip-password, and gtm-bigip-url arguments, and keeps the password out of the Deployment spec.
  • When you use this argument, the controller looks for three files in the specified directory: username, password, and url. If any of these files does not exist, the controller falls back to the corresponding CLI argument.
  • Each file should contain only the username, the password, or the URL, respectively. You can create the files as keys of a Kubernetes Secret and mount the Secret at that directory.
  • Do not project the Secret keys to custom paths (the items/path mapping of a Secret volume): the controller looks for files named exactly "username", "password", and "url" directly within the credentials directory.
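
The check below is an added example, not CIS code. It inspects a CIS Deployment (as a parsed manifest) together with the Secret it mounts and reports the mistakes the notes above warn about: a credentials directory that is not backed by a Secret volume, Secret keys projected to other paths so the controller would silently fall back to CLI arguments, a missing username/password/url key, and a password that is also passed on the command line. The flag spelling `--gtm-credentials-directory=<dir>` is assumed from the parameter name on this page; the Secret name, directory path, image, and credential values are constructed placeholders.

```python
import copy

REQUIRED_KEYS = {"username", "password", "url"}
CRED_DIR_FLAG = "--gtm-credentials-directory="   # assumed CLI spelling of the parameter


def credentials_dir(container):
    """Return the directory given via --gtm-credentials-directory, or None."""
    for arg in container.get("args", []):
        if arg.startswith(CRED_DIR_FLAG):
            return arg[len(CRED_DIR_FLAG):].rstrip("/")
    return None


def check_gtm_credentials(deployment, secret):
    """Return (code, detail) findings; an empty list means the mount matches what
    the controller expects: <dir>/username, <dir>/password, <dir>/url."""
    out = []
    pod = deployment["spec"]["template"]["spec"]
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    secret_keys = set(secret.get("data", {})) | set(secret.get("stringData", {}))
    for c in pod.get("containers", []):
        cred_dir = credentials_dir(c)
        if cred_dir is None:
            continue
        # The directory exists to keep the password out of the pod spec; passing it
        # as an argument as well exposes it to anyone who can read Deployments.
        if any(a.startswith("--gtm-bigip-password") for a in c.get("args", [])):
            out.append(("CLI_PASSWORD", f"{c['name']}: gtm-bigip-password also given on the command line"))
        mounts = [m for m in c.get("volumeMounts", []) if m.get("mountPath", "").rstrip("/") == cred_dir]
        if not mounts:
            out.append(("NO_MOUNT", f"{c['name']}: nothing is mounted at {cred_dir}"))
            continue
        mount = mounts[0]
        if not mount.get("readOnly", False):
            out.append(("NOT_READONLY", f"{c['name']}: {cred_dir} should be mounted readOnly"))
        vol = volumes.get(mount["name"])
        if vol is None or "secret" not in vol:
            out.append(("NOT_SECRET", f"{c['name']}: volume {mount['name']!r} is not a Secret volume"))
            continue
        sv = vol["secret"]
        if sv.get("secretName") != secret["metadata"]["name"]:
            out.append(("SECRET_NAME", f"{c['name']}: volume references {sv.get('secretName')!r}"))
        # 'items' remaps key -> path. The controller only looks for the three files
        # at the top of the directory; a remapped file is invisible to it and the
        # controller silently falls back to the CLI arguments.
        if "items" in sv:
            paths = {i.get("path", i["key"]) for i in sv["items"]}
            if not REQUIRED_KEYS <= paths:
                out.append(("PROJECTED_PATHS", f"{c['name']}: Secret keys projected as {sorted(paths)}"))
        missing = REQUIRED_KEYS - secret_keys
        if missing:
            out.append(("MISSING_KEYS", f"{secret['metadata']['name']}: Secret lacks {sorted(missing)}"))
    return out


# Constructed Secret; the values are placeholders, never real credentials.
GTM_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "gtm-bigip-creds", "namespace": "kube-system"},
    "stringData": {"username": "cis-gtm", "password": "example-only", "url": "https://10.0.0.20"},
}

# Constructed CIS Deployment fragment; image, partition and flag spellings are assumed.
GOOD_DEPLOYMENT = {
    "kind": "Deployment", "metadata": {"name": "k8s-bigip-ctlr", "namespace": "kube-system"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "k8s-bigip-ctlr",
            "image": "f5networks/k8s-bigip-ctlr:latest",
            "args": ["--bigip-url=https://10.0.0.10", "--bigip-partition=k8s",
                     "--gtm-credentials-directory=/tmp/gtm-creds"],
            "volumeMounts": [{"name": "gtm-creds", "mountPath": "/tmp/gtm-creds", "readOnly": True}],
        }],
        "volumes": [{"name": "gtm-creds", "secret": {"secretName": "gtm-bigip-creds"}}],
    }}},
}

# The same Deployment with the two mistakes the notes warn about.
BAD_DEPLOYMENT = copy.deepcopy(GOOD_DEPLOYMENT)
_bad_pod = BAD_DEPLOYMENT["spec"]["template"]["spec"]
_bad_pod["volumes"][0]["secret"]["items"] = [{"key": "username", "path": "gtm/username"},
                                             {"key": "password", "path": "gtm/password"},
                                             {"key": "url", "path": "gtm/url"}]
_bad_pod["containers"][0]["args"].append("--gtm-bigip-password=example-only")


def codes(findings):
    return sorted(code for code, _ in findings)


if __name__ == "__main__":
    for label, dep in (("good", GOOD_DEPLOYMENT), ("bad", BAD_DEPLOYMENT)):
        print(label, check_gtm_credentials(dep, GTM_SECRET))
```

Run it against your real manifests by loading them with any YAML parser into the same dict shape; the good fragment yields no findings, the bad one reports PROJECTED_PATHS and CLI_PASSWORD.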

ExternalDNS with BIG-IP GTM

To set up ExternalDNS with BIG-IP DNS (GTM), first create the following objects manually:

In the BIG-IP user interface, go to DNS > GSLB > Data Centers and DNS > GSLB > Servers and create the Data Center and Server objects in the Common partition.

Note

Wide IP, Pool, Pool members, and Health Monitors are managed by the ExternalDNS CRD; do not create them by hand.

BIG-IP DNS is expected to be set up with service discovery enabled (no delete).

[Figure: crd-externaldns-ui.png]

The following ExternalDNS resource enables the feature on BIG-IP.

External DNS Example (externaldns.yaml)
apiVersion: "cis.f5.com/v1"
kind: ExternalDNS
metadata:
  name: exdns
  labels:
    f5cr: "true"
spec:
  domainName: example.com
  dnsRecordType: A
  loadBalanceMethod: round-robin
  pools:
  - name: example.site1.com
    dnsRecordType: A
    loadBalanceMethod: round-robin
    dataServerName: /Common/GSLBServer
    monitor:
      type: https
      send: "GET /"
      recv: ""
      interval: 10
      timeout: 10


Below is an example of the VirtualServer CRD that must be created to match the ExternalDNS configuration: its host is the same as the ExternalDNS domainName.

VS-CRD Example
apiVersion: cis.f5.com/v1
kind: VirtualServer
metadata:
  labels:
    f5cr: "true"
  name: sample-virtual
  namespace: default
spec:
  host: example.com
  pools:
  - monitor:
      interval: 20
      recv: ""
      send: /
      timeout: 10
      type: http
    path: /
    service: svc-1
    servicePort: 80
  virtualServerAddress: 172.16.3.4

  • The dataServerName field must match the name of the GSLB Server object created in the BIG-IP Common partition.
  • The ExternalDNS domainName must be the same as the host in the VirtualServer CRD.
  • If the same BIG-IP hosts the GTM resources, the GTM parameters (gtm-bigip-password, gtm-bigip-url, gtm-bigip-username) in the CIS deployment are not mandatory.
  • If the GTM resources live on a different BIG-IP, those GTM parameters are mandatory in the CIS deployment.

Health Monitors with ExternalDNS CRD

The ExternalDNS CRD supports TCP, HTTP, and HTTPS health monitors. Below are examples of each type:

TCP Health Monitor
type: tcp
interval: 10
timeout: 30

HTTP Health Monitor
type: http
send: "GET /tea HTTP/1.1\r\nHost: cafe.example.com\r\n"
recv: ""
interval: 10
timeout: 30

HTTPS Health Monitor
type: https
send: "GET /tea HTTP/1.1\r\nHost: cafe.example.com\r\n"
recv: ""
interval: 10
timeout: 30

Single Health Monitor

To attach a single health monitor to an EDNS pool, use monitor in the ExternalDNS spec, as in the externaldns.yaml example above. The VirtualServer below is the matching application-side resource for cafe.example.com; its pool carries its own LTM monitor, which is separate from the GSLB monitor defined in the ExternalDNS resource:

Matching VirtualServer
apiVersion: "cis.f5.com/v1"
kind: VirtualServer
metadata:
  name: vs-coffee
  namespace: nginx-ingress
  labels:
    f5cr: "true"
spec:
  host: cafe.example.com
  hostGroup: "cafe"
  ipamLabel: Test
  virtualServerHTTPSPort: 443
  tlsProfileName: reencrypt-tls
  httpTraffic: redirect
  snat: auto
  pools:
  - monitor:
      interval: 20
      recv: ""
      send: "GET /coffee HTTP/1.1\r\nHost: cafe.example.com\r\n"
      timeout: 10
      type: https
    path: /coffee
    service: nginx-ingress
    servicePort: 443

Multiple Health Monitors

To attach multiple health monitors to an EDNS pool, use monitors in the ExternalDNS spec, as shown below:

Multiple Health Monitors
apiVersion: "cis.f5.com/v1"
kind: ExternalDNS
metadata:
  name: exdns
  labels:
    f5cr: "true"
spec:
  domainName: cafe.example.com
  dnsRecordType: A
  loadBalanceMethod: round-robin
  pools:
    - dnsRecordType: A
      loadBalanceMethod: round-robin
      dataServerName: /Common/GSLBServer
      monitors:
        - type: https
          send: "GET /tea HTTP/1.1\r\nHost: cafe.example.com\r\n"
          recv: ""
          interval: 10
          timeout: 30
        - type: https
          send: "GET /coffee HTTP/1.1\r\nHost: cafe.example.com\r\n"
          recv: ""
          interval: 10
          timeout: 30
        - type: tcp
          interval: 10
          timeout: 30

ExternalDNS with Custom Resources

To use EDNS with F5 IngressLink and TransportServer, create a regular ExternalDNS resource with the required hostname and set the same hostname in the IngressLink or TransportServer spec.host, as shown below:

IngressLink
apiVersion: "cis.f5.com/v1"
kind: IngressLink
metadata:
  name: nginx-ingress
  namespace: nginx-ingress
spec:
  virtualServerAddress: "192.168.10.5"
  host: cafe.example.com
  iRules:
    - /Common/Proxy_Protocol_iRule
  selector:
    matchLabels:
      app: ingresslink

TransportServer
apiVersion: "cis.f5.com/v1"
kind: TransportServer
metadata:
  labels:
    f5cr: "true"
  name: svc1-tcp-transport-server
  namespace: default
spec:
  virtualServerAddress: "172.16.3.9"
  virtualServerPort: 8544
  virtualServerName: svc1-tcp-ts
  host: cafe.example.com
  mode: standard
  snat: auto
  allowVlans: ["/Common/devtraffic"]
  persistenceProfile: "destination-address"
  pool:
    service: svc-1
    servicePort: 8181
    monitor:
      type: tcp
      interval: 10
      timeout: 10
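
The pre-flight lint below is an added example, not CIS code. It encodes the consistency rules this page states for an ExternalDNS resource and the VirtualServer, TransportServer, or IngressLink resources it fronts: the domainName must equal some resource's spec.host, dataServerName must name a GSLB Server in /Common, the f5cr label must be present, a pool should use either monitor or monitors, pool record types should match the wide IP's, and http/https monitors need a send string. It also adds two monitor sanity checks that the page does not state: an HTTP/1.1 send string without a Host header, and a timeout that does not exceed the interval (F5's rule of thumb is timeout = 3 x interval + 1; the first exdns example on this page uses 10/10 and therefore trips this warning). The constructed input reuses the exdns and sample-virtual resources from this page plus a deliberately broken resource with hypothetical names.

```python
MONITOR_TYPES = {"tcp", "http", "https"}


def hosts_of(resources):
    """Map spec.host -> ['Kind/name', ...] for VirtualServer/TransportServer/IngressLink CRs."""
    hosts = {}
    for r in resources:
        host = r.get("spec", {}).get("host")
        if host:
            hosts.setdefault(host, []).append(f"{r['kind']}/{r['metadata']['name']}")
    return hosts


def lint_monitor(mon, where):
    out = []
    mtype = mon.get("type")
    if mtype not in MONITOR_TYPES:
        return [("BAD_MONITOR_TYPE", f"{where}: type {mtype!r} is not tcp/http/https")]
    send = mon.get("send", "")
    if mtype in ("http", "https") and not send:
        out.append(("MISSING_SEND", f"{where}: {mtype} monitor needs a send string"))
    # An HTTP/1.1 request without a Host header is rejected by most servers, so
    # the monitor would mark a healthy member down.
    if "HTTP/1.1" in send and "host:" not in send.lower():
        out.append(("NO_HOST_HEADER", f"{where}: HTTP/1.1 send string lacks a Host header"))
    if mtype == "tcp" and send:
        out.append(("SEND_IGNORED", f"{where}: send string is meaningless for a tcp monitor"))
    interval, timeout = mon.get("interval"), mon.get("timeout")
    if interval is not None and timeout is not None and timeout <= interval:
        # Equal values mark a member down after a single missed probe.
        out.append(("TIMEOUT_LE_INTERVAL", f"{where}: timeout {timeout} <= interval {interval}"))
    return out


def lint_edns(edns, app_resources):
    """Return (code, detail) findings; an empty list means nothing was found."""
    out = []
    meta, spec = edns["metadata"], edns["spec"]
    name = f"ExternalDNS/{meta['name']}"
    # CIS selects custom resources with the label f5cr="true"; without it the
    # resource is never processed and no wide IP appears on BIG-IP.
    if meta.get("labels", {}).get("f5cr") != "true":
        out.append(("MISSING_F5CR_LABEL", f"{name}: missing label f5cr='true'"))
    domain = spec.get("domainName")
    if domain not in hosts_of(app_resources):
        out.append(("NO_MATCHING_HOST", f"{name}: no application CR has host {domain!r}"))
    for i, pool in enumerate(spec.get("pools", [])):
        where = f"{name} pools[{i}]"
        ds = pool.get("dataServerName", "")
        if not ds.startswith("/Common/"):
            out.append(("DATASERVER_PARTITION", f"{where}: dataServerName {ds!r} must name the GSLB Server in /Common"))
        if pool.get("dnsRecordType", spec.get("dnsRecordType")) != spec.get("dnsRecordType"):
            out.append(("RECORD_TYPE_MISMATCH", f"{where}: pool record type differs from the wide IP's"))
        if "monitor" in pool and "monitors" in pool:
            out.append(("MONITOR_AND_MONITORS", f"{where}: use either monitor or monitors, not both"))
        monitors = ([pool["monitor"]] if "monitor" in pool else []) + pool.get("monitors", [])
        for j, mon in enumerate(monitors):
            out.extend(lint_monitor(mon, f"{where} monitor[{j}]"))
    return out


# Constructed input: the exdns / sample-virtual pair from this page.
PAGE_EDNS = {
    "kind": "ExternalDNS", "metadata": {"name": "exdns", "labels": {"f5cr": "true"}},
    "spec": {"domainName": "example.com", "dnsRecordType": "A", "loadBalanceMethod": "round-robin",
             "pools": [{"name": "example.site1.com", "dnsRecordType": "A", "loadBalanceMethod": "round-robin",
                        "dataServerName": "/Common/GSLBServer",
                        "monitor": {"type": "https", "send": "GET /", "recv": "", "interval": 10, "timeout": 10}}]},
}
PAGE_VS = {"kind": "VirtualServer", "metadata": {"name": "sample-virtual"},
           "spec": {"host": "example.com", "virtualServerAddress": "172.16.3.4"}}

# Constructed, deliberately broken resource with hypothetical names.
BROKEN_EDNS = {
    "kind": "ExternalDNS", "metadata": {"name": "broken", "labels": {}},
    "spec": {"domainName": "shop.example.com", "dnsRecordType": "A",
             "pools": [{"name": "shop.site1.com", "dnsRecordType": "A", "dataServerName": "GSLBServer",
                        "monitor": {"type": "http", "interval": 10, "timeout": 30},
                        "monitors": [{"type": "tcp", "send": "GET /", "interval": 10, "timeout": 30}]}]},
}


def codes(findings):
    return sorted(code for code, _ in findings)


if __name__ == "__main__":
    for finding in lint_edns(PAGE_EDNS, [PAGE_VS]) + lint_edns(BROKEN_EDNS, [PAGE_VS]):
        print(*finding, sep="  ")
```

Run it over all ExternalDNS, VirtualServer, TransportServer, and IngressLink manifests of a cluster before applying them; a NO_MATCHING_HOST finding means the wide IP would be created on BIG-IP DNS with no LTM virtual server behind it.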

Examples Repository

View more examples on GitHub.


Note

To provide feedback on Container Ingress Services or this documentation, please file a GitHub Issue.