From f6e52e1f65aad935d29145914d9cb92447af46fe Mon Sep 17 00:00:00 2001 From: ace Date: Fri, 23 May 2025 13:05:08 +0300 Subject: [PATCH] fix dns integration via external-dns deployment --- inventory/ghp/sample/group_vars/knot_dns.yaml | 32 ++----------------- roles/external-dns/defaults/main.yaml | 6 ++-- roles/internal-dns/defaults/main.yaml | 6 ++-- roles/local-dns/defaults/main.yaml | 6 ++-- roles/service-dns/defaults/main.yaml | 6 ++-- 5 files changed, 19 insertions(+), 37 deletions(-) diff --git a/inventory/ghp/sample/group_vars/knot_dns.yaml b/inventory/ghp/sample/group_vars/knot_dns.yaml index 9182231..b6c5004 100644 --- a/inventory/ghp/sample/group_vars/knot_dns.yaml +++ b/inventory/ghp/sample/group_vars/knot_dns.yaml @@ -12,20 +12,14 @@ knot_conf: | any: debug key: - - id: k8s + - id: k8s-{{ k8s_cluster_name }}-{{ namespace }} algorithm: hmac-sha512 secret: {{ k8s_tsig }} - - id: vps + - id: ddclient-{{ k8s_cluster_name }}-{{ namespace }} algorithm: hmac-sha512 secret: {{ ddclient_tsig }} - remote: - # - id: slave - # address: 192.168.1.1@53 - # - # - id: master - # address: 192.168.2.1@53 remote: - id: dns_server address: 127.0.0.1@53 @@ -34,24 +28,15 @@ knot_conf: | - id: dns_zone_sbm parent: [dns_server] - acl: - id: deny_all deny: on # no action specified and deny on implies denial of all actions - id: key_rule - key: [vps, k8s] # Access based just on TSIG key + key: [k8s-{{ k8s_cluster_name }}-{{ namespace }},ddclient-{{ k8s_cluster_name }}-{{ namespace }}] # Access based just on TSIG key address: 192.168.0.0/16 action: [transfer, notify, update] - # - id: acl_slave - # address: 192.168.1.1 - # action: transfer - - # - id: acl_master - # address: 192.168.2.1 - # action: notify - template: - id: default storage: "/var/lib/knot" 
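Review bot: The key ids on the two `+  - id:` lines now depend on `k8s_cluster_name` and `namespace` being resolvable in the knot_dns group's variable scope, which the previous static ids (`k8s`, `vps`) did not; `knot_conf` is templated where it is consumed, so an undefined variable on the Knot host fails the play, and a value that differs from what the *-dns roles render (each now defaults its `tsigKeyname` to the same expression) produces a key name Knot does not know, and every update from external-dns then fails TSIG verification. The sample would benefit from a comment above `key:` stating that contract, e.g. `# key ids must equal <role>_dns_tsigKeyname as rendered on the k8s side (same k8s_cluster_name and namespace)`. If the Knot host and the k8s hosts sit in different inventory groups, defining both variables once in group_vars/all is safer than relying on them being visible from both sides.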
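Review bot: The new `key:` list on the `+    key: [...]` line keeps both identities in the single `key_rule` ACL, so the key renamed to `ddclient-…` is granted `transfer`, `notify` and `update` on every zone that references `key_rule`, from anywhere in 192.168.0.0/16, exactly like the cluster's external-dns key. If that key is only used by a dynamic-DNS client, as the name suggests, it needs `update` at most, so splitting the rule limits what a compromised ddclient secret can do to the zones; Knot's `update-owner`/`update-type` ACL options can narrow it further if the installed version supports them. Any zone `acl:` list that references `key_rule` — those lines are outside this hunk — would then also need `ddclient_rule`. Also, the flow list is written without a space after the comma (`…}},ddclient-…`); I believe Knot accepts that, but it is worth confirming with `knotc conf-check` before relying on it.
```yaml
acl:
  # … unchanged: deny_all entry …
  - id: key_rule
    key: [k8s-{{ k8s_cluster_name }}-{{ namespace }}]  # external-dns needs AXFR + update
    address: 192.168.0.0/16
    action: [transfer, notify, update]
  - id: ddclient_rule
    key: [ddclient-{{ k8s_cluster_name }}-{{ namespace }}]  # dynamic-DNS client: updates only
    address: 192.168.0.0/16
    action: [update]
```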
@@ -73,14 +58,3 @@ knot_conf: |
 dnssec-signing: on
 dnssec-policy: rsa
 zonefile-load: difference
-
- # # Master zone
- # - domain: example.com
- # notify: slave
- # acl: acl_slave
-
- # # Slave zone
- # - domain: example.net
- # master: master
- # acl: acl_master
-
diff --git a/roles/external-dns/defaults/main.yaml b/roles/external-dns/defaults/main.yaml
index b6fda34..c107d72 100644
--- a/roles/external-dns/defaults/main.yaml
+++ b/roles/external-dns/defaults/main.yaml
@@ -1,4 +1,6 @@
 external_dns_chart_ref: "bitnami/external-dns"
+external_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
+external_dns_tsigSecretAlg: "hmac-sha512"
 external_dns_default_values:
 fullnameOverride: "{{ external_dns_name | default(namespace + '-external-dns') }}"
 ingressClassFilters: ["{{ external_ingress_class }}"]
@@ -9,8 +11,8 @@ external_dns_default_values:
 port: 53
 zone: "{{ external_domain | default(domain) }}"
 tsigSecret: "{{ k8s_tsig }}"
- tsigSecretAlg: "{{ external_dns_tsigSecretAlg | default('hmac-sha512') }}"
- tsigKeyname: "{{ external_dns_tsigKeyname | default('k8s') }}"
+ tsigSecretAlg: "{{ external_dns_tsigSecretAlg }}"
+ tsigKeyname: "{{ external_dns_tsigKeyname }}"
 tsigAxfr: true
 ## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
 minTTL: "30s"
diff --git a/roles/internal-dns/defaults/main.yaml b/roles/internal-dns/defaults/main.yaml
index 21bb614..5326a36 100644
--- a/roles/internal-dns/defaults/main.yaml
+++ b/roles/internal-dns/defaults/main.yaml
@@ -1,4 +1,6 @@
 internal_dns_chart_ref: "bitnami/external-dns"
+internal_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
+internal_dns_tsigSecretAlg: "hmac-sha512"
 internal_dns_default_values:
 fullnameOverride: "{{ internal_dns_name | default(namespace + '-internal-dns') }}"
 ingressClassFilters: ["{{ internal_ingress_class }}"]
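Review bot: The key name `k8s-{{ k8s_cluster_name }}-{{ namespace }}` introduced as `external_dns_tsigKeyname` here is repeated verbatim as `internal_dns_tsigKeyname`, `local_dns_tsigKeyname` and `service_dns_tsigKeyname` in the other three role hunks and once more as the `key.id` in `knot_dns.yaml`; the five copies must stay byte-identical or Knot rejects the signed updates, and nothing in the change ties them together. Defining it once (e.g. a new `dns_tsig_keyname` in group_vars) and referencing it from each role default — `external_dns_tsigKeyname: "{{ dns_tsig_keyname }}"` — removes that drift risk, and the same applies to the four `…_tsigSecretAlg` copies. Note also that the roles previously defaulted to different names (`'k8s'` here, `namespace` in the other three) and now all render the same name for a given namespace; since the Knot sample defines a single `k8s-…-{{ namespace }}` key, that presumably only works when all four deployments share one namespace, which is worth confirming against the inventory. A one-line comment above the new defaults saying the value must match the Knot `key.id` would help the next maintainer.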
@@ -9,8 +11,8 @@ internal_dns_default_values:
 port: 53
 zone: "{{ internal_domain | default(domain) }}"
 tsigSecret: "{{ k8s_tsig }}"
- tsigSecretAlg: "{{ internal_dns_tsigSecretAlg | default('hmac-sha512') }}"
- tsigKeyname: "{{ internal_dns_tsigKeyname | default(namespace) }}"
+ tsigSecretAlg: "{{ internal_dns_tsigSecretAlg }}"
+ tsigKeyname: "{{ internal_dns_tsigKeyname }}"
 tsigAxfr: true
 ## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
 minTTL: "30s"
diff --git a/roles/local-dns/defaults/main.yaml b/roles/local-dns/defaults/main.yaml
index 2e72c2a..475afd4 100644
--- a/roles/local-dns/defaults/main.yaml
+++ b/roles/local-dns/defaults/main.yaml
@@ -1,4 +1,6 @@
 local_dns_chart_ref: "bitnami/external-dns"
+local_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
+local_dns_tsigSecretAlg: "hmac-sha512"
 local_dns_default_values:
 fullnameOverride: "{{ local_dns_name | default(namespace + '-local-dns') }}"
 ingressClassFilters: ["{{ local_ingress_class }}"]
@@ -9,8 +11,8 @@ local_dns_default_values:
 port: 53
 zone: "{{ local_domain }}"
 tsigSecret: "{{ k8s_tsig }}"
- tsigSecretAlg: "{{ local_dns_tsigSecretAlg | default('hmac-sha512') }}"
- tsigKeyname: "{{ local_dns_tsigKeyname | default(namespace) }}"
+ tsigSecretAlg: "{{ local_dns_tsigSecretAlg }}"
+ tsigKeyname: "{{ local_dns_tsigKeyname }}"
 tsigAxfr: true
 ## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
 minTTL: "30s"
diff --git a/roles/service-dns/defaults/main.yaml b/roles/service-dns/defaults/main.yaml
index efc262e..63a990c 100644
--- a/roles/service-dns/defaults/main.yaml
+++ b/roles/service-dns/defaults/main.yaml
@@ -1,4 +1,6 @@
 service_dns_chart_ref: "bitnami/external-dns"
+service_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
+service_dns_tsigSecretAlg: "hmac-sha512"
 service_dns_default_values:
 fullnameOverride: "{{ service_dns_name | default(namespace + '-service-dns') }}"
 domainFilters: ["{{ service_domain | default(domain) }}"]
@@ -9,8 +11,8 @@ service_dns_default_values:
 port: 53
 zone: "{{ service_domain | default(domain) }}"
 tsigSecret: "{{ k8s_tsig }}"
- tsigSecretAlg: "{{ service_dns_tsigSecretAlg | default('hmac-sha512') }}"
- tsigKeyname: "{{ service_dns_tsigKeyname | default(namespace) }}"
+ tsigSecretAlg: "{{ service_dns_tsigSecretAlg }}"
+ tsigKeyname: "{{ service_dns_tsigKeyname }}"
 tsigAxfr: true
 ## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
 minTTL: "30s"