From 6ff3e03e60bae6acab082bbbd7ab7d81985da426 Mon Sep 17 00:00:00 2001
From: saidst
Date: Mon, 27 Jan 2020 15:26:17 +0100
Subject: [PATCH 1/2] correct rejection of azure-private-dns-zones not matching filters.

---
 provider/azure_private_dns.go | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/provider/azure_private_dns.go b/provider/azure_private_dns.go
index 74e1697abe..d66e8cfb54 100644
--- a/provider/azure_private_dns.go
+++ b/provider/azure_private_dns.go
@@ -175,20 +175,10 @@ func (p *AzurePrivateDNSProvider) zones(ctx context.Context) ([]privatedns.Priva
 zone := i.Value()
 log.Debugf("Validating Zone: %v", *zone.Name)
 
- if zone.Name == nil {
- continue
+ if zone.Name != nil && p.domainFilter.Match(*zone.Name) && p.zoneIDFilter.Match(*zone.ID) {
+ zones = append(zones, zone)
 }
 
- if !p.domainFilter.Match(*zone.Name) {
- continue
- }
-
- if !p.zoneIDFilter.Match(*zone.ID) {
- continue
- }
-
- zones = append(zones, zone)
-
 err := i.NextWithContext(ctx)
 if err != nil {
 return nil, err

From 5340c89756db94120572ccfee37467a09b1809e8 Mon Sep 17 00:00:00 2001
From: saidst
Date: Wed, 29 Jan 2020 08:16:58 +0100
Subject: [PATCH 2/2] updated infos on required technical users in azure private dns tutorial.

---
 docs/tutorials/azure-private-dns.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/tutorials/azure-private-dns.md b/docs/tutorials/azure-private-dns.md
index 63999a3802..2aefc0308a 100644
--- a/docs/tutorials/azure-private-dns.md
+++ b/docs/tutorials/azure-private-dns.md
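Review bot: The merged condition on the added line still dereferences `*zone.ID` with no nil check, and the `zone.Name != nil` guard it keeps is already defeated by the unchanged `log.Debugf("Validating Zone: %v", *zone.Name)` two lines above it, which dereferences `zone.Name` before the guard runs; a zone record with either pointer unset panics the provider instead of being skipped. Since these filters are what bound which private zones the controller is allowed to write to, the failure mode is a crash of the reconciler on one malformed API result rather than a silently wider scope, but it is still a denial of service triggered by data the provider does not control. The rewrite below moves the debug log under a guard covering both pointers and deliberately does not use `continue`, because skipping `i.NextWithContext(ctx)` is the pager stall this commit is fixing. The enclosing `zones` method starts and ends outside the hunk.
```go
		zone := i.Value()
		// Both pointers are dereferenced by the filters below; a record missing
		// either is dropped here without `continue`, so the pager is still advanced.
		if zone.Name != nil && zone.ID != nil {
			log.Debugf("Validating Zone: %v", *zone.Name)
			if p.domainFilter.Match(*zone.Name) && p.zoneIDFilter.Match(*zone.ID) {
				zones = append(zones, zone)
			}
		}
		// … unchanged: err := i.NextWithContext(ctx) and its error check …
```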
@@ -101,8 +101,8 @@ $ az network private-dns link vnet create -g externaldns -n mylink \ ExternalDNS needs permissions to make changes in Azure Private DNS. These permissions are roles assigned to the service principal used by ExternalDNS. -A service principal with a minimum access level of `contributor` to the Private DNS zone(s) and `reader` to the resource group containing the Azure Private DNS zone(s) is necessary. -More powerful role-assignments like `owner` or assignments on subscription-level work too. +A service principal with a minimum access level of `Private DNS Zone Contributor` to the Private DNS zone(s) and `Reader` to the resource group containing the Azure Private DNS zone(s) is necessary. +More powerful role-assignments like `Owner` or assignments on subscription-level work too. Start off by **creating the service principal** without role-assignments. ``` @@ -134,7 +134,7 @@ Now, **create role assignments**. $ az role assignment create --role "Reader" --assignee --scope # 2. as a contributor to DNS Zone itself -$ az role assignment create --role "Contributor" --assignee --scope +$ az role assignment create --role "Private DNS Zone Contributor" --assignee --scope ``` ## Deploy ExternalDNS