Integrate kube-external-dns with pihole for autonomous dns

This commit is contained in:
Ibrahim Mkusa 2024-11-20 20:54:55 -05:00
parent 8f89896394
commit 7e521afe6b
3 changed files with 88 additions and 2 deletions


@ -0,0 +1,11 @@
External DNS with pihole
Make sure to run where `somesecret` will be the password for your pihole
```
kubectl create secret generic external-dns-pihole-password \
--from-literal EXTERNAL_DNS_PIHOLE_PASSWORD=somesecret
```
Add the annotation `external-dns.alpha.kubernetes.io/hostname:
\ nginx.external-dns-test.homelab.local` to your services, so external dns can
pick up the service and a dns entry in pihole automatically.


@ -0,0 +1,74 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-dns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: external-dns
rules:
- apiGroups: [""]
resources: ["services","endpoints","pods"]
verbs: ["get","watch","list"]
- apiGroups: ["extensions","networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get","watch","list"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: external-dns-viewer
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: external-dns
subjects:
- kind: ServiceAccount
name: external-dns
namespace: default
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: external-dns
spec:
strategy:
type: Recreate
selector:
matchLabels:
app: external-dns
template:
metadata:
labels:
app: external-dns
spec:
serviceAccountName: external-dns
containers:
- name: external-dns
image: registry.k8s.io/external-dns/external-dns:v0.15.0
# If authentication is disabled and/or you didn't create
# a secret, you can remove this block.
envFrom:
- secretRef:
# Change this if you gave the secret a different name
name: external-dns-pihole-password
args:
- --source=service
- --source=ingress
# Pihole only supports A/AAAA/CNAME records so there is no mechanism to track ownership.
# You don't need to set this flag, but if you leave it unset, you will receive warning
# logs when ExternalDNS attempts to create TXT records.
- --registry=noop
# IMPORTANT: If you have records that you manage manually in Pi-hole, set
# the policy to upsert-only so they do not get deleted.
- --policy=upsert-only
- --provider=pihole
# Change this to the actual address of your Pi-hole web server
- --pihole-server=http://pihole-web.default.svc.cluster.local
securityContext:
fsGroup: 65534 # For ExternalDNS to be able to read Kubernetes token files
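Review bot: The controller watches Services and Ingresses cluster-wide (`--source=service`, `--source=ingress`) with no `--domain-filter`, so any principal able to create an annotated Service or Ingress can publish — or, under `--policy=upsert-only`, repoint — any name in Pi-hole, and `--registry=noop` means there is no ownership record that would detect it. Scoping the controller to the zone the README uses, `- --domain-filter=homelab.local`, limits what a stray or hostile annotation can affect, and `--namespace=<ns>` narrows it further if only one namespace publishes records. The pod `securityContext` at the end of the hunk sets only `fsGroup`; the container-level hardening below (`allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, dropped capabilities, `runAsNonRoot`) costs nothing for a controller like this, though I have not verified which user the `v0.15.0` image runs as — confirm before enabling `runAsNonRoot`. Also, the ClusterRoleBinding hardcodes `namespace: default` while the ServiceAccount and Deployment set no namespace, so applying this file with `-n` anything other than default leaves the binding pointing at a non-existent account and the controller unable to list Services.
```yaml
        - name: external-dns
          # … unchanged: image, envFrom …
          args:
            - --source=service
            - --source=ingress
            # … unchanged: registry, policy, provider and pihole-server flags …
            # Manage only names under the homelab zone so an annotation on an
            # unrelated workload cannot create or repoint other Pi-hole records.
            - --domain-filter=homelab.local
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop: ["ALL"]
      securityContext:
        fsGroup: 65534  # For ExternalDNS to be able to read Kubernetes token files
```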


@ -118,13 +118,13 @@ serviceWeb:
nodePort: ""
# -- `spec.type` for the web interface Service
type: ClusterIP
type: LoadBalancer
# -- `spec.externalTrafficPolicy` for the web interface Service
externalTrafficPolicy: Local
# -- A fixed `spec.loadBalancerIP` for the web interface Service
loadBalancerIP: ""
loadBalancerIP: "192.168.0.239"
# -- A fixed `spec.loadBalancerIP` for the IPv6 web interface Service
loadBalancerIPv6: ""
@ -404,6 +404,7 @@ regex: {}
ftl: {}
# Add values for pihole-FTL.conf
# MAXDBDAYS: 14
#StartLimitBurst: 25
# -- port the container should use to expose HTTP traffic
webHttp: "80"
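Review bot: Switching `serviceWeb.type` from `ClusterIP` to `LoadBalancer` with a fixed `loadBalancerIP` of `192.168.0.239` puts the Pi-hole admin UI and its API on the LAN, and the external-dns integration in this commit does not need it — the controller reaches Pi-hole through `http://pihole-web.default.svc.cluster.local`. The second hunk shows the UI served on `webHttp: "80"`, so the admin password — the same secret handed to external-dns — would cross the LAN in clear text on every login; if LAN access is intended, a comment stating why plus TLS termination (an HTTPS port if the chart offers one, or an ingress with a certificate in front) would be appropriate, e.g. `type: LoadBalancer  # admin UI reachable on the LAN; keep behind TLS`. `192.168.0.239` also needs to be outside the LAN DHCP pool (or inside the load-balancer's address pool) to avoid a conflict, which is worth a comment on `loadBalancerIP`. In the `ftl` hunk, `#StartLimitBurst: 25` — if that is the added line — names a systemd unit option rather than a pihole-FTL.conf setting as far as I can tell, and its spacing differs from the neighbouring `# MAXDBDAYS: 14`; `# StartLimitBurst: 25` with a note on where it actually belongs would avoid confusion.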