Azure Private DNS will replace Azure DNS Private Zones #1073
Comments
They’re going to be changing the top-level resource provider to separate it from the current DNS zones. At the moment they’re both covered under the same one. https://azure.microsoft.com/en-gb/updates/announcing-preview-refresh-for-azure-dns-private-zones-2/ In a month or so, this functionality with Private DNS zones will break. |
@t0mmyt |
There need to be code changes done to support it; Private zone is a different top-level resource, uses a different API and needs a new SDK version... |
Anyone who would like to work on this issue? |
Happy to make the change, but ideally upgrading client-go and the azure-sdk first would make this easier. I already tried to update it a while ago, but I had trouble updating the dependencies. |
@timja I used:
diff --git a/go.mod b/go.mod
index db42b9b9..c6e98b33 100644
--- a/go.mod
+++ b/go.mod
@@ -4,8 +4,8 @@ go 1.12
require (
cloud.google.com/go v0.37.4
- github.com/Azure/azure-sdk-for-go v10.0.4-beta+incompatible
- github.com/Azure/go-autorest v10.9.0+incompatible
+ github.com/Azure/azure-sdk-for-go v33.2.0+incompatible
+ github.com/Azure/go-autorest v13.0.1+incompatible
github.com/alecthomas/assert v0.0.0-20170929043011-405dbfeb8e38 // indirect
github.com/alecthomas/colour v0.0.0-20160524082231-60882d9e2721 // indirect
github.com/alecthomas/kingpin v2.2.5+incompatible
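Review bot: the go.mod bump to azure-sdk-for-go v33.2.0+incompatible and go-autorest v13.0.1+incompatible is only half of the dependency change: the matching go.sum entries are not in the diff, and the `+incompatible` suffix means Go found no go.mod at either tag, so the SDK's own requirement on a particular autorest release is not captured here and the two versions have to be paired by hand. Run `go mod tidy`, include go.sum in the change, and verify the pair with `go build ./...`; the later comment that compilation fails with these changes is consistent with a mismatched pair.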
diff --git a/provider/azure.go b/provider/azure.go
index 3f887e55..2fb19c2a 100644
--- a/provider/azure.go
+++ b/provider/azure.go
@@ -26,7 +26,7 @@ import (
yaml "gopkg.in/yaml.v2"
- "github.com/Azure/azure-sdk-for-go/arm/dns"
+ "github.com/Azure/azure-sdk-for-go/services/dns/mgmt/2018-05-01/dns"
"github.com/Azure/go-autorest/autorest"
"github.com/Azure/go-autorest/autorest/adal"
"github.com/Azure/go-autorest/autorest/azure"
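Review bot: swapping the import from `arm/dns` to `services/dns/mgmt/2018-05-01/dns` is not a drop-in change: the API-versioned package has different client constructors and method signatures (operations take a `context.Context` and list operations return result pages), yet no call site in azure.go is touched in this diff, so the file cannot compile as shown. The client construction and record-set list/create/delete calls need to be updated in the same change, or the PR should state that this is import-only and still broken.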
diff --git a/provider/azure_test.go b/provider/azure_test.go
index 36d69766..b1124e40 100644
--- a/provider/azure_test.go
+++ b/provider/azure_test.go
@@ -20,7 +20,7 @@ import (
"context"
"testing"
- "github.com/Azure/azure-sdk-for-go/arm/dns"
+ "github.com/Azure/azure-sdk-for-go/services/dns/mgmt/2018-05-01/dns"
"github.com/Azure/go-autorest/autorest"
"github.com/Azure/go-autorest/autorest/azure"
"github.com/Azure/go-autorest/autorest/to" |
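Review bot: same import swap as in azure.go, but the mock that azure_test.go uses to stand in for the DNS clients is not updated in this hunk; with the new package's methods taking a `context.Context` and returning different result types, the mock no longer satisfies the interface the provider expects, which matches the later remark that "the mock interface isn't quite working". Update the mock's method signatures alongside the import; the `context` import at the top of the hunk is already present, so that part is ready.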
It was a while ago. I'll try to have another look soon; could you create a PR with your change? |
Compilation fails on this with those changes:
Think I just went down a rabbit hole trying to update the tests last time, will try to have another look |
Started on it in: #1195 |
Great you started to work on it. I see you are quite far. Can I help to complete it? |
See if you can figure out why it’s not compiling right now, that would be much appreciated. I’ve got compatible SDKs working but the mock interface isn’t quite working, some Go-ism that I don’t understand... |
FYI: I am working on it. I hope I am able to push some first idea today. Compilation works. I upgraded the Azure dependencies once again. Maybe (or very probably), we should think about splitting those changes into various PRs. |
I wouldn't change the authentication in the PR unless it's required to make it work, can re-work it separately |
Agreed. I will figure that out. But I am afraid that the code around ADAL/manual token creation is at least deprecated, if not more. |
@stsaid how're you getting on? |
I didn't work on it the last two days. Maybe you can have a look at my changes? See the PR on the branch in your forked repo. |
I took a look and managed to fix the tests, they now pass but need a CLA signature from you @stsaid as I merged your commit in. |
I care for that today. Thanks for continuing work on the PR. |
FYI: I've signed up at the Linux Foundation. So far, I haven't received the mail with the CLA confirmation. I have filed a ticket requesting support. |
@timja, have you already thought about how to handle the different types that come with Azure Private DNS? So far, tests, service methods etc. are all bound to the specific types of Azure DNS. Alternatively, I tried to come up with an interlayer which does not embed Azure types but exists separately. Example: instead of the Records() function going straight to the service methods of the Azure clients, it invokes a "generic" function which in turn invokes both the Azure DNS client and the Azure Private DNS client and returns "generic" types. Lastly, one could even think of two distinct providers. Opinions? |
From what I can remember from implementing support for it in Terraform, all the models and API calls are different and the API is different under the hood (less consistent, at least on the zone side). I would lean on the side of a separate provider. |
I think so too.... Regarding provider-names we could go like... I will start on it this week. |
Please check this out: saidst@07e46bc I copy-and-pasted the existing provider but changed the Authorizer. In the meantime, I am trying to figure out the credentials issues. |
Please let us know if there is any update on this. Thanks! |
First version incl. tutorials have been completed 2-3 weeks ago. |
No, I haven't. I'll test your changes out once you're able to open a PR; let me know if there's anything you're stuck on. |
I finally got this working. Here's the parameters file that I used to create the Nginx ingress controller. I needed to add the controller.publishService.enabled: true parameter. After doing that and redeploying, Ingress resources are creating records in my private DNS zone. I've also included the sample service that I used for testing. Helm parameters file:
Sample service:
|
Sorry, I made a wrong suggestion because I overlooked my own scripts. For ingresses we just need this:
Annotating the ingress-controller has no effect on the ingresses. I must have been too fast two days ago... I think this page confirms it: https://github.com/kubernetes-sigs/external-dns/blob/9418e3acd83db8066d07efb80131c9c3ede03f82/docs/tutorials/aws.md#alias |
So is the new version of external-dns with Azure Private DNS support being released anytime soon? The PR was merged a couple of weeks ago; not sure if there is a release cycle in the project. |
No, I cloned master and built the Docker image locally and pushed it |
From the Slack channel (2.12.2019):
|
v0.5.18 was finally released yesterday containing this fix :) |
@guitmz does this work for the stable/external-dns helm chart as well? If yes, I'm not able to make it work for some reason; is there a documentation for the values.yml? I'm doing:
    provider: azure-private-dns
    azure:
      resourceGroup:
      tenantId:
      subscriptionId:
      aadClientId:
      aadClientSecret:
Of course it's filled with values. But I'm getting this error:
The subscription id and the resource group are not being picked up. I'm using this image:
    image:
      registry: docker.io
      repository: bitnami/external-dns
      tag: 0.5.18 |
@IbraheemAlSaady I'm currently updating my local chart with the changes of this new release and I should be able to test this week and let you know |
I have a weird issue when using
with this, the
If I do the same but with |
Have you also taken care of setting the subscription via a cli-arg?
|
Also, looks like there's more to it @IbraheemAlSaady... I have added the missing I think it's related to the comment in your issue where it says that private DNS is relying only on env-args at this moment; also just did as @saidst said and it worked, it's also necessary in the chart. |
I was able to make it work without env vars, just by adding the subscription argument and fixing the if statement as you mentioned in your issue @IbraheemAlSaady , just FYI |
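The fix the thread settles on is a configuration one: with provider azure-private-dns the subscription id and resource group must be passed as args, and credentials must come either from env vars or from aad-pod-identity. The checker below audits a rendered Deployment for exactly that. It is an added example, not external-dns or chart code; it assumes the flag names --provider, --azure-resource-group and --azure-subscription-id (as in the external-dns Azure tutorials), an AZURE_* naming convention for the non-MSI env vars, and the aad-pod-identity pod label aadpodidbinding, and the manifests are constructed.

```python
import json

def parse_args(args):
    """Turn ["--k=v", "--flag"] into {"--k": "v", "--flag": ""}."""
    parsed = {}
    for a in args:
        key, _, value = a.partition("=")
        parsed[key] = value
    return parsed

def audit(manifest_json):
    """Return findings for an external-dns Deployment; [] means it looks complete."""
    tmpl = json.loads(manifest_json)["spec"]["template"]
    container = next(c for c in tmpl["spec"]["containers"] if c["name"] == "external-dns")
    args = parse_args(container.get("args", []))
    if args.get("--provider") != "azure-private-dns":
        return ["provider is not azure-private-dns; nothing to check"]
    findings = []
    # Assumed flag names; the thread's fix was adding the subscription as an arg.
    for flag in ("--azure-resource-group", "--azure-subscription-id"):
        if not args.get(flag):
            findings.append(f"missing {flag} arg")
    # Assumed: credentials via AZURE_* env vars, or MSI via the aadpodidbinding label.
    env_names = {e["name"] for e in container.get("env", [])}
    uses_msi = "aadpodidbinding" in tmpl.get("metadata", {}).get("labels", {})
    if not uses_msi and not any(n.startswith("AZURE_") for n in env_names):
        findings.append("no AZURE_* env vars and no aadpodidbinding label: expect 403s")
    return findings

# Constructed sample: the chart's rendering that produced the 403s in this thread.
BROKEN = json.dumps({"kind": "Deployment", "spec": {"template": {
    "metadata": {"labels": {"app": "external-dns"}},
    "spec": {"containers": [{"name": "external-dns",
        "image": "docker.io/bitnami/external-dns:0.5.18",
        "args": ["--provider=azure-private-dns", "--azure-resource-group=rg-dns",
                 "--source=ingress"],
        "env": [{"name": "LOG_LEVEL", "value": "info"}]}]}}}})

# Constructed sample: subscription arg added and MSI attached via aad-pod-identity.
FIXED = json.dumps({"kind": "Deployment", "spec": {"template": {
    "metadata": {"labels": {"app": "external-dns", "aadpodidbinding": "dns-identity"}},
    "spec": {"containers": [{"name": "external-dns",
        "image": "docker.io/bitnami/external-dns:0.5.18",
        "args": ["--provider=azure-private-dns", "--azure-resource-group=rg-dns",
                 "--azure-subscription-id=00000000-0000-0000-0000-000000000000",
                 "--source=ingress"]}]}}}})

if __name__ == "__main__":
    print(audit(BROKEN))  # two findings
    print(audit(FIXED))   # []
```

Feed it `kubectl get deploy external-dns -o json` to check a live rendering instead of the constructed samples.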
Can you paste the (created) manifest for the deployment (of course without credentials)? |
@guitmz weird, it didn't work for me without the env, it was throwing a 403 error |
Here's the My modifications are:
Here's my values file for currently I have 2 deploys of external-dns, one for each provider, since apparently there's no way of using multiple providers at once. Rendered deployment for external-dns: http://dpaste.com/35D8MWQ ; perhaps it works in my case because of pod-identity. |
Thx! The args look OK (complete). Do you use the managed-identity extension for Azure Kubernetes Service (preview feature)? If so, great. I've not tested that so far. But yes, in theory, the private-dns provider is able to pick up MSI. This is due to the SDKs from Microsoft that are used. I think you need to handle the case of not using MSI; I've not seen that while skimming through the code. In this case, you need to set the following env-vars:
|
@saidst yeah, created a managed identity in Azure, gave it DNS Zone Contributor permissions, used this https://github.com/Azure/aad-pod-identity to attach it to my external-dns pods and it works. I haven't tested without MSI because my end goal is to use it, but I gave a second look at the chart and yeah, I believe it will fail without MSI if the env-vars are not included. Handling it should probably be included in the PR that fixes the chart upstream, if possible. |
Changes have been merged. Use version |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
@fejta-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
were you able to get MSI working with |
The current method of creating a private zone in Azure (a regular DNS zone set to type private) is going to be deprecated in coming months and the new method will be out of private preview in the next few weeks I am told.
I've had a quick look at what's involved and it will require a much newer version of the Azure SDK which in turn requires a new Azure rest client which in turn requires updating client-go.
I am happy to take on the Azure specific changes (updating the existing provider and adding a new one for private DNS) but updating to client-go v11.0.0 will require significantly more work than I have time to take on.
Is anyone able to get the client-go and k8s machinery up to date?