From c8d61205ce6070ccff074faa78ebfc718244ebaa Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 4 Jul 2026 21:55:33 +1000 Subject: [PATCH] Configure resolvers like puppet (openforwarder view + forward zones) (#226) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Why `dig google.com @198.18.200.7` was refused: the resolver never set allow-recursion, so BIND defaulted to localnets/localhost. This mirrors the puppet resolver (/etc/named/views.conf + acls.conf) exactly. ## Changes - `openforwarder` BindView: `match-clients` = the 4 internal ACLs, recursion yes, allow-recursion/allow-query `any` (match-clients gates) - 4 BindACLs from puppet acls.conf (acl-main.unkin.net/acl-dmz/acl-common/acl-nomad-jobs) - 26 conditional forward zones in the view (unkin→198.18.19.15, consul→.14, k8s→.20, dmz/network/prod + 10.10.x reverse → 10.10.16.32/33) - global forwarders 8.8.8.8/1.1.1.1 - operator image → v0.1.4 ## Note Forward-zone upstreams point at the **puppet anycast** servers (still authoritative during migration); flip to the in-cluster authoritative/externaldns LBs once zone data is migrated. ## Validated kustomize build (59 docs), kubeconform clean. Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/226 Co-authored-by: Ben Vincent Co-committed-by: Ben Vincent --- apps/base/bind-internal/resolvers/acls.yaml | 65 ++++ .../base/bind-internal/resolvers/cluster.yaml | 2 +- .../resolvers/forward-zones.yaml | 284 ++++++++++++++++++ .../resolvers/kustomization.yaml | 3 + apps/base/bind-internal/resolvers/view.yaml | 23 ++ apps/base/bind-system/deployment.yaml | 2 +- 6 files changed, 377 insertions(+), 2 deletions(-) create mode 100644 apps/base/bind-internal/resolvers/acls.yaml create mode 100644 apps/base/bind-internal/resolvers/forward-zones.yaml create mode 100644 apps/base/bind-internal/resolvers/view.yaml 
diff --git a/apps/base/bind-internal/resolvers/acls.yaml b/apps/base/bind-internal/resolvers/acls.yaml
new file mode 100644
index 0000000..66b8ad5
--- /dev/null
+++ b/apps/base/bind-internal/resolvers/acls.yaml
@@ -0,0 +1,65 @@
+# Internal client ACLs, mirrored from puppet /etc/named/acls.conf.
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindACL
+metadata:
+ name: acl-main.unkin.net
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ entries:
+ - 198.18.1.10/32
+ - 198.18.2.160/27
+ - 198.18.21.160/27
+ - 198.18.2.192/27
+ - 198.18.21.192/27
+ - 198.18.13.0/24
+ - 198.18.14.0/24
+ - 198.18.15.0/24
+ - 198.18.16.0/24
+ - 198.18.17.0/24
+ - 198.18.18.0/24
+ - 198.18.19.0/24
+ - 198.18.20.0/24
+ - 198.18.21.0/24
+ - 198.18.22.0/24
+ - 198.18.23.0/24
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindACL
+metadata:
+ name: acl-dmz
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ entries:
+ - 198.18.24.0/24
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindACL
+metadata:
+ name: acl-common
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ entries:
+ - 198.18.25.0/24
+ - 198.18.26.0/24
+ - 198.18.27.0/24
+ - 198.18.28.0/24
+ - 198.18.29.0/24
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindACL
+metadata:
+ name: acl-nomad-jobs
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ entries:
+ - 198.18.64.0/24
+ - 198.18.65.0/24
+ - 198.18.66.0/24
+ - 198.18.67.0/24
+ - 198.18.68.0/24
+ - 198.18.69.0/24
diff --git a/apps/base/bind-internal/resolvers/cluster.yaml b/apps/base/bind-internal/resolvers/cluster.yaml
index 83f9035..f99b8b9 100644
--- a/apps/base/bind-internal/resolvers/cluster.yaml
+++ b/apps/base/bind-internal/resolvers/cluster.yaml
@@ -18,8 +18,8 @@ spec:
 purelb.io/addresses: 198.18.200.7
 external-dns.alpha.kubernetes.io/hostname: bind-resolvers.k8s.syd1.au.unkin.net
 forwarders:
+ - 8.8.8.8
 - 1.1.1.1
- - 9.9.9.9
 resources:
 requests:
 cpu: 100m
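Review bot: In acl-main.unkin.net the entries `198.18.21.160/27` and `198.18.21.192/27` are already contained in `198.18.21.0/24` further down the same list, so they add nothing and make it harder to read what the ACL actually admits; confirm against puppet acls.conf whether they are stale and drop them if so. These four ACLs are the only thing gating recursion in this deployment (the view opens allow-recursion to any within them), so the entry list should state exactly the intended sources and nothing more. A one-line header such as `# Source-address checks only; these ACLs are the sole gate on recursion in the openforwarder view` would make that responsibility explicit to the next editor.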
diff --git a/apps/base/bind-internal/resolvers/forward-zones.yaml b/apps/base/bind-internal/resolvers/forward-zones.yaml
new file mode 100644
index 0000000..c4c8e82
--- /dev/null
+++ b/apps/base/bind-internal/resolvers/forward-zones.yaml
@@ -0,0 +1,284 @@
+# Conditional forward zones, from the puppet openforwarder view.
+# Upstreams: unkin authoritative 198.18.200.6, consul 198.18.19.14, k8s 198.18.200.8.
+# k8s -> in-cluster bind-externaldns 198.18.200.8.
+# (Zones that forwarded to 10.10.16.x were dropped; consul left as-is.)
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: fwd-unkin-net
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ viewRef: openforwarder
+ zoneName: unkin.net
+ type: forward
+ catalog: false
+ forwarders:
+ - 198.18.200.6
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: fwd-main-unkin-net
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ viewRef: openforwarder
+ zoneName: main.unkin.net
+ type: forward
+ catalog: false
+ forwarders:
+ - 198.18.200.6
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: fwd-consul
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ viewRef: openforwarder
+ zoneName: consul
+ type: forward
+ catalog: false
+ forwarders:
+ - 198.18.19.14
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: fwd-k8s-syd1-au-unkin-net
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ viewRef: openforwarder
+ zoneName: k8s.syd1.au.unkin.net
+ type: forward
+ catalog: false
+ forwarders:
+ - 198.18.200.8
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: fwd-13-18-198-in-addr-arpa
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ viewRef: openforwarder
+ zoneName: 13.18.198.in-addr.arpa
+ type: forward
+ catalog: false
+ forwarders:
+ - 198.18.200.6
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: fwd-14-18-198-in-addr-arpa
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ viewRef: openforwarder
+ zoneName: 14.18.198.in-addr.arpa
+ type: forward
+ catalog: false
+ forwarders:
+ - 198.18.200.6
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: fwd-15-18-198-in-addr-arpa
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ viewRef: openforwarder
+ zoneName: 15.18.198.in-addr.arpa
+ type: forward
+ catalog: false
+ forwarders:
+ - 198.18.200.6
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: fwd-16-18-198-in-addr-arpa
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ viewRef: openforwarder
+ zoneName: 16.18.198.in-addr.arpa
+ type: forward
+ catalog: false
+ forwarders:
+ - 198.18.200.6
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: fwd-17-18-198-in-addr-arpa
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ viewRef: openforwarder
+ zoneName: 17.18.198.in-addr.arpa
+ type: forward
+ catalog: false
+ forwarders:
+ - 198.18.200.6
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: fwd-19-18-198-in-addr-arpa
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ viewRef: openforwarder
+ zoneName: 19.18.198.in-addr.arpa
+ type: forward
+ catalog: false
+ forwarders:
+ - 198.18.200.6
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: fwd-20-18-198-in-addr-arpa
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ viewRef: openforwarder
+ zoneName: 20.18.198.in-addr.arpa
+ type: forward
+ catalog: false
+ forwarders:
+ - 198.18.200.6
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: fwd-21-18-198-in-addr-arpa
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ viewRef: openforwarder
+ zoneName: 21.18.198.in-addr.arpa
+ type: forward
+ catalog: false
+ forwarders:
+ - 198.18.200.6
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: fwd-22-18-198-in-addr-arpa
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ viewRef: openforwarder
+ zoneName: 22.18.198.in-addr.arpa
+ type: forward
+ catalog: false
+ forwarders:
+ - 198.18.200.6
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: fwd-23-18-198-in-addr-arpa
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ viewRef: openforwarder
+ zoneName: 23.18.198.in-addr.arpa
+ type: forward
+ catalog: false
+ forwarders:
+ - 198.18.200.6
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: fwd-24-18-198-in-addr-arpa
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ viewRef: openforwarder
+ zoneName: 24.18.198.in-addr.arpa
+ type: forward
+ catalog: false
+ forwarders:
+ - 198.18.200.6
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: fwd-25-18-198-in-addr-arpa
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ viewRef: openforwarder
+ zoneName: 25.18.198.in-addr.arpa
+ type: forward
+ catalog: false
+ forwarders:
+ - 198.18.200.6
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: fwd-26-18-198-in-addr-arpa
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ viewRef: openforwarder
+ zoneName: 26.18.198.in-addr.arpa
+ type: forward
+ catalog: false
+ forwarders:
+ - 198.18.200.6
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: fwd-27-18-198-in-addr-arpa
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ viewRef: openforwarder
+ zoneName: 27.18.198.in-addr.arpa
+ type: forward
+ catalog: false
+ forwarders:
+ - 198.18.200.6
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: fwd-28-18-198-in-addr-arpa
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ viewRef: openforwarder
+ zoneName: 28.18.198.in-addr.arpa
+ type: forward
+ catalog: false
+ forwarders:
+ - 198.18.200.6
+---
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindZone
+metadata:
+ name: fwd-29-18-198-in-addr-arpa
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ viewRef: openforwarder
+ zoneName: 29.18.198.in-addr.arpa
+ type: forward
+ catalog: false
+ forwarders:
+ - 198.18.200.6
diff --git a/apps/base/bind-internal/resolvers/kustomization.yaml b/apps/base/bind-internal/resolvers/kustomization.yaml
index da7cf1f..51fc92e 100644
--- a/apps/base/bind-internal/resolvers/kustomization.yaml
+++ b/apps/base/bind-internal/resolvers/kustomization.yaml
@@ -4,3 +4,6 @@ kind: Kustomization
 resources:
 - cluster.yaml
+ - acls.yaml
+ - view.yaml
+ - forward-zones.yaml
diff --git a/apps/base/bind-internal/resolvers/view.yaml b/apps/base/bind-internal/resolvers/view.yaml
new file mode 100644
index 0000000..d0c2a60
--- /dev/null
+++ b/apps/base/bind-internal/resolvers/view.yaml
@@ -0,0 +1,23 @@
+---
+# openforwarder view, mirrored from puppet /etc/named/views.conf.
+# match-clients gates access to internal networks; recursion/query are 'any'
+# within the view since match-clients already restricts who reaches it.
+apiVersion: bind.unkin.net/v1alpha1
+kind: BindView
+metadata:
+ name: openforwarder
+ namespace: bind-internal
+spec:
+ clusterRef: bind-resolvers
+ order: 100
+ matchClients:
+ - acl-main.unkin.net
+ - acl-nomad-jobs
+ - acl-common
+ - acl-dmz
+ recursion: true
+ allowQuery:
+ - any
+ extraOptions:
+ - "allow-recursion { any; }"
+ - "allow-query-cache { any; }"
diff --git a/apps/base/bind-system/deployment.yaml b/apps/base/bind-system/deployment.yaml
index e8e5d41..c090504 100644
--- a/apps/base/bind-system/deployment.yaml
+++ b/apps/base/bind-system/deployment.yaml
@@ -21,7 +21,7 @@ spec:
 runAsNonRoot: true
 containers:
 - name: operator
- image: git.unkin.net/unkin/bind-operator:v0.1.3
+ image: git.unkin.net/unkin/bind-operator:v0.1.4
 args:
 - --metrics-bind-address=:8080
 - --health-probe-bind-address=:8081
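Review bot: The reverse zone `18.18.198.in-addr.arpa` is missing from the sequence (13–17 and 19–29 are present) even though `198.18.18.0/24` is admitted by acl-main, so PTR lookups for that block — and for 198.18.1.x, 198.18.2.x and 198.18.64–69.x, which the ACLs also admit — fall through to the global forwarders 8.8.8.8/1.1.1.1, sending internal addresses to public resolvers that cannot answer for 198.18.0.0/15 (RFC 2544 benchmarking space). Either add a zone with `zoneName: 18.18.198.in-addr.arpa` and the same `198.18.200.6` upstream, or replace the sixteen /24 reverse zones with a single `zoneName: 18.198.in-addr.arpa` forward zone that covers the whole block and cannot drift as new /24s are added. The file header also disagrees with the commit description, which speaks of 26 zones, 10.10.x reverse zones and 198.18.19.15 as the unkin upstream while the file has 20 zones pointing at 198.18.200.6/.8; one of the two should be corrected before merge so the "puppet anycast" note in the description does not mislead whoever flips the upstreams later.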
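Review bot: `allow-recursion { any; }` and `allow-query-cache { any; }` rest entirely on `matchClients`, which is a source-address check, so a spoofed UDP source inside those ranges gets full recursion and cache access; if 198.18.200.7 is reachable from anything outside the listed networks the view becomes a reflection/amplification target. Add response rate limiting alongside the existing entries, e.g. `- "rate-limit { responses-per-second 20; }"` (no trailing semicolon, matching the style of the two entries above, on the assumption that the operator appends one), and confirm the PureLB address is not routed from untrusted segments. The header comment should also state the property the design depends on — that a client matched by none of the four ACLs gets no view and is refused, assuming the operator emits no default or lower-`order` catch-all view — since that is what justifies `any` inside the view. The BindView resource is complete within this hunk.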