diff --git a/README.md b/README.md index 412a8fa..3f1031c 100644 --- a/README.md +++ b/README.md @@ -19,8 +19,8 @@ of your STACKIT domains within your Kubernetes cluster using [ExternalDNS](https://github.com/kubernetes-sigs/external-dns). For utilizing ExternalDNS with STACKIT, it is mandatory to establish a STACKIT project, a service account -within the project, generate an authentication token for the service account, authorize the service account -to create and read dns zones, and finally, establish a STACKIT zone. +within the project, generate a service account key, authorize the service account with DNS Admin role, +and finally establish a STACKIT zone. ## Kubernetes Deployment @@ -32,9 +32,10 @@ demonstrates the deployment as a within the ExternalDNS pod. ```shell -# We create a Secret from an auth token. Alternatively, you can also -# use keys to authenticate the webhook - see "Authentication" below. -kubectl create secret generic external-dns-stackit-webhook --from-literal=auth-token='' +# Create a Secret containing the STACKIT service-account key JSON (as a file). +# This Secret will be mounted into the webhook container; AUTH_KEY_PATH will point to that mounted file. +kubectl -n default create secret generic external-dns-stackit-webhook \ + --from-file=sa.json=/path/to/stackit-service-account-key.json ``` ```shell @@ -129,6 +130,13 @@ spec: serviceAccountName: external-dns securityContext: fsGroup: 65534 + volumes: + - name: stackit-sa-key + secret: + secretName: external-dns-stackit-webhook + items: + - key: sa.json + path: sa.json containers: - name: external-dns securityContext: @@ -205,11 +213,12 @@ spec: successThreshold: 1 timeoutSeconds: 5 env: - - name: AUTH_TOKEN - valueFrom: - secretKeyRef: - name: external-dns-stackit-webhook - key: auth-token + - name: AUTH_KEY_PATH + value: /var/run/secrets/stackit/sa.json + volumeMounts: + - name: stackit-sa-key + mountPath: /var/run/secrets/stackit + readOnly: true EOF ``` @@ -219,8 +228,9 @@ The configuration of the STACKIT webhook can be accomplished through command lin Below are the options that are available. - `--project-id`/`PROJECT_ID` (required): Specifies the project id of the STACKIT project. -- `--auth-token`/`AUTH_TOKEN` (required if `auth-key-path` is not set): Defines the authentication token for the STACKIT API. Mutually exclusive with 'auth-key-path'. -- `--auth-key-path`/`AUTH_KEY_PATH` (required if `auth-token` is not set): Defines the file path of the service account key for the STACKIT API. Mutually exclusive with 'auth-token'. +- `--auth-key-path`/`AUTH_KEY_PATH` (required): Defines the file path of the service account key for the STACKIT API. + Prefer using a Kubernetes Secret mounted as a file and set `AUTH_KEY_PATH` to the in-container path + (e.g. `/var/run/secrets/stackit/sa.json`). - `--worker`/`WORKER` (optional): Specifies the number of workers to employ for querying the API. Given that we need to iterate over all zones and records, it can be parallelized. However, it is important to avoid setting this number excessively high to prevent receiving 429 rate limiting from the API (default 10). @@ -334,7 +344,7 @@ Run the app: ```bash export BASE_URL="https://dns.api.stackit.cloud" export PROJECT_ID="c158c736-0300-4044-95c4-b7d404279b35" -export AUTH_TOKEN="your-auth-token" +export AUTH_KEY_PATH="/absolute/path/to/stackit-service-account-key.json" make run ```