From 3bcb39fe0ace34eb003b8e485b740e81179646a2 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 3 Jul 2026 20:52:18 +1000 Subject: [PATCH 1/2] Deploy ns-auth BIND cluster --- apps/base/ns-auth/cluster.yaml | 37 +++++++++++++++++++ apps/base/ns-auth/kustomization.yaml | 8 ++++ apps/base/ns-auth/namespace.yaml | 5 +++ apps/base/ns-auth/tsigkey.yaml | 10 +++++ .../au-syd1/ns-auth/kustomization.yaml | 6 +++ 5 files changed, 66 insertions(+) create mode 100644 apps/base/ns-auth/cluster.yaml create mode 100644 apps/base/ns-auth/kustomization.yaml create mode 100644 apps/base/ns-auth/namespace.yaml create mode 100644 apps/base/ns-auth/tsigkey.yaml create mode 100644 apps/overlays/au-syd1/ns-auth/kustomization.yaml diff --git a/apps/base/ns-auth/cluster.yaml b/apps/base/ns-auth/cluster.yaml new file mode 100644 index 0000000..0a9b32a --- /dev/null +++ b/apps/base/ns-auth/cluster.yaml @@ -0,0 +1,37 @@ +--- +# Authoritative masters (replaces the 3x Puppet authoritative servers). +# pod-0 is the primary; pods 1-2 replicate via the catalog zone + AXFR/IXFR. +apiVersion: bind.unkin.net/v1alpha1 +kind: BindCluster +metadata: + name: auth + namespace: ns-auth +spec: + mode: authoritative + replicas: 3 + storageClassName: cephrbd-fast-delete + storageSize: 2Gi + service: + type: LoadBalancer + annotations: + purelb.io/service-group: common + purelb.io/addresses: 198.18.200.6 + external-dns.alpha.kubernetes.io/hostname: ns-auth.k8s.syd1.au.unkin.net + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "1" + memory: 512Mi +--- +# Catalog zone so new BindZones auto-provision onto the secondaries. +apiVersion: bind.unkin.net/v1alpha1 +kind: BindCatalogZone +metadata: + name: auth-catalog + namespace: ns-auth +spec: + clusterRef: auth + zoneName: catalog.internal + transferKeyRef: transfer-key diff --git a/apps/base/ns-auth/kustomization.yaml b/apps/base/ns-auth/kustomization.yaml new file mode 100644 index 0000000..753cb3f --- /dev/null +++ b/apps/base/ns-auth/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - namespace.yaml + - tsigkey.yaml + - cluster.yaml diff --git a/apps/base/ns-auth/namespace.yaml b/apps/base/ns-auth/namespace.yaml new file mode 100644 index 0000000..00181bf --- /dev/null +++ b/apps/base/ns-auth/namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: ns-auth diff --git a/apps/base/ns-auth/tsigkey.yaml b/apps/base/ns-auth/tsigkey.yaml new file mode 100644 index 0000000..8fe5309 --- /dev/null +++ b/apps/base/ns-auth/tsigkey.yaml @@ -0,0 +1,10 @@ +--- +# Zone-transfer / catalog key. The operator generates the material into a +# Secret (transfer-key-tsig); nothing sensitive is committed to git. +apiVersion: bind.unkin.net/v1alpha1 +kind: BindTSIGKey +metadata: + name: transfer-key + namespace: ns-auth +spec: + algorithm: hmac-sha256 diff --git a/apps/overlays/au-syd1/ns-auth/kustomization.yaml b/apps/overlays/au-syd1/ns-auth/kustomization.yaml new file mode 100644 index 0000000..e339cb8 --- /dev/null +++ b/apps/overlays/au-syd1/ns-auth/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../../base/ns-auth -- 2.47.3 From e8f68b5e75b35a27e67e764b902701e8b0776a3f Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 3 Jul 2026 21:17:56 +1000 Subject: [PATCH 2/2] Add authoritative zones from puppet-prod master nameservers Migrates the 18 zones served by the puppet authoritative masters (profiles::dns::master::zones) as BindZone CRs on the auth cluster: unkin.net, main.unkin.net, and the 198.18.{13-29}.0/24 reverse zones. - add apps/base/ns-auth/zones.yaml (type primary, TTL 600); records are migrated separately (not stored in puppet, generated via PuppetDB) --- apps/base/ns-auth/kustomization.yaml | 1 + apps/base/ns-auth/zones.yaml | 204 +++++++++++++++++++++++++++ 2 files changed, 205 insertions(+) create mode 100644 apps/base/ns-auth/zones.yaml diff --git a/apps/base/ns-auth/kustomization.yaml b/apps/base/ns-auth/kustomization.yaml index 753cb3f..b5afd54 100644 --- a/apps/base/ns-auth/kustomization.yaml +++ b/apps/base/ns-auth/kustomization.yaml @@ -6,3 +6,4 @@ resources: - namespace.yaml - tsigkey.yaml - cluster.yaml + - zones.yaml diff --git a/apps/base/ns-auth/zones.yaml b/apps/base/ns-auth/zones.yaml new file mode 100644 index 0000000..c738f2c --- /dev/null +++ b/apps/base/ns-auth/zones.yaml @@ -0,0 +1,204 @@ +# Authoritative zones migrated from puppet-prod +# (profiles::dns::master::zones in hieradata/roles/infra/dns/master.yaml). +# type primary, static (puppet dynamic:false); TTL 600 as in the puppet zone header. +# Record data is populated by PuppetDB exported resources upstream, so it is +# NOT in this repo — migrate it into these zones (AXFR from the current masters, +# or DNSRecord CRs) as a follow-up. The zones start with SOA+NS only. +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: unkin-net + namespace: ns-auth +spec: + clusterRef: auth + zoneName: unkin.net + type: primary + defaultTTL: 600 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: main-unkin-net + namespace: ns-auth +spec: + clusterRef: auth + zoneName: main.unkin.net + type: primary + defaultTTL: 600 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: 13-18-198-in-addr-arpa + namespace: ns-auth +spec: + clusterRef: auth + zoneName: 13.18.198.in-addr.arpa + type: primary + defaultTTL: 600 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: 14-18-198-in-addr-arpa + namespace: ns-auth +spec: + clusterRef: auth + zoneName: 14.18.198.in-addr.arpa + type: primary + defaultTTL: 600 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: 15-18-198-in-addr-arpa + namespace: ns-auth +spec: + clusterRef: auth + zoneName: 15.18.198.in-addr.arpa + type: primary + defaultTTL: 600 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: 16-18-198-in-addr-arpa + namespace: ns-auth +spec: + clusterRef: auth + zoneName: 16.18.198.in-addr.arpa + type: primary + defaultTTL: 600 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: 17-18-198-in-addr-arpa + namespace: ns-auth +spec: + clusterRef: auth + zoneName: 17.18.198.in-addr.arpa + type: primary + defaultTTL: 600 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: 19-18-198-in-addr-arpa + namespace: ns-auth +spec: + clusterRef: auth + zoneName: 19.18.198.in-addr.arpa + type: primary + defaultTTL: 600 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: 20-18-198-in-addr-arpa + namespace: ns-auth +spec: + clusterRef: auth + zoneName: 20.18.198.in-addr.arpa + type: primary + defaultTTL: 600 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: 21-18-198-in-addr-arpa + namespace: ns-auth +spec: + clusterRef: auth + zoneName: 21.18.198.in-addr.arpa + type: primary + defaultTTL: 600 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: 22-18-198-in-addr-arpa + namespace: ns-auth +spec: + clusterRef: auth + zoneName: 22.18.198.in-addr.arpa + type: primary + defaultTTL: 600 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: 23-18-198-in-addr-arpa + namespace: ns-auth +spec: + clusterRef: auth + zoneName: 23.18.198.in-addr.arpa + type: primary + defaultTTL: 600 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: 24-18-198-in-addr-arpa + namespace: ns-auth +spec: + clusterRef: auth + zoneName: 24.18.198.in-addr.arpa + type: primary + defaultTTL: 600 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: 25-18-198-in-addr-arpa + namespace: ns-auth +spec: + clusterRef: auth + zoneName: 25.18.198.in-addr.arpa + type: primary + defaultTTL: 600 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: 26-18-198-in-addr-arpa + namespace: ns-auth +spec: + clusterRef: auth + zoneName: 26.18.198.in-addr.arpa + type: primary + defaultTTL: 600 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: 27-18-198-in-addr-arpa + namespace: ns-auth +spec: + clusterRef: auth + zoneName: 27.18.198.in-addr.arpa + type: primary + defaultTTL: 600 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: 28-18-198-in-addr-arpa + namespace: ns-auth +spec: + clusterRef: auth + zoneName: 28.18.198.in-addr.arpa + type: primary + defaultTTL: 600 +--- +apiVersion: bind.unkin.net/v1alpha1 +kind: BindZone +metadata: + name: 29-18-198-in-addr-arpa + namespace: ns-auth +spec: + clusterRef: auth + zoneName: 29.18.198.in-addr.arpa + type: primary + defaultTTL: 600 -- 2.47.3