inovex/external-dns-openstack-webhook

ExternalDNS - OpenStack Designate Webhook

This is an ExternalDNS provider for OpenStack's Designate DNS server. It serves as a replacement for the former in-tree OpenStack Designate provider, which never left the Alpha state and has since been removed (kubernetes-sigs/external-dns#5126). The webhook, while already a drop-in replacement, is not perfect (yet)! If you have bugfixes or new feature suggestions, please open issues and send in PRs if you feel there is something missing or broken.

Installation

This webhook provider is most easily run as a sidecar within the external-dns pod. This can be achieved using the official external-dns Helm chart and its support for the webhook provider type.

Setting the provider.name to webhook allows configuration of the external-dns-openstack-webhook via a few additional values:

provider:
  name: webhook
  webhook:
    image:
      repository: ghcr.io/inovex/external-dns-openstack-webhook
      tag: 2.1.0
    extraVolumeMounts:
      - name: oscloudsyaml
        mountPath: /etc/openstack/
    resources: {}
extraVolumes:
  - name: oscloudsyaml
    secret:
      secretName: oscloudsyaml

The referenced extraVolumeMount points to a Secret containing a clouds.yaml file, which provides the OpenStack Keystone credentials to the webhook provider. OS_* environment variables are not supported for configuration, because a clouds.yaml file offers more structure and capabilities and allows for better validation. The one exception is OS_CLOUD, which sets the name of the cloud in clouds.yaml to use.

The following is a basic example of a clouds.yaml file, using openstack as the cloud name (the default used by this webhook):

clouds:
  openstack:
    auth:
      auth_url: https://auth.cloud.example.com
      application_credential_id: "TOP"
      application_credential_secret: "SECRET"
    region_name: "earth"
    interface: "public"
    auth_type: "v3applicationcredential"

An existing file can be converted into a Secret via kubectl:

kubectl create secret generic oscloudsyaml --namespace external-dns --from-file=clouds.yaml

Debugging

The webhook provider itself logs most, if not all, of its actions. If debugging the communication with the OpenStack (Designate) API is required, one can set the environment variable OS_DEBUG=1 to have all of the API requests logged. As this might leak sensitive data, use it for bug hunting only.
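One way to scrub a debug log before attaching it to an issue, as an added example that is not part of this project's code. The log line layout and the sample lines are constructed for illustration; the header and JSON field names are those of the Keystone v3 API.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"regexp"
	"strings"
)

// Header and JSON field names follow the Keystone v3 API; the surrounding
// log line layout is an assumption, not the webhook's documented format.
var (
	tokenHeader = regexp.MustCompile(`(?i)\b(X-(?:Auth|Subject)-Token)(\s*[:=]\s*)\S+`)
	jsonSecret  = regexp.MustCompile(`(?i)("(?:secret|password|application_credential_secret)"\s*:\s*)"(?:[^"\\]|\\.)*"`)
)

// RedactLine masks token headers and secret JSON fields in one log line.
func RedactLine(line string) string {
	line = tokenHeader.ReplaceAllString(line, "${1}${2}[REDACTED]")
	return jsonSecret.ReplaceAllString(line, `${1}"[REDACTED]"`)
}

// Redact copies r to w line by line and returns how many lines were changed.
func Redact(r io.Reader, w io.Writer) (int, error) {
	changed := 0
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 4*1024*1024) // API bodies can be long
	for sc.Scan() {
		out := RedactLine(sc.Text())
		if out != sc.Text() {
			changed++
		}
		fmt.Fprintln(w, out)
	}
	return changed, sc.Err()
}

// sampleLog is constructed for this example, not captured from the webhook.
const sampleLog = `OpenStack Request URL: POST https://auth.cloud.example.com/v3/auth/tokens
OpenStack Request Body: {"auth":{"identity":{"methods":["application_credential"],"application_credential":{"id":"TOP","secret":"SECRET"}}}}
OpenStack Response Headers: X-Subject-Token: gAAAAABconstructed
OpenStack Request Headers: X-Auth-Token: gAAAAABconstructed`

func main() {
	n, err := Redact(strings.NewReader(sampleLog), os.Stdout) // use os.Stdin for real logs
	fmt.Fprintf(os.Stderr, "%d line(s) redacted, err=%v\n", n, err)
}
```

The patterns cover only the fields listed, so read the scrubbed output once by hand before posting it.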

Bugs or feature requests

This webhook certainly still contains bugs or lacks certain features. In such cases, please raise a GitHub issue with as much detail as possible. PRs with fixes and features are also very welcome.

Development

To run the webhook locally, you'll also require a clouds.yaml file in one of the standard locations. The name of the entry to be used also has to be given via the OS_CLOUD environment variable. You can then start the webhook server using:

go run cmd/webhook/main.go
