From 7c9a697452fb804580f3d5a10f2050df2f7d670e Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Fri, 3 Jul 2026 23:09:36 +1000
Subject: [PATCH] Deploy binddns-externaldns (RFC2136 dynamic cluster) (#222)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Part of the bind rollout split. **Merge #219 (bind-operator) first** — stacked on it; diff reduces to the binddns-externaldns files once #219 merges.

## Why

The external-dns tier (replaces 3x Puppet external-dns servers): an authoritative cluster whose zones accept RFC2136 TSIG updates from external-dns.

## Changes

- `apps/base/binddns-externaldns`: authoritative `BindCluster` (3 replicas, LoadBalancer/PureLB), `BindTSIGKey` for RFC2136, namespace
- au-syd1 `binddns-externaldns` overlay

## Deploy impact

Creates the `binddns-externaldns` StatefulSet + LoadBalancer once merged.

Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/222
Co-authored-by: Ben Vincent
Co-committed-by: Ben Vincent
---
 apps/base/ns-externaldns/cluster.yaml | 39 +++++++++++++++++++
 apps/base/ns-externaldns/kustomization.yaml | 9 +++++
 apps/base/ns-externaldns/namespace.yaml | 5 +++
 apps/base/ns-externaldns/tsigkey.yaml | 10 +++++
 apps/base/ns-externaldns/zones.yaml | 34 ++++++++++++++++
 .../au-syd1/ns-externaldns/kustomization.yaml | 6 +++
 6 files changed, 103 insertions(+)
 create mode 100644 apps/base/ns-externaldns/cluster.yaml
 create mode 100644 apps/base/ns-externaldns/kustomization.yaml
 create mode 100644 apps/base/ns-externaldns/namespace.yaml
 create mode 100644 apps/base/ns-externaldns/tsigkey.yaml
 create mode 100644 apps/base/ns-externaldns/zones.yaml
 create mode 100644 apps/overlays/au-syd1/ns-externaldns/kustomization.yaml
diff --git a/apps/base/ns-externaldns/cluster.yaml b/apps/base/ns-externaldns/cluster.yaml
new file mode 100644
index 0000000..9bf5f8b
--- /dev/null
+++ b/apps/base/ns-externaldns/cluster.yaml
@@ -0,0 +1,39 @@
+---
+# external-dns tier (replaces the 3x Puppet external-dns servers). An ordinary
+authoritative cluster; external-dns writes to its zones via RFC2136 because
+those BindZones set dynamicUpdate (allow-update { key externaldns-key; }).
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindCluster
+metadata:
+ name: externaldns
+ namespace: ns-externaldns
+spec:
+ mode: authoritative
+ replicas: 3
+ storageClassName: cephrbd-fast-delete
+ storageSize: 1Gi
+ service:
+ type: LoadBalancer
+ annotations:
+ purelb.io/service-group: common
+ purelb.io/addresses: 198.18.200.8
+ external-dns.alpha.kubernetes.io/hostname: ns-externaldns.k8s.syd1.au.unkin.net
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: "1"
+ memory: 512Mi
+---
+# Catalog zone so the dynamic zones replicate onto the cluster's secondaries
+# (external-dns writes to the primary; secondaries IXFR the result).
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindCatalogZone
+metadata:
+ name: externaldns-catalog
+ namespace: ns-externaldns
+spec:
+ clusterRef: externaldns
+ zoneName: catalog.externaldns.internal
+ transferKeyRef: externaldns-key
diff --git a/apps/base/ns-externaldns/kustomization.yaml b/apps/base/ns-externaldns/kustomization.yaml
new file mode 100644
index 0000000..b5afd54
--- /dev/null
+++ b/apps/base/ns-externaldns/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - namespace.yaml
+ - tsigkey.yaml
+ - cluster.yaml
+ - zones.yaml
diff --git a/apps/base/ns-externaldns/namespace.yaml b/apps/base/ns-externaldns/namespace.yaml
new file mode 100644
index 0000000..84587ff
--- /dev/null
+++ b/apps/base/ns-externaldns/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ns-externaldns
diff --git a/apps/base/ns-externaldns/tsigkey.yaml b/apps/base/ns-externaldns/tsigkey.yaml
new file mode 100644
index 0000000..6fc03f8
--- /dev/null
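Review bot: `transferKeyRef: externaldns-key` on the BindCatalogZone reuses the RFC2136 update key that zones.yaml names in `updateKeyRef`, so the credential handed to external-dns also authorises catalog and zone transfers, and rotating it after an external-dns compromise breaks secondary replication at the same moment. A dedicated transfer key separates the two blast radii: define a second `BindTSIGKey` (e.g. `externaldns-xfr-key`, `algorithm: hmac-sha256`) next to the existing one and change this line to `transferKeyRef: externaldns-xfr-key`. As rendered here the comment continuation lines `authoritative cluster; …` and `those BindZones …` carry no leading `#` (the same pattern appears in tsigkey.yaml and zones.yaml); if that is not an artefact of this listing, the first document is a plain scalar sitting before `apiVersion:` and will not parse, so please check the committed file. The `external-dns.alpha.kubernetes.io/hostname` value lives inside `k8s.syd1.au.unkin.net`, a zone this cluster itself serves and that external-dns fills via RFC2136 against this cluster, so the provider must be configured with the fixed address 198.18.200.8 rather than that name; a comment such as `# informational only: external-dns must reach the primary by the purelb address, not this name` would stop someone wiring the circular dependency later. With `cephrbd-fast-delete` (the name suggests a Delete reclaim policy — confirm) the dynamically updated zone data exists only on the 1Gi volumes, so deleting the StatefulSet drops every record external-dns does not own and re-create, which deserves a one-line warning beside `storageClassName`.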
+++ b/apps/base/ns-externaldns/tsigkey.yaml
@@ -0,0 +1,10 @@
+---
+# Key that external-dns (and DNSRecord objects) use to send RFC2136 dynamic
+updates to the primary. The operator generates the material into a Secret.
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindTSIGKey
+metadata:
+ name: externaldns-key
+ namespace: ns-externaldns
+spec:
+ algorithm: hmac-sha256
diff --git a/apps/base/ns-externaldns/zones.yaml b/apps/base/ns-externaldns/zones.yaml
new file mode 100644
index 0000000..a0aa2d3
--- /dev/null
+++ b/apps/base/ns-externaldns/zones.yaml
@@ -0,0 +1,34 @@
+# k8s external-dns zones migrated from puppet-prod
+# (externaldns::k8s_zones in hieradata/roles/infra/dns/externaldns.yaml).
+# Primary + dynamicUpdate: the Kubernetes external-dns controller writes
+records here via RFC2136 authenticated with externaldns-key.
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: k8s-syd1-au-unkin-net
+ namespace: ns-externaldns
+spec:
+ clusterRef: externaldns
+ zoneName: k8s.syd1.au.unkin.net
+ type: primary
+ defaultTTL: 600
+ dynamicUpdate: true
+ updateKeyRef: externaldns-key
+ allowTransfer:
+ - key externaldns-key
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: 200-18-198-in-addr-arpa
+ namespace: ns-externaldns
+spec:
+ clusterRef: externaldns
+ zoneName: 200.18.198.in-addr.arpa
+ type: primary
+ defaultTTL: 600
+ dynamicUpdate: true
+ updateKeyRef: externaldns-key
+ allowTransfer:
+ - key externaldns-key
diff --git a/apps/overlays/au-syd1/ns-externaldns/kustomization.yaml b/apps/overlays/au-syd1/ns-externaldns/kustomization.yaml
new file mode 100644
index 0000000..0efb9f9
--- /dev/null
+++ b/apps/overlays/au-syd1/ns-externaldns/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../../base/ns-externaldns
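Review bot: Nothing in this hunk says who reads the generated Secret or how it leaves `ns-externaldns`, yet that Secret is a full write credential for both primary zones in zones.yaml and, through `allowTransfer` and the catalog `transferKeyRef`, an AXFR credential as well. Name the consumer and the intended access path in the header comment so the Secret's RBAC is reviewed together with this object, e.g. `# Read only by the external-dns ServiceAccount (namespace TBC); nothing else needs get on the generated Secret. Rotation: confirm whether the operator re-generates on delete/recreate.` Because one key currently serves updates, zone transfers and the catalog transfer, I would add a transfer-only key in this file so the update credential can be rotated or revoked without taking replication down:

```yaml
# … unchanged: externaldns-key BindTSIGKey above …
---
# Transfer-only key: referenced by allowTransfer on the zones and transferKeyRef on
# the catalog zone, so the update key above can be rotated without breaking IXFR.
apiVersion: bind.unkin.net/v1alpha1
kind: BindTSIGKey
metadata:
  name: externaldns-xfr-key
  namespace: ns-externaldns
spec:
  algorithm: hmac-sha256
```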
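Review bot: `dynamicUpdate: true` with `updateKeyRef: externaldns-key` maps, per the cluster.yaml comment, to `allow-update { key externaldns-key; }`, which lets the key holder rewrite anything in `k8s.syd1.au.unkin.net` — SOA, apex NS, the external-dns TXT ownership records — not only the A/AAAA/CNAME/PTR records external-dns manages. If the BindZone CRD can express BIND `update-policy` grants, restrict the key to the record types external-dns needs and to names below the apex (`zonesub`-style); if it cannot, say so in the header comment so the blanket grant is a recorded decision rather than an oversight. `allowTransfer: - key externaldns-key` gives that same credential AXFR on both zones, so an external-dns compromise also discloses the full reverse map of `200.18.198.in-addr.arpa`; pointing it at a transfer-only key, `- key externaldns-xfr-key`, keeps transfer access independent of the update credential. No source restriction on updates is visible and the cluster's LoadBalancer exposes the service on 198.18.200.8, so the TSIG key is the only thing gating writes; if the operator supports an address ACL alongside the key, adding the external-dns egress range is cheap defence in depth, and either way the header should note `# updates gated by TSIG only; any host that can reach 198.18.200.8 may attempt them`.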