remote zone id from secrets. Add example policy
Signed-off-by: craig <[email protected]>
maleck13 committed Aug 20, 2024
1 parent 17d4eda commit 28b1c11
Showing 3 changed files with 55 additions and 14 deletions.
56 changes: 51 additions & 5 deletions doc/dns.md
Expand Up @@ -90,9 +90,8 @@ Check out the [API reference](reference/dnspolicy.md) for a full specification o
### DNS Provider Setup
A DNSPolicy acts against a target Gateway by processing its listeners for hostnames that it can create dns records for.
In order for it to do this, it must know about dns providers, and what domains these dns providers are currently hosting.
This is done through the creation of dns provider secrets containing the credentials and configuration for the dns provider
account.
In order for it to do this, it must know about the dns provider.
This is done through the creation of dns provider secrets containing the credentials and configuration for the dns provider account.
If for example a Gateway is created with a listener with a hostname of `echo.apps.hcpapps.net`:
```yaml
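Review bot: the rewritten sentence `In order for it to do this, it must know about the dns provider.` drops the previous explanation of how the operator learns which domains a provider hosts; since that is now covered by the zone-discovery paragraph added further down in this file, a short pointer here (for example `see zone discovery below`) would keep the section self-contained. Also consider writing `DNS` consistently in this paragraph, as the `### DNS Provider Setup` heading does.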
Expand Down Expand Up @@ -123,11 +122,58 @@ data:
AWS_ACCESS_KEY_ID: <AWS_ACCESS_KEY_ID>
AWS_REGION: <AWS_REGION>
AWS_SECRET_ACCESS_KEY: <AWS_SECRET_ACCESS_KEY>
ZONE_ID_FILTER: <MY_ZONE_ID>
ZONE_DOMAIN_FILTER: apps.hcpapps.net
type: kuadrant.io/aws
```

By default, Kuadrant will list the available zones and find the matching zone based on the listener host in the gateway listener. If it finds more than one matching zone for a given listener host, it will not update any of those zones.
When providing a credential you should limit that credential down to just have write access to the zones you want Kuadrant to manage. Below is an example of a an AWS policy for doing this type of thing:

```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"route53:ListTagsForResources",
"route53:GetHealthCheckLastFailureReason",
"route53:GetHealthCheckStatus",
"route53:GetChange",
"route53:GetHostedZone",
"route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets",
"route53:GetHealthCheck",
"route53:UpdateHostedZoneComment",
"route53:UpdateHealthCheck",
"route53:CreateHealthCheck",
"route53:DeleteHealthCheck",
"route53:ListTagsForResource",
"route53:ListHealthChecks",
"route53:GetGeoLocation",
"route53:ListGeoLocations",
"route53:ListHostedZonesByName",
"route53:GetHealthCheckCount"
],
"Resource": [
"arn:aws:route53:::hostedzone/Z08187901Y93585DDGM6K",
"arn:aws:route53:::healthcheck/*",
"arn:aws:route53:::change/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"route53:ListHostedZones"
],
"Resource": "*"
}
]
}
```


### Targeting a Gateway networking resource

When a DNSPolicy targets a Gateway, the policy will be enforced on all gateway listeners.
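Review bot: the example policy's `Resource` entry `arn:aws:route53:::hostedzone/Z08187901Y93585DDGM6K` looks like a real hosted zone id; replace it with a placeholder such as `arn:aws:route53:::hostedzone/<MY_ZONE_ID>` to match the `<...>` placeholder convention used in the secret example above, and give the fence a `json` language tag like the other blocks in this file. The `Sid` values `VisualEditor0` and `VisualEditor1` are console leftovers and could be named descriptively. It is also worth stating in the prose that the second statement (`route53:ListHostedZones` on `Resource: "*"`) is what the default zone discovery described in the preceding paragraph depends on, so readers understand why that one action cannot be scoped to a single zone. Finally, fix the typo `an example of a an AWS policy`.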
9 changes: 4 additions & 5 deletions doc/user-guides/gateway-dns.md
Expand Up @@ -34,23 +34,22 @@ kubectl create namespace my-gateways
Export a root domain and hosted zone id:
```shell
export ROOT_DOMAIN=<ROOT_DOMAIN>
export AWS_HOSTED_ZONE_ID=<AWS_HOSTED_ZONE_ID>
```

> **Note:** ROOT_DOMAIN and AWS_HOSTED_ZONE_ID should be set to your AWS hosted zone *name* and *id* respectively.
> **Note:** ROOT_DOMAIN should be set to your AWS hosted zone *name*.
### Create a dns provider secret

Create AWS provider secret
Create AWS provider secret. You should limit the permissions of this credential to only the zones you want us to access.


```shell
export AWS_ACCESS_KEY_ID=<AWS_ACCESS_KEY_ID> AWS_SECRET_ACCESS_KEY=<AWS_SECRET_ACCESS_KEY>

kubectl -n my-gateways create secret generic aws-credentials \
--type=kuadrant.io/aws \
--from-literal=AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
--from-literal=AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
--from-literal=ZONE_ID_FILTER=$AWS_HOSTED_ZONE_ID
--from-literal=ZONE_DOMAIN_FILTER=$ROOT_DOMAIN
```

### Create an ingress gateway
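Review bot: the context line `--from-literal=AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY` has no trailing `\`, so with the `ZONE_ID_FILTER` line removed the `kubectl create secret` command now ends there and `--from-literal=ZONE_DOMAIN_FILTER=$ROOT_DOMAIN` is run as its own (failing) command, leaving the secret without `ZONE_DOMAIN_FILTER`; add the continuation backslash to that line. In the new sentence, `only the zones you want us to access` reads oddly in end-user documentation; `only the zones you want Kuadrant to manage` matches the wording added in doc/dns.md.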
4 changes: 0 additions & 4 deletions hack/quickstart-setup.sh
Expand Up @@ -239,8 +239,6 @@ stringData:
AWS_ACCESS_KEY_ID: ${KUADRANT_AWS_ACCESS_KEY_ID}
AWS_SECRET_ACCESS_KEY: ${KUADRANT_AWS_SECRET_ACCESS_KEY}
AWS_REGION: ${KUADRANT_AWS_REGION}
ZONE_ID_FILTER: ${KUADRANT_AWS_DNS_PUBLIC_ZONE_ID}
ZONE_DOMAIN_FILTER: ${KUADRANT_ZONE_ROOT_DOMAIN}
EOF
}
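Review bot: removing `ZONE_DOMAIN_FILTER: ${KUADRANT_ZONE_ROOT_DOMAIN}` here goes further than the documentation in this commit, which keeps `ZONE_DOMAIN_FILTER` in both the doc/dns.md secret example and the gateway-dns.md `kubectl create secret` command; either keep the domain filter in the quickstart secret or drop it from the docs too so the two agree. Also check whether `KUADRANT_AWS_DNS_PUBLIC_ZONE_ID` and `KUADRANT_ZONE_ROOT_DOMAIN` are still read or validated elsewhere in the script, since this heredoc no longer uses them.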

Expand All @@ -259,8 +257,6 @@ type: "kuadrant.io/gcp"
stringData:
GOOGLE: '${GOOGLE}'
PROJECT_ID: ${PROJECT_ID}
ZONE_ID_FILTER: ${ZONE_NAME}
ZONE_DOMAIN_FILTER: ${ZONE_DNS_NAME}
EOF
}
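Review bot: the `kuadrant.io/gcp` secret loses `ZONE_ID_FILTER` and `ZONE_DOMAIN_FILTER`, but the documentation changes in this commit describe zone discovery and scoped credentials for AWS only; a corresponding note for the GCP provider, and a check that `ZONE_NAME` and `ZONE_DNS_NAME` are still needed elsewhere in the script, would keep the quickstart and the docs consistent.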
