added provider for azure private dns; updated docs, examples, and charts

gardener · Nov 25, 2021 · ea54c34 · ea54c34
1 parent e06fe9e
commit ea54c34
Show file tree

Hide file tree

Showing 237 changed files with 12,804 additions and 13,623 deletions.
diff --git a/README.md b/README.md
@@ -7,7 +7,7 @@ It contains provisioning controllers for creating DNS records in one of the DNS
   - [_Amazon Route53_](/docs/aws-route53/README.md),
   - [_Google CloudDNS_](/docs/google-cloud-dns/README.md),
   - [_AliCloud DNS_](/docs/alicloud-dns/README.md),
-  - [_Azure DNS_](/docs/azure-dns/README.md),
+  - [_Azure DNS_](/docs/azure-dns/README.md) and [_Azure Private_DNS_](/docs/azure-private-dns/README.md),
   - [_OpenStack Designate_](/docs/openstack-designate/README.md),
   - [_Cloudflare DNS_](/docs/cloudflare/README.md),
   - [_Infoblox_](/docs/infoblox/README.md),
@@ -421,6 +421,12 @@ Flags:
       --azure-dns.ratelimiter.burst int                               number of burst requests for rate limiter
       --azure-dns.ratelimiter.enabled                                 enables rate limiter for DNS provider requests
       --azure-dns.ratelimiter.qps int                                 maximum requests/queries per second
+      --azure-private-dns.advanced.batch-size int                     batch size for change requests (currently only used for aws-route53)
+      --azure-private-dns.advanced.max-retries int                    maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53)
+      --azure-private-dns.blocked-zone zone-id                        Blocks a zone given in the format zone-id from a provider as if the zone is not existing.
+      --azure-private-dns.ratelimiter.burst int                       number of burst requests for rate limiter
+      --azure-private-dns.ratelimiter.enabled                         enables rate limiter for DNS provider requests
+      --azure-private-dns.ratelimiter.qps int                         maximum requests/queries per second
       --bind-address-http string                                      HTTP server bind address
       --blocked-zone zone-id                                          Blocks a zone given in the format zone-id from a provider as if the zone is not existing.
       --cache-dir string                                              Directory to store zone caches (for reload after restart)
@@ -451,6 +457,12 @@ Flags:
       --compound.azure-dns.ratelimiter.burst int                      number of burst requests for rate limiter of controller compound
       --compound.azure-dns.ratelimiter.enabled                        enables rate limiter for DNS provider requests of controller compound
       --compound.azure-dns.ratelimiter.qps int                        maximum requests/queries per second of controller compound
+      --compound.azure-private-dns.advanced.batch-size int            batch size for change requests (currently only used for aws-route53) of controller compound
+      --compound.azure-private-dns.advanced.max-retries int           maximum number of retries to avoid paging stops on throttling (currently only used for aws-route53) of controller compound
+      --compound.azure-private-dns.blocked-zone zone-id               Blocks a zone given in the format zone-id from a provider as if the zone is not existing. of controller compound
+      --compound.azure-private-dns.ratelimiter.burst int              number of burst requests for rate limiter of controller compound
+      --compound.azure-private-dns.ratelimiter.enabled                enables rate limiter for DNS provider requests of controller compound
+      --compound.azure-private-dns.ratelimiter.qps int                maximum requests/queries per second of controller compound
       --compound.blocked-zone zone-id                                 Blocks a zone given in the format zone-id from a provider as if the zone is not existing. of controller compound
       --compound.cache-dir string                                     Directory to store zone caches (for reload after restart) of controller compound
       --compound.cache-ttl int                                        Time-to-live for provider hosted zone cache of controller compound
@@ -515,9 +527,9 @@ Flags:
       --default.pool.size int                                         Worker pool size for pool default
       --disable-namespace-restriction                                 disable access restriction for namespace local access only
       --disable-zone-state-caching                                    disable use of cached dns zone state on changes
-      --dns-class string                                              identifier used to differentiate responsible controllers for providers, identifier used to differentiate responsible controllers for entries, Class identifier used to differentiate responsible controllers for entry resources
+      --dns-class string                                              identifier used to differentiate responsible controllers for entries, Class identifier used to differentiate responsible controllers for entry resources, identifier used to differentiate responsible controllers for providers
       --dns-delay duration                                            delay between two dns reconciliations
-      --dns-target-class string                                       identifier used to differentiate responsible dns controllers for target providers, identifier used to differentiate responsible dns controllers for target entries
+      --dns-target-class string                                       identifier used to differentiate responsible dns controllers for target entries, identifier used to differentiate responsible dns controllers for target providers
       --dns.pool.resync-period duration                               Period for resynchronization for pool dns
       --dns.pool.size int                                             Worker pool size for pool dns
       --dnsentry-source.default.pool.resync-period duration           Period for resynchronization for pool default of controller dnsentry-source
@@ -533,6 +545,7 @@ Flags:
       --dnsentry-source.target-name-prefix string                     name prefix in target namespace for cross cluster generation of controller dnsentry-source
       --dnsentry-source.target-namespace string                       target namespace for cross cluster generation of controller dnsentry-source
       --dnsentry-source.target-owner-id string                        owner id to use for generated DNS entries of controller dnsentry-source
+      --dnsentry-source.target-owner-object string                    owner object to use for generated DNS entries of controller dnsentry-source
       --dnsentry-source.target-realms string                          realm(s) to use for generated DNS entries of controller dnsentry-source
       --dnsentry-source.target-set-ignore-owners                      mark generated DNS entries to omit owner based access control of controller dnsentry-source
       --dnsentry-source.targets.pool.size int                         Worker pool size for pool targets of controller dnsentry-source
@@ -579,6 +592,7 @@ Flags:
       --ingress-dns.target-name-prefix string                         name prefix in target namespace for cross cluster generation of controller ingress-dns
       --ingress-dns.target-namespace string                           target namespace for cross cluster generation of controller ingress-dns
       --ingress-dns.target-owner-id string                            owner id to use for generated DNS entries of controller ingress-dns
+      --ingress-dns.target-owner-object string                        owner object to use for generated DNS entries of controller ingress-dns
       --ingress-dns.target-realms string                              realm(s) to use for generated DNS entries of controller ingress-dns
       --ingress-dns.target-set-ignore-owners                          mark generated DNS entries to omit owner based access control of controller ingress-dns
       --ingress-dns.targets.pool.size int                             Worker pool size for pool targets of controller ingress-dns
@@ -641,18 +655,20 @@ Flags:
       --service-dns.target-name-prefix string                         name prefix in target namespace for cross cluster generation of controller service-dns
       --service-dns.target-namespace string                           target namespace for cross cluster generation of controller service-dns
       --service-dns.target-owner-id string                            owner id to use for generated DNS entries of controller service-dns
+      --service-dns.target-owner-object string                        owner object to use for generated DNS entries of controller service-dns
       --service-dns.target-realms string                              realm(s) to use for generated DNS entries of controller service-dns
       --service-dns.target-set-ignore-owners                          mark generated DNS entries to omit owner based access control of controller service-dns
       --service-dns.targets.pool.size int                             Worker pool size for pool targets of controller service-dns
       --setup int                                                     number of processors for controller setup
       --statistic.pool.size int                                       Worker pool size for pool statistic
       --target string                                                 target cluster for dns requests
-      --target-creator-label-name string                              label name to store the creator for replicated DNS providers, label name to store the creator for generated DNS entries
+      --target-creator-label-name string                              label name to store the creator for generated DNS entries, label name to store the creator for replicated DNS providers
       --target-creator-label-value string                             label value for creator label
-      --target-name-prefix string                                     name prefix in target namespace for cross cluster replication, name prefix in target namespace for cross cluster generation
+      --target-name-prefix string                                     name prefix in target namespace for cross cluster generation, name prefix in target namespace for cross cluster replication
       --target-namespace string                                       target namespace for cross cluster generation
       --target-owner-id string                                        owner id to use for generated DNS entries
-      --target-realms string                                          realm(s) to use for replicated DNS provider, realm(s) to use for generated DNS entries
+      --target-owner-object string                                    owner object to use for generated DNS entries
+      --target-realms string                                          realm(s) to use for generated DNS entries, realm(s) to use for replicated DNS provider
       --target-set-ignore-owners                                      mark generated DNS entries to omit owner based access control
       --target.disable-deploy-crds                                    disable deployment of required crds for cluster target
       --target.id string                                              id for cluster target

diff --git a/charts/external-dns-management/templates/deployment.yaml b/charts/external-dns-management/templates/deployment.yaml
@@ -123,6 +123,21 @@ spec:
         {{- if .Values.configuration.azureDNSRatelimiterQps }}
         - --azure-dns.ratelimiter.qps={{ .Values.configuration.azureDNSRatelimiterQps }}
         {{- end }}
+        {{- if .Values.configuration.azurePrivateDnsAdvancedBatchSize }}
+        - --azure-private-dns.advanced.batch-size={{ .Values.configuration.azurePrivateDnsAdvancedBatchSize }}
+        {{- end }}
+        {{- if .Values.configuration.azurePrivateDnsAdvancedMaxRetries }}
+        - --azure-private-dns.advanced.max-retries={{ .Values.configuration.azurePrivateDnsAdvancedMaxRetries }}
+        {{- end }}
+        {{- if .Values.configuration.azurePrivateDnsRatelimiterBurst }}
+        - --azure-private-dns.ratelimiter.burst={{ .Values.configuration.azurePrivateDnsRatelimiterBurst }}
+        {{- end }}
+        {{- if .Values.configuration.azurePrivateDnsRatelimiterEnabled }}
+        - --azure-private-dns.ratelimiter.enabled={{ .Values.configuration.azurePrivateDnsRatelimiterEnabled }}
+        {{- end }}
+        {{- if .Values.configuration.azurePrivateDnsRatelimiterQps }}
+        - --azure-private-dns.ratelimiter.qps={{ .Values.configuration.azurePrivateDnsRatelimiterQps }}
+        {{- end }}
         {{- if .Values.configuration.bindAddressHttp }}
         - --bind-address-http={{ .Values.configuration.bindAddressHttp }}
         {{- end }}
@@ -195,6 +210,21 @@ spec:
         {{- if .Values.configuration.compoundAzureDnsRatelimiterQps }}
         - --compound.azure-dns.ratelimiter.qps={{ .Values.configuration.compoundAzureDnsRatelimiterQps }}
         {{- end }}
+        {{- if .Values.configuration.compoundAzurePrivateDnsAdvancedBatchSize }}
+        - --compound.azure-private-dns.advanced.batch-size={{ .Values.configuration.compoundAzurePrivateDnsAdvancedBatchSize }}
+        {{- end }}
+        {{- if .Values.configuration.compoundAzurePrivateDnsAdvancedMaxRetries }}
+        - --compound.azure-private-dns.advanced.max-retries={{ .Values.configuration.compoundAzurePrivateDnsAdvancedMaxRetries }}
+        {{- end }}
+        {{- if .Values.configuration.compoundAzurePrivateDnsRatelimiterBurst }}
+        - --compound.azure-private-dns.ratelimiter.burst={{ .Values.configuration.compoundAzurePrivateDnsRatelimiterBurst }}
+        {{- end }}
+        {{- if .Values.configuration.compoundAzurePrivateDnsRatelimiterEnabled }}
+        - --compound.azure-private-dns.ratelimiter.enabled={{ .Values.configuration.compoundAzurePrivateDnsRatelimiterEnabled }}
+        {{- end }}
+        {{- if .Values.configuration.compoundAzurePrivateDnsRatelimiterQps }}
+        - --compound.azure-private-dns.ratelimiter.qps={{ .Values.configuration.compoundAzurePrivateDnsRatelimiterQps }}
+        {{- end }}
         {{- if .Values.configuration.compoundCacheTtl }}
         - --compound.cache-ttl={{ .Values.configuration.compoundCacheTtl }}
         {{- end }}

diff --git a/charts/external-dns-management/values.yaml b/charts/external-dns-management/values.yaml
@@ -72,6 +72,11 @@ configuration:
   # azureDNSRatelimiterBurst:
   # azureDNSRatelimiterEnabled:
   # azureDNSRatelimiterQps:
+  # azurePrivateDnsAdvancedBatchSize:
+  # azurePrivateDnsAdvancedMaxRetries:
+  # azurePrivateDnsRatelimiterBurst:
+  # azurePrivateDnsRatelimiterEnabled:
+  # azurePrivateDnsRatelimiterQps:
   # bindAddressHttp:
   # cacheTtl: 120
   # cloudflareDNSAdvancedBatchSize:
@@ -96,6 +101,11 @@ configuration:
   # compoundAzureDnsRatelimiterBurst:
   # compoundAzureDnsRatelimiterEnabled:
   # compoundAzureDnsRatelimiterQps:
+  # compoundAzurePrivateDnsAdvancedBatchSize:
+  # compoundAzurePrivateDnsAdvancedMaxRetries:
+  # compoundAzurePrivateDnsRatelimiterBurst:
+  # compoundAzurePrivateDnsRatelimiterEnabled:
+  # compoundAzurePrivateDnsRatelimiterQps:
   # compoundCacheTtl: 120
   # compoundCloudflareDnsAdvancedBatchSize:
   # compoundCloudflareDnsAdvancedMaxRetries:

diff --git a/cmd/compound/main.go b/cmd/compound/main.go
@@ -31,6 +31,7 @@ import (
 	_ "github.com/gardener/external-dns-management/pkg/controller/provider/alicloud"
 	_ "github.com/gardener/external-dns-management/pkg/controller/provider/aws"
 	_ "github.com/gardener/external-dns-management/pkg/controller/provider/azure"
+	_ "github.com/gardener/external-dns-management/pkg/controller/provider/azure-private"
 	_ "github.com/gardener/external-dns-management/pkg/controller/provider/cloudflare"
 	_ "github.com/gardener/external-dns-management/pkg/controller/provider/compound/controller"
 	_ "github.com/gardener/external-dns-management/pkg/controller/provider/google"

diff --git a/cmd/dedicated/main.go b/cmd/dedicated/main.go
@@ -30,6 +30,7 @@ import (
 	_ "github.com/gardener/external-dns-management/pkg/controller/annotation/annotations"
 	_ "github.com/gardener/external-dns-management/pkg/controller/provider/alicloud/controller"
 	_ "github.com/gardener/external-dns-management/pkg/controller/provider/aws/controller"
+	_ "github.com/gardener/external-dns-management/pkg/controller/provider/azure-private/controller"
 	_ "github.com/gardener/external-dns-management/pkg/controller/provider/azure/controller"
 	_ "github.com/gardener/external-dns-management/pkg/controller/provider/cloudflare/controller"
 	_ "github.com/gardener/external-dns-management/pkg/controller/provider/google/controller"

diff --git a/docs/azure-dns/README.md b/docs/azure-dns/README.md
@@ -1,6 +1,7 @@
 # Azure DNS Provider
 
 This DNS provider allows you to create and manage DNS entries in [Azure DNS](https://docs.microsoft.com/en-us/azure/dns/dns-overview). 
+For private DNS zones, please see use the provider type [azure-private-dns](../azure-private-dns/README.md).
 
 ## Create a service principal account
 

diff --git a/docs/azure-private-dns/README.md b/docs/azure-private-dns/README.md
@@ -0,0 +1,38 @@
+# Azure DNS Provider for Private Zones
+
+This DNS provider allows you to create and manage DNS entries in private zones of [Azure Private DNS](https://docs.microsoft.com/en-us/azure/dns/private-dns-overview).
+For public DNS zones, please see use the provider type [azure-dns](../azure-dns/README.md).
+
+## Create a service principal account
+
+Follow the steps as described in the Azure documentation to [create a service principal account](https://docs.microsoft.com/en-us/azure/dns/dns-sdk#create-a-service-principal-account)
+and grant the service principal account 'Private DNS Zone Contributor' permissions to the resource group. 
+
+See also [How to protect private DNS zones and records](https://docs.microsoft.com/en-us/azure/dns/dns-protect-private-zones-recordsets)
+
+## Using the service principal account
+
+Create a `Secret` resource with the data fields `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, and `AZURE_CLIENT_SECRET`.
+The values need to be base64 encoded.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: azure-credentials
+  namespace: default
+type: Opaque
+data:
+  # replace '...' with values encoded as base64
+  # see https://docs.microsoft.com/en-us/azure/dns/dns-sdk#create-a-service-principal-account
+  AZURE_SUBSCRIPTION_ID: ...
+  AZURE_TENANT_ID: ...
+  AZURE_CLIENT_ID: ...
+  AZURE_CLIENT_SECRET: ...
+
+  # Alternatively use Gardener cloud provider credentials convention
+  #tenantID: ...
+  #subscriptionID: ...
+  #clientID: ...
+  #clientSecret: ...
+``` 
diff --git a/examples/20-secret-azure-private-credentials.yaml b/examples/20-secret-azure-private-credentials.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: azure-private-credentials
+  namespace: default
+type: Opaque
+data:
+  # replace '...' with values encoded as base64
+  # see https://docs.microsoft.com/en-us/azure/dns/dns-sdk#create-a-service-principal-account
+  AZURE_SUBSCRIPTION_ID: ...
+  AZURE_TENANT_ID: ...
+  AZURE_CLIENT_ID: ...
+  AZURE_CLIENT_SECRET: ...
+  # Alternatively use Gardener cloud provider credentials convention
+  #tenantID: ...
+  #subscriptionID: ...
+  #clientID: ...
+  #clientSecret: ...
diff --git a/examples/30-provider-azure-private.yaml b/examples/30-provider-azure-private.yaml
@@ -0,0 +1,20 @@
+apiVersion: dns.gardener.cloud/v1alpha1
+kind: DNSProvider
+metadata:
+  name: azure
+  namespace: default
+spec:
+  type: azure-private-dns
+  secretRef:
+    name: azure-private-credentials
+  domains:
+    include:
+    - my.own.domain.com
+    #exclude:
+    #- my.excluded.domain.com
+  #zones:
+  #  include:
+  #  - myResourceGroup/own.domain.com
+  #  - <resourceGroup>/<dnszone>
+  #  exclude:
+  #  - <resourceGroup>/<dnszone>
diff --git a/go.mod b/go.mod
@@ -3,9 +3,10 @@ module github.com/gardener/external-dns-management
 go 1.16
 
 require (
-	github.com/Azure/azure-sdk-for-go v39.0.0+incompatible
-	github.com/Azure/go-autorest/autorest/azure/auth v0.4.2
-	github.com/Azure/go-autorest/autorest/to v0.3.0 // indirect
+	github.com/Azure/azure-sdk-for-go v59.3.0+incompatible
+	github.com/Azure/go-autorest/autorest v0.11.19
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.9
+	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
 	github.com/ahmetb/gen-crd-api-reference-docs v0.2.0
 	github.com/aliyun/alibaba-cloud-sdk-go v0.0.0-20190603021944-12ad9f921c0b
 	github.com/aws/aws-sdk-go v1.38.43