forked from k-space/kube
kube/bind/README.md

# Bind namespace

The Bind secondary servers and external-dns service pods are running in this namespace. The external-dns pods are used to declaratively update DNS records on the Bind primary.

The Bind primary ns1.k-space.ee resides outside Kubernetes at 193.40.103.2 and is internally reachable via 172.20.0.2. Bind secondaries perform AXFR (zone transfer) from ns1.k-space.ee using shared-secret (TSIG) authentication. The primary sends NOTIFY events to 172.20.53.{1..3}, the internally exposed IPs of the secondaries. Bind secondaries are hosted inside Kubernetes, load balanced behind 62.65.250.2 and under normal circumstances managed by ArgoCD.

Note that cert-manager also performs DNS updates on the Bind primary.

## For users

Ingress and DNSEndpoint resources under the k-space.ee, kspace.ee and k6.ee domains are picked up automatically by external-dns and updated on the Bind primary. To find usage examples in this repository, run `grep -r -A25 "^kind: Ingress" .` and `grep -r -A100 "^kind: DNSEndpoint" .`

## For administrators

Ingresses and DNSEndpoints referring to k-space.ee, kspace.ee or k6.ee are picked up automatically by external-dns and updated on the primary.

The primary sends NOTIFY events to 172.21.53.{1..3}, the internally exposed IPs of the secondaries.

### Secrets

To configure TSIG secrets:

```sh
kubectl create secret generic -n bind bind-readonly-secret \
  --from-file=readonly.key
kubectl create secret generic -n bind bind-readwrite-secret \
  --from-file=readwrite.key
kubectl create secret generic -n bind external-dns
# Extract the base64 secret from the `secret "...";` line of the key file
TSIG_SECRET="$(grep secret readwrite.key | cut -d '"' -f 2)"
kubectl -n bind delete secret tsig-secret --ignore-not-found
kubectl -n bind create secret generic tsig-secret \
    --from-literal=TSIG_SECRET="$TSIG_SECRET"
kubectl -n cert-manager delete secret tsig-secret --ignore-not-found
kubectl -n cert-manager create secret generic tsig-secret \
    --from-literal=TSIG_SECRET="$TSIG_SECRET"
```

## Serving additional zones

### Bind primary configuration

To serve additional domains from this Bind setup, add the following section to `named.conf.local` on the primary ns1.k-space.ee. The `key` block is the TSIG key that clients will later use for dynamic updates and zone transfers of this zone:

```
key "foobar" {
    algorithm hmac-sha512;
    secret "...";
};

zone "foobar.com" {
    type master;
    file "/var/lib/bind/db.foobar.com";
    allow-update { !rejected; key foobar; };
    allow-transfer { !rejected; key readonly; key foobar; };
    notify explicit;
    also-notify { 172.21.53.1; 172.21.53.2; 172.21.53.3; };
};
```

Create the initial zone file `/var/lib/bind/db.foobar.com` on the primary ns1.k-space.ee. Owner names are written fully qualified (with a trailing dot) so they are not expanded relative to the zone origin, and `$TTL` supplies the default record TTL:

```
$TTL 300
foobar.com.        IN SOA  ns1.foobar.com. hostmaster.foobar.com. ( 1 300 300 2592000 300 )  ; serial refresh retry expire minimum
                   IN NS   ns1.foobar.com.
                   IN NS   ns2.foobar.com.
ns1.foobar.com.    IN A    193.40.103.2
ns2.foobar.com.    IN A    62.65.250.2
```

Check and reload the Bind configuration:

```sh
named-checkconf
systemctl reload bind9
```

### Bind secondary configuration

Add the following section to `bind-secondary-config-local` under the key `named.conf.local`:

```
zone "foobar.com" { type slave; masters { 172.20.0.2 key readonly; }; };
```

Then restart the secondaries:

```sh
kubectl rollout restart -n bind statefulset/bind-secondary
```

### Registrar configuration

At your DNS registrar, point the NS records and glue records to:

```
foobar.com.        NS   ns1.foobar.com.
foobar.com.        NS   ns2.foobar.com.
ns1.foobar.com.    A    193.40.103.2
ns2.foobar.com.    A    62.65.250.2
```

### Updating DNS records

With the configured TSIG key `foobar` you can now:

- Obtain Let's Encrypt certificates with the DNS-01 challenge. Inside Kubernetes, use cert-manager with the RFC2136 provider.
- Update DNS records. Inside Kubernetes, use external-dns with the RFC2136 provider.
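The TSIG key-file handling from the Secrets section (the `grep secret | cut` extraction) and the RFC2136 update described here can be exercised with the shell helpers below. This is an added example, not code from the k-space/kube repository. The key name `foobar`, the record `www.foobar.com` and the address 192.0.2.10 are constructed placeholders; the primary address 172.20.0.2 is the one this README gives.

```shell
#!/bin/sh
# Added example, not part of the k-space/kube repository.
# Helpers for the BIND TSIG key-file format used in this README and for
# building an RFC2136 dynamic update against the primary. The key name,
# record owner and address used in the usage line are constructed.

# Write a BIND key stanza in the same layout as the key "foobar" block above.
# $1 = key name, $2 = base64 secret, $3 = output path
make_tsig_keyfile() {
  printf 'key "%s" {\n\talgorithm hmac-sha512;\n\tsecret "%s";\n};\n' "$1" "$2" > "$3"
}

# Read the secret from a key file. Compared with `grep secret | cut -d '"' -f 2`
# this matches only the `secret "..."` statement, so a key *named* e.g.
# "secret-ro" cannot be picked up by mistake, and any indentation is accepted.
# $1 = key file path
tsig_secret_from_keyfile() {
  sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Read the key name (the quoted word after `key`) from a key file.
# $1 = key file path
tsig_name_from_keyfile() {
  sed -n 's/^[[:space:]]*key[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Build the nsupdate command script that adds one A record through the
# primary; this is the same RFC2136 operation external-dns and cert-manager
# perform with the key configured in allow-update.
# $1 = primary address, $2 = zone, $3 = owner FQDN, $4 = TTL, $5 = IPv4
# Usage (constructed values):
#   build_nsupdate_script 172.20.0.2 foobar.com www.foobar.com 300 192.0.2.10 | nsupdate -k foobar.key
build_nsupdate_script() {
  printf 'server %s\nzone %s.\nupdate add %s. %s IN A %s\nsend\n' "$1" "$2" "$3" "$4" "$5"
}
```

The nsupdate script is produced as text rather than sent, so the helper can be inspected or used in a dry run before the key is pointed at the primary; piping it to `nsupdate -k` with the key file signs the update with TSIG exactly as the `allow-update { key foobar; }` stanza expects.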