
Install ExternalDNS on Azure Kubernetes Service (AKS) using a user-assigned managed identity and workload identity federation


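# Create the public DNS zone that ExternalDNS will manage.
# The zone's resource ID is the scope of the write permission granted later,
# so keep the zone in a resource group that holds as little else as possible:
# the Reader role assigned on that group below exposes everything in it.
# Delegate the domain at the registrar to the nameServers printed in the output.
RESOURCE_GROUP="test-daniel"
DNS_ZONE_NAME="ainareflect.ai"

az network dns zone create \
    --resource-group "$RESOURCE_GROUP" \
    --name           "$DNS_ZONE_NAME"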
{
  "etag": "b835429c-6567-4d02-8ceb-fdd77ef34154",
  "id": "/subscriptions/27adfb5f-be37-4f18-ab18-d51705bec2ba/resourceGroups/test-daniel/providers/Microsoft.Network/dnszones/ainareflect.ai",
  "location": "global",
  "maxNumberOfRecordSets": 10000,
  "name": "ainareflect.ai",
  "nameServers": [
    "ns1-06.azure-dns.com.",
    "ns2-06.azure-dns.net.",
    "ns3-06.azure-dns.org.",
    "ns4-06.azure-dns.info."
  ],
  "numberOfRecordSets": 2,
  "resourceGroup": "test-daniel",
  "tags": {},
  "type": "Microsoft.Network/dnszones",
  "zoneType": "Public"
}
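# Create the user-assigned managed identity ExternalDNS will run as.
# Creating it grants nothing by itself; every permission is assigned
# explicitly, per scope, in the role-assignment step below.
# Expansions are quoted so a name with spaces or glob characters cannot
# split into extra CLI arguments.
RESOURCE_GROUP="test-daniel"
IDENTITY_NAME="external-dns"

az identity create \
    --resource-group "$RESOURCE_GROUP" \
    --name           "$IDENTITY_NAME"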
{
  "clientId": "20efe579-20f4-4a22-8b03-72941b9a8ca5",
  "id": "/subscriptions/27adfb5f-be37-4f18-ab18-d51705bec2ba/resourcegroups/test-daniel/providers/Microsoft.ManagedIdentity/userAssignedIdentities/external-dns",
  "location": "centralus",
  "name": "external-dns",
  "principalId": "b8c8aee3-8a22-4960-955e-55fd54059521",
  "resourceGroup": "test-daniel",
  "systemData": null,
  "tags": {},
  "tenantId": "6a3ff222-62b9-4ee5-9094-cc1c301bd4fd",
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities"
}
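# Resolve the identity and the two scopes it needs, then grant least-privilege
# access. Defaults match the values used earlier on this page; override them
# in the environment if your names differ.
RESOURCE_GROUP="${RESOURCE_GROUP:-test-daniel}"
IDENTITY_NAME="${IDENTITY_NAME:-external-dns}"
DNS_ZONE_NAME="${DNS_ZONE_NAME:-ainareflect.ai}"

# clientId is what the pod presents through workload identity (it goes into
# the ServiceAccount annotation later); principalId is the directory object
# that role assignments actually bind to.
IDENTITY_CLIENT_ID=$(az identity show \
    --resource-group "$RESOURCE_GROUP" \
    --name           "$IDENTITY_NAME" \
    --query          "clientId" \
    --output         tsv)

IDENTITY_PRINCIPAL_ID=$(az identity show \
    --resource-group "$RESOURCE_GROUP" \
    --name           "$IDENTITY_NAME" \
    --query          "principalId" \
    --output         tsv)

# Write scope: the single DNS zone, never the whole resource group.
DNS_ZONE_ID=$(az network dns zone show \
    --resource-group "$RESOURCE_GROUP" \
    --name           "$DNS_ZONE_NAME" \
    --query          "id" \
    --output         tsv)

# Read scope: the resource group containing the zone, so ExternalDNS can
# discover the zone(s) it is allowed to manage.
RESOURCE_GROUP_ID=$(az group show \
    --name   "$RESOURCE_GROUP" \
    --query  "id" \
    --output tsv)

# Least privilege: "DNS Zone Contributor" only on the zone, "Reader" only on
# its resource group. Do not widen either scope to the subscription.
# Binding by object ID with an explicit principal type skips the directory
# lookup that `--assignee <clientId>` performs; that lookup can fail with
# "principal does not exist" right after creation while the new identity is
# still replicating, which is a common cause of silently missing assignments.
az role assignment create \
    --role                    "DNS Zone Contributor" \
    --assignee-object-id      "$IDENTITY_PRINCIPAL_ID" \
    --assignee-principal-type ServicePrincipal \
    --scope                   "$DNS_ZONE_ID"

az role assignment create \
    --role                    "Reader" \
    --assignee-object-id      "$IDENTITY_PRINCIPAL_ID" \
    --assignee-principal-type ServicePrincipal \
    --scope                   "$RESOURCE_GROUP_ID"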
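# Federate the managed identity with one Kubernetes ServiceAccount and wire the
# ExternalDNS workload to it. CLUSTER_NAME was not defined earlier on this page,
# so fail early if it is missing instead of querying a cluster named "".
: "${CLUSTER_NAME:?set CLUSTER_NAME to the AKS cluster name}"
RESOURCE_GROUP="${RESOURCE_GROUP:-test-daniel}"
IDENTITY_NAME="${IDENTITY_NAME:-external-dns}"
SA_NAMESPACE="${SA_NAMESPACE:-default}"
SA_NAME="${SA_NAME:-external-dns}"
DEPLOYMENT_NAME="${DEPLOYMENT_NAME:-external-dns}"

# The issuer URL is only populated on clusters that have the OIDC issuer
# (and workload identity) enabled; an empty value here means the federated
# credential below would be created against an empty issuer.
OIDC_ISSUER_URL=$(az aks show \
    --resource-group "$RESOURCE_GROUP" \
    --name           "$CLUSTER_NAME" \
    --query          "oidcIssuerProfile.issuerUrl" \
    --output         tsv)
: "${OIDC_ISSUER_URL:?OIDC issuer is not enabled on ${CLUSTER_NAME}; enable it (--enable-oidc-issuer --enable-workload-identity) first}"

# The subject pins the trust to exactly one ServiceAccount in one namespace and
# must match the ServiceAccount that the ExternalDNS pods actually use.
# Security note: anyone who can run a pod with this ServiceAccount inherits the
# identity's DNS permissions, so restrict pod creation / ServiceAccount use in
# this namespace and prefer a dedicated namespace over "default".
az identity federated-credential create \
    --name           "$IDENTITY_NAME" \
    --identity-name  "$IDENTITY_NAME" \
    --resource-group "$RESOURCE_GROUP" \
    --issuer         "$OIDC_ISSUER_URL" \
    --subject        "system:serviceaccount:${SA_NAMESPACE}:${SA_NAME}"

# Point the ServiceAccount at the identity. The original single-quoted patch
# never expanded ${IDENTITY_CLIENT_ID} and its \" escapes were not valid JSON;
# `kubectl annotate` needs no JSON quoting at all.
kubectl annotate serviceaccount "$SA_NAME" \
    --namespace "$SA_NAMESPACE" \
    --overwrite \
    "azure.workload.identity/client-id=${IDENTITY_CLIENT_ID}"

# Opt the pods into workload-identity token projection. The label belongs on
# the pod template, not on the Deployment object itself. Plain JSON here; the
# original mixed \" escapes inside single quotes and was rejected by kubectl.
kubectl patch deployment "$DEPLOYMENT_NAME" \
    --namespace "$SA_NAMESPACE" \
    --patch '{"spec": {"template": {"metadata": {"labels": {"azure.workload.identity/use": "true"}}}}}'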