forked from k-space/kube
105 lines
2.8 KiB
Markdown
105 lines
2.8 KiB
Markdown
# Bind setup
|
|
|
|
The Bind primary resides outside Kubernetes at `193.40.103.2` and
|
|
it's internally reachable via `172.20.0.2`.
|
|
|
|
Bind secondaries are hosted inside Kubernetes, load balanced behind `62.65.250.2` and
|
|
under normal circumstances managed by [ArgoCD](https://argocd.k-space.ee/applications/argocd/bind).
|
|
|
|
Ingresses and DNSEndpoints referring to `k-space.ee`, `kspace.ee`, `k6.ee`
|
|
are picked up automatically by `external-dns` and updated on primary.
|
|
|
|
The primary triggers notification events to `172.20.53.{1..3}`
|
|
which are internally exposed IP-s of the secondaries.
|
|
|
|
# Secrets
|
|
|
|
To configure TSIG secrets:
|
|
|
|
```
|
|
kubectl create secret generic -n bind bind-readonly-secret \
|
|
--from-file=readonly.key
|
|
kubectl create secret generic -n bind bind-readwrite-secret \
|
|
--from-file=readwrite.key
|
|
kubectl create secret generic -n bind external-dns
|
|
kubectl -n bind delete secret tsig-secret
|
|
kubectl -n bind create secret generic tsig-secret \
|
|
--from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
|
|
kubectl -n cert-manager delete secret tsig-secret
|
|
kubectl -n cert-manager create secret generic tsig-secret \
|
|
--from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
|
|
```
|
|
|
|
# Serving additional zones
|
|
|
|
## Bind primary configuration
|
|
|
|
To serve additional domains from this Bind setup add following
|
|
section to `named.conf.local` on primary `ns1.k-space.ee`:
|
|
|
|
```
|
|
key "foobar" {
|
|
algorithm hmac-sha512;
|
|
secret "...";
|
|
};
|
|
|
|
zone "foobar.com" {
|
|
type master;
|
|
file "/var/lib/bind/db.foobar.com";
|
|
allow-update { !rejected; key foobar; };
|
|
allow-transfer { !rejected; key readonly; key foobar; };
|
|
notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
|
|
};
|
|
```
|
|
|
|
Initiate empty zonefile in `/var/lib/bind/db.foobar.com` on the primary `ns1.k-space.ee`:
|
|
|
|
```
|
|
foobar.com IN SOA ns1.foobar.com. hostmaster.foobar.com. (1 300 300 2592000 300)
|
|
NS ns1.foobar.com.
|
|
NS ns2.foobar.com.
|
|
ns1.foobar.com. A 193.40.103.2
|
|
ns2.foobar.com. A 62.65.250.2
|
|
```
|
|
|
|
Reload Bind config:
|
|
|
|
```
|
|
named-checkconf
|
|
systemctl reload bind9
|
|
```
|
|
|
|
## Bind secondary config
|
|
|
|
Add section to `bind-secondary-config-local` under key `named.conf.local`:
|
|
|
|
```
|
|
zone "foobar.com" { type slave; masters { 172.20.0.2 key readonly; }; };
|
|
```
|
|
|
|
And restart secondaries:
|
|
|
|
```
|
|
kubectl rollout restart -n bind statefulset/bind-secondary
|
|
```
|
|
|
|
## Registrar config
|
|
|
|
At your DNS registrar point your glue records to:
|
|
|
|
```
|
|
foobar.com. NS ns1.foobar.com.
|
|
foobar.com. NS ns2.foobar.com.
|
|
ns1.foobar.com. A 193.40.103.2
|
|
ns2.foobar.com. A 62.65.250.2
|
|
```
|
|
|
|
## Updating DNS records
|
|
|
|
With the configured TSIG key `foobar` you can now:
|
|
|
|
* Obtain Let's Encrypt certificates with DNS challenge.
|
|
Inside Kubernetes use `cert-manager` with RFC2136 provider.
|
|
* Update DNS records.
|
|
Inside Kubernetes use `external-dns` with RFC2136 provider.
|