Add primary (write) Services to authoritative + externaldns #229

Merged
benvin merged 3 commits from benvin/wire-primary-service into main 2026-07-05 16:37:49 +10:00
Owner

Stacked on #228 (needs operator v0.1.5). Merge #228 first; the diff collapses to just this after.

Why

Writes (RFC2136/nsupdate) must go to pod-0 — the round-robin read Service would land them on a secondary (rejected). Adds a dedicated write endpoint per cluster (operator v0.1.5 primaryService).

Changes

  • bind-authoritative: LoadBalancer write endpoint on 198.18.200.9 (bind-authoritative-primary)
  • bind-externaldns: ClusterIP write endpoint (bind-externaldns-primary, for in-cluster writers)
  • regenerate the bindcluster kubeconform schema (primaryService + externalTrafficPolicy)

Deferred

external-dns is not repointed at bind-externaldns-primary yet: it authenticates with the existing TSIG key, which the operator-generated key won't match until the planned Vault-sync + secret-reflection features exist. Until then external-dns keeps writing to the puppet externaldns.

Validated

kustomize build + kubeconform (3 BindClusters valid against the v0.1.5 schema).

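For orientation, an added example (not from this PR or the operator) of the pair of Services the description implies: a round-robin read Service over every BIND pod, and a write Service narrowed to pod-0 by the StatefulSet pod-name label, both with `externalTrafficPolicy: Local` so the source-IP ACLs see the real client address. The namespace, pod labels, StatefulSet name and port layout are assumptions; only the `bind-authoritative-primary` name and 198.18.200.9 come from the PR.

```yaml
# Read Service: round-robin across every BIND pod. Fine for queries,
# wrong for RFC2136 updates, which a secondary rejects.
apiVersion: v1
kind: Service
metadata:
  name: bind-authoritative        # assumed read Service name
  namespace: dns                  # assumed namespace
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local    # preserve client source IP for BIND ACLs
  selector:
    app.kubernetes.io/name: bind-authoritative   # assumed pod label
  ports:
    - { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 }
    - { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 }
---
# Write Service: the StatefulSet controller stamps every pod with
# statefulset.kubernetes.io/pod-name, so adding that label to the selector
# narrows the endpoints to pod-0 only. No scheduling or affinity needed.
apiVersion: v1
kind: Service
metadata:
  name: bind-authoritative-primary
  namespace: dns
spec:
  type: LoadBalancer
  loadBalancerIP: 198.18.200.9    # deprecated field; some LBs take an annotation instead
  externalTrafficPolicy: Local
  selector:
    app.kubernetes.io/name: bind-authoritative
    statefulset.kubernetes.io/pod-name: bind-authoritative-0   # assumed StatefulSet name
  ports:
    - { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 }
    - { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 }
```

With `externalTrafficPolicy: Local` the load balancer's node health check only passes on the node that currently hosts pod-0, so the write address follows the primary when it is rescheduled and never lands on a node without it.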
unkinben added 2 commits 2026-07-04 23:16:22 +10:00
Use externalTrafficPolicy: Local on the DNS services
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline failed
4d1041925c
Preserves client source IPs so the authoritative/resolver source-IP ACLs
actually apply to external clients (Cluster SNATs them to node IPs).

- externalTrafficPolicy: Local on bind-authoritative/resolvers/externaldns
- bump operator to v0.1.5 (CRD link + image) for the new service field
Add primary (write) Services to the authoritative + externaldns clusters
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
4cdf9cef37
Writes (RFC2136/nsupdate) must hit pod-0; the round-robin read Service
would land them on a secondary. Add a dedicated write endpoint per
cluster (operator v0.1.5 primaryService field).

- bind-authoritative: LoadBalancer write endpoint on 198.18.200.9
- bind-externaldns: ClusterIP write endpoint (in-cluster writers)
- regenerate bindcluster kubeconform schema (primaryService +
  externalTrafficPolicy)

external-dns is NOT yet repointed at bind-externaldns-primary: it
authenticates with the existing key, which the operator-generated key
doesn't match until the planned Vault-sync / secret-reflection features
land.
benvin added 1 commit 2026-07-05 16:09:24 +10:00
Merge branch 'main' into benvin/wire-primary-service
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
a52b5ad629
benvin merged commit e030f07986 into main 2026-07-05 16:37:49 +10:00
benvin deleted branch benvin/wire-primary-service 2026-07-05 16:37:50 +10:00
Reference: unkin/argocd-apps#229