External Dns Cert Manager
This section contains example Resource Definitions for using External DNS and Cert Manager by setting annotations in the Ingress
- dns.yaml generates a DNS subdomain that can then be used by External DNS to create the DNS record.
- ingress.yaml creates a Kubernetes Ingress resource with the following annotations:
  - cert-manager.io/cluster-issuer - set to the cluster issuer already defined in the cluster. (Cert Manager Ingress Annotations)
  - external-dns.alpha.kubernetes.io/hostname - set to a resource reference to the DNS that the ingress is for. (External DNS Ingress Annotation Hostname)
Before using the above examples, ensure that:
- External DNS and Cert Manager operators are installed and configured in the cluster,
- matching criteria in both resource definitions are updated,
- the Cluster Issuer annotation in the Ingress resource is updated, and
- the super domain in the DNS resource definition is updated.
Resource Definitions
dns.yaml
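# Humanitec Resource Definition for a "dns" resource, using the
# humanitec/dns-wildcard driver to render one subdomain under `domain`.
# The DNS record itself is created by External DNS from the hostname
# annotation set on the Ingress (see ingress.yaml).
apiVersion: entity.humanitec.io/v1b1
kind: Definition
metadata:
  id: external-dns-cert-manager-dns
entity:
  driver_type: humanitec/dns-wildcard
  driver_inputs:
    values:
      # Update to your DNS superdomain. Keep it inside a zone External DNS is
      # scoped to manage (for example through its --domain-filter setting) so
      # that hostname annotations cannot publish records outside that zone.
      domain: staging.hosted-domain.com
      # Update to your preferred template for the subdomain.
      # NOTE(review): the two IDs are joined with "-". If the criteria below
      # are widened to several apps and IDs may themselves contain "-",
      # different (env, app) pairs could render the same hostname; confirm
      # the result stays unique before reusing this template more broadly.
      template: "${context.env.id}-${context.app.id}"
  name: external-dns-cert-manager-dns
  type: dns
  # Co-provision an ingress resource together with this dns resource.
  provision:
    ingress: {}
  criteria:
    # Change to match the name of the app you want this to apply to.
    # Only app_id is matched here, so this definition can match every
    # environment of that app, including ones that should not receive a
    # "staging" hostname. Add env_type or env_id to narrow it if needed.
    - app_id: external-dns-cert-manager-example-app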
ingress.yaml
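# Humanitec Resource Definition for an "ingress" resource, using the
# humanitec/ingress driver. It sets the two annotations that Cert Manager and
# External DNS act on, and names the secret that will hold the certificate.
apiVersion: entity.humanitec.io/v1b1
kind: Definition
metadata:
  id: external-dns-cert-manager-ingress
entity:
  driver_type: humanitec/ingress
  driver_inputs:
    values:
      annotations:
        # Replace with your Cert Manager Cluster Issuer. The name must match
        # an issuer that already exists in the cluster. A ClusterIssuer can be
        # used from every namespace, so prefer one whose solvers only cover
        # the zone configured in dns.yaml.
        cert-manager.io/cluster-issuer: my-cluster-certificate-issue
        # Resolved to the host output of the matched dns resource. External
        # DNS creates a record for whatever hostname ends up here.
        external-dns.alpha.kubernetes.io/hostname: "${resources.dns.outputs.host}"
      class: nginx
      # Use the Globally Unique RESource ID of the DNS resource in order to
      # have a secret name that is unique to the DNS. Cert Manager will create
      # a secret with this name. The secret holds the certificate's private
      # key, so limit who can read secrets in the workload's namespace.
      tls_secret_name: "tls-cert-${resources.dns.guresid}"
  name: external-dns-cert-manager-ingress
  type: ingress
  criteria:
    # Change to match the name of the app you want this to apply to.
    # Keep this in step with the criteria in dns.yaml so that the ingress and
    # the dns resource it references are matched for the same app.
    - app_id: external-dns-cert-manager-example-app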
dns.tf
# Terraform form of dns.yaml: a "dns" Resource Definition backed by the
# humanitec/dns-wildcard driver.
resource "humanitec_resource_definition" "external-dns-cert-manager-dns" {
  id          = "external-dns-cert-manager-dns"
  name        = "external-dns-cert-manager-dns"
  type        = "dns"
  driver_type = "humanitec/dns-wildcard"

  driver_inputs = {
    values_string = jsonencode({
      # Update to your DNS superdomain. Keep it inside a zone that External
      # DNS is scoped to manage, so hostname annotations cannot publish
      # records outside that zone.
      domain = "staging.hosted-domain.com"
      # "$${" is Terraform's escape for a literal "${", so the placeholders
      # reach the driver unexpanded, exactly as written in dns.yaml.
      template = "$${context.env.id}-$${context.app.id}"
    })
  }

  # Co-provision an ingress resource together with this dns resource.
  provision = {
    ingress = {}
  }
}
# Matching criteria for the dns definition. Only app_id is set, so the
# definition can match every environment of that app; change the value to the
# app you want this to apply to.
resource "humanitec_resource_definition_criteria" "external-dns-cert-manager-dns_criteria_0" {
  app_id                 = "external-dns-cert-manager-example-app"
  resource_definition_id = humanitec_resource_definition.external-dns-cert-manager-dns.id
}
ingress.tf
# Terraform form of ingress.yaml: an "ingress" Resource Definition backed by
# the humanitec/ingress driver, carrying the Cert Manager and External DNS
# annotations.
resource "humanitec_resource_definition" "external-dns-cert-manager-ingress" {
  id          = "external-dns-cert-manager-ingress"
  name        = "external-dns-cert-manager-ingress"
  type        = "ingress"
  driver_type = "humanitec/ingress"

  driver_inputs = {
    values_string = jsonencode({
      annotations = {
        # Replace with your Cert Manager Cluster Issuer; it must already exist
        # in the cluster. A ClusterIssuer can be used from every namespace, so
        # prefer one whose solvers only cover the zone used by the dns
        # definition.
        "cert-manager.io/cluster-issuer" = "my-cluster-certificate-issue"
        # "$${" escapes a literal "${"; the placeholder is resolved later to
        # the host output of the matched dns resource.
        "external-dns.alpha.kubernetes.io/hostname" = "$${resources.dns.outputs.host}"
      }
      class = "nginx"
      # Secret name derived from the dns resource's globally unique resource
      # ID, so each DNS gets its own secret. The secret holds the
      # certificate's private key; limit who can read secrets in the
      # workload's namespace.
      tls_secret_name = "tls-cert-$${resources.dns.guresid}"
    })
  }
}
# Matching criteria for the ingress definition. Keep app_id in step with the
# dns definition's criteria so both resources are matched for the same app.
resource "humanitec_resource_definition_criteria" "external-dns-cert-manager-ingress_criteria_0" {
  app_id                 = "external-dns-cert-manager-example-app"
  resource_definition_id = humanitec_resource_definition.external-dns-cert-manager-ingress.id
}