# External DNS for ROSA Custom Domain
This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.
Configuring the Custom Domain Operator requires a wildcard CNAME DNS record in your Route53 Hosted Zone. If you do not wish to use a wildcard record, you can use the External DNS Operator to create individual entries for routes.
This document will guide you through deploying and configuring the External DNS Operator with a Custom Domain in ROSA.
Important Note: The ExternalDNS Operator does not support STS yet and uses long-lived IAM credentials. This guide will be updated once STS is supported.
## Prerequisites
- ROSA Cluster
- AWS CLI
- Route53 Hosted Zone
- A domain
## Deploy
### Setup Environment
- Set your email and domain
- Set remaining environment variables
### Custom Domain
Check out the dynamic certificates guide if you do not want to use a wildcard certificate.
Create a TLS key pair for the custom domain using certbot:
Skip this step if you already have a key pair.
Create the TLS secret for the custom domain:
Note: use your own key pair paths if you are not using certbot.
Create the Custom Domain resource:
Wait for the domain to be ready:
### External DNS
Deploy the External DNS Operator:
Wait until the Operator is running:
Create an IAM policy document that allows ExternalDNS to change Route53 records only in your hosted zone:
Create the IAM policy:
Create the IAM user and attach the policy:
Note: This will be changed to STS using IRSA in the future.
Create AWS access keys for the IAM user:
Create the static credentials file:
Create a secret from the credentials file:
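The IAM steps above are the part of this guide where a mistake silently widens the blast radius: a policy that keeps `hostedzone/*` lets a leaked static key rewrite every zone in the account. The following is an added example, not code from the guide or from Red Hat, that generates the zone-scoped policy document and the credentials file, and refuses a policy that is still unscoped. It assumes the hosted zone ID is in `ZONE_ID`, that the operator is installed in the `external-dns-operator` namespace, that the secret carries the file under a `credentials` key, and that the policy and user names shown are placeholders; the `aws` and `oc` commands are only listed in comments so the functions can be checked without cloud access.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): build a Route53 policy scoped to a
# single hosted zone plus the static credentials file ExternalDNS reads.
# Assumptions: ZONE_ID holds the hosted zone ID; namespace, secret key and
# IAM names below are placeholders, not values from the guide.
set -eu

# Emit an IAM policy that allows record changes only in one hosted zone.
# The List* actions stay on "*" because Route53 does not scope them.
make_externaldns_policy() {
  zone_id="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["route53:ChangeResourceRecordSets"],
      "Resource": ["arn:aws:route53:::hostedzone/${zone_id}"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets"
      ],
      "Resource": ["*"]
    }
  ]
}
EOF
}

# Emit an AWS shared-credentials file for one access key pair.
make_credentials_file() {
  printf '[default]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
    "$1" "$2"
}

# Succeed only if the policy does not grant record changes on all zones.
policy_is_scoped() {
  ! printf '%s' "$1" | grep -q 'hostedzone/\*'
}

# Wiring for a real run (not executed here; needs aws and oc on PATH):
#   make_externaldns_policy "$ZONE_ID" > /tmp/externaldns-policy.json
#   policy_is_scoped "$(cat /tmp/externaldns-policy.json)"
#   aws iam create-policy --policy-name externaldns-route53 \
#       --policy-document file:///tmp/externaldns-policy.json
#   aws iam create-user --user-name externaldns
#   aws iam attach-user-policy --user-name externaldns --policy-arn "$POLICY_ARN"
#   aws iam create-access-key --user-name externaldns      # prints the key pair
#   make_credentials_file "$KEY_ID" "$SECRET" > /tmp/aws-credentials
#   oc -n external-dns-operator create secret generic aws-creds \
#       --from-file=credentials=/tmp/aws-credentials
```

Because the guide's credentials are long-lived, the policy scope is the only control that bounds what a leaked key can do, so it is worth running `policy_is_scoped` before `aws iam create-policy` and rotating the access key once STS support lands.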
Deploy the ExternalDNS controller:
Wait until the controller is running:
## Test
Create a new route to the OpenShift console using your domain:
Check that the DNS record was created automatically by ExternalDNS:
It may take a few minutes for the record to appear in Route53.
You can also view the TXT records that mark the entries as owned by ExternalDNS:
Navigate to your custom console domain in the browser and you should see the OpenShift login page.
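ExternalDNS records ownership in a TXT record alongside each entry it manages (`heritage=external-dns,external-dns/owner=<owner-id>,...`), and it will not overwrite a name whose TXT is missing or carries a different owner. The following added example, not code from the guide, turns the manual Route53 check into a function: given the rows printed by the `aws route53 list-resource-record-sets` query in the comment, it confirms that the route's CNAME (or A) record exists and that the matching TXT names the expected owner ID. The sample rows, the `console.apps.example.com` name and the `rosa-custom-domain` owner ID are constructed placeholders; it also assumes the default TXT registry layout where the TXT record sits at the same name as the entry (no `--txt-prefix`).

```shell
#!/usr/bin/env bash
# Added example (not from the guide): verify that a route's DNS entry was
# created by ExternalDNS and is owned by the expected owner ID.
# Input rows are what this query prints (one record per line, tab separated):
#   aws route53 list-resource-record-sets --hosted-zone-id "$ZONE_ID" \
#     --query "ResourceRecordSets[].[Name,Type,ResourceRecords[0].Value]" \
#     --output text
# The rows below are constructed sample data, not captured from a real zone.
set -eu

SAMPLE_ROWS=$(
  printf '%s\t%s\t%s\n' console.apps.example.com. CNAME router-default.apps.example.com.
  printf '%s\t%s\t%s\n' console.apps.example.com. TXT \
    '"heritage=external-dns,external-dns/owner=rosa-custom-domain,external-dns/resource=route/openshift-console/console-custom"'
  printf '%s\t%s\t%s\n' other.example.com. A 192.0.2.10
)

# Print the value column of rows whose name (with trailing dot) and type match.
record_values() {
  printf '%s\n' "$1" | awk -F '\t' -v n="$2" -v t="$3" '$1 == n && $2 == t { print $3 }'
}

# Succeed only if NAME has a CNAME or A record and a TXT record stamped with
# the given ExternalDNS owner ID; print a one-line summary on success.
verify_externaldns_record() {
  rows="$1"; name="$2"; owner="$3"
  target=$(record_values "$rows" "$name" CNAME)
  [ -n "$target" ] || target=$(record_values "$rows" "$name" A)
  [ -n "$target" ] || { echo "no A/CNAME record for $name" >&2; return 1; }
  txt=$(record_values "$rows" "$name" TXT)
  case "$txt" in
    *"heritage=external-dns,external-dns/owner=${owner}"*) ;;
    *) echo "no ExternalDNS ownership TXT for $name (owner $owner)" >&2; return 1 ;;
  esac
  printf '%s -> %s (owned by %s)\n' "$name" "$target" "$owner"
}

# Usage against the sample data; swap SAMPLE_ROWS for the live query output.
verify_externaldns_record "$SAMPLE_ROWS" console.apps.example.com. rosa-custom-domain
```

A name that resolves but fails the ownership check usually means the record was created by something else (a manual entry or another ExternalDNS instance with a different owner ID), in which case ExternalDNS will leave it untouched rather than adopt it.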