Compare commits

..

5 Commits

Author SHA1 Message Date
unkinben 8a9cdf35fd Bump bind-operator to v0.2.3 (deterministic render) (#255)
## Why

v0.2.2's config-hash rolling restart exposed a latent non-determinism: `client.List` returns cache-ordered results, so the resolver's forward zones reshuffled every reconcile, flipping the config hash and rolling `bind-resolvers-2` endlessly. v0.2.3 (bind-operator #11) sorts every rendered list so `named.conf` is byte-identical across reconciles and the hash is stable.

## Changes

- Bump the operator image (`bind-system/deployment.yaml`) and the pulled CRD bundle URL (`bind-system/kustomization.yaml`) to `v0.2.3`.
- Bump the `bind-tsig-api` image (`bind-internal/tsig-api/tsig-api.yaml`) to `v0.2.3`.

CRDs are unchanged from v0.2.2 (controller-only change), so the generated kubeconform schemas need no update.

## Validation

- `bind-system` renders with the v0.2.3 CRD bundle; `bind-internal` passes `kubeconform` (56/56); pre-commit clean.

## Deploy note

On deploy the deterministic operator stops churning the ConfigMap; the config hash stabilizes and the stuck resolver rolling update completes, leaving all three pods Ready on one revision.

Reviewed-on: #255
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-12 23:22:04 +10:00
unkinben 1f4c0e11bb Wire ArgoCD to Authentik OIDC (#253)
## Why

ArgoCD had no external ingress and only local admin auth. This exposes `argocd-server` behind the traefik-internal gateway and enables Authentik SSO, so operators log in with their Authentik identity and group membership. Pairs with unkin/terraform-authentik#3 (creates the OAuth2 provider).

## Changes

- **argocd-cm**: set `url` and `oidc.config` (Authentik issuer `identity.unkin.net/application/o/argocd/`, `argocd` client, openid/profile/email scopes). Client secret resolved from the `argocd-oidc` Secret via `$argocd-oidc:client_secret`.
- **argocd-rbac-cm**: match RBAC on the `groups` claim; default `role:readonly`; map the `argocd-admins` Authentik group to `role:admin`.
- **argocd-cmd-params-cm**: `server.insecure=true` so `argocd-server` serves HTTP behind the TLS-terminating gateway.
- Add **Gateway + HTTPRoutes** for `argocd.k8s.syd1.au.unkin.net` (mirrors the grafana pattern: traefik-internal, vault-issuer cert, external-dns).
- Add **VaultAuth + VaultStaticSecret** sourcing the OIDC client secret from `kv/kubernetes/namespace/argocd/default/oauth-credentials` into the `argocd-oidc` Secret (labelled `part-of=argocd` so ArgoCD will resolve the `$` reference).

## Notes / rollout

- Seed the client secret in Vault out of band (same path terraform-authentik reads).
- The argocd namespace `default` SA already has Vault read access via the `default` k8s role, so no terraform-vault change is needed.
- `argocd-server` needs a one-time rollout restart to pick up `server.insecure`.

Validated with `kustomize build --enable-helm clusters/au-syd1/bootstrap`, `make kubeconform`, and pre-commit (yamllint + no-plain-secrets).

Reviewed-on: #253
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-12 23:04:53 +10:00
unkinben 1f22ec2aa7 Bump bind-operator to v0.2.2 (config-hash rolling restart) (#254)
## Why

v0.2.2 (bind-operator #10) stamps a `bind.unkin.net/config-hash` on the pod template, so a ConfigMap or `keys.conf` change flips the hash and triggers an operator-driven rolling restart. This fixes the class of bug where config edits (ACLs, forwarders, `validate-except`, primary address, TSIG rotation) never reached running pods — they held a startup snapshot and needed manual pod deletes.

## Changes

- Bump the operator image (`bind-system/deployment.yaml`) and the pulled CRD bundle URL (`bind-system/kustomization.yaml`) to `v0.2.2`.
- Bump the `bind-tsig-api` image (`bind-internal/tsig-api/tsig-api.yaml`) to `v0.2.2`.

CRDs are unchanged from v0.2.1 (controller-only change), so the generated kubeconform schemas need no update.

## Validation

- `bind-system` renders with the v0.2.2 CRD bundle; pre-commit clean.

## Deploy note

When the v0.2.2 operator first reconciles it stamps the config-hash annotation, triggering **one rolling restart per bind StatefulSet** — expected, and it also pulls in any already-pending config. From then on, config changes roll pods automatically.

Reviewed-on: #254
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-12 22:52:19 +10:00
unkinben 69788a967c Fix validate-except syntax (resolver crash-loop) (#252)
## Why — urgent

PR #251 added `validate-except` to the resolver `BindCluster` but the list omitted the trailing semicolon after the final entry. `named` requires **every** entry in a list to be semicolon-terminated, including the last before the closing brace, so it fails config parse and the resolver pods crash-loop:

```
/run/named/named.conf:18: missing ';' before '}'
loading configuration: failure
exiting (due to fatal error)
```

The resolvers (`.7`) are down until this lands; the authoritative (`.6`/`.9`) and externaldns (`.8`) are unaffected.

## Fix

```diff
- validate-except { unkin.net; 18.198.in-addr.arpa; consul }
+ validate-except { unkin.net; 18.198.in-addr.arpa; consul; }
```

Renders to `validate-except { unkin.net; 18.198.in-addr.arpa; consul; };` — valid.

## Recovery

On merge + ArgoCD sync, the operator re-renders the ConfigMap with valid config and the crash-looping pods self-heal on their next restart (no manual `rollout restart` needed). Validated: `bind-internal` renders and pre-commit clean.

Reviewed-on: #252
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-12 22:26:23 +10:00
unkinben 5e7dc580b7 Exempt internal split-horizon zones from resolver DNSSEC validation (#251)
## Why

Resolving any `unkin.net` record through the resolver (`.7`) returns **SERVFAIL**, while the authoritative (`.6`) answers fine. Confirmed from the resolver's querylog:

```
view openforwarder:   validating unkin.net/SOA: got insecure response; parent indicates it should be secure
broken trust chain resolving 'ausyd1nxvm2120.main.unkin.net/A/IN': 198.18.200.6#53
query failed (broken trust chain)
```

The resolver runs `dnssec-validation auto`. The public `unkin.net` is DNSSEC-signed (the `.net` parent publishes a DS), but the in-cluster split-horizon authoritative serves `unkin.net` **unsigned**. The validator sees "parent says secure" + an insecure answer → treats it as spoofing → SERVFAIL. The authoritative works directly because it does no validation.

## Fix

Add `validate-except` (via `spec.extraOptions`) for the forwarded internal domains, so the resolver treats them as insecure and skips validation:

```
validate-except { unkin.net; 18.198.in-addr.arpa; consul }
```

- `unkin.net` covers all `*.unkin.net` (incl. `main.unkin.net`, `k8s.syd1.au.unkin.net`)
- `18.198.in-addr.arpa` covers every `NN.18.198.in-addr.arpa` reverse zone (subtree)
- `consul` covers the consul TLD

This also makes internal resolution independent of Internet egress (no DNSSEC chain-walk needed). External-name validation is unchanged. No operator change required.

## Validation

`bind-internal` renders and passes `kubeconform` (56/56); pre-commit clean.

## Activation

After merge + operator reconcile, the resolver ConfigMap re-renders; the running pods hold a startup snapshot, so they need a reload: `kubectl -n bind-internal rollout restart statefulset/bind-resolvers`.

Reviewed-on: #251
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-12 22:17:16 +10:00
11 changed files with 192 additions and 3 deletions
@@ -13,7 +13,7 @@ metadata:
name: bind-tsig-api
namespace: bind-internal
spec:
image: git.unkin.net/unkin/bind-tsig-api:v0.2.1
image: git.unkin.net/unkin/bind-tsig-api:v0.2.3
replicas: 1
port: 8443
# targetNamespace defaults to this resource's namespace (bind-internal), where
+1 -1
View File
@@ -21,7 +21,7 @@ spec:
runAsNonRoot: true
containers:
- name: operator
image: git.unkin.net/unkin/bind-operator:v0.2.1
image: git.unkin.net/unkin/bind-operator:v0.2.3
args:
- --metrics-bind-address=:8080
- --health-probe-bind-address=:8081
+1 -1
View File
@@ -6,6 +6,6 @@ resources:
- namespace.yaml
# CRDs are pulled from the bind-operator repo at the matching tag rather than
# vendored here, so they never drift from the operator.
- https://git.unkin.net/unkin/bind-operator/raw/tag/v0.2.1/config/crd/install.yaml
- https://git.unkin.net/unkin/bind-operator/raw/tag/v0.2.3/config/crd/install.yaml
- rbac.yaml
- deployment.yaml
@@ -6,3 +6,20 @@ metadata:
namespace: argocd
data:
kustomize.buildOptions: "--enable-helm"
# External URL ArgoCD serves on (TLS terminated at the traefik-internal gateway).
url: https://argocd.k8s.syd1.au.unkin.net
# OIDC login via Authentik. The client secret is seeded in Vault out of band
# and surfaced as the `argocd-oidc` Secret (labelled part-of=argocd) by VSO;
# `$argocd-oidc:client_secret` resolves the key from that Secret.
oidc.config: |
name: Authentik
issuer: https://identity.unkin.net/application/o/argocd/
clientID: argocd
clientSecret: $argocd-oidc:client_secret
requestedScopes:
- openid
- profile
- email
requestedIDTokenClaims:
groups:
essential: true
@@ -0,0 +1,10 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cmd-params-cm
namespace: argocd
data:
# argocd-server serves plain HTTP; TLS is terminated at the traefik-internal
# gateway in front of it. Required so the gateway can route to port 80.
server.insecure: "true"
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: argocd
spec:
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
allowedNamespaces:
- argocd
kubernetes:
role: default
serviceAccount: default
audiences:
- vault
tokenExpirationSeconds: 600
@@ -0,0 +1,23 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: argocd-oidc
namespace: argocd
spec:
vaultAuthRef: default
mount: kv
type: kv-v2
# Seeded out of band; same secret is read by terraform-authentik to configure
# the provider's client_secret. Key: client_secret.
path: kubernetes/namespace/argocd/default/oauth-credentials
refreshAfter: 5m
hmacSecretData: true
destination:
name: argocd-oidc
create: true
overwrite: true
# ArgoCD only resolves `$secret:key` references against Secrets carrying
# this label.
labels:
app.kubernetes.io/part-of: argocd
@@ -0,0 +1,14 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-rbac-cm
namespace: argocd
data:
# Match RBAC subjects against the `groups` claim from Authentik.
scopes: "[groups]"
# Authenticated users with no matching group get read-only access.
policy.default: role:readonly
# Authentik group -> ArgoCD role.
policy.csv: |
g, argocd-admins, role:admin
@@ -0,0 +1,39 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: argocd-server
namespace: argocd
labels:
app.kubernetes.io/name: argocd-server
app.kubernetes.io/instance: argocd
traefik.io/instance: internal
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: argocd.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: argocd.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.4
spec:
gatewayClassName: traefik-internal
listeners:
- name: http
port: 80
protocol: HTTP
hostname: argocd.k8s.syd1.au.unkin.net
allowedRoutes:
namespaces:
from: Same
- name: https
port: 443
protocol: HTTPS
hostname: argocd.k8s.syd1.au.unkin.net
allowedRoutes:
namespaces:
from: Same
tls:
mode: Terminate
certificateRefs:
- group: ""
kind: Secret
name: argocd-server-tls
@@ -0,0 +1,55 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: argocd-server-http-redirect
namespace: argocd
labels:
app.kubernetes.io/name: argocd-server
app.kubernetes.io/instance: argocd
spec:
hostnames:
- argocd.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: argocd-server
sectionName: http
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
matches:
- path:
type: PathPrefix
value: /
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: argocd-server
namespace: argocd
labels:
app.kubernetes.io/name: argocd-server
app.kubernetes.io/instance: argocd
spec:
hostnames:
- argocd.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: argocd-server
sectionName: https
rules:
- backendRefs:
- group: ""
kind: Service
name: argocd-server
port: 80
weight: 1
matches:
- path:
type: PathPrefix
value: /
@@ -7,12 +7,25 @@ resources:
- https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml
- au-syd1-apps.yaml
- argocd-self-app.yaml
# Authentik OIDC: expose argocd-server and wire the client secret from Vault.
- argocd-server-gateway.yaml
- argocd-server-httproute.yaml
- argocd-oidc-vaultauth.yaml
- argocd-oidc-vaultstaticsecret.yaml
patches:
- path: argocd-cm-patch.yaml
target:
kind: ConfigMap
name: argocd-cm
- path: argocd-rbac-cm-patch.yaml
target:
kind: ConfigMap
name: argocd-rbac-cm
- path: argocd-cmd-params-cm-patch.yaml
target:
kind: ConfigMap
name: argocd-cmd-params-cm
- path: argocd-tls-certs-patch.yaml
target:
kind: ConfigMap