forked from k-space/kube
125 lines
3.8 KiB
Markdown
125 lines
3.8 KiB
Markdown
# Bind namespace
|
|
|
|
The Bind secondary servers and `external-dns` service pods are running in this namespace.
|
|
The `external-dns` pods are used to declaratively update DNS records on the
|
|
[Bind primary](https://git.k-space.ee/k-space/ansible/src/branch/main/authoritative-nameserver.yaml).
|
|
|
|
The Bind primary `ns1.k-space.ee` resides outside Kubernetes at `193.40.103.2` and
|
|
it's internally reachable via `172.20.0.2`.
|
|
Bind secondaries perform AXFR (zone transfer) from `ns1.k-space.ee` using
|
|
shared secret autentication.
|
|
The primary triggers notification events to `172.20.53.{1..3}`
|
|
which are internally exposed IP-s of the secondaries.
|
|
Bind secondaries are hosted inside Kubernetes, load balanced behind `62.65.250.2` and
|
|
under normal circumstances managed by [ArgoCD](https://argocd.k-space.ee/applications/argocd/bind).
|
|
|
|
Note that [cert-manager](https://git.k-space.ee/k-space/kube/src/branch/master/cert-manager/) also performs DNS updates on the Bind primary.
|
|
|
|
|
|
# For user
|
|
|
|
`Ingresses` and `DNSEndpoint` resources under `k-space.ee`, `kspace.ee`, `k6.ee`
|
|
domains are picked up automatically by `external-dns` and updated on the Bind primary.
|
|
To find usage examples in this repository use
|
|
`grep -r -A25 "^kind: Ingress" .` and
|
|
`grep -R -r -A100 "^kind: DNSEndpoint" .`
|
|
|
|
|
|
# For administrator
|
|
Ingresses and DNSEndpoints referring to `k-space.ee`, `kspace.ee`, `k6.ee`
|
|
are picked up automatically by `external-dns` and updated on primary.
|
|
|
|
The primary triggers notification events to `172.21.53.{1..3}`
|
|
which are internally exposed IP-s of the secondaries.
|
|
|
|
# Secrets
|
|
|
|
To configure TSIG secrets:
|
|
|
|
```
|
|
kubectl create secret generic -n bind bind-readonly-secret \
|
|
--from-file=readonly.key
|
|
kubectl create secret generic -n bind bind-readwrite-secret \
|
|
--from-file=readwrite.key
|
|
kubectl create secret generic -n bind external-dns
|
|
kubectl -n bind delete secret tsig-secret
|
|
kubectl -n bind create secret generic tsig-secret \
|
|
--from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
|
|
kubectl -n cert-manager delete secret tsig-secret
|
|
kubectl -n cert-manager create secret generic tsig-secret \
|
|
--from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
|
|
```
|
|
|
|
# Serving additional zones
|
|
|
|
## Bind primary configuration
|
|
|
|
To serve additional domains from this Bind setup add following
|
|
section to `named.conf.local` on primary `ns1.k-space.ee`:
|
|
|
|
```
|
|
key "foobar" {
|
|
algorithm hmac-sha512;
|
|
secret "...";
|
|
};
|
|
|
|
zone "foobar.com" {
|
|
type master;
|
|
file "/var/lib/bind/db.foobar.com";
|
|
allow-update { !rejected; key foobar; };
|
|
allow-transfer { !rejected; key readonly; key foobar; };
|
|
notify explicit; also-notify { 172.21.53.1; 172.21.53.2; 172.21.53.3; };
|
|
};
|
|
```
|
|
|
|
Initiate empty zonefile in `/var/lib/bind/db.foobar.com` on the primary `ns1.k-space.ee`:
|
|
|
|
```
|
|
foobar.com IN SOA ns1.foobar.com. hostmaster.foobar.com. (1 300 300 2592000 300)
|
|
NS ns1.foobar.com.
|
|
NS ns2.foobar.com.
|
|
ns1.foobar.com. A 193.40.103.2
|
|
ns2.foobar.com. A 62.65.250.2
|
|
```
|
|
|
|
Reload Bind config:
|
|
|
|
```
|
|
named-checkconf
|
|
systemctl reload bind9
|
|
```
|
|
|
|
## Bind secondary config
|
|
|
|
Add section to `bind-secondary-config-local` under key `named.conf.local`:
|
|
|
|
```
|
|
zone "foobar.com" { type slave; masters { 172.20.0.2 key readonly; }; };
|
|
```
|
|
|
|
And restart secondaries:
|
|
|
|
```
|
|
kubectl rollout restart -n bind statefulset/bind-secondary
|
|
```
|
|
|
|
## Registrar config
|
|
|
|
At your DNS registrar point your glue records to:
|
|
|
|
```
|
|
foobar.com. NS ns1.foobar.com.
|
|
foobar.com. NS ns2.foobar.com.
|
|
ns1.foobar.com. A 193.40.103.2
|
|
ns2.foobar.com. A 62.65.250.2
|
|
```
|
|
|
|
## Updating DNS records
|
|
|
|
With the configured TSIG key `foobar` you can now:
|
|
|
|
* Obtain Let's Encrypt certificates with DNS challenge.
|
|
Inside Kubernetes use `cert-manager` with RFC2136 provider.
|
|
* Update DNS records.
|
|
Inside Kubernetes use `external-dns` with RFC2136 provider.
|