From 7e521afe6bacb44f12c50fbe6ec04ac19665fc0a Mon Sep 17 00:00:00 2001 From: Ibrahim Mkusa Date: Wed, 20 Nov 2024 20:54:55 -0500 Subject: [PATCH] Integrate kube-external-dns with pihole for autonomous dns --- manifests/external-dns/README.md | 11 +++++ manifests/external-dns/install.yaml | 74 +++++++++++++++++++++++++++++ manifests/pihole/values.yaml | 5 +- 3 files changed, 88 insertions(+), 2 deletions(-) create mode 100644 manifests/external-dns/README.md create mode 100644 manifests/external-dns/install.yaml diff --git a/manifests/external-dns/README.md b/manifests/external-dns/README.md new file mode 100644 index 0000000..a92454e --- /dev/null +++ b/manifests/external-dns/README.md @@ -0,0 +1,11 @@ +External DNS with pihole + +Make sure to run where `somesecret` will be the password for your pihole +``` +kubectl create secret generic external-dns-pihole-password \ + --from-literal EXTERNAL_DNS_PIHOLE_PASSWORD=somesecret +``` + +Add the annotation `external-dns.alpha.kubernetes.io/hostname: +\ nginx.external-dns-test.homelab.local` to your services, so external dns can +pick up the service and a dns entry in pihole automatically. diff --git a/manifests/external-dns/install.yaml b/manifests/external-dns/install.yaml new file mode 100644 index 0000000..2593afd --- /dev/null +++ b/manifests/external-dns/install.yaml 
@@ -0,0 +1,74 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: external-dns
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: external-dns
+rules:
+- apiGroups: [""]
+ resources: ["services","endpoints","pods"]
+ verbs: ["get","watch","list"]
+- apiGroups: ["extensions","networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get","watch","list"]
+- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["list","watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: external-dns-viewer
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: external-dns
+subjects:
+- kind: ServiceAccount
+ name: external-dns
+ namespace: default
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: external-dns
+spec:
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app: external-dns
+ template:
+ metadata:
+ labels:
+ app: external-dns
+ spec:
+ serviceAccountName: external-dns
+ containers:
+ - name: external-dns
+ image: registry.k8s.io/external-dns/external-dns:v0.15.0
+ # If authentication is disabled and/or you didn't create
+ # a secret, you can remove this block.
+ envFrom:
+ - secretRef:
+ # Change this if you gave the secret a different name
+ name: external-dns-pihole-password
+ args:
+ - --source=service
+ - --source=ingress
+ # Pihole only supports A/AAAA/CNAME records so there is no mechanism to track ownership.
+ # You don't need to set this flag, but if you leave it unset, you will receive warning
+ # logs when ExternalDNS attempts to create TXT records.
+ - --registry=noop
+ # IMPORTANT: If you have records that you manage manually in Pi-hole, set
+ # the policy to upsert-only so they do not get deleted.
+ - --policy=upsert-only
+ - --provider=pihole
+ # Change this to the actual address of your Pi-hole web server
+ - --pihole-server=http://pihole-web.default.svc.cluster.local
+ securityContext:
+ fsGroup: 65534 # For ExternalDNS to be able to read Kubernetes token files
diff --git a/manifests/pihole/values.yaml b/manifests/pihole/values.yaml
index ae8c2bf..0311c5a 100644
--- a/manifests/pihole/values.yaml
+++ b/manifests/pihole/values.yaml
@@ -118,13 +118,13 @@ serviceWeb:
 nodePort: ""
 # -- `spec.type` for the web interface Service
- type: ClusterIP
+ type: LoadBalancer
 # -- `spec.externalTrafficPolicy` for the web interface Service
 externalTrafficPolicy: Local
 # -- A fixed `spec.loadBalancerIP` for the web interface Service
- loadBalancerIP: ""
+ loadBalancerIP: "192.168.0.239"
 # -- A fixed `spec.loadBalancerIP` for the IPv6 web interface Service
 loadBalancerIPv6: ""
@@ -404,6 +404,7 @@ regex: {}
 ftl: {}
 # Add values for pihole-FTL.conf
 # MAXDBDAYS: 14
+ #StartLimitBurst: 25
 # -- port the container should use to expose HTTP traffic
 webHttp: "80"
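Review bot: Nothing in the args bounds which DNS names this controller may write: `--source=service` and `--source=ingress` are unfiltered, the ClusterRole watches Services and Ingresses in every namespace, and `--registry=noop` drops the ownership TXT records that would otherwise stop ExternalDNS from touching records it did not create, so any workload that can create an annotated Service or Ingress anywhere in the cluster can publish—or, since the policy is `upsert-only`, overwrite—an arbitrary hostname in the home DNS. Add `- --domain-filter=homelab.local` (the zone the README uses) and, if the annotated sources all live in one namespace, `- --namespace=default`, so the filter rather than good behaviour is what limits the blast radius. The provider URL is plain `http://` and the admin password from `EXTERNAL_DNS_PIHOLE_PASSWORD` is presented to that endpoint, so the credential crosses the cluster network unencrypted; that is tolerable on a trusted homelab network, but the comment above `--pihole-server` should say so. The ClusterRoleBinding subject is pinned to `namespace: default` while the ServiceAccount and Deployment carry no namespace, so applying this file with any other `-n` silently leaves the pod without RBAC; set `metadata.namespace: default` on all three. Only the pod-level `fsGroup` is set and the container has no securityContext, so I would add the hardening below.
```yaml
        args:
        - --source=service
        - --source=ingress
        # Only manage names under the homelab zone; annotated hostnames in other zones are ignored
        - --domain-filter=homelab.local
        # … unchanged: --registry, --policy, --provider, --pihole-server …
        # Container-level hardening; the pod-level fsGroup stays as is
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop: ["ALL"]
```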
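Review bot: Switching `serviceWeb.type` to `LoadBalancer` at `192.168.0.239` exposes the Pi-hole admin interface to every host on the LAN, and with `webHttp: "80"` still in place (second hunk) the login—the same password the external-dns secret holds—travels over cleartext HTTP, so anyone on that segment who captures it can rewrite DNS for the whole home. The Deployment in this commit reaches Pi-hole at its cluster-local address, so the integration itself does not appear to need this change; if LAN access to the UI is the goal, front it with TLS (an ingress or the chart's HTTPS port) and keep port 80 off the LoadBalancer, otherwise leave the service `ClusterIP` and use a port-forward. The hard-coded address is presumably site-specific, so the line `loadBalancerIP: "192.168.0.239"` could carry `# fixed LAN address handed out by the cluster's load balancer — change per site`.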
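Review bot: `StartLimitBurst` is a systemd `[Unit]` directive rather than a pihole-FTL.conf key as far as I can tell, so the new commented line under `ftl: {}` documents an option this values file cannot apply; confirm against the pihole-FTL.conf reference and either drop it or move it to wherever the FTL service unit is configured. If it stays, match the sibling `# MAXDBDAYS: 14` by putting a space after the hash: `  # StartLimitBurst: 25`.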