# Bind setup

The Bind primary resides outside Kubernetes at `193.40.103.2` and is internally reachable via `172.20.0.2`.

Bind secondaries are hosted inside Kubernetes, load balanced behind `62.65.250.2`, and under normal circumstances managed by ArgoCD.

Ingresses and DNSEndpoints referring to `k-space.ee`, `kspace.ee` and `k6.ee` are picked up automatically by `external-dns` and updated on the primary.

The primary sends NOTIFY events to `172.20.53.{1..3}`, which are the internally exposed IPs of the secondaries.
## Secrets

To configure TSIG secrets:

```sh
# Full key files (tsig-keygen format) for the secondaries
kubectl create secret generic -n bind bind-readonly-secret \
    --from-file=readonly.key
kubectl create secret generic -n bind bind-readwrite-secret \
    --from-file=readwrite.key
kubectl create secret generic -n bind external-dns

# Bare secret value for the RFC2136 providers (external-dns and cert-manager)
kubectl -n bind delete secret tsig-secret
kubectl -n bind create secret generic tsig-secret \
    --from-literal=TSIG_SECRET=$(grep secret readwrite.key | cut -d '"' -f 2)
kubectl -n cert-manager delete secret tsig-secret
kubectl -n cert-manager create secret generic tsig-secret \
    --from-literal=TSIG_SECRET=$(grep secret readwrite.key | cut -d '"' -f 2)
```
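The `grep secret | cut` one-liner above matches every line containing the word "secret", so it yields two values (and a broken Kubernetes secret) as soon as the key name itself contains that word. The following POSIX shell script is an added example, not code from the k-space.ee repository; it extracts the key name, algorithm and secret from a tsig-keygen style key file with patterns anchored on the actual statements, and sanity-checks the result. The key file it writes is constructed for the example and its secret is a made-up base64 string, not a real key.

```sh
#!/bin/sh
# Added example, not code from the k-space.ee repository.
# Extract name, algorithm and secret from a BIND/tsig-keygen key file without
# relying on the word "secret" appearing on exactly one line.
set -eu

# Constructed sample key file (the secret is base64 of a harmless string, not a
# real key). The key NAME intentionally contains "secret" to show the pitfall.
write_sample_keyfile() {
    cat > "$1" <<'EOF'
key "readwrite-secret" {
    algorithm hmac-sha512;
    secret "Y29uc3RydWN0ZWQtc2FtcGxlLW5vdC1hLXJlYWwta2V5";
};
EOF
}

# The README's one-liner: every line containing "secret" matches, so for the
# sample file it prints two lines and TSIG_SECRET would get both of them.
naive_secret() {
    grep secret "$1" | cut -d '"' -f 2
}

# Anchored on the `secret "...";` statement itself; first match only.
tsig_secret() {
    sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Key name from the `key "..." {` line (needed for the key {} stanza on the primary).
tsig_keyname() {
    sed -n 's/^[[:space:]]*key[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Algorithm, so a caller can refuse weak ones (e.g. hmac-md5) before use.
tsig_algorithm() {
    sed -n 's/^[[:space:]]*algorithm[[:space:]]*\([^;[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Sanity-check the extracted secret: non-empty and decodable as base64.
secret_is_sane() {
    s=$(tsig_secret "$1")
    [ -n "$s" ] || return 1
    printf '%s' "$s" | base64 -d >/dev/null 2>&1
}

# Usage, mirroring the README but with the anchored extractor:
#   kubectl -n bind create secret generic tsig-secret \
#       --from-literal=TSIG_SECRET="$(tsig_secret readwrite.key)"
```

Quoting the command substitution (`"$(tsig_secret readwrite.key)"`) also protects against word splitting if the file is ever malformed, which the unquoted form in the README does not.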
# Serving additional zones

## Bind primary configuration

To serve additional domains from this Bind setup, add the following section to `named.conf.local` on the primary `ns1.k-space.ee`:

```
key "foobar" {
    algorithm hmac-sha512;
    secret "...";
};

zone "foobar.com" {
    type master;
    file "/var/lib/bind/db.foobar.com";
    allow-update { !rejected; key foobar; };
    allow-transfer { !rejected; key readonly; key foobar; };
    notify explicit;
    also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
};
```

Initiate an empty zonefile in `/var/lib/bind/db.foobar.com` on the primary `ns1.k-space.ee` (note the trailing dot on the apex name; without it the owner would be relative to the zone origin and the zone would have no SOA at its apex):

```
$TTL 300
foobar.com. IN SOA ns1.foobar.com. hostmaster.foobar.com. (1 300 300 2592000 300)
            NS ns1.foobar.com.
            NS ns2.foobar.com.
ns1.foobar.com. A 193.40.103.2
ns2.foobar.com. A 62.65.250.2
```

Reload Bind config:

```sh
named-checkconf
systemctl reload bind9
```

## Bind secondary config

Add a section to `bind-secondary-config-local` under key `named.conf.local`:

```
zone "foobar.com" { type slave; masters { 172.20.0.2 key readonly; }; };
```

And restart the secondaries:

```sh
kubectl rollout restart -n bind statefulset/bind-secondary
```
## Registrar config

At your DNS registrar delegate the domain to the two nameservers and set their glue records:

```
foobar.com. NS ns1.foobar.com.
foobar.com. NS ns2.foobar.com.
ns1.foobar.com. A 193.40.103.2
ns2.foobar.com. A 62.65.250.2
```
## Updating DNS records

With the configured TSIG key `foobar` you can now:

- Obtain Let's Encrypt certificates with the DNS challenge. Inside Kubernetes use `cert-manager` with the RFC2136 provider.
- Update DNS records. Inside Kubernetes use `external-dns` with the RFC2136 provider.
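To make concrete what the RFC2136 providers do with the `foobar` key, here is an added example (not code from the k-space.ee repository) of the same exchange done by hand: an `nsupdate` batch that publishes an ACME DNS-01 challenge TXT record, a check that the record has reached every secondary, and the cleanup batch. It assumes a key file `foobar.key` in tsig-keygen format (the form `nsupdate -k` accepts) and the primary and secondary addresses from this page; the token value is constructed.

```sh
#!/bin/sh
# Added example, not code from the k-space.ee repository.
# Publish and clean up an ACME DNS-01 challenge record under a zone served by
# this setup, via RFC 2136 dynamic update signed with the zone's TSIG key.
# Assumptions: foobar.key is a tsig-keygen style key file; the primary is
# reachable at 172.20.0.2 and the secondaries at 172.20.53.{1..3} (both from the README).
set -eu

PRIMARY=${PRIMARY:-172.20.0.2}
SECONDARIES="172.20.53.1 172.20.53.2 172.20.53.3"

# nsupdate batch that replaces the challenge TXT record. The delete before the
# add guarantees that only the current token is published; TTL 60 keeps a stale
# token from lingering in caches after the challenge is done.
acme_update_batch() {
    zone=$1 name=$2 token=$3
    printf 'server %s\n' "$PRIMARY"
    printf 'zone %s.\n' "$zone"
    printf 'update delete _acme-challenge.%s. TXT\n' "$name"
    printf 'update add _acme-challenge.%s. 60 IN TXT "%s"\n' "$name" "$token"
    printf 'send\n'
}

# nsupdate batch that removes the challenge record once the certificate is issued.
acme_cleanup_batch() {
    zone=$1 name=$2
    printf 'server %s\nzone %s.\nupdate delete _acme-challenge.%s. TXT\nsend\n' \
        "$PRIMARY" "$zone" "$name"
}

# Given the output of `dig +short TXT _acme-challenge.<name> @<server>`
# (one quoted string per line), report whether the expected token is present.
txt_has_token() {
    dig_output=$1 token=$2
    printf '%s\n' "$dig_output" | grep -Fqx "\"$token\""
}

# Check every secondary, since 62.65.250.2 fronts the secondaries and that is
# what the ACME server will query. Fails if any secondary has not caught up yet.
secondaries_serve_token() {
    name=$1 token=$2
    for ns in $SECONDARIES; do
        out=$(dig +short TXT "_acme-challenge.$name" "@$ns")
        txt_has_token "$out" "$token" || return 1
    done
}

# Usage (needs network access to the servers; not run by the test):
#   acme_update_batch foobar.com foobar.com "$TOKEN" | nsupdate -k foobar.key
#   until secondaries_serve_token foobar.com "$TOKEN"; do sleep 5; done
#   acme_cleanup_batch foobar.com foobar.com | nsupdate -k foobar.key
```

Because `allow-update` on the primary lists only `key foobar` (plus the `rejected` ACL exclusion), an unsigned batch or one signed with another key is refused; the same key appears in `allow-transfer`, so anyone holding it can also pull the whole zone, which is worth remembering when deciding where the key file is stored.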