route53-kubernetes is a Kubernetes service that polls Services (in all namespaces) carrying the label `dns=route53` and adds the appropriate alias record for the domain named in the `domainName` annotation, e.g. `domainName=sub.mydomain.io`. Multiple domains and top-level domains (the leading-dot form `.mydomain.io`) are also supported, comma-separated:

`domainName=.mydomain.io,sub1.mydomain.io,sub2.mydomain.io`
The following is an example ReplicationController definition for route53-kubernetes. Create it with `kubectl create -f <name_of_route53-kubernetes-rc.yaml>`.

Note: we don't currently sign our Docker images, so please use our images at your own risk. If you do use them, pin the image by digest (`quay.io/molecule/route53-kubernetes@sha256:...`) rather than by tag, so a retagged image cannot silently replace the one you reviewed.
```yaml
apiVersion: v1
kind: ReplicationController
metadata:
  name: route53-kubernetes
  namespace: kube-system
  labels:
    app: route53-kubernetes
spec:
  replicas: 1
  selector:
    app: route53-kubernetes
  template:
    metadata:
      labels:
        app: route53-kubernetes
    spec:
      containers:
        - image: quay.io/molecule/route53-kubernetes:v1.3.0
          name: route53-kubernetes
```
This service expects to run on a Kubernetes node on AWS whose IAM instance profile allows the following, in addition to the default permissions Kubernetes itself needs. Keep in mind that an instance profile is available to every pod on that node through the instance metadata endpoint, not only to route53-kubernetes, and that `"Resource": "*"` on `route53:ChangeResourceRecordSets` lets the holder rewrite records in every hosted zone of the account. `ListHostedZonesByName` and `DescribeLoadBalancers` require `*`, but you can and should restrict the `ChangeResourceRecordSets` statement to the hosted zone(s) this controller manages, e.g. `arn:aws:route53:::hostedzone/<ZONE_ID>`:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:DescribeLoadBalancers",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "*"
    }
  ]
}
```
Given the following Kubernetes service definition:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-app
  labels:
    app: my-app
    role: web
    dns: route53
  annotations:
    domainName: "test.mydomain.com"
spec:
  selector:
    app: my-app
    role: web
  ports:
    - name: web
      port: 80
      protocol: TCP
      targetPort: web
    - name: web-ssl
      port: 443
      protocol: TCP
      targetPort: web-ssl
  type: LoadBalancer
```
An "A" record for `test.mydomain.com` will be created as an alias to the ELB that Kubernetes provisions for this Service. This assumes that a hosted zone for `mydomain.com` already exists in Route53. Any record that previously existed under that name will be updated to point at the ELB, so make sure the name is not already in use for something else; there is no ownership check.
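As an added illustration (not code from the route53-kubernetes project), the following Go program models the steps described above: pick out Services labelled `dns=route53` of type `LoadBalancer`, split the `domainName` annotation, choose the hosted zone for each name and produce the alias UPSERTs that would be sent to Route53. To stay runnable offline it takes the hosted zone names as a plain list instead of calling `ListHostedZonesByName`, uses a minimal stand-in `Service` struct instead of client-go types, and treats the leading-dot form as the zone apex; the zone names and ELB hostname are constructed sample data. Zone matching is done on a label boundary, so `test.mydomain.com` lands in `mydomain.com` and never in a zone that merely shares a string suffix.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Service is a constructed stand-in for a Kubernetes v1.Service.
type Service struct {
	Name                 string
	Labels               map[string]string
	Annotations          map[string]string
	Type                 string
	LoadBalancerHostname string // status.loadBalancer.ingress[].hostname once the ELB exists
}

// AliasChange is one UPSERT of an A alias record in hosted zone ZoneName.
type AliasChange struct {
	ZoneName   string // e.g. "mydomain.io"
	RecordName string // e.g. "sub1.mydomain.io"
	Target     string // ELB DNS name the alias points at
}

// wantsRoute53 reports whether the controller should act on this Service.
func wantsRoute53(s Service) bool {
	return s.Labels["dns"] == "route53" && s.Type == "LoadBalancer"
}

// parseDomains splits the comma-separated annotation. A leading dot
// (".mydomain.io") is read as the zone apex (assumption for this example).
func parseDomains(annotation string) []string {
	var out []string
	for _, d := range strings.Split(annotation, ",") {
		d = strings.Trim(strings.ToLower(strings.TrimSpace(d)), ".")
		if d != "" {
			out = append(out, d)
		}
	}
	return out
}

// pickZone returns the longest zone that equals the record name or is a
// suffix of it on a label boundary ("."+zone), rejecting bare string suffixes.
func pickZone(record string, zones []string) (string, error) {
	best := ""
	for _, z := range zones {
		z = strings.Trim(strings.ToLower(z), ".")
		if (record == z || strings.HasSuffix(record, "."+z)) && len(z) > len(best) {
			best = z
		}
	}
	if best == "" {
		return "", fmt.Errorf("no hosted zone found for %q", record)
	}
	return best, nil
}

// changesFor computes the alias UPSERTs for one Service, or nil if it is not
// labelled for us. It errors if the ELB hostname is not known yet, so the
// caller can retry on the next poll instead of writing a bogus record.
func changesFor(s Service, zones []string) ([]AliasChange, error) {
	if !wantsRoute53(s) {
		return nil, nil
	}
	if s.LoadBalancerHostname == "" {
		return nil, errors.New("load balancer not provisioned yet; retry next poll")
	}
	var changes []AliasChange
	for _, d := range parseDomains(s.Annotations["domainName"]) {
		zone, err := pickZone(d, zones)
		if err != nil {
			return nil, err
		}
		changes = append(changes, AliasChange{ZoneName: zone, RecordName: d, Target: s.LoadBalancerHostname})
	}
	return changes, nil
}

func main() {
	zones := []string{"mydomain.io", "domain.io"} // constructed sample hosted zones
	svc := Service{
		Name:                 "my-app",
		Labels:               map[string]string{"app": "my-app", "dns": "route53"},
		Annotations:          map[string]string{"domainName": ".mydomain.io,sub1.mydomain.io,sub2.mydomain.io"},
		Type:                 "LoadBalancer",
		LoadBalancerHostname: "a1b2c3d4-123456789.us-east-1.elb.amazonaws.com", // constructed
	}
	changes, err := changesFor(svc, zones)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, c := range changes {
		fmt.Printf("UPSERT A %s -> ALIAS %s (zone %s)\n", c.RecordName, c.Target, c.ZoneName)
	}
}
```

Against the sample Service this yields three UPSERTs (`mydomain.io`, `sub1.mydomain.io`, `sub2.mydomain.io`), all in the `mydomain.io` zone, while a record in `domain.io` is never mis-assigned to `mydomain.io`.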
This setup shows some alternative ways to configure route53-kubernetes. First, you can supply the Kubernetes client certificates manually if you do not have service accounts enabled. Second, access to AWS can be configured through a Shared Credentials File instead of the node's instance profile. Both are mounted from Secrets; the keys in each Secret must match the file names referenced by the environment variables below (for example `kubectl create secret generic aws-creds --from-file=credentials=./credentials -n kube-system`). The credentials file holds long-lived IAM keys, so restrict that IAM user to the same minimal Route53/ELB permissions as above and limit who can read Secrets in `kube-system`.
```yaml
apiVersion: v1
kind: ReplicationController
metadata:
  name: route53-kubernetes
  namespace: kube-system
  labels:
    app: route53-kubernetes
spec:
  replicas: 1
  selector:
    app: route53-kubernetes
  template:
    metadata:
      labels:
        app: route53-kubernetes
    spec:
      volumes:
        - name: ssl-cert
          secret:
            secretName: kube-ssl
        - name: aws-creds
          secret:
            secretName: aws-creds
      containers:
        - image: quay.io/molecule/route53-kubernetes:v1.3.0
          name: route53-kubernetes
          volumeMounts:
            - name: ssl-cert
              mountPath: /opt/certs
              readOnly: true
            - name: aws-creds
              mountPath: /opt/creds
              readOnly: true
          env:
            - name: "CA_FILE_PATH"
              value: "/opt/certs/ca.pem"
            - name: "CERT_FILE_PATH"
              value: "/opt/certs/cert.pem"
            - name: "KEY_FILE_PATH"
              value: "/opt/certs/key.pem"
            - name: "AWS_SHARED_CREDENTIALS_FILE"
              value: "/opt/creds/credentials"
```
We use glide to manage dependencies. To fetch the dependencies into your local `vendor/` folder, run:

```sh
glide install -v
```

You may choose to use the Docker images for route53-kubernetes from our Quay namespace, or to build the binary and the Docker image and push the image yourself. See the Makefile for the details of doing this manually.