ExternalDNS Deployment Guide

ExternalDNS automatically manages DNS records for applications exposed through your ingress controller. Configuration depends on whether the ingress controller is deployed as a Deployment (Option 1) or a DaemonSet (Option 2). Popular DNS providers: Cloudflare, Route 53, Google Cloud DNS, DigitalOcean, Vultr, etc.

Deploy ExternalDNS

Choose one of the following examples based on your DNS provide:Example for Cloudflare with API Token (Recommended)

API tokens are more secure than API keys as they can be scoped to specific zones and permissions.

Show Example

kubectl create namespace external-dns
kubectl create secret generic cloudflare-api-token -n external-dns --from-literal=apiToken=YOUR_API_TOKEN

helm repo add external-dns https://kubernetes-sigs.github.io/external-dns/
helm repo update

helm upgrade --install external-dns external-dns/external-dns \
  --namespace external-dns \
  --set txtOwnerId=mycluster \
  --set provider.name=cloudflare \
  --set 'env[0].name=CF_API_TOKEN' \
  --set 'env[0].valueFrom.secretKeyRef.name=cloudflare-api-token' \
  --set 'env[0].valueFrom.secretKeyRef.key=apiToken'

Example for Cloudflare with API KeyReference: https://kubernetes-sigs.github.io/external-dns/latest/docs/tutorials/cloudflare/

Show Example

kubectl create namespace external-dns
kubectl create secret generic cloudflare-api-key -n external-dns --from-literal=apiKey=YOUR_API_KEY --from-literal=email=YOUR_CLOUDFLARE_EMAIL

helm repo add external-dns https://kubernetes-sigs.github.io/external-dns/
helm repo update

helm upgrade --install external-dns external-dns/external-dns \
  --namespace external-dns \
  --set txtOwnerId=mycluster \
  --set provider.name=cloudflare \
  --set 'env[0].name=CF_API_KEY' \
  --set 'env[0].valueFrom.secretKeyRef.name=cloudflare-api-key' \
  --set 'env[0].valueFrom.secretKeyRef.key=apiKey' \
  --set 'env[1].name=CF_API_EMAIL' \
  --set 'env[1].valueFrom.secretKeyRef.name=cloudflare-api-key' \
  --set 'env[1].valueFrom.secretKeyRef.key=email'

By default, ExternalDNS runs with the upsert-only policy, which allows it to create and update DNS records but not delete them. To enable record deletion, change the policy to sync.--set policy=sync

Annotate the Ingress Controller Service

The annotations you need depend on which ingress controller option you chose.Option 1 (Deployment with the LoadBalancer Service)

kubectl annotate svc ingress-nginx-controller \
  -n ingress-nginx \
  external-dns.alpha.kubernetes.io/hostname="*.example.com"

Wildcard domains simplify DNS management for multiple applications.
Eliminates the need to annotate each Ingress resource individually.
DNS records are automatically updated when the Service’s externalIPs change.
ExternalDNS monitors the LoadBalancer Service and creates DNS A records that point to the configured externalIPs.

Option 2 (DaemonSet with hostNetwork)

kubectl annotate svc ingress-nginx-controller \
  -n ingress-nginx \
  external-dns.alpha.kubernetes.io/hostname="*.example.com" \
  external-dns.alpha.kubernetes.io/endpoints-type=NodeExternalIP

The endpoints-type=NodeExternalIP annotation instructs ExternalDNS to use the external IPs of nodes where the DaemonSet pods are running.
This results in DNS A records pointing to the external IPs of all worker nodes.
DNS records are automatically updated as nodes are added to, or removed from, the cluster.

For an end-to-end HTTPS application example, refer to Quick Start: Hello World with HTTPS.

Getting Started with IO Cloud

IO Cloud Payments

Run Jobs on Clusters

ExternalDNS Deployment Guide

Deploy ExternalDNS

Annotate the Ingress Controller Service