3 Commits

unkinben 01e73c3a21 Pull bind CRDs from operator repo instead of vendoring
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline failed
References the CRD bundle from the bind-operator repo by a stable raw URL
so the CRDs never drift from the operator, matching how other apps import
upstream manifests.

- replace the nine vendored crds/*.yaml with a single remote resource:
  git.unkin.net/unkin/bind-operator raw config/crd/install.yaml at v0.1.1
- bump the operator image to v0.1.1 so the running operator and its CRDs
  come from the same tag
2026-07-03 18:56:48 +10:00
unkinben c57b115400 Make external-dns tier authoritative (drop dynamic mode)
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
The dynamic cluster mode was removed from the operator; RFC2136 update
capability is a per-zone property, not a cluster role. The external-dns
tier is an authoritative cluster whose zones set dynamicUpdate.

- switch binddns-externaldns BindCluster to mode authoritative
- regenerate bindcluster schema (enum: authoritative, resolver)
2026-07-03 18:36:04 +10:00
unkinben d11c2900de Deploy bind-operator and three BIND DNS tiers
Adds the bind-operator and the three BindClusters that replace the
Puppet-managed BIND estate (authoritative / resolver / external-dns).

- add apps/base/bind-system: 9 CRDs, operator Deployment, RBAC (ns bind-system)
- add apps/base/binddns-auth: authoritative BindCluster + catalog zone + TSIG key
- add apps/base/binddns-resolver: recursive-resolver BindCluster with forwarders
- add apps/base/binddns-externaldns: dynamic (RFC2136) BindCluster + TSIG key
- add au-syd1 overlays for all four apps
- register the four apps in the platform ApplicationSet
- add binddns-* namespaces to the platform AppProject destinations
- add schemas/bind.unkin.net/*.json so kubeconform validates the new CRs

DNS Services are LoadBalancer via PureLB. TSIG key material is generated by
the operator into Secrets at runtime (no plain Secrets in git).
2026-07-03 17:48:45 +10:00
21 changed files with 24 additions and 279 deletions
+1 -1
@@ -35,7 +35,7 @@ spec:
mountPath: /combined-certs mountPath: /combined-certs
containers: containers:
- name: api - name: api
image: git.unkin.net/unkin/artifactapi:v3.7.4 image: git.unkin.net/unkin/artifactapi:v3.7.3
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
ports: ports:
- containerPort: 8000 - containerPort: 8000
+1 -1
@@ -22,7 +22,7 @@ spec:
automountServiceAccountToken: true automountServiceAccountToken: true
containers: containers:
- name: ui - name: ui
image: git.unkin.net/unkin/artifactapi-ui:v3.7.4 image: git.unkin.net/unkin/artifactapi-ui:v3.7.3
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
ports: ports:
- containerPort: 80 - containerPort: 80
+1 -1
@@ -21,7 +21,7 @@ spec:
runAsNonRoot: true runAsNonRoot: true
containers: containers:
- name: operator - name: operator
image: git.unkin.net/unkin/bind-operator:v0.1.2 image: git.unkin.net/unkin/bind-operator:v0.1.1
args: args:
- --metrics-bind-address=:8080 - --metrics-bind-address=:8080
- --health-probe-bind-address=:8081 - --health-probe-bind-address=:8081
@@ -5,7 +5,7 @@ apiVersion: bind.unkin.net/v1alpha1
kind: BindCluster kind: BindCluster
metadata: metadata:
name: auth name: auth
namespace: ns-auth namespace: binddns-auth
spec: spec:
mode: authoritative mode: authoritative
replicas: 3 replicas: 3
@@ -15,7 +15,6 @@ spec:
type: LoadBalancer type: LoadBalancer
annotations: annotations:
purelb.io/service-group: common purelb.io/service-group: common
purelb.io/addresses: 198.18.200.6
external-dns.alpha.kubernetes.io/hostname: ns-auth.k8s.syd1.au.unkin.net external-dns.alpha.kubernetes.io/hostname: ns-auth.k8s.syd1.au.unkin.net
resources: resources:
requests: requests:
@@ -30,7 +29,7 @@ apiVersion: bind.unkin.net/v1alpha1
kind: BindCatalogZone kind: BindCatalogZone
metadata: metadata:
name: auth-catalog name: auth-catalog
namespace: ns-auth namespace: binddns-auth
spec: spec:
clusterRef: auth clusterRef: auth
zoneName: catalog.internal zoneName: catalog.internal
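Review bot: The static `purelb.io/addresses: 198.18.200.6` pin is dropped from the auth LoadBalancer Service in hunk `@@ -15,7 +15,6 @@` (the line counts make it the removed line), so the authoritative nameserver's address becomes whatever the PureLB pool assigns and can change when the Service is recreated; an authoritative server is reached by the IP held in NS glue, parent delegation, resolver forwarder lists and firewall rules, none of which the `external-dns.alpha.kubernetes.io/hostname` annotation updates. The same removal appears in the externaldns hunk `@@ -15,9 +15,8 @@` (`198.18.200.8`) and the resolver hunk `@@ -15,8 +15,7 @@` (`198.18.200.7`), and none of the three commit messages mention it. If the addresses are meant to come from elsewhere (for example the au-syd1 overlay), a comment on the `annotations:` block such as `# address pinned per site in the overlay, not here` would stop the next reader re-adding them; otherwise keep `purelb.io/addresses: 198.18.200.6` on the Service.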
@@ -6,4 +6,3 @@ resources:
- namespace.yaml - namespace.yaml
- tsigkey.yaml - tsigkey.yaml
- cluster.yaml - cluster.yaml
- zones.yaml
@@ -2,4 +2,4 @@
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
name: ns-resolver name: binddns-auth
@@ -5,6 +5,6 @@ apiVersion: bind.unkin.net/v1alpha1
kind: BindTSIGKey kind: BindTSIGKey
metadata: metadata:
name: transfer-key name: transfer-key
namespace: ns-auth namespace: binddns-auth
spec: spec:
algorithm: hmac-sha256 algorithm: hmac-sha256
@@ -6,7 +6,7 @@ apiVersion: bind.unkin.net/v1alpha1
kind: BindCluster kind: BindCluster
metadata: metadata:
name: externaldns name: externaldns
namespace: ns-externaldns namespace: binddns-externaldns
spec: spec:
mode: authoritative mode: authoritative
replicas: 3 replicas: 3
@@ -15,9 +15,8 @@ spec:
service: service:
type: LoadBalancer type: LoadBalancer
annotations: annotations:
purelb.io/service-group: common purelb.io/service-group: dmz
purelb.io/addresses: 198.18.200.8 external-dns.alpha.kubernetes.io/hostname: ns-ext.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/hostname: ns-externaldns.k8s.syd1.au.unkin.net
resources: resources:
requests: requests:
cpu: 100m cpu: 100m
@@ -25,15 +24,3 @@ spec:
limits: limits:
cpu: "1" cpu: "1"
memory: 512Mi memory: 512Mi
---
# Catalog zone so the dynamic zones replicate onto the cluster's secondaries
# (external-dns writes to the primary; secondaries IXFR the result).
apiVersion: bind.unkin.net/v1alpha1
kind: BindCatalogZone
metadata:
name: externaldns-catalog
namespace: ns-externaldns
spec:
clusterRef: externaldns
zoneName: catalog.externaldns.internal
transferKeyRef: externaldns-key
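Review bot: The `externaldns-catalog` BindCatalogZone is removed on the new side in hunk `@@ -25,15 +24,3 @@`, and with the externaldns zones file also deleted the cluster keeps a `BindTSIGKey` named `externaldns-key` but no zone whose `updateKeyRef` or `allowTransfer` refers to it, so RFC2136 updates from external-dns have nowhere to land and the secondaries have nothing to replicate; none of the commit messages describe this removal, so please say whether the zones move elsewhere or are intentionally gone. The deleted zone definitions limited transfers to the key with `allowTransfer: - key externaldns-key`; when zones are reintroduced that key-scoped ACL should be retained, since this is also the Service whose `purelb.io/service-group` changes between `common` and `dmz` in the preceding hunk (which value is new is not recoverable from this rendering). The hostname annotation likewise changes between `ns-externaldns.k8s.syd1.au.unkin.net` and `ns-ext.k8s.syd1.au.unkin.net`; whichever is new, any NS records or resolver configuration naming the other needs updating in the same change.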
@@ -6,4 +6,3 @@ resources:
- namespace.yaml - namespace.yaml
- tsigkey.yaml - tsigkey.yaml
- cluster.yaml - cluster.yaml
- zones.yaml
@@ -2,4 +2,4 @@
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
name: ns-auth name: binddns-externaldns
@@ -5,6 +5,6 @@ apiVersion: bind.unkin.net/v1alpha1
kind: BindTSIGKey kind: BindTSIGKey
metadata: metadata:
name: externaldns-key name: externaldns-key
namespace: ns-externaldns namespace: binddns-externaldns
spec: spec:
algorithm: hmac-sha256 algorithm: hmac-sha256
@@ -5,7 +5,7 @@ apiVersion: bind.unkin.net/v1alpha1
kind: BindCluster kind: BindCluster
metadata: metadata:
name: resolver name: resolver
namespace: ns-resolver namespace: binddns-resolver
spec: spec:
mode: resolver mode: resolver
replicas: 3 replicas: 3
@@ -15,8 +15,7 @@ spec:
type: LoadBalancer type: LoadBalancer
annotations: annotations:
purelb.io/service-group: common purelb.io/service-group: common
purelb.io/addresses: 198.18.200.7 external-dns.alpha.kubernetes.io/hostname: resolver.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/hostname: ns-resolver.k8s.syd1.au.unkin.net
forwarders: forwarders:
- 1.1.1.1 - 1.1.1.1
- 9.9.9.9 - 9.9.9.9
@@ -2,4 +2,4 @@
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
name: ns-externaldns name: binddns-resolver
-204
@@ -1,204 +0,0 @@
# Authoritative zones migrated from puppet-prod
# (profiles::dns::master::zones in hieradata/roles/infra/dns/master.yaml).
# type primary, static (puppet dynamic:false); TTL 600 as in the puppet zone header.
# Record data is populated by PuppetDB exported resources upstream, so it is
# NOT in this repo — migrate it into these zones (AXFR from the current masters,
# or DNSRecord CRs) as a follow-up. The zones start with SOA+NS only.
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: unkin-net
namespace: ns-auth
spec:
clusterRef: auth
zoneName: unkin.net
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: main-unkin-net
namespace: ns-auth
spec:
clusterRef: auth
zoneName: main.unkin.net
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 13-18-198-in-addr-arpa
namespace: ns-auth
spec:
clusterRef: auth
zoneName: 13.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 14-18-198-in-addr-arpa
namespace: ns-auth
spec:
clusterRef: auth
zoneName: 14.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 15-18-198-in-addr-arpa
namespace: ns-auth
spec:
clusterRef: auth
zoneName: 15.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 16-18-198-in-addr-arpa
namespace: ns-auth
spec:
clusterRef: auth
zoneName: 16.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 17-18-198-in-addr-arpa
namespace: ns-auth
spec:
clusterRef: auth
zoneName: 17.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 19-18-198-in-addr-arpa
namespace: ns-auth
spec:
clusterRef: auth
zoneName: 19.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 20-18-198-in-addr-arpa
namespace: ns-auth
spec:
clusterRef: auth
zoneName: 20.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 21-18-198-in-addr-arpa
namespace: ns-auth
spec:
clusterRef: auth
zoneName: 21.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 22-18-198-in-addr-arpa
namespace: ns-auth
spec:
clusterRef: auth
zoneName: 22.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 23-18-198-in-addr-arpa
namespace: ns-auth
spec:
clusterRef: auth
zoneName: 23.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 24-18-198-in-addr-arpa
namespace: ns-auth
spec:
clusterRef: auth
zoneName: 24.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 25-18-198-in-addr-arpa
namespace: ns-auth
spec:
clusterRef: auth
zoneName: 25.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 26-18-198-in-addr-arpa
namespace: ns-auth
spec:
clusterRef: auth
zoneName: 26.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 27-18-198-in-addr-arpa
namespace: ns-auth
spec:
clusterRef: auth
zoneName: 27.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 28-18-198-in-addr-arpa
namespace: ns-auth
spec:
clusterRef: auth
zoneName: 28.18.198.in-addr.arpa
type: primary
defaultTTL: 600
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 29-18-198-in-addr-arpa
namespace: ns-auth
spec:
clusterRef: auth
zoneName: 29.18.198.in-addr.arpa
type: primary
defaultTTL: 600
-34
@@ -1,34 +0,0 @@
# k8s external-dns zones migrated from puppet-prod
# (externaldns::k8s_zones in hieradata/roles/infra/dns/externaldns.yaml).
# Primary + dynamicUpdate: the Kubernetes external-dns controller writes
# records here via RFC2136 authenticated with externaldns-key.
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: k8s-syd1-au-unkin-net
namespace: ns-externaldns
spec:
clusterRef: externaldns
zoneName: k8s.syd1.au.unkin.net
type: primary
defaultTTL: 600
dynamicUpdate: true
updateKeyRef: externaldns-key
allowTransfer:
- key externaldns-key
---
apiVersion: bind.unkin.net/v1alpha1
kind: BindZone
metadata:
name: 200-18-198-in-addr-arpa
namespace: ns-externaldns
spec:
clusterRef: externaldns
zoneName: 200.18.198.in-addr.arpa
type: primary
defaultTTL: 600
dynamicUpdate: true
updateKeyRef: externaldns-key
allowTransfer:
- key externaldns-key
@@ -3,4 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- ../../../base/ns-resolver - ../../../base/binddns-auth
@@ -3,4 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- ../../../base/ns-externaldns - ../../../base/binddns-externaldns
@@ -3,4 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- ../../../base/ns-auth - ../../../base/binddns-resolver
+3 -3
@@ -13,9 +13,9 @@ spec:
- path: apps/overlays/*/authentik - path: apps/overlays/*/authentik
- path: apps/overlays/*/artifactapi - path: apps/overlays/*/artifactapi
- path: apps/overlays/*/bind-system - path: apps/overlays/*/bind-system
- path: apps/overlays/*/ns-auth - path: apps/overlays/*/binddns-auth
- path: apps/overlays/*/ns-resolver - path: apps/overlays/*/binddns-resolver
- path: apps/overlays/*/ns-externaldns - path: apps/overlays/*/binddns-externaldns
- path: apps/overlays/*/age-api - path: apps/overlays/*/age-api
- path: apps/overlays/*/cattle-system - path: apps/overlays/*/cattle-system
- path: apps/overlays/*/cert-manager - path: apps/overlays/*/cert-manager
+3 -3
@@ -21,11 +21,11 @@ spec:
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: 'authentik' - namespace: 'authentik'
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: 'ns-auth' - namespace: 'binddns-auth'
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: 'ns-resolver' - namespace: 'binddns-resolver'
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: 'ns-externaldns' - namespace: 'binddns-externaldns'
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: 'cert-manager' - namespace: 'cert-manager'
server: https://kubernetes.default.svc server: https://kubernetes.default.svc