# ExternalDNS — Dynamic DNS Records from Kubernetes Resources

> ExternalDNS synchronizes exposed Kubernetes Services and Ingresses with external DNS providers such as Route53, Cloudflare, Google Cloud DNS, and RFC2136, so hostnames stay in lockstep with cluster state.

## Quick Use

```bash
# Install via Helm (Route53 example)
helm repo add external-dns https://kubernetes-sigs.github.io/external-dns/
helm upgrade --install external-dns external-dns/external-dns \
  --namespace external-dns --create-namespace \
  --set provider=aws \
  --set aws.zoneType=public \
  --set txtOwnerId=my-cluster \
  --set 'domainFilters[0]=example.com' \
  --set policy=sync

# Annotate a Service — ExternalDNS will create the A/CNAME record
kubectl annotate svc my-web external-dns.alpha.kubernetes.io/hostname=app.example.com
```

## Introduction

Before ExternalDNS, teams wrote custom glue to take the LoadBalancer address assigned by their cloud provider and push it into their DNS zone. ExternalDNS makes that a controller: watch Services, Ingresses, Gateways, and CRDs in the cluster, and reconcile the matching records in whichever DNS backend you use. It supports a large catalog of providers (AWS, GCP, Azure, Cloudflare, DigitalOcean, Hetzner, RFC2136, and dozens more) and cleanly handles ownership so multiple clusters can share a zone without trampling each other.

## What ExternalDNS Does

- Watches Services of type LoadBalancer, Ingresses, and Gateway API resources.
- Creates, updates, and deletes A, AAAA, CNAME, TXT, and SRV records in the backing provider.
- Maintains a TXT heritage record (`external-dns,txt-owner-id`) so safe concurrent operation across clusters is possible.
- Supports weighted, latency, geo, and failover routing in providers that expose them (Route53).
- Reconciles on an interval and on Kubernetes events for near-real-time updates.
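To make the TXT ownership rule above concrete, here is an added Go model (not ExternalDNS's own code) of how a controller with a given `--txt-owner-id` plans changes against a zone: it only updates or deletes records whose companion TXT record carries its own id, never those owned by another cluster or created by hand, and it honours `--policy=sync` versus `upsert-only`. The exact TXT value format is an assumption, the per-record-type TXT name prefix that newer releases add is omitted, and `SampleZone` is constructed sample data.

```go
package main

import "fmt"

// Record is a zone record; Change is one planned mutation (CREATE/UPDATE/DELETE).
type Record struct{ Name, Type, Target string }
type Change struct{ Op string; Rec Record }

// heritage is the companion TXT value (format assumed; per-type TXT name prefix omitted).
func heritage(ownerID string) string {
	return fmt.Sprintf("\"heritage=external-dns,external-dns/owner=%s\"", ownerID)
}

// SampleZone is constructed data: cluster-a owns app and old, cluster-b owns other.
var SampleZone = []Record{
	{"app.example.com", "A", "1.2.3.4"}, {"app.example.com", "TXT", heritage("cluster-a")},
	{"other.example.com", "A", "5.6.7.8"}, {"other.example.com", "TXT", heritage("cluster-b")},
	{"old.example.com", "CNAME", "lb.example.net"}, {"old.example.com", "TXT", heritage("cluster-a")},
}

// Plan diffs desired endpoints against the live zone. Only records whose TXT companion
// names ownerID are updated or deleted; foreign-owned or unowned names are left alone.
// policy "sync" deletes owned records missing from desired; "upsert-only" keeps them.
func Plan(ownerID, policy string, live, desired []Record) []Change {
	owned, liveByKey := map[string]bool{}, map[string]Record{}
	for _, r := range live {
		if r.Type == "TXT" {
			owned[r.Name] = owned[r.Name] || r.Target == heritage(ownerID)
		} else {
			liveByKey[r.Name+"/"+r.Type] = r
		}
	}
	changes, seen := []Change{}, map[string]bool{}
	for _, d := range desired {
		key := d.Name + "/" + d.Type
		seen[key] = true
		if cur, exists := liveByKey[key]; !exists {
			changes = append(changes, Change{"CREATE", d}, Change{"CREATE", Record{d.Name, "TXT", heritage(ownerID)}})
		} else if owned[d.Name] && cur.Target != d.Target {
			changes = append(changes, Change{"UPDATE", d})
		}
	}
	for _, r := range live { // walk the zone in order so the plan is deterministic
		if policy == "sync" && r.Type != "TXT" && owned[r.Name] && !seen[r.Name+"/"+r.Type] {
			changes = append(changes, Change{"DELETE", r}, Change{"DELETE", Record{r.Name, "TXT", heritage(ownerID)}})
		}
	}
	return changes
}
```

Running `Plan` twice with two controllers that share one owner id shows why the configuration notes require a unique `--txt-owner-id`: both would claim the same names and alternately overwrite each other's targets.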
## Architecture Overview

ExternalDNS is a single Go controller that runs in-cluster with a provider plugin compiled in (or external via the new webhook provider model). It queries the Kubernetes API for sources (Service, Ingress, HTTPRoute, custom CRDs), computes a desired set of DNS endpoints, diffs that against the live state in the provider, and applies the minimal change set. Ownership is enforced through companion TXT records that encode the controller's txt-owner-id and the record kind, preventing two clusters from fighting over the same FQDN.

## Self-Hosting & Configuration

- Provide cloud credentials via IRSA (AWS), Workload Identity (GCP), or a namespaced secret.
- Set `--domain-filter` to constrain blast radius; `--zone-id-filter` scopes to specific zones.
- Use `--policy=sync` in prod so deleted Kubernetes objects also remove their DNS records.
- The `--txt-owner-id` must be unique per cluster; collisions cause flapping records.
- Prefer the new webhook provider pattern for out-of-tree providers to keep the core image small.

## Key Features

- 40+ supported DNS providers, from hyperscalers to self-hosted PowerDNS and CoreDNS.
- Source plugins for Service, Ingress, Gateway API, Istio VirtualService, Contour HTTPProxy, and CRDs.
- Multi-cluster safe via TXT ownership records and configurable policies.
- Annotation-driven customization: hostname, TTL, target, set-identifier, controller override.
- Dry-run mode for previewing changes in CI before applying.

## Comparison with Similar Tools

- **cert-manager** — Solves TLS cert provisioning, not DNS-record management; often deployed alongside.
- **cloud-provider controller-manager** — Creates LoadBalancers but does not touch DNS zones.
- **CoreDNS with k8s_gateway** — Answers DNS inside the cluster mesh; does not publish to public DNS.
- **octoDNS** — Declarative DNS-as-code from a repo; great for static zones but not event-driven.
- **Route53 + custom Lambda** — Works but reinvents what ExternalDNS ships out of the box.

## FAQ

**Q:** Can two clusters share one zone?

**A:** Yes — give each a unique `--txt-owner-id`. The TXT heritage records prevent cross-cluster deletes.

**Q:** Does it support Gateway API?

**A:** Yes — as of recent versions, HTTPRoute, TLSRoute, TCPRoute, and UDPRoute are first-class sources.

**Q:** Can I run it with least-privilege IAM?

**A:** Yes — AWS ships an example IAM policy scoped to specific hosted zones and the change-resource-record-sets action.

**Q:** How fast does it propagate?

**A:** The reconcile loop defaults to once a minute; combined with provider TTLs (often 300s), total propagation is a few minutes.

## Sources

- https://github.com/kubernetes-sigs/external-dns
- https://kubernetes-sigs.github.io/external-dns/

---

Source: https://tokrepo.com/en/workflows/03056e6f-3929-11f1-9bc6-00163e2b0d79
Author: Script Depot