# TODO:

- cert-manager talks to the master to add domain names, and DNS-01 TLS through ns1.k-space.ee; both-side link to cert-manager
- bind-services: zone transfer to HA replicas from ns1.k-space.ee
- ns1.k-space.ee: primary authoritative nameserver replica. Other replicas live on Kube nodes. Idea: move it to Zone.
- dns.yaml files add DNS records
# Bind setup

The Bind primary resides outside Kubernetes at `193.40.103.2` and is internally reachable via `172.20.0.2`. Bind secondaries are hosted inside Kubernetes, load balanced behind `62.65.250.2`, and under normal circumstances managed by ArgoCD.

Ingresses and DNSEndpoints referring to `k-space.ee`, `kspace.ee`, `k6.ee` are picked up automatically by external-dns and updated on the primary. The primary triggers notification events to `172.20.53.{1..3}`, which are the internally exposed IPs of the secondaries.
## Secrets

To configure TSIG secrets:

```sh
kubectl create secret generic -n bind bind-readonly-secret \
    --from-file=readonly.key
kubectl create secret generic -n bind bind-readwrite-secret \
    --from-file=readwrite.key
kubectl create secret generic -n bind external-dns
kubectl -n bind delete secret tsig-secret
kubectl -n bind create secret generic tsig-secret \
    --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
kubectl -n cert-manager delete secret tsig-secret
kubectl -n cert-manager create secret generic tsig-secret \
    --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
```
## Serving additional zones

### Bind primary configuration

To serve additional domains from this Bind setup, add the following section to `named.conf.local` on the primary `ns1.k-space.ee`:

```
key "foobar" {
    algorithm hmac-sha512;
    secret "...";
};

zone "foobar.com" {
    type master;
    file "/var/lib/bind/db.foobar.com";
    allow-update { !rejected; key foobar; };
    allow-transfer { !rejected; key readonly; key foobar; };
    notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
};
```
Initialize an empty zone file in `/var/lib/bind/db.foobar.com` on the primary `ns1.k-space.ee`:

```
$TTL 300
; Owner names without a trailing dot are relative to the zone origin,
; so the apex must be written as "foobar.com." (with the dot).
foobar.com. IN SOA ns1.foobar.com. hostmaster.foobar.com. (1 300 300 2592000 300)
    NS ns1.foobar.com.
    NS ns2.foobar.com.
ns1.foobar.com. A 193.40.103.2
ns2.foobar.com. A 62.65.250.2
```
Reload the Bind config:

```sh
named-checkconf
systemctl reload bind9
```
### Bind secondary config

Add the following section to `bind-secondary-config-local` under the key `named.conf.local`:

```
zone "foobar.com" { type slave; masters { 172.20.0.2 key readonly; }; };
```

And restart the secondaries:

```sh
kubectl rollout restart -n bind statefulset/bind-secondary
```
### Registrar config

At your DNS registrar, point your glue records to:

```
foobar.com. NS ns1.foobar.com.
foobar.com. NS ns2.foobar.com.
ns1.foobar.com. A 193.40.103.2
ns2.foobar.com. A 62.65.250.2
```
## Updating DNS records

With the configured TSIG key `foobar` you can now:

- Obtain Let's Encrypt certificates with the DNS challenge. Inside Kubernetes use cert-manager with the RFC2136 provider.
- Update DNS records. Inside Kubernetes use external-dns with the RFC2136 provider.
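Before handing the key to cert-manager or external-dns, it is worth confirming by hand that it really grants dynamic updates on the new zone. The following added example (not part of the original page or the k-space repo) drives the same RFC 2136 UPDATE path those controllers use; it assumes the key was saved as `foobar.key` in tsig-keygen format (the same format as `readwrite.key`) and that the primary is reachable on `172.20.0.2` from where it runs.

```sh
#!/bin/sh
# Added example: exercise RFC 2136 dynamic updates against the primary with the
# TSIG key "foobar" from named.conf.local. Assumes foobar.key holds that key in
# tsig-keygen format and that the primary answers on 172.20.0.2 (both assumptions).
set -eu

PRIMARY=${PRIMARY:-172.20.0.2}
KEYFILE=${KEYFILE:-foobar.key}

# Extract the base64 secret from a tsig-keygen style key file. This is the value
# the TSIG_SECRET Kubernetes secret above is built from; matching on the quoted
# field is more robust than grep | cut when the file contains other quotes.
tsig_secret() {
    sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Build the nsupdate script for a DNS-01 challenge: publish a TXT record under
# _acme-challenge (what cert-manager's RFC2136 solver writes) or remove it again.
# action is "add" or "delete"; the token is whatever the ACME server issued.
acme_update_script() {
    zone=$1; name=$2; token=$3; action=$4
    printf 'server %s\nzone %s\nupdate %s %s 60 IN TXT "%s"\nsend\n' \
        "$PRIMARY" "$zone" "$action" "_acme-challenge.$name" "$token"
}

# Usage: "sh check-tsig.sh run" pushes a constructed record, checks the primary
# serves it, then cleans up. A REFUSED/NOTAUTH answer here means allow-update on
# the zone does not list the key, or the secret differs from named.conf.local.
if [ "${1:-}" = "run" ]; then
    acme_update_script foobar.com foobar.com constructed-token add | nsupdate -k "$KEYFILE" -v
    dig @"$PRIMARY" +short TXT _acme-challenge.foobar.com
    acme_update_script foobar.com foobar.com constructed-token delete | nsupdate -k "$KEYFILE" -v
fi
```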