Update example docs

Signed-off-by: rasel <rasel@appscode.com>

examples/azure-credential.md

@@ -1,15 +1,53 @@
-### Create credential file
-You have to create a JSON credential file for Azure Provider:
+### Create configuration file
+* Create `Resource Group` and `DNS Zone`
+```bash
+az group create --name "MyDnsResourceGroup" --location "eastus"
+az network dns zone create --resource-group "MyDnsResourceGroup" --name "example.com"
+```
+* Create a `Service Principal`
+```bash
+EXTERNALDNS_NEW_SP_NAME="ExternalDnsServicePrincipal" # name of the service principal
+AZURE_DNS_ZONE_RESOURCE_GROUP="MyDnsResourceGroup" # name of resource group where dns zone is hosted
+AZURE_DNS_ZONE="example.com" # DNS zone name like example.com or sub.example.com
+
+# Create the service principal
+DNS_SP=$(az ad sp create-for-rbac --name $EXTERNALDNS_NEW_SP_NAME)
+EXTERNALDNS_SP_APP_ID=$(echo $DNS_SP | jq -r '.appId')
+EXTERNALDNS_SP_PASSWORD=$(echo $DNS_SP | jq -r '.password')
+```
+* Grant access to Azure DNS zone for the service principal.
+```bash
+# fetch DNS id used to grant access to the service principal
+DNS_ID=$(az network dns zone show --name $AZURE_DNS_ZONE \
+ --resource-group $AZURE_DNS_ZONE_RESOURCE_GROUP --query "id" --output tsv)
+
+# 1. as a reader to the resource group
+# az role assignment create --role "Reader" --assignee $EXTERNALDNS_SP_APP_ID --scope $DNS_ID
+
+# 2. as a contributor to DNS Zone itself
+az role assignment create --role "Contributor" --assignee $EXTERNALDNS_SP_APP_ID --scope $DNS_ID
+```
+* Write the credentials to a local path
 ```bash
 cat <<-EOF > /local/path/to/azure.json
+{
+  "tenantId": "$(az account show --query tenantId -o tsv)",
+  "subscriptionId": "$(az account show --query id -o tsv)",
+  "resourceGroup": "$AZURE_DNS_ZONE_RESOURCE_GROUP",
+  "aadClientId": "$EXTERNALDNS_SP_APP_ID",
+  "aadClientSecret": "$EXTERNALDNS_SP_PASSWORD"
+}
+EOF
+```
+* Once you have completed all the process you will have a json file in `/local/path/to/azure.json` path
+```json
 {
   "tenantId": "your-azure-tenant-id",
   "subscriptionId": "your-azure-subscription-id",
   "resourceGroup": "your-azure-resource-group-name",
   "aadClientId": "your-azure-client-id",
   "aadClientSecret": "your-azure-client-password"
 }
-EOF
 ```
 
 ### Create secret from file

examples/google-credential.md

@@ -1,5 +1,23 @@
+### Create static credentials
+* Create a Google Service Account(GSA) that has access to the CloudDNS Zone
+```bash
+GKE_PROJECT_ID="your-organization-project-id"
+DNS_SA_NAME="external-dns-sa"
+DNS_SA_EMAIL="$DNS_SA_NAME@${GKE_PROJECT_ID}.iam.gserviceaccount.com"
+
+# create GSA used to access the Cloud DNS zone
+gcloud iam service-accounts create $DNS_SA_NAME --display-name $DNS_SA_NAME
+
+# assign google service account to dns.admin role in cloud-dns project
+gcloud projects add-iam-policy-binding $DNS_PROJECT_ID --member serviceAccount:$DNS_SA_EMAIL --role "roles/dns.admin"
+```
+* Generate static credential from the ExternalDNS GSA
+```bash
+# download static credentials
+gcloud iam service-accounts keys create /local/path/to/credentials.json --iam-account $DNS_SA_EMAIL
+```
 ### Create Secret from
-Create a Kubernetes secret with the credentials in the same namespace of External-DNS operator. 
+Create a Kubernetes secret with the credentials in the `same namespace of External-DNS` operator. 
 ```shell
 kubectl create secret generic google-credential --namespace demo --from-file /local/path/to/credentials.json
 ```

examples/node-cloudflare.yaml

@@ -10,9 +10,9 @@ spec:
       version: v1
       kind: Node
     node:
-      labelFilter: app=demo-node
-      annotationFilter: lke.linode.com/wgip=0.0.0.0
-      fqdnTemplate: "{{.Name}}.example.com"
+#      labelFilter: app=demo-node
+#      annotationFilter: lke.linode.com/wgip=0.0.0.0
+      fqdnTemplate: "nodes.example.com"
   registry: txt
   txtOwnerID: external-dns
   txtPrefix: xyz
@@ -21,5 +21,5 @@ spec:
   provider: cloudflare
   cloudflare:
     secretRef:
-      name: cloudflare-credentials
-      apiToken: CF_API_TOKEN
+      name: cloudflare-credential
+      apiTokenKey: CF_API_TOKEN

examples/nodes-google.yaml

@@ -4,17 +4,15 @@ metadata:
   name: google-nodes
   namespace: demo
 spec:
-  providerSecretRef:
-    name: google-credential
   source:
     type:
       group: ""
       version: v1
       kind: Node
     node:
       #multiple label filter, comma separated
-      labelFilter: "node-pool-id=123xyz,beta.kubernetes.io/arch=amd64"
-      annotationFilter: lke.linode.com/wgip=0.0.0.1
+#      labelFilter: "node-pool-id=123xyz,beta.kubernetes.io/arch=amd64"
+#      annotationFilter: lke.linode.com/wgip=0.0.0.1
       fqdnTemplate: node.example.com
   registry: txt
   txtOwnerID: external-dns

pkg/plan/plan.go

@@ -658,9 +658,9 @@ func createProviderFromCfg(ctx context.Context, cfg *externaldns.Config, endpoin
 		}
 		p, err = awssd.NewAWSSDProvider(domainFilter, cfg.AWSZoneType, cfg.DryRun, cfg.AWSSDServiceCleanup, cfg.TXTOwnerID, sd.New(awsSession))
 	case "azure-dns", "azure":
-		p, err = azure.NewAzureProvider(cfg.AzureConfigFile, domainFilter, zoneNameFilter, zoneIDFilter, "FIX -- subscriptionID", cfg.AzureResourceGroup, cfg.AzureUserAssignedIdentityClientID, cfg.DryRun)
+		p, err = azure.NewAzureProvider(cfg.AzureConfigFile, domainFilter, zoneNameFilter, zoneIDFilter, cfg.AzureSubscriptionID, cfg.AzureResourceGroup, cfg.AzureUserAssignedIdentityClientID, cfg.DryRun)
 	case "azure-private-dns":
-		p, err = azure.NewAzurePrivateDNSProvider(cfg.AzureConfigFile, domainFilter, zoneIDFilter, "FIX -- subscriptionID", cfg.AzureResourceGroup, cfg.AzureUserAssignedIdentityClientID, cfg.DryRun)
+		p, err = azure.NewAzurePrivateDNSProvider(cfg.AzureConfigFile, domainFilter, zoneIDFilter, cfg.AzureSubscriptionID, cfg.AzureResourceGroup, cfg.AzureUserAssignedIdentityClientID, cfg.DryRun)
 	case "bluecat":
 		p, err = bluecat.NewBluecatProvider(cfg.BluecatConfigFile, cfg.BluecatDNSConfiguration, cfg.BluecatDNSServerName, cfg.BluecatDNSDeployType, cfg.BluecatDNSView, cfg.BluecatGatewayHost, cfg.BluecatRootZone, cfg.TXTPrefix, cfg.TXTSuffix, domainFilter, zoneIDFilter, cfg.DryRun, cfg.BluecatSkipTLSVerify)
 	case "vinyldns":
@@ -750,7 +750,15 @@ func createProviderFromCfg(ctx context.Context, cfg *externaldns.Config, endpoin
 			p, err = oci.NewOCIProvider(*config, domainFilter, zoneIDFilter, cfg.OCIZoneScope, cfg.DryRun)
 		}
 	case "rfc2136":
-		p, err = rfc2136.NewRfc2136Provider(cfg.RFC2136Host, cfg.RFC2136Port, cfg.RFC2136Zone, cfg.RFC2136Insecure, cfg.RFC2136TSIGKeyName, cfg.RFC2136TSIGSecret, cfg.RFC2136TSIGSecretAlg, cfg.RFC2136TAXFR, domainFilter, cfg.DryRun, cfg.RFC2136MinTTL, cfg.RFC2136GSSTSIG, cfg.RFC2136KerberosUsername, cfg.RFC2136KerberosPassword, cfg.RFC2136KerberosRealm, cfg.RFC2136BatchChangeSize /* FIX */, rfc2136.TLSConfig{}, nil)
+		tlsConfig := rfc2136.TLSConfig{
+			UseTLS:                cfg.RFC2136UseTLS,
+			SkipTLSVerify:         cfg.RFC2136SkipTLSVerify,
+			CAFilePath:            cfg.TLSCA,
+			ClientCertFilePath:    cfg.TLSClientCert,
+			ClientCertKeyFilePath: cfg.TLSClientCertKey,
+			ServerName:            "",
+		}
+		p, err = rfc2136.NewRfc2136Provider(cfg.RFC2136Host, cfg.RFC2136Port, cfg.RFC2136Zone, cfg.RFC2136Insecure, cfg.RFC2136TSIGKeyName, cfg.RFC2136TSIGSecret, cfg.RFC2136TSIGSecretAlg, cfg.RFC2136TAXFR, domainFilter, cfg.DryRun, cfg.RFC2136MinTTL, cfg.RFC2136GSSTSIG, cfg.RFC2136KerberosUsername, cfg.RFC2136KerberosPassword, cfg.RFC2136KerberosRealm, cfg.RFC2136BatchChangeSize, tlsConfig, nil)
 	case "ns1":
 		p, err = ns1.NewNS1Provider(
 			ns1.NS1Config{
@@ -789,7 +797,7 @@ func createRegistry(cfg *externaldns.Config, p provider.Provider) (registry.Regi
 	case "noop":
 		r, err = registry.NewNoopRegistry(p)
 	case "txt":
-		r, err = registry.NewTXTRegistry(p, cfg.TXTPrefix, cfg.TXTSuffix, cfg.TXTOwnerID, cfg.TXTCacheInterval, cfg.TXTWildcardReplacement, cfg.ManagedDNSRecordTypes /* FIX */, nil, false, nil)
+		r, err = registry.NewTXTRegistry(p, cfg.TXTPrefix, cfg.TXTSuffix, cfg.TXTOwnerID, cfg.TXTCacheInterval, cfg.TXTWildcardReplacement, cfg.ManagedDNSRecordTypes, cfg.ExcludeDNSRecordTypes, cfg.TXTEncryptEnabled, []byte(cfg.TXTEncryptAESKey))
 	case "aws-sd":
 		r, err = registry.NewAWSSDRegistry(p.(*awssd.AWSSDProvider), cfg.TXTOwnerID)
 	default: