Fix headings, whitespace #4457

Merged
merged 1 commit into from
May 11, 2024
20 changes: 11 additions & 9 deletions docs/tutorials/rfc2136.md
Expand Up @@ -6,9 +6,8 @@ To use external-dns with BIND: generate/procure a key, configure DNS and add a
deployment of external-dns.

### Server credentials:
- RFC2136 was developed for and tested with
[BIND](https://www.isc.org/downloads/bind/) DNS server. This documentation
assumes that you already have a configured and working server. If you don't,
- RFC2136 was developed for and tested with [BIND](https://www.isc.org/downloads/bind/) DNS server.
This documentation assumes that you already have a configured and working server. If you don't,
please check BIND documents or tutorials.
- If your DNS is provided for you, ask for a TSIG key authorized to update and
transfer the zone you wish to update. The key will look something like below.
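Review bot: the `### Server credentials:` heading directly above this bullet still ends in a colon, which a PR titled "Fix headings" could drop while it is touching these lines. The reflow is also only partial: the first bullet now has two long lines followed by the short `please check BIND documents or tutorials.` line, while the next bullet is still wrapped at about 80 columns. Pick one wrapping convention for the list and apply it to both bullets.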
Expand Down Expand Up @@ -134,7 +133,11 @@ tutorial and are covered in the main documentation.

### Test with external-dns installed on local machine (optional)
You may install external-dns and test on a local machine by running:
```external-dns --txt-owner-id k8s --provider rfc2136 --rfc2136-host=192.168.0.1 --rfc2136-port=53 --rfc2136-zone=k8s.example.org --rfc2136-tsig-secret=96Ah/a2g0/nLeFGK+d/0tzQcccf9hCEIy34PoXX2Qg8= --rfc2136-tsig-secret-alg=hmac-sha256 --rfc2136-tsig-keyname=externaldns-key --rfc2136-tsig-axfr --source ingress --once --domain-filter=k8s.example.org --dry-run```

```
external-dns --txt-owner-id k8s --provider rfc2136 --rfc2136-host=192.168.0.1 --rfc2136-port=53 --rfc2136-zone=k8s.example.org --rfc2136-tsig-secret=96Ah/a2g0/nLeFGK+d/0tzQcccf9hCEIy34PoXX2Qg8= --rfc2136-tsig-secret-alg=hmac-sha256 --rfc2136-tsig-keyname=externaldns-key --rfc2136-tsig-axfr --source ingress --once --domain-filter=k8s.example.org --dry-run
```

- host should be the IP of your master DNS server.
- tsig-secret should be changed to match your secret.
- tsig-keyname needs to match the keyname you used (if you changed it).
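Review bot: the new fence around the `external-dns ... --dry-run` command has no info string, and the command is still a single line several hundred characters long. Tag the fence (for example `shell`) and break the command with backslash continuations, one flag per line, so that `--rfc2136-tsig-secret` and `--dry-run` are not pushed off-screen. It would also help to make the sample secret an obvious placeholder, since the bullets below tell readers to change it.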
Expand Down Expand Up @@ -309,7 +312,7 @@ You'll want to configure `external-dns` similarly to the following:

### Secure Updates Using RFC3645 (GSS-TSIG)

### DNS-side configuration
#### DNS-side configuration

1. Create a DNS zone
2. Enable secure dynamic updates for the zone
Expand All @@ -318,7 +321,7 @@ You'll want to configure `external-dns` similarly to the following:
If you see any error messages which indicate that `external-dns` was somehow not able to fetch
existing DNS records from your DNS server, this could mean that you forgot about step 3.

#### Kerberos Configuration
##### Kerberos Configuration

DNS with secure updates relies upon a valid Kerberos configuration running within the `external-dns` container. At this time, you will need to create a ConfigMap for the `external-dns` container to use and mount it in your deployment. Below is an example of a working Kerberos configuration inside a ConfigMap definition. This may be different depending on many factors in your environment:

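Review bot: changing `#### Kerberos Configuration` to `#####` nests it under `#### DNS-side configuration`, but the paragraph below it describes configuration running within the `external-dns` container, not on the DNS server. Keep it at `####` so it is a sibling of the DNS-side section under `### Secure Updates Using RFC3645 (GSS-TSIG)`.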
Expand Down Expand Up @@ -356,8 +359,7 @@ data:
yourdomain.com = YOUR-REALM.COM
.yourdomain.com = YOUR-REALM.COM
```
In most cases, the realm name will probably be the same as the domain name, so you can simply replace
`YOUR-REALM.COM` with something like `YOURDOMAIN.COM`.
In most cases, the realm name will probably be the same as the domain name, so you can simply replace `YOUR-REALM.COM` with something like `YOURDOMAIN.COM`.

Once the ConfigMap is created, the container `external-dns` container needs to be told to mount that ConfigMap as a volume at the default Kerberos configuration location. The pod spec should include a similar configuration to the following:

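Review bot: the unchanged context line after the reflowed sentence reads "the container `external-dns` container needs to be told", with "container" doubled. Since this PR is a cleanup pass over the same paragraph, fix it here: "the `external-dns` container needs to be told to mount that ConfigMap".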
Expand All @@ -376,7 +378,7 @@ Once the ConfigMap is created, the container `external-dns` container needs to b
...
```

#### `external-dns` configuration
##### `external-dns` configuration

You'll want to configure `external-dns` similarly to the following:

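Review bot: `##### \`external-dns\` configuration` ends up at the same depth as the Kerberos heading, so the rendered outline files the client-side settings under "DNS-side configuration". Leaving this heading at `####` keeps the DNS-side and client-side steps as parallel subsections.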