This brief is to demonstrate how SAP BTP, Kyma runtime makes it easy to set up an Istio gateway with a wildcard public custom domain.

Pre-requisites:

Every SAP BTP, Kyma runtime (SKR) cluster comes with a default domain under .kyma.ondemand.com, which is entirely managed by SAP. The default gateway, kyma-system/kyma-gateway, is configured with this default domain. The cluster API server URL, https://api.<shoot-name>.kyma.ondemand.com, is bound to that domain as well. Thus, a cluster domain cannot be changed once a cluster has been provisioned. To expose workloads under your own domain you therefore add a second, custom-domain gateway next to the default one:

Task A. Bring your own domain (BYOD)
Task B. Set up the domain with an external DNS provider (Google Cloud DNS and Azure DNS)
Task C. Configure SAP BTP, Kyma runtime (SKR) cluster DNS resources automation.
The BYOD refresher:

Google Domains registrar: https://domains.google.com/registrar/

Steps (Google Domains registered domain's custom DNS settings):
1. Go to DNS settings and switch to Custom name servers. Make sure the domain whose DNS settings you are about to modify is not used for your websites or email; if it is, register a different domain dedicated to your Kyma workloads.
2. The custom name servers will come from either the Google Cloud DNS or the Azure DNS provider. As Google Domains does not offer an API for this, you will have to apply them manually.
3. After saving the new DNS settings, they become effective after a short while.
Related links: Azure DNS zone, Gandi.net domains registrar, What is a DNS zone?
Steps (Google Network Services / Cloud DNS):
1. Go to Network Services / Cloud DNS within your project.
2. Create a DNS zone for keeping your Google Domains domain's DNS records.
3. The default SOA and NS records get created. Additional DNS records for the chosen domain name will be created when configuring the SKR cluster DNS resources, so there is no need to create any records manually.
4. Copy the following name servers to your registrar domain's custom DNS settings (via the Registrar setup button, or from the equivalent REST output shown below). Until the registrar delegates the domain to exactly these name servers, neither the DNS entries nor the ACME DNS challenges created later will be visible on the public internet.

Google Cloud DNS zone (equivalent REST):
{
  "cloudLoggingConfig": {
    "enableLogging": false
  },
  "creationTime": "<creationTime>",
  "description": "quovadis-btp",
  "dnsName": "quovadis-btp.com.",
  "fingerprint": "<fingerprint>",
  "id": "<id>",
  "location": "global",
  "name": "quovadis-btp",
  "nameServers": [
    "ns-cloud-**.googledomains.com.",
    "ns-cloud-**.googledomains.com.",
    "ns-cloud-**.googledomains.com.",
    "ns-cloud-**.googledomains.com."
  ],
  "visibility": "PUBLIC"
}
Azure DNS zone (equivalent REST); its name servers go into the registrar's custom DNS settings in the same way:

{
  "id": "/subscriptions/<subscriptionId>/resourceGroups/quovadis/providers/Microsoft.Network/dnszones/quovadis-anywhere.com",
  "name": "quovadis-anywhere.com",
  "type": "Microsoft.Network/dnszones",
  "etag": "<etag>",
  "location": "global",
  "tags": {},
  "properties": {
    "maxNumberOfRecordSets": 10000,
    "maxNumberOfRecordsPerRecordSet": null,
    "nameServers": [
      "ns1-**.azure-dns.com.",
      "ns2-**.azure-dns.net.",
      "ns3-**.azure-dns.org.",
      "ns4-**.azure-dns.info."
    ],
    "numberOfRecordSets": 2
  }
}
Steps (Google IAM and admin / Service Accounts):
1. In your Google Cloud project, go to IAM and admin / Service Accounts and create a service account. Grant it only what it needs to manage records in the zone (the DNS Administrator role); it does not need any other project permissions.
2. The service account has been created.
3. Create a service account key with the service account credentials. The key file is a long-lived credential, so keep it out of source control; it will need to be passed to the Kyma cluster namespace as a Secret.
For Azure DNS, the equivalent is a service principal with rights to manage records in the zone; its credentials file looks like this (values masked):

{
  "tenantId": "<tenantId>",
  "subscriptionId": "<subscriptionId>",
  "resourceGroup": "quovadis",
  "aadClientId": "8e4ed817-c1b0-4cab-89a0-************",
  "aadClientSecret": "c91z*************************"
}
The corresponding Kubernetes Secret (all values base64-encoded; cXVvdmFkaXM= is "quovadis"):

kind: Secret
apiVersion: v1
metadata:
  name: quovadis-azure-dns-2
  namespace: azure-dns
data:
  clientID: <clientID>
  clientSecret: <clientSecret>
  resourceGroup: cXVvdmFkaXM=
  subscriptionID: <subscriptionID>
  tenantID: <tenantID>
type: Opaque
The External-DNS-Management project provides examples with more details for DNSProviders (30-provider-<provider-name>.yaml) and credential Secrets (20-secret-<provider-name>.yaml) for all supported provider types.
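The two credential formats above (a Google service-account key file and an Azure service principal JSON) map onto the Secret keys the DNSProvider controller reads. The following Python script is an added example, not code from the original post or from the External-DNS-Management project: it builds that Secret from a credentials file, refuses files with missing or unexpected fields, and checks that a DNSProvider's secretRef actually points at the Secret. The sample credential contents, Secret names and namespaces are constructed placeholders.

```python
"""Build the credential Secret for a gardener DNSProvider from a provider
credentials file (added example; sample inputs below are constructed)."""
import base64
import json

# Secret data keys per provider type, as in the manifests above: google-clouddns
# stores the whole service-account key file under one key, azure-dns splits the
# service principal fields out (left: key in the Azure JSON, right: Secret key).
AZURE_KEY_MAP = {
    "aadClientId": "clientID",
    "aadClientSecret": "clientSecret",
    "resourceGroup": "resourceGroup",
    "subscriptionId": "subscriptionID",
    "tenantId": "tenantID",
}

# Constructed sample credential files (not real credentials).
AZURE_SAMPLE = json.dumps({
    "tenantId": "00000000-0000-0000-0000-000000000001",
    "subscriptionId": "00000000-0000-0000-0000-000000000002",
    "resourceGroup": "quovadis",
    "aadClientId": "00000000-0000-0000-0000-000000000003",
    "aadClientSecret": "not-a-real-secret",
})
GOOGLE_SAMPLE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIB...\n-----END PRIVATE KEY-----\n",
    "client_email": "dns-sa@example-project.iam.gserviceaccount.com",
})


def _b64(value):
    return base64.b64encode(value.encode()).decode()


def dns_credential_secret(provider_type, creds_file, name, namespace):
    """Return a v1 Secret manifest as a dict (kubectl apply -f accepts JSON).
    Missing or unexpected fields raise ValueError, so a mis-pasted file is
    caught before a broken Secret reaches the cluster."""
    if provider_type == "google-clouddns":
        sa = json.loads(creds_file)
        missing = {"type", "project_id", "private_key", "client_email"} - set(sa)
        if missing or sa.get("type") != "service_account":
            raise ValueError(f"not a service-account key file (missing {sorted(missing)})")
        data = {"serviceaccount.json": _b64(creds_file)}
    elif provider_type == "azure-dns":
        sp = json.loads(creds_file)
        unexpected = set(sp) - set(AZURE_KEY_MAP)
        missing = set(AZURE_KEY_MAP) - set(sp)
        if unexpected or missing:
            raise ValueError(f"unexpected {sorted(unexpected)}, missing {sorted(missing)}")
        data = {AZURE_KEY_MAP[k]: _b64(v) for k, v in sp.items()}
    else:
        raise ValueError(f"unsupported DNSProvider type {provider_type!r}")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": data,
    }


def decode_secret(secret):
    """Inverse of the above, e.g. to inspect `kubectl get secret -o json` output."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}


def check_secret_ref(provider, secret):
    """Pre-flight: the DNSProvider's secretRef must name this Secret in this
    namespace, and the Secret must carry the keys for the provider type."""
    ref = provider["spec"]["secretRef"]
    ref_ns = ref.get("namespace", provider["metadata"]["namespace"])
    if (ref["name"], ref_ns) != (secret["metadata"]["name"], secret["metadata"]["namespace"]):
        return False
    if provider["spec"]["type"] == "google-clouddns":
        expected = {"serviceaccount.json"}
    else:
        expected = set(AZURE_KEY_MAP.values())
    return expected <= set(secret["data"])


if __name__ == "__main__":
    secret = dns_credential_secret("azure-dns", AZURE_SAMPLE, "quovadis-azure-dns-2", "azure-dns")
    print(json.dumps(secret, indent=2))   # pipe into: kubectl apply -f -
```

The script emits JSON rather than YAML on purpose: kubectl accepts it, and it avoids a PyYAML dependency in a tool that handles live credentials.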
Create a namespace for the workload, e.g. conn-proxy, and go to the namespace configuration to set up the following DNS resources. First, store the Google service account key file in that namespace as a Secret:

$ kubectl create secret generic quovadis-btp-dns --namespace=conn-proxy --from-file=serviceaccount.json=<project name>-11111111111.json
secret/quovadis-btp-dns created
Then create a DNSProvider that references the Secret and is restricted to the zone's domains:

apiVersion: dns.gardener.cloud/v1alpha1
kind: DNSProvider
metadata:
  name: quovadis-bpt-dns-provider
  namespace: conn-proxy
  labels:
    app.kubernetes.io/name: quovadis-bpt-dns-provider
  annotations:
    dns.gardener.cloud/class: garden
spec:
  domains:
    include:
      - quovadis-btp.com
      - '*.quovadis-btp.com'
    exclude: []
  secretRef:
    name: quovadis-btp-dns
    namespace: conn-proxy
  type: google-clouddns
Look up the external IP of the Istio ingress gateway; it becomes the target of the wildcard DNS entry:

kubectl get svc istio-ingressgateway -n istio-system
apiVersion: dns.gardener.cloud/v1alpha1
kind: DNSEntry
metadata:
  name: quovadis-bpt-dns-entry
  namespace: conn-proxy
  labels:
    app.kubernetes.io/name: quovadis-bpt-dns-entry
  annotations:
    dns.gardener.cloud/class: garden
spec:
  dnsName: '*.quovadis-btp.com'
  targets:
    - **.**.**.**   # external IP of istio-ingressgateway (masked)
  text: []
  ttl: 600
Next, an Issuer for Let's Encrypt. A wildcard certificate can only be obtained through the ACME DNS-01 challenge, which the certificate controller satisfies by writing TXT records through the DNSProvider above, so the provider's include list must cover the issuer's domains:

apiVersion: cert.gardener.cloud/v1alpha1
kind: Issuer
metadata:
  name: quovadis-btp-ca-issuer
  namespace: conn-proxy
  labels:
    app.kubernetes.io/name: quovadis-btp-ca-issuer
spec:
  requestsPerDayQuota: 0
  acme:
    server: 'https://acme-v02.api.letsencrypt.org/directory'
    email: <email address>
    autoRegistration: true
    privateKeySecretRef:
      name: ''
      namespace: conn-proxy
    domains:
      include:
        - quovadis-btp.com
        - '*.quovadis-btp.com'
Create the Certificate in the istio-system namespace, so that the resulting TLS Secret lives where the Istio ingress gateway can read it, as follows:

apiVersion: cert.gardener.cloud/v1alpha1
kind: Certificate
metadata:
  labels:
    app.kubernetes.io/name: quovadis-btp-cert
  name: quovadis-btp-cert
  namespace: istio-system
spec:
  commonName: '*.quovadis-btp.com'
  issuerRef:
    name: quovadis-btp-ca-issuer
    namespace: conn-proxy
  secretRef:
    name: tls-quovadis-btp-cert
    namespace: istio-system
Then define an Istio Gateway for the wildcard host that terminates TLS with that Secret and redirects plain HTTP to HTTPS:

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  labels:
    app.kubernetes.io/name: quovadis-gateway
  name: quovadis-gateway
  namespace: conn-proxy
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - '*.quovadis-btp.com'
      port:
        name: quovadis-https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: tls-quovadis-btp-cert
        mode: SIMPLE
    - hosts:
        - '*.quovadis-btp.com'
      port:
        name: quovadis-http
        number: 80
        protocol: HTTP
      tls:
        httpsRedirect: true
Finally, expose a service through the new gateway with an APIRule. Here every method and path is protected by the jwt access strategy, which only accepts tokens issued by the SAP BTP subaccount's authentication service named in trusted_issuers and signed with a key from jwks_urls:

apiVersion: gateway.kyma-project.io/v1alpha1
kind: APIRule
metadata:
  labels:
    app.kubernetes.io/name: quovadis-s4
  name: quovadis-s4
  namespace: conn-proxy
spec:
  gateway: quovadis-gateway.conn-proxy.svc.cluster.local
  rules:
    - accessStrategies:
        - config:
            jwks_urls:
              - >-
                https://<zone>.authentication.<region>.hana.ondemand.com/token_keys
            trusted_issuers:
              - >-
                https://<zone>.authentication.<region>.hana.ondemand.com/oauth/token
          handler: jwt
      methods:
        - PUT
        - POST
        - PATCH
        - HEAD
        - GET
        - DELETE
      path: /.*
  service:
    host: ***.quovadis-btp.com
    name: test-s4
    port: 80
The gateway, quovadis-gateway.conn-proxy.svc.cluster.local, can be used from any namespace across your Kyma cluster.

For reference, the ACME directory returned by the Let's Encrypt production server configured in the Issuer:

{
  "ddLcOs-N9Uo": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
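Once everything is applied, a practitioner wants to confirm that the wildcard record, the served certificate, the HTTP-to-HTTPS redirect and the JWT gate behave as configured. The Python script below is an added example, not code from the original post; the host name and ingress IP it takes on the command line are placeholders. Its cert_covers function also makes a caveat of the Certificate above explicit: a wildcard name stands for exactly one label, so *.quovadis-btp.com serves app.quovadis-btp.com but neither the apex quovadis-btp.com nor a.b.quovadis-btp.com. If the apex is to be served it needs its own dnsNames entry in the Certificate and its own host entry in the Gateway.

```python
"""Post-deployment checks for the wildcard gateway (added example; host name
and expected ingress IP are placeholders passed on the command line)."""
import http.client
import socket
import ssl
import sys


def cert_covers(host, names):
    """Hostname matching as TLS clients apply it (RFC 6125): a wildcard stands
    for exactly one leftmost label, so '*.quovadis-btp.com' covers
    app.quovadis-btp.com but neither quovadis-btp.com nor a.b.quovadis-btp.com."""
    host = host.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            label, _, rest = host.partition(".")
            if label and rest == name[2:]:
                return True
        elif name == host:
            return True
    return False


def is_https_redirect(status, location, host, path):
    """What the Gateway's httpsRedirect server on port 80 must answer: a
    permanent redirect to the same host and path over https."""
    return status in (301, 308) and location == f"https://{host}{path}"


def resolves_to(host, expected_ip):
    """The wildcard DNSEntry should make any label under the domain resolve to
    the istio-ingressgateway external IP."""
    addrs = {ai[4][0] for ai in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)}
    return expected_ip in addrs


def served_cert_names(host):
    """Connect with SNI and return the SAN dNSNames of the presented leaf
    certificate; the default context already verifies chain and hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_redirect(host, path="/"):
    """Plain HTTP to the gateway must not serve content, only redirect."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    ok = is_https_redirect(resp.status, resp.getheader("Location", ""), host, path)
    conn.close()
    return ok


def unauthenticated_is_rejected(host, path="/"):
    """The APIRule's jwt handler must refuse a request that carries no token."""
    conn = http.client.HTTPSConnection(host, 443, context=ssl.create_default_context(), timeout=10)
    conn.request("GET", path)
    status = conn.getresponse().status
    conn.close()
    return status in (401, 403)


if __name__ == "__main__":
    host, ingress_ip = sys.argv[1], sys.argv[2]   # e.g. app.quovadis-btp.com 203.0.113.10
    apex = host.split(".", 1)[1]
    names = served_cert_names(host)
    print("served SANs:", names)
    for label, result in [
        ("dns -> ingress IP", resolves_to(host, ingress_ip)),
        ("apex also covered (informational)", cert_covers(apex, names)),
        ("http redirects to https", check_redirect(host)),
        ("request without token rejected", unauthenticated_is_rejected(host)),
    ]:
        print(f"{'PASS' if result else 'FAIL'} {label}")
```

With the manifests as shown on this page, the apex check is expected to print FAIL: that is the wildcard caveat, not a misconfiguration, unless the apex is meant to be reachable.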