feat: migrate externaldns from Terraform to ArgoCD (#43)
- Add externaldns base ArgoCD application with namespace and Vault integration
- Create externaldns overlay for au-syd1 with Helm chart configuration
- Update platform ApplicationSet to include externaldns deployment
- Configure external-dns v1.19.0 with RFC2136 provider for DNS updates
- Maintain one-to-one migration from Terraform configuration including TSIG secrets

Reviewed-on: #43
This commit was merged in pull request #43.
This commit is contained in:
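--- /dev/null
+++ b/apps/base/externaldns/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- namespace.yaml
+- vaultauth.yaml
+- vaultstaticsecret.yaml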
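--- /dev/null
+++ b/apps/base/externaldns/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+name: externaldns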
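Review bot: The Namespace carries no Pod Security Admission labels, so the pods in it run under whatever the cluster-wide default PSA level is; external-dns needs nothing beyond outbound network access, which makes it a good candidate for `pod-security.kubernetes.io/enforce: restricted` under `metadata.labels`. I cannot see whether the other namespaces in this repo set such labels, so follow whatever convention they use. As far as I know the chart's default securityContext (non-root, read-only rootfs, all capabilities dropped) already satisfies the restricted profile, so enforcing it should not need value overrides, but verify with a dry-run before enabling.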
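--- /dev/null
+++ b/apps/base/externaldns/vaultauth.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+name: default
+namespace: externaldns
+spec:
+method: kubernetes
+mount: k8s/au/syd1
+vaultConnectionRef: vso-system/default
+allowedNamespaces:
+- externaldns
+kubernetes:
+role: externaldns
+serviceAccount: externaldns
+audiences:
+- vault
+tokenExpirationSeconds: 600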
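Review bot: This binding depends on a Vault Kubernetes-auth role `externaldns` on mount `k8s/au/syd1` that is not part of this change, and the commit message says the Terraform configuration is being retired; confirm the role (with `bound_service_account_names=externaldns`, `bound_service_account_namespaces=externaldns` and an `audience` of `vault` to match the `audiences` list here) is managed somewhere that survives the migration, otherwise the VaultAuth stops working once that Terraform state is destroyed. The namespace-scoped `allowedNamespaces`, the dedicated `vault` audience and the 600s token TTL are all good choices. A one-line pointer above `role: externaldns` such as `# Vault role must bind SA externaldns/externaldns with audience "vault"; managed outside this repo` would save the next person the lookup.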
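--- /dev/null
+++ b/apps/base/externaldns/vaultstaticsecret.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+name: externaldns-tsig
+namespace: externaldns
+spec:
+vaultAuthRef: default
+mount: kv
+type: kv-v2
+path: service/kubernetes/au/syd1/externaldns/tsig
+refreshAfter: 5m
+destination:
+name: externaldns-tsig
+create: true
+rolloutRestartTargets:
+- kind: Deployment
+name: externaldns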
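Review bot: `rolloutRestartTargets` names the Deployment `externaldns`, but unless `fullnameOverride` is set (it is not in the overlay's values.yaml) the external-dns chart's default fullname is `<release>-<chart>` whenever the release name does not contain the chart name, so with `releaseName: externaldns` and chart `external-dns` the Deployment is most likely rendered as `externaldns-external-dns`; a TSIG rotation in Vault would then update the Secret without restarting the pod, which keeps signing with the old key until it is next rescheduled. Either set `fullnameOverride: externaldns` in the overlay values or change the target to `name: externaldns-external-dns`, and verify against the rendered manifest (`kustomize build --enable-helm`). A comment above the target such as `# must match the chart's rendered Deployment name` would document the coupling.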
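--- /dev/null
+++ b/apps/overlays/au-syd1/externaldns/kustomization.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../../base/externaldns
+
+helmCharts:
+- name: external-dns
+repo: https://kubernetes-sigs.github.io/external-dns/
+version: "1.19.0"
+releaseName: externaldns
+namespace: externaldns
+valuesFile: values.yaml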
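--- /dev/null
+++ b/apps/overlays/au-syd1/externaldns/values.yaml
@@ -0,0 +1,51 @@
+# Service account configuration
+serviceAccount:
+create: true
+name: externaldns
+annotations: {}
+
+# Provider configuration - using new format
+provider:
+name: rfc2136
+
+# Domain filtering
+domainFilters:
+- "k8s.syd1.au.unkin.net"
+- "200.18.198.in-addr.arpa"
+
+# TXT registry configuration
+txtOwnerId: "k8s"
+registry: "txt"
+
+# Enable deletion of records for dedicated DNS server
+policy: "sync"
+
+# Keep default sources
+sources:
+- service
+- ingress
+
+# Environment variables for TSIG secret and algorithm from Vault
+env:
+- name: EXTERNAL_DNS_RFC2136_TSIG_SECRET
+valueFrom:
+secretKeyRef:
+name: externaldns-tsig
+key: secret
+- name: EXTERNAL_DNS_RFC2136_TSIG_ALGORITHM
+valueFrom:
+secretKeyRef:
+name: externaldns-tsig
+key: algorithm
+
+# RFC2136 configuration as arguments
+extraArgs:
+- --rfc2136-host=ausyd1nxvm2127.main.unkin.net
+- --rfc2136-port=53
+- --rfc2136-zone=k8s.syd1.au.unkin.net
+- --rfc2136-zone=200.18.198.in-addr.arpa
+- --rfc2136-tsig-keyname=externaldns-key
+- --rfc2136-tsig-secret-alg=$(EXTERNAL_DNS_RFC2136_TSIG_ALGORITHM)
+- --rfc2136-tsig-axfr
+- --rfc2136-tsig-secret=$(EXTERNAL_DNS_RFC2136_TSIG_SECRET)
+- --ingress-class=nginx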
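Review bot: The TSIG key is exposed on the process command line by `--rfc2136-tsig-secret=$(EXTERNAL_DNS_RFC2136_TSIG_SECRET)`: Kubernetes expands the `$(VAR)` reference into the container args at start, so the cleartext key ends up in `/proc/<pid>/cmdline` (world-readable on the node, and visible to `ps` and `crictl inspect`), whereas the value in `env:` is only readable from the process's own `environ`, and external-dns already reads every flag from an `EXTERNAL_DNS_*` environment variable, so the arg adds nothing but the leak. Drop the two `$(...)` args and rely on the env vars; as far as I can tell the flag-derived name for `--rfc2136-tsig-secret-alg` is `EXTERNAL_DNS_RFC2136_TSIG_SECRET_ALG`, so rename `EXTERNAL_DNS_RFC2136_TSIG_ALGORITHM` to that, otherwise the algorithm is not picked up once the arg goes. Separately, `txtOwnerId: "k8s"` is generic: with `policy: "sync"` two clusters sharing this zone and owner ID would delete each other's records, so a cluster-specific ID such as `k8s-au-syd1` is safer — but changing it orphans the existing TXT ownership records, so treat that as a deliberate cut-over rather than part of a one-to-one migration.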
@@ -14,6 +14,7 @@ spec:
- path: apps/overlays/*/cattle-system
- path: apps/overlays/*/cattle-system
- path: apps/overlays/*/certificates
- path: apps/overlays/*/certificates
- path: apps/overlays/*/cert-manager
- path: apps/overlays/*/cert-manager
- path: apps/overlays/*/externaldns
- path: apps/overlays/*/reflector-system
- path: apps/overlays/*/reflector-system
- path: apps/overlays/*/reloader-system
- path: apps/overlays/*/reloader-system
- path: apps/overlays/*/jfrog
- path: apps/overlays/*/jfrog
@@ -12,6 +12,7 @@ spec:
- oci://ghcr.io/woodpecker-ci/helm/woodpecker
- oci://ghcr.io/woodpecker-ci/helm/woodpecker
- https://releases.rancher.com/server-charts/stable
- https://releases.rancher.com/server-charts/stable
- https://charts.jetstack.io
- https://charts.jetstack.io
- https://kubernetes-sigs.github.io/external-dns/
destinations:
destinations:
- namespace: '*-system'
- namespace: '*-system'
server: https://kubernetes.default.svc
server: https://kubernetes.default.svc
@@ -21,6 +22,8 @@ spec:
server: https://kubernetes.default.svc
server: https://kubernetes.default.svc
- namespace: 'certificates'
- namespace: 'certificates'
server: https://kubernetes.default.svc
server: https://kubernetes.default.svc
- namespace: 'externaldns'
server: https://kubernetes.default.svc
- namespace: 'jfrog'
- namespace: 'jfrog'
server: https://kubernetes.default.svc
server: https://kubernetes.default.svc
- namespace: 'puppet'
- namespace: 'puppet'