Deploy bind-operator + three BIND DNS tiers #216

Closed
unkinben wants to merge 3 commits from benvin/add-bind-operator into main
Owner

HOLD — do not merge until the operator image git.unkin.net/unkin/bind-operator:v0.1.0 is published (bind-operator PR #1 merged + tagged v0.1.0). On merge the platform ApplicationSet auto-syncs these apps.

Why

Migrates the Puppet-managed BIND estate to Kubernetes: three operator-managed BindClusters replacing 3x authoritative masters, 3x only-resolvers and 3x external-dns servers.

Changes

  • apps/base/bind-system: the 9 bind.unkin.net CRDs, operator Deployment and RBAC (namespace bind-system, matches the *-system project destination)
  • apps/base/binddns-auth: authoritative BindCluster (3 replicas, pod-0 primary) + BindCatalogZone + transfer BindTSIGKey
  • apps/base/binddns-resolver: recursive-resolver BindCluster with forwarders
  • apps/base/binddns-externaldns: dynamic (RFC2136 TSIG) BindCluster + BindTSIGKey
  • au-syd1 overlays for all four apps
  • register the four apps in argocd/applicationsets/platform.yaml
  • add binddns-* namespaces to argocd/projects/platform.yaml destinations
  • add schemas/bind.unkin.net/*.json so kubeconform validates the new CRs

Notes

  • DNS Services are LoadBalancer via PureLB (auth/resolver on common, external-dns on dmz); pin addresses via purelb.io/addresses if fixed resolver IPs are needed.
  • BIND image is internetsystemsconsortium/bind9:9.20 (docker.io, like kanidm).
  • TSIG key material is generated by the operator into Secrets at runtime — no plain Secrets in git.
  • Zones are added later as BindZone/DNSRecord CRs (not part of this infra PR).

Validated

kubectl kustomize builds all four overlays; kubeconform accepts every BindCluster/BindTSIGKey/BindCatalogZone against the new schemas; pre-commit (yamllint, no-plain-secrets) passes.

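One way to replay the "Validated" step locally (kustomize render, then kubeconform against the repo-local schemas), as an added example that is not the PR's or the argocd-apps repo's own script; the overlay paths, the schema filename template and the v1alpha1 version are assumptions:

```shell
#!/usr/bin/env bash
# Added example, not from the PR or the argocd-apps repo: replays the
# "Validated" step (kustomize build -> kubeconform) for the four new apps.
# Assumptions: overlays live at apps/overlays/au-syd1/<app>, and schema files
# are named schemas/bind.unkin.net/<lowercase kind>_<version>.json; the repo's
# real CI wiring may differ.
set -eu

# The four apps this PR registers, one per line.
bind_apps() {
  printf '%s\n' bind-system binddns-auth binddns-resolver binddns-externaldns
}

# Assumed overlay directory for an app in the au-syd1 cluster.
overlay_dir() {
  printf 'apps/overlays/au-syd1/%s\n' "$1"
}

# kubeconform -schema-location template for the repo-local CRD schemas.
# {{.Group}}, {{.ResourceKind}} (lowercased kind) and {{.ResourceAPIVersion}}
# are kubeconform template variables, so a hypothetical v1alpha1 BindCluster
# resolves to schemas/bind.unkin.net/bindcluster_v1alpha1.json.
local_schema_template() {
  printf '%s\n' 'schemas/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json'
}

# Render one overlay and validate every document in it. Core kinds use the
# default kubeconform catalog, bind.unkin.net kinds the local schemas;
# -strict rejects unknown fields, so a misspelled BindCluster key fails here
# instead of being silently pruned by the API server at sync time.
validate_overlay() {
  kubectl kustomize "$1" \
    | kubeconform -strict -summary \
        -schema-location default \
        -schema-location "$(local_schema_template)"
}

main() {
  rc=0
  for app in $(bind_apps); do
    echo "== $app"
    validate_overlay "$(overlay_dir "$app")" || rc=1
  done
  return "$rc"
}

# Run only when asked, so the helpers can be sourced or checked without
# kubectl/kubeconform installed.
if [ "${RUN_BIND_VALIDATE:-0}" = 1 ]; then main; fi
```

Run with `RUN_BIND_VALIDATE=1 ./validate-bind.sh` from the repo root; a non-zero exit means at least one overlay failed to render or validate.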
unkinben added 2 commits 2026-07-03 18:37:03 +10:00
Adds the bind-operator and the three BindClusters that replace the
Puppet-managed BIND estate (authoritative / resolver / external-dns).

- add apps/base/bind-system: 9 CRDs, operator Deployment, RBAC (ns bind-system)
- add apps/base/binddns-auth: authoritative BindCluster + catalog zone + TSIG key
- add apps/base/binddns-resolver: recursive-resolver BindCluster with forwarders
- add apps/base/binddns-externaldns: dynamic (RFC2136) BindCluster + TSIG key
- add au-syd1 overlays for all four apps
- register the four apps in the platform ApplicationSet
- add binddns-* namespaces to the platform AppProject destinations
- add schemas/bind.unkin.net/*.json so kubeconform validates the new CRs

DNS Services are LoadBalancer via PureLB. TSIG key material is generated by
the operator into Secrets at runtime (no plain Secrets in git).
Make external-dns tier authoritative (drop dynamic mode)
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
c57b115400
The dynamic cluster mode was removed from the operator; RFC2136 update
capability is a per-zone property, not a cluster role. The external-dns
tier is an authoritative cluster whose zones set dynamicUpdate.

- switch binddns-externaldns BindCluster to mode authoritative
- regenerate bindcluster schema (enum: authoritative, resolver)
unkinben added 1 commit 2026-07-03 18:56:51 +10:00
Pull bind CRDs from operator repo instead of vendoring
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline failed
01e73c3a21
References the CRD bundle from the bind-operator repo by a stable raw URL
so the CRDs never drift from the operator, matching how other apps import
upstream manifests.

- replace the nine vendored crds/*.yaml with a single remote resource:
  git.unkin.net/unkin/bind-operator raw config/crd/install.yaml at v0.1.1
- bump the operator image to v0.1.1 so the running operator and its CRDs
  come from the same tag
Author
Owner

Superseded by the 4-PR split: #219 (operator) then #220 (binddns-auth), #221 (binddns-resolver), #222 (binddns-externaldns). Closing.

unkinben closed this pull request 2026-07-03 19:55:43 +10:00
Some required checks failed
ci/woodpecker/pr/pre-commit Pipeline was successful (Required)
ci/woodpecker/pr/kubeconform Pipeline failed (Required)

Pull request closed


Reference: unkin/argocd-apps#216