feat: manage externaldns bind (#428)

- add module to manage externaldns bind for k8s
- add infra::dns::externaldns role
- add 198.18.19.20 as anycast for k8s external-dns service

Reviewed-on: #428
This commit was merged in pull request #428.
This commit is contained in:
2025-11-22 23:25:55 +11:00
parent 9854403b02
commit 0aec795aec
8 changed files with 187 additions and 0 deletions
+15
@@ -0,0 +1,15 @@
# ExternalDNS BIND module - automatically configures master or slave
class externaldns (
Stdlib::Fqdn $bind_master_hostname,
Array[Stdlib::Fqdn] $k8s_zones = [],
Array[Stdlib::Fqdn] $slave_servers = [],
String $externaldns_key_secret = '',
String $externaldns_key_algorithm = 'hmac-sha256',
) {
if $trusted['certname'] == $bind_master_hostname {
include externaldns::master
} else {
include externaldns::slave
}
}
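Review bot: `$externaldns_key_secret` is a plain `String` defaulting to `''`, so a node whose Hiera data forgets the value still gets a `bind::key` with an empty secret, and whatever value is supplied travels unredacted through the catalog, agent reports and PuppetDB. Declaring it as `Sensitive[String[1]] $externaldns_key_secret,` with no default makes a missing secret a compile error and keeps it out of reports; `bind::key` would then have to accept a `Sensitive` value or be handed `$externaldns_key_secret.unwrap`, and which of those the `bind` module supports is not visible here. Picking the master by `$trusted['certname']` rather than an agent-supplied fact is the right call; the same trusted-versus-reported distinction matters for the address lookups the `master` and `slave` classes do.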
+45
@@ -0,0 +1,45 @@
# ExternalDNS BIND master server class
class externaldns::master inherits externaldns {
include bind
# Query PuppetDB for slave server IP addresses
$slave_ips = $externaldns::slave_servers.map |$fqdn| {
puppetdb_query("inventory[facts.networking.ip] { certname = '${fqdn}' }")[0]['facts.networking.ip']
}.filter |$ip| { $ip != undef }
# Create TSIG key for ExternalDNS authentication
bind::key { 'externaldns-key':
algorithm => $externaldns::externaldns_key_algorithm,
secret => $externaldns::externaldns_key_secret,
}
# Create ACL for slave servers
if !empty($slave_ips) {
bind::acl { 'dns-slaves':
addresses => $slave_ips,
}
}
# Create master zones for each Kubernetes domain
$externaldns::k8s_zones.each |$zone| {
bind::zone { $zone:
zone_type => 'master',
dynamic => true,
allow_updates => ['key externaldns-key'],
allow_transfers => empty($slave_ips) ? {
true => [],
false => ['dns-slaves'],
},
ns_notify => !empty($slave_ips),
also_notify => $slave_ips,
dnssec => false,
}
}
# Create default view to include the zones
bind::view { 'externaldns':
recursion => false,
zones => $externaldns::k8s_zones,
}
}
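Review bot: The `dns-slaves` ACL and `also_notify` list are derived from `facts.networking.ip`, which is reported by each slave's own agent, so any host that can submit facts for a certname in `$slave_servers` can place an arbitrary address into `allow-transfer` on the master — and since nothing in this change signs the slave-side transfers, that ACL is the only guard on a full AXFR of the Kubernetes zones. Either take the addresses from data the agent does not control (a certname-to-IP mapping in Hiera, or trusted facts) or require TSIG for transfers, preferably with a dedicated transfer key rather than reusing `externaldns-key`, because the update key in an `allow_transfers` list would hand every slave dynamic-update rights on the zones. Separately, `puppetdb_query(...)[0]['facts.networking.ip']` on L39 does not survive a certname with no inventory row yet: the query returns `[]`, indexing that gives `undef`, and indexing `undef` is an evaluation error, so the `.filter { $ip != undef }` never runs and the master's catalog fails to compile until every slave has checked in. Binding the result first, `$rows = puppetdb_query("inventory[facts.networking.ip] { certname = '${fqdn}' }")` followed by `if empty($rows) { undef } else { $rows[0]['facts.networking.ip'] }`, restores the fall-through the filter was written for.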
+36
@@ -0,0 +1,36 @@
# ExternalDNS BIND slave server class
class externaldns::slave inherits externaldns {
include bind
# Query PuppetDB for master server IP address
$query = "inventory[facts.networking.ip] { certname = '${externaldns::bind_master_hostname}' }"
$master_ip = puppetdb_query($query)[0]['facts.networking.ip']
# Create TSIG key for zone transfers (same as master)
bind::key { 'externaldns-key':
algorithm => $externaldns::externaldns_key_algorithm,
secret => $externaldns::externaldns_key_secret,
}
# Create ACL for master server
bind::acl { 'dns-master':
addresses => [$master_ip],
}
# Create slave zones for each Kubernetes domain
$externaldns::k8s_zones.each |$zone| {
bind::zone { $zone:
zone_type => 'slave',
masters => [$master_ip],
allow_notify => ['dns-master'],
ns_notify => false,
}
}
# Create default view to include the zones
bind::view { 'externaldns':
recursion => false,
zones => $externaldns::k8s_zones,
}
}
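Review bot: The comment on L82 says `externaldns-key` is created for zone transfers, but nothing in the slave zone references it — `masters => [$master_ip]` carries no key — so transfers from the master are unsigned and the declaration's only effect is to copy the ExternalDNS update secret onto every slave, which widens the blast radius of a slave compromise without buying anything. If the `bind` module's `bind::zone` can attach a key to `masters` (not visible here), wire it in there, ideally with a transfer-only key; otherwise drop the `bind::key` resource from this class and fix the comment. The lookup on L81 also has no fallback: before the master has reported to PuppetDB the query returns `[]`, and `[0]['facts.networking.ip']` on that is an evaluation error rather than `undef`, which is an opaque failure for something that feeds both `masters` and the `dns-master` ACL. Failing deliberately, `if empty($rows) { fail("no PuppetDB inventory for ${externaldns::bind_master_hostname}") }`, gives the operator a message that names the bootstrap-ordering problem.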