Compare commits

..

2 Commits

Author SHA1 Message Date
unkinben 0f8c816235 Fix validate-except syntax: trailing semicolon after last entry
named requires every entry in the list to be semicolon-terminated,
including the last one before the closing brace; without it named fails
config parse (missing ';' before '}') and crash-loops.
2026-07-12 22:21:22 +10:00
unkinben 2706632f54 Exempt internal split-horizon zones from resolver DNSSEC validation
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
Resolver queries for unkin.net records returned SERVFAIL (broken trust
chain): the in-cluster authoritative serves unkin.net UNSIGNED, but the
public parent publishes a DS record (unkin.net is DNSSEC-signed on the
Internet), so the validating resolver rejects the insecure answer.

Add validate-except for the forwarded internal domains so the resolver
treats them as insecure and does not validate them. unkin.net covers all
*.unkin.net (incl. k8s.syd1.au.unkin.net); 18.198.in-addr.arpa covers
every NN.18.198.in-addr.arpa reverse zone; consul covers the consul TLD.
2026-07-12 22:13:50 +10:00
11 changed files with 3 additions and 192 deletions
@@ -13,7 +13,7 @@ metadata:
name: bind-tsig-api name: bind-tsig-api
namespace: bind-internal namespace: bind-internal
spec: spec:
image: git.unkin.net/unkin/bind-tsig-api:v0.2.3 image: git.unkin.net/unkin/bind-tsig-api:v0.2.1
replicas: 1 replicas: 1
port: 8443 port: 8443
# targetNamespace defaults to this resource's namespace (bind-internal), where # targetNamespace defaults to this resource's namespace (bind-internal), where
+1 -1
View File
@@ -21,7 +21,7 @@ spec:
runAsNonRoot: true runAsNonRoot: true
containers: containers:
- name: operator - name: operator
image: git.unkin.net/unkin/bind-operator:v0.2.3 image: git.unkin.net/unkin/bind-operator:v0.2.1
args: args:
- --metrics-bind-address=:8080 - --metrics-bind-address=:8080
- --health-probe-bind-address=:8081 - --health-probe-bind-address=:8081
+1 -1
View File
@@ -6,6 +6,6 @@ resources:
- namespace.yaml - namespace.yaml
# CRDs are pulled from the bind-operator repo at the matching tag rather than # CRDs are pulled from the bind-operator repo at the matching tag rather than
# vendored here, so they never drift from the operator. # vendored here, so they never drift from the operator.
- https://git.unkin.net/unkin/bind-operator/raw/tag/v0.2.3/config/crd/install.yaml - https://git.unkin.net/unkin/bind-operator/raw/tag/v0.2.1/config/crd/install.yaml
- rbac.yaml - rbac.yaml
- deployment.yaml - deployment.yaml
@@ -6,20 +6,3 @@ metadata:
namespace: argocd namespace: argocd
data: data:
kustomize.buildOptions: "--enable-helm" kustomize.buildOptions: "--enable-helm"
# External URL ArgoCD serves on (TLS terminated at the traefik-internal gateway).
url: https://argocd.k8s.syd1.au.unkin.net
# OIDC login via Authentik. The client secret is seeded in Vault out of band
# and surfaced as the `argocd-oidc` Secret (labelled part-of=argocd) by VSO;
# `$argocd-oidc:client_secret` resolves the key from that Secret.
oidc.config: |
name: Authentik
issuer: https://identity.unkin.net/application/o/argocd/
clientID: argocd
clientSecret: $argocd-oidc:client_secret
requestedScopes:
- openid
- profile
- email
requestedIDTokenClaims:
groups:
essential: true
@@ -1,10 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cmd-params-cm
namespace: argocd
data:
# argocd-server serves plain HTTP; TLS is terminated at the traefik-internal
# gateway in front of it. Required so the gateway can route to port 80.
server.insecure: "true"
@@ -1,18 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: argocd
spec:
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
allowedNamespaces:
- argocd
kubernetes:
role: default
serviceAccount: default
audiences:
- vault
tokenExpirationSeconds: 600
@@ -1,23 +0,0 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: argocd-oidc
namespace: argocd
spec:
vaultAuthRef: default
mount: kv
type: kv-v2
# Seeded out of band; same secret is read by terraform-authentik to configure
# the provider's client_secret. Key: client_secret.
path: kubernetes/namespace/argocd/default/oauth-credentials
refreshAfter: 5m
hmacSecretData: true
destination:
name: argocd-oidc
create: true
overwrite: true
# ArgoCD only resolves `$secret:key` references against Secrets carrying
# this label.
labels:
app.kubernetes.io/part-of: argocd
@@ -1,14 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-rbac-cm
namespace: argocd
data:
# Match RBAC subjects against the `groups` claim from Authentik.
scopes: "[groups]"
# Authenticated users with no matching group get read-only access.
policy.default: role:readonly
# Authentik group -> ArgoCD role.
policy.csv: |
g, argocd-admins, role:admin
@@ -1,39 +0,0 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: argocd-server
namespace: argocd
labels:
app.kubernetes.io/name: argocd-server
app.kubernetes.io/instance: argocd
traefik.io/instance: internal
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: argocd.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: argocd.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.4
spec:
gatewayClassName: traefik-internal
listeners:
- name: http
port: 80
protocol: HTTP
hostname: argocd.k8s.syd1.au.unkin.net
allowedRoutes:
namespaces:
from: Same
- name: https
port: 443
protocol: HTTPS
hostname: argocd.k8s.syd1.au.unkin.net
allowedRoutes:
namespaces:
from: Same
tls:
mode: Terminate
certificateRefs:
- group: ""
kind: Secret
name: argocd-server-tls
@@ -1,55 +0,0 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: argocd-server-http-redirect
namespace: argocd
labels:
app.kubernetes.io/name: argocd-server
app.kubernetes.io/instance: argocd
spec:
hostnames:
- argocd.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: argocd-server
sectionName: http
rules:
- filters:
- type: RequestRedirect
requestRedirect:
scheme: https
statusCode: 301
matches:
- path:
type: PathPrefix
value: /
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: argocd-server
namespace: argocd
labels:
app.kubernetes.io/name: argocd-server
app.kubernetes.io/instance: argocd
spec:
hostnames:
- argocd.k8s.syd1.au.unkin.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: argocd-server
sectionName: https
rules:
- backendRefs:
- group: ""
kind: Service
name: argocd-server
port: 80
weight: 1
matches:
- path:
type: PathPrefix
value: /
@@ -7,25 +7,12 @@ resources:
- https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml - https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/github/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml
- au-syd1-apps.yaml - au-syd1-apps.yaml
- argocd-self-app.yaml - argocd-self-app.yaml
# Authentik OIDC: expose argocd-server and wire the client secret from Vault.
- argocd-server-gateway.yaml
- argocd-server-httproute.yaml
- argocd-oidc-vaultauth.yaml
- argocd-oidc-vaultstaticsecret.yaml
patches: patches:
- path: argocd-cm-patch.yaml - path: argocd-cm-patch.yaml
target: target:
kind: ConfigMap kind: ConfigMap
name: argocd-cm name: argocd-cm
- path: argocd-rbac-cm-patch.yaml
target:
kind: ConfigMap
name: argocd-rbac-cm
- path: argocd-cmd-params-cm-patch.yaml
target:
kind: ConfigMap
name: argocd-cmd-params-cm
- path: argocd-tls-certs-patch.yaml - path: argocd-tls-certs-patch.yaml
target: target:
kind: ConfigMap kind: ConfigMap