From c12c5f8b729125166329bf8f33f0d536b87f8174 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 3 Jul 2026 19:54:30 +1000 Subject: [PATCH] Deploy binddns-auth BIND cluster Adds the authoritative masters (pod-0 primary + 2 secondaries via catalog/AXFR); includes the catalog zone and transfer TSIG key. Stacked on the bind-operator deploy so the CRDs and kubeconform schemas are present; merge the operator PR first. - add apps/base/binddns-auth and its au-syd1 overlay --- apps/base/binddns-auth/cluster.yaml | 36 +++++++++++++++++++ apps/base/binddns-auth/kustomization.yaml | 8 +++++ apps/base/binddns-auth/namespace.yaml | 5 +++ apps/base/binddns-auth/tsigkey.yaml | 10 ++++++ .../au-syd1/binddns-auth/kustomization.yaml | 6 ++++ 5 files changed, 65 insertions(+) create mode 100644 apps/base/binddns-auth/cluster.yaml create mode 100644 apps/base/binddns-auth/kustomization.yaml create mode 100644 apps/base/binddns-auth/namespace.yaml create mode 100644 apps/base/binddns-auth/tsigkey.yaml create mode 100644 apps/overlays/au-syd1/binddns-auth/kustomization.yaml diff --git a/apps/base/binddns-auth/cluster.yaml b/apps/base/binddns-auth/cluster.yaml new file mode 100644 index 0000000..ffe0280 --- /dev/null +++ b/apps/base/binddns-auth/cluster.yaml @@ -0,0 +1,36 @@ +--- +# Authoritative masters (replaces the 3x Puppet authoritative servers). +# pod-0 is the primary; pods 1-2 replicate via the catalog zone + AXFR/IXFR. +apiVersion: bind.unkin.net/v1alpha1 +kind: BindCluster +metadata: + name: auth + namespace: binddns-auth +spec: + mode: authoritative + replicas: 3 + storageClassName: cephrbd-fast-delete + storageSize: 2Gi + service: + type: LoadBalancer + annotations: + purelb.io/service-group: common + external-dns.alpha.kubernetes.io/hostname: ns-auth.k8s.syd1.au.unkin.net + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "1" + memory: 512Mi +--- +# Catalog zone so new BindZones auto-provision onto the secondaries. +apiVersion: bind.unkin.net/v1alpha1 +kind: BindCatalogZone +metadata: + name: auth-catalog + namespace: binddns-auth +spec: + clusterRef: auth + zoneName: catalog.internal + transferKeyRef: transfer-key diff --git a/apps/base/binddns-auth/kustomization.yaml b/apps/base/binddns-auth/kustomization.yaml new file mode 100644 index 0000000..753cb3f --- /dev/null +++ b/apps/base/binddns-auth/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - namespace.yaml + - tsigkey.yaml + - cluster.yaml diff --git a/apps/base/binddns-auth/namespace.yaml b/apps/base/binddns-auth/namespace.yaml new file mode 100644 index 0000000..e0c7b2d --- /dev/null +++ b/apps/base/binddns-auth/namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: binddns-auth diff --git a/apps/base/binddns-auth/tsigkey.yaml b/apps/base/binddns-auth/tsigkey.yaml new file mode 100644 index 0000000..89fe560 --- /dev/null +++ b/apps/base/binddns-auth/tsigkey.yaml @@ -0,0 +1,10 @@ +--- +# Zone-transfer / catalog key. The operator generates the material into a +# Secret (transfer-key-tsig); nothing sensitive is committed to git. +apiVersion: bind.unkin.net/v1alpha1 +kind: BindTSIGKey +metadata: + name: transfer-key + namespace: binddns-auth +spec: + algorithm: hmac-sha256 diff --git a/apps/overlays/au-syd1/binddns-auth/kustomization.yaml b/apps/overlays/au-syd1/binddns-auth/kustomization.yaml new file mode 100644 index 0000000..9ef4b94 --- /dev/null +++ b/apps/overlays/au-syd1/binddns-auth/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../../base/binddns-auth