forked from k-space/kube
kube/bind/README.md
2024-07-30 11:03:00 +03:00

# TODO

  • cert-manager talks to the primary to add domain names, and DNS-01 TLS challenges go through ns1.k-space.ee (two-way link with cert-manager).
  • bind-services (zone transfer to HA replicas from ns1.k-space.ee).
  • ns1.k-space.ee: primary authoritative nameserver. Other replicas live on Kube nodes. Idea: move it to Zone.
  • dns.yaml files add DNS records.

## Bind setup

The Bind primary resides outside Kubernetes at 193.40.103.2 and is internally reachable via 172.20.0.2.

Bind secondaries are hosted inside Kubernetes, load balanced behind 62.65.250.2 and, under normal circumstances, managed by ArgoCD.

Ingresses and DNSEndpoints referring to k-space.ee, kspace.ee and k6.ee are picked up automatically by external-dns and pushed to the primary as RFC2136 dynamic updates.

The primary sends NOTIFY messages to 172.20.53.{1..3}, the internally exposed IPs of the secondaries, which then pull the changed zone from the primary by zone transfer.

## Secrets

`readonly.key` and `readwrite.key` are BIND `key` stanzas (`key "name" { algorithm ...; secret "..."; };`). The read-write key is what cert-manager and external-dns present to the primary, and anyone holding it can change every record in the zones whose `allow-update` lists it, so hand it only to those two. To configure the TSIG secrets:

```sh
kubectl create secret generic -n bind bind-readonly-secret \
  --from-file=readonly.key
kubectl create secret generic -n bind bind-readwrite-secret \
  --from-file=readwrite.key
kubectl create secret generic -n bind external-dns
kubectl -n bind delete secret tsig-secret
kubectl -n bind create secret generic tsig-secret \
    --from-literal=TSIG_SECRET=$(grep secret readwrite.key | cut -d '"' -f 2)
kubectl -n cert-manager delete secret tsig-secret
kubectl -n cert-manager create secret generic tsig-secret \
    --from-literal=TSIG_SECRET=$(grep secret readwrite.key | cut -d '"' -f 2)
```

The `grep | cut` pipeline assumes `readwrite.key` contains exactly one `secret "..."` line and does not check that the value is a complete base64 string; a key file with a comment mentioning "secret", or a truncated paste, silently produces a Secret the primary will reject with BADKEY.
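The same four Secrets, produced by parsing the key stanzas instead of grepping for them. This is an added example and not code from the k-space/kube repository; it assumes the key files are in the layout `tsig-keygen` writes, uses the namespaces and Secret names from the commands above, and the sample keys embedded in it are constructed (their secrets are not real):

```python
#!/usr/bin/env python3
"""Render BIND TSIG key files as the Kubernetes Secrets the README creates.

Added example, not code from the k-space/kube repository. Parses the
`key "name" { algorithm ...; secret "..."; };` stanza written by tsig-keygen,
checks that the secret is valid base64 of the length the HMAC algorithm
expects (so a truncated or mis-pasted key fails here rather than as BADKEY
from the primary), and emits manifests for `kubectl apply -f -`.
Namespaces and Secret names are the README's; the sample keys are constructed.
"""
import base64
import json
import re
import sys

# Digest size in bytes of each HMAC algorithm BIND accepts for TSIG;
# tsig-keygen emits a random secret of exactly this size.
TSIG_DIGEST_SIZE = {
    "hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
    "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64,
}

# One key stanza (its body runs to the first closing brace) and the statements
# inside it; the secret is quoted, the algorithm usually is not.
_STANZA = re.compile(r'key\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^}]*)\}\s*;')
_STMT = re.compile(r'(?P<k>algorithm|secret)\s+"?(?P<v>[^";\s]+)"?\s*;')


def parse_key_file(text):
    """Return [{name, algorithm, secret}] for every key stanza; ValueError on a bad one."""
    keys = []
    for stanza in _STANZA.finditer(text):
        name = stanza.group("name")
        fields = {m.group("k"): m.group("v") for m in _STMT.finditer(stanza.group("body"))}
        if "algorithm" not in fields or "secret" not in fields:
            raise ValueError(f'key "{name}": stanza lacks algorithm or secret')
        alg = fields["algorithm"].lower()
        if alg not in TSIG_DIGEST_SIZE:
            raise ValueError(f'key "{name}": unsupported TSIG algorithm {alg}')
        try:
            raw = base64.b64decode(fields["secret"], validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError
            raise ValueError(f'key "{name}": secret is not valid base64') from exc
        if len(raw) != TSIG_DIGEST_SIZE[alg]:
            raise ValueError(f'key "{name}": secret is {len(raw)} bytes, '
                             f'expected {TSIG_DIGEST_SIZE[alg]} for {alg}')
        keys.append({"name": name, "algorithm": alg, "secret": fields["secret"]})
    if not keys:
        raise ValueError("no key stanza found")
    return keys


def is_valid_key_file(text):
    """True when every key stanza in text passes the checks in parse_key_file."""
    try:
        parse_key_file(text)
        return True
    except ValueError:
        return False


def secret_manifest(namespace, name, data):
    """Opaque Secret with `data` base64-encoded, as kubectl does for --from-file/--from-literal."""
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"name": name, "namespace": namespace},
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in data.items()},
    }


def render_secrets(readonly_text, readwrite_text):
    """The four Secrets the README creates, from the contents of readonly.key and readwrite.key."""
    parse_key_file(readonly_text)                  # validated, stored whole for the secondaries
    readwrite = parse_key_file(readwrite_text)[0]  # its bare secret is what the updaters present
    return [
        secret_manifest("bind", "bind-readonly-secret", {"readonly.key": readonly_text}),
        secret_manifest("bind", "bind-readwrite-secret", {"readwrite.key": readwrite_text}),
        secret_manifest("bind", "tsig-secret", {"TSIG_SECRET": readwrite["secret"]}),
        secret_manifest("cert-manager", "tsig-secret", {"TSIG_SECRET": readwrite["secret"]}),
    ]


def _sample_key(name, secret_bytes):
    # Constructed key file in tsig-keygen's layout; the secret is not a real one.
    encoded = base64.b64encode(secret_bytes).decode()
    return f'key "{name}" {{\n\talgorithm hmac-sha512;\n\tsecret "{encoded}";\n}};\n'


SAMPLE_RW_SECRET = base64.b64encode(bytes(range(64))).decode()
SAMPLE_READONLY_KEY = _sample_key("readonly", bytes(range(64, 128)))
SAMPLE_READWRITE_KEY = _sample_key("readwrite", bytes(range(64)))

if __name__ == "__main__":
    # usage: tsig_secrets.py readonly.key readwrite.key | kubectl apply -f -
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as ro, open(sys.argv[2]) as rw:
            items = render_secrets(ro.read(), rw.read())
    else:
        items = render_secrets(SAMPLE_READONLY_KEY, SAMPLE_READWRITE_KEY)
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": items}, indent=2))
```

Applying a `List` with `kubectl apply` also replaces the existing `tsig-secret` in both namespaces, so the delete/create pair in the commands above is not needed; the length check is strict on purpose, since `tsig-keygen` always emits a secret of the digest size and anything else means the file was edited or cut short.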

## Serving additional zones

### Bind primary configuration

To serve additional domains from this Bind setup, add the following section to `named.conf.local` on the primary ns1.k-space.ee. `rejected` is an ACL that has to be defined elsewhere in the primary's configuration (it is not a BIND built-in), and `readonly` is the existing transfer key the secondaries use. Anyone presenting the `foobar` key can update any record in the zone, so give it only to the updaters that need it:

```
key "foobar" {
    algorithm hmac-sha512;
    secret "...";
};

zone "foobar.com" {
    type master;
    file "/var/lib/bind/db.foobar.com";
    allow-update { !rejected; key foobar; };
    allow-transfer { !rejected; key readonly; key foobar; };
    notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
};
```

Create an initial zone file in `/var/lib/bind/db.foobar.com` on the primary ns1.k-space.ee. Owner names must be absolute (trailing dot) or `@`; a bare `foobar.com` would be read relative to the zone origin and become `foobar.com.foobar.com.`, leaving the apex without an SOA. The SOA fields are serial, refresh, retry, expire and negative-cache TTL; named increments the serial itself as dynamic updates arrive:

```
$TTL 300
foobar.com.             IN SOA  ns1.foobar.com. hostmaster.foobar.com. (1 300 300 2592000 300)
                        IN NS   ns1.foobar.com.
                        IN NS   ns2.foobar.com.
ns1.foobar.com.         IN A    193.40.103.2
ns2.foobar.com.         IN A    62.65.250.2
```

Once the zone receives dynamic updates, named owns the file and keeps a journal next to it; edit it by hand only between `rndc freeze foobar.com` and `rndc thaw foobar.com`.

Check and reload the Bind config:

```sh
named-checkconf
systemctl reload bind9
```

### Bind secondary config

Add the following section to `bind-secondary-config-local` under the key `named.conf.local`. The transfer is authenticated with the `readonly` key, which is why that key appears in the primary's `allow-transfer` list above:

```
zone "foobar.com" { type slave; masters { 172.20.0.2 key readonly; }; };
```

Then restart the secondaries:

```sh
kubectl rollout restart -n bind statefulset/bind-secondary
```

### Registrar config

At your DNS registrar, point the delegation and glue records to:

```
foobar.com.             NS  ns1.foobar.com.
foobar.com.             NS  ns2.foobar.com.
ns1.foobar.com.         A   193.40.103.2
ns2.foobar.com.         A   62.65.250.2
```

## Updating DNS records

With the TSIG key `foobar` configured you can now:

  • Obtain Let's Encrypt certificates with the DNS-01 challenge. Inside Kubernetes use cert-manager with the RFC2136 provider.
  • Update DNS records. Inside Kubernetes use external-dns with the RFC2136 provider.

Both clients must present the key under the same name and algorithm that the primary's `key` stanza declares, and that name must appear in the zone's `allow-update` list; otherwise the update is answered with REFUSED or BADKEY.
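A pre-flight check for the name/algorithm/ACL agreement that both RFC2136 clients depend on. This is an added example and not code from the k-space/kube repository; it reads a `named.conf.local`, finds the zone that encloses the record a client wants to update, and reports why the primary would reject the update. The `named.conf.local` embedded below is constructed to mirror the `foobar.com` stanza from this README, and the algorithm spellings it normalises are cert-manager's `HMACSHA512` style and the `hmac-sha512` style used by named and external-dns:

```python
#!/usr/bin/env python3
"""Check an RFC2136 client's TSIG settings against the primary's named.conf.local.

Added example, not code from the k-space/kube repository. A dynamic update
is refused when the key name the client presents is missing from the zone's
allow-update list, or when the algorithm is spelled differently on the two
sides (cert-manager writes HMACSHA512; named and external-dns write
hmac-sha512). This parses named.conf.local, finds the zone enclosing the
record to be updated and checks both. SAMPLE_NAMED_CONF is constructed to
mirror the README's foobar.com stanza; its secrets are placeholders.
"""
import re
import sys


def _blocks(text, kind):
    """Yield (name, body) for each `kind "name" { ... };` stanza, following nested braces."""
    for m in re.finditer(r'\b%s\s+"([^"]+)"\s*\{' % kind, text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]


def parse_named_conf(text):
    """Return ({key name: algorithm}, {zone: set of key names its allow-update accepts})."""
    keys = {}
    for name, body in _blocks(text, "key"):
        alg = re.search(r'algorithm\s+([\w-]+)\s*;', body)
        keys[name] = alg.group(1).lower() if alg else None
    zones = {}
    for name, body in _blocks(text, "zone"):
        acl = re.search(r'allow-update\s*\{([^}]*)\}', body)
        allowed = re.findall(r'\bkey\s+"?([\w.-]+)"?\s*;', acl.group(1)) if acl else []
        zones[name.rstrip(".").lower()] = set(allowed)
    return keys, zones


def _normalise_alg(alg):
    """hmac-sha512, HMAC-SHA512 and HMACSHA512 all name the same algorithm."""
    return re.sub(r"[^a-z0-9]", "", alg.lower())


def enclosing_zone(zones, record):
    """Longest configured zone containing record, e.g. _acme-challenge.www.foobar.com. -> foobar.com."""
    labels = record.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def check_update(conf_text, key_name, algorithm, record):
    """Reasons the primary's ACLs would reject an update to record signed with key_name (empty = accepted)."""
    keys, zones = parse_named_conf(conf_text)
    zone = enclosing_zone(zones, record)
    if zone is None:
        return [f"no zone in named.conf.local is authoritative for {record}"]
    problems = []
    if key_name not in keys:
        problems.append(f'key "{key_name}" is not defined on the primary')
    elif keys[key_name] and _normalise_alg(algorithm) != _normalise_alg(keys[key_name]):
        problems.append(f'client algorithm {algorithm} does not match the {keys[key_name]} of key "{key_name}"')
    if key_name not in zones[zone]:
        problems.append(f'zone "{zone}" does not list key "{key_name}" in allow-update')
    return problems


# Constructed named.conf.local mirroring the README's foobar.com stanza; secrets are placeholders.
SAMPLE_NAMED_CONF = '''\
acl rejected { 10.0.0.0/8; };

key "readonly" {
    algorithm hmac-sha512;
    secret "cGxhY2Vob2xkZXI=";
};

key "foobar" {
    algorithm hmac-sha512;
    secret "cGxhY2Vob2xkZXI=";
};

zone "foobar.com" {
    type master;
    file "/var/lib/bind/db.foobar.com";
    allow-update { !rejected; key foobar; };
    allow-transfer { !rejected; key readonly; key foobar; };
    notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
};
'''

if __name__ == "__main__":
    # usage: rfc2136_check.py named.conf.local KEYNAME ALGORITHM RECORD
    if len(sys.argv) == 5:
        with open(sys.argv[1]) as f:
            conf, args = f.read(), sys.argv[2:]
    else:
        conf, args = SAMPLE_NAMED_CONF, ["foobar", "HMACSHA512", "_acme-challenge.www.foobar.com."]
    problems = check_update(conf, *args)
    print("\n".join(problems) or f"update to {args[2]} with key {args[0]} passes the zone ACL")
    sys.exit(1 if problems else 0)
```

Run it with the key name and algorithm exactly as they appear in the cert-manager Issuer (`tsigKeyName`, `tsigAlgorithm`) or the external-dns flags, against a copy of the primary's `named.conf.local`. It checks configuration only; the secret itself is verified by the primary when the signed update arrives.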