ExternalDNS - IONOS Webhook

ExternalDNS is a Kubernetes add-on for automatically managing Domain Name System (DNS) records for Kubernetes services by using different DNS providers. By default, Kubernetes manages DNS records internally, but ExternalDNS takes this functionality a step further by delegating the management of DNS records to an external DNS provider such as IONOS. Therefore, the IONOS webhook allows to manage your IONOS domains inside your kubernetes cluster with ExternalDNS.

To use ExternalDNS with IONOS, you need your IONOS API key or token of the account managing your domains. For detailed technical instructions on how the IONOS webhook is deployed using the Bitnami Helm charts for ExternalDNS, seedeployment instructions.

Kubernetes Deployment

The IONOS webhook is provided as a regular Open Container Initiative (OCI) image released in the GitHub container registry. The deployment can be performed in every way Kubernetes supports. The following example shows the deployment as a sidecar container in the ExternalDNS pod using the Bitnami Helm charts for ExternalDNS.

helm repo add bitnami https://charts.bitnami.com/bitnami
kubectl create secret generic ionos-credentials --from-literal=api-key='<EXAMPLE_PLEASE_REPLACE>'

# create the helm values file
cat <<EOF > external-dns-ionos-values.yaml
image:
  registry: registry.k8s.io
  repository: external-dns/external-dns
  tag: v0.14.0

# restrict to namespace
# namespace: external-dns 

provider: webhook

extraArgs:
  webhook-provider-url: http://localhost:8888

sidecars:
  - name: ionos-webhook
    image: ghcr.io/ionos-cloud/external-dns-ionos-webhook:v0.6.0
    ports:
      - containerPort: 8888
        name: http
    livenessProbe:
      httpGet:
        path: /health
        port: http
      initialDelaySeconds: 10
      timeoutSeconds: 5
    readinessProbe:
      httpGet:
        path: /health
        port: http
      initialDelaySeconds: 10
      timeoutSeconds: 5
    env:
      - name: LOG_LEVEL
        value: debug
      - name: IONOS_API_KEY
        valueFrom:
          secretKeyRef:
            name: ionos-credentials
            key: api-key
      - name: SERVER_HOST
        value: "0.0.0.0" 
      - name: IONOS_DEBUG
        value: "true"  
EOF
# install external-dns with helm
helm install external-dns-ionos bitnami/external-dns -f external-dns-ionos-values.yaml

See here for all available configuration options of webhook sidecar.

Verify the image resource integrity

All official webhooks provided by IONOS are signed using Cosign. The Cosign public key can be found in the cosign.pub file.

Note: Due to the early development stage of the webhook, the image is not yet signed by sigstores transparency log.

export RELEASE_VERSION=latest
cosign verify --insecure-ignore-tlog --key cosign.pub ghcr.io/ionos-cloud/external-dns-ionos-webhook:$RELEASE_VERSION

Development

The basic development tasks are provided by make. Run make help to see the available targets.

Local deployment

The webhook can be deployed locally with a kind cluster. As a prerequisite, you need to install:

Docker,
Helm with the repos:

 helm repo add bitnami https://charts.bitnami.com/bitnami
 helm repo add mockserver https://www.mock-server.com
 helm repo update

kind
kubectl

# setup the kind cluster and deploy external-dns with ionos webhook and a dns mockserver
./scripts/deploy_on_kind.sh

# check if the webhook is running
kubectl get pods -l app.kubernetes.io/name=external-dns -o wide

# trigger a DNS change e.g. with annotating the ingress controller service
kubectl -n ingress-nginx annotate service  ingress-nginx-controller "external-dns.alpha.kubernetes.io/internal-hostname=nginx.internal.example.org." 
 
# cleanup
./scripts/deploy_on_kind.sh clean

Local acceptance tests

The acceptance tests are run against a kind cluster with ExternalDNS and the webhook deployed. The DNS mock server is used to verify the DNS changes. The following diagram shows the test setup:

flowchart LR
subgraph local-machine
  T[<h3>acceptance-test with hurl</h3><ul><li>create HTTP requests</li><li>check HTTP responses</li></ul>] -- 1. create expectations --> M
  T -- 2. create annotations/ingress --> K
  T -- 3. verify expectations --> M

  subgraph k8s kind
    E("external-dns") -. checks .-> K[k8s resources]
    E -. apply record changes .-> M[dns-mockserver]
  end
end

For running the acceptance tests locally you need to install hurl. To check the test run execution, see the Hurl files. To view the test reports, see the ./build/reports/hurl directory.

scripts/acceptance-tests.sh

Wrong check on Content Type header

Hi, I'm @Raffo, the author of the ExternalDNS plugin provider. I want to thank you again for giving me access to this plugin and to IONOS to test it out.

I have tried to adapt my end to end testing framework to include this plugin and I hit a problem which I think is a bug in the code.

The docs of the plugin provider say:

Additionally, the server needs to respond to GET requests on / to negotiate versions by content type as described in this document. The server needs to respond to those requests by reading the Accept header and responding with a corresponding Vary header including the value Content-Type and a Content-Type header specifying the supported media type format and version.

But your code is checking this: https://github.com/ionos-cloud/external-dns-ionos-plugin/blob/main/pkg/plugin/plugin.go#L199

func (p *Plugin) ApplyChanges(w http.ResponseWriter, r *http.Request) {
	if p.hasContentHeader(w, r) {

The content type should be set by the "server" which in this case is the IONOS provider. ExternalDNS is not setting any Content Type for all requests. I'm following those instructions for the logic: http://opensource.zalando.com/restful-api-guidelines/#114

I did instead add a commit that adds the accept header to all requests even though I originally had it only for the negotiation phase. I think it makes sense and this plugin helped me spot that problem.

Let me know what you think of this and if it makes sense.

Thanks!

/cc @akrieg-ionos @mspoeri

ionos-cloud / external-dns-ionos-webhook Goto Github PK