Skip to content

opentelekomcloud/external-dns-t-cloud-public-webhook

BranchesTags
 
 

Repository files navigation

ExternalDNS - T-Cloud Public DNS Webhook

This is an ExternalDNS provider for T-Cloud Public DNS. It replaces the former in-tree OpenStack Designate provider that never left Alpha and was later removed from ExternalDNS (kubernetes-sigs/external-dns#5126). The webhook is already a drop-in replacement for that provider, but it is still evolving. If you find bugs or missing features, please open an issue or send a PR.

Installation

This webhook provider is run easiest as sidecar within the external-dns pod. This can be achieved using the official external-dns Helm chart and its support for the webhook provider type.

Setting the provider.name to webhook allows configuration of the external-dns-t-cloud-public-webhook via a few additional values:

provider:
  name: webhook
  webhook:
    image:
      repository: ghcr.io/opentelekomcloud/external-dns-t-cloud-public-webhook
      tag: 1.1.3
    extraVolumeMounts:
      - name: tcloudpubliccloudsyaml
        mountPath: /etc/openstack/
    resources: {}
extraVolumes:
  - name: tcloudpubliccloudsyaml
    secret:
      secretName: tcloudpubliccloudsyaml

The referenced extraVolumeMount points to a Secret containing a clouds.yaml file, which provides the T-Cloud Public IAM credentials to the webhook provider. OS_* environment variables are not supported for configuration, since the use of a clouds.yaml file offers more structure, capabilities and allows for better validation. The one exception to this is OS_CLOUD for setting the name of the cloud in clouds.yaml to use.

Note: custom TLS settings from clouds.yaml, such as cacert, cert, key, or disabled certificate verification, are not explicitly supported by the current webhook auth bootstrap yet. Environments that rely on private trust roots or client-certificate TLS may require a future dedicated implementation.

Zone selection

The webhook can manage public and private Designate zones from one ExternalDNS instance.

By default, endpoints are created in public DNS zones. To target a private zone for a specific Kubernetes object, set the webhook provider-specific annotation:

metadata:
  annotations:
    external-dns.alpha.kubernetes.io/webhook-zone-type: private

Supported values are public and private. If the annotation is omitted, public is used.

When managing the same DNS name in both public and private zones, add distinct ExternalDNS set identifiers so the Service source does not merge the endpoints before they reach the webhook:

metadata:
  annotations:
    external-dns.alpha.kubernetes.io/hostname: split-horizon.example.com
    external-dns.alpha.kubernetes.io/target: 192.0.2.20
    external-dns.alpha.kubernetes.io/set-identifier: public
---
metadata:
  annotations:
    external-dns.alpha.kubernetes.io/hostname: split-horizon.example.com
    external-dns.alpha.kubernetes.io/target: 10.0.0.20
    external-dns.alpha.kubernetes.io/set-identifier: private
    external-dns.alpha.kubernetes.io/webhook-zone-type: private

Examples

An end-to-end Kubernetes example with ExternalDNS, the webhook sidecar, credentials Secret, RBAC, public/private Services, CNAMEs, and split-horizon records is available at examples.

The example requires these zones to exist in T-Cloud Public before applying the manifest:

  • public-zone.webhook.com. as public
  • private-zone.webhook.internal. as private
  • shared-zone.webhook.test. as public
  • shared-zone.webhook.test. as private

The manifest is intended as a test fixture. Review image tags, credentials, domain names, and ownership settings before using it in a real cluster.

Credentials

The following example is a basic example of a clouds.yaml file, using openstack as the cloud name (the default used by this webhook):

clouds:
  openstack:
    auth:
      auth_url: https://iam.eu-de.otc.t-systems.com/v3
      user_domain_name: "OTC000000000010000XXXXX"
      project_name: "eu-de_project"
      password: secret
      username: name
    identity_api_version: 3
    region_name: "eu-de"
    interface: "public"

An existing file can be converted into a Secret via kubectl:

kubectl create secret generic tcloudpubliccloudsyaml --namespace external-dns --from-file=clouds.yaml

Bugs or feature requests

This webhook certainly still contains bugs or lacks certain features. In such cases, please raise a GitHub issue with as much detail as possible. PRs with fixes and features are also very welcome.

Development

To run the webhook locally, you'll also require a clouds.yaml file in one of the standard-locations. The name of the entry to use must be provided via the OS_CLOUD environment variable. You can then start the webhook server using:

go run cmd/webhook/main.go

Private-zone selection is controlled through endpoint annotations, so the local webhook command is the same for public and private zones.

About

ExternalDNS - T Cloud Public DNS Webhook

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 5

v1.1.3 Latest
May 29, 2026
+ 4 releases

Packages

 
 
 

Contributors

Languages

  • Go 84.8%
  • Python 7.2%
  • Shell 6.8%
  • Other 1.2%