fix dns integration via external-dns deployment

2025-05-23 13:05:08 +03:00 · 2025-05-23 13:05:08 +03:00 · f6e52e1f65
commit f6e52e1f65
parent 74ae2c4694
5 changed files with 19 additions and 37 deletions
--- a/inventory/ghp/sample/group_vars/knot_dns.yaml
+++ b/inventory/ghp/sample/group_vars/knot_dns.yaml
@ -12,20 +12,14 @@ knot_conf: |
      any: debug
  key:
-    - id: k8s
+    - id: k8s-{{ k8s_cluster_name }}-{{ namespace }}
      algorithm: hmac-sha512
      secret: {{ k8s_tsig }}
-    - id: vps
+    - id: ddclient-{{ k8s_cluster_name }}-{{ namespace }}
      algorithm: hmac-sha512
      secret: {{ ddclient_tsig }}
  remote:
  #  - id: slave
  #    address: 192.168.1.1@53
  #
  #  - id: master
  #    address: 192.168.2.1@53
  remote:
    - id: dns_server
      address: 127.0.0.1@53
@ -34,24 +28,15 @@ knot_conf: |
    - id: dns_zone_sbm
      parent: [dns_server]
  acl:
    - id: deny_all
      deny: on # no action specified and deny on implies denial of all actions
    - id: key_rule
-      key: [vps, k8s]                # Access based just on TSIG key
+      key: [k8s-{{ k8s_cluster_name }}-{{ namespace }},ddclient-{{ k8s_cluster_name }}-{{ namespace }}] # Access based just on TSIG key
      address: 192.168.0.0/16
      action: [transfer, notify, update]
  #  - id: acl_slave
  #    address: 192.168.1.1
  #    action: transfer
  #  - id: acl_master
  #    address: 192.168.2.1
  #    action: notify
  template:
    - id: default
      storage: "/var/lib/knot"
@ -73,14 +58,3 @@ knot_conf: |
      dnssec-signing: on
      dnssec-policy: rsa
      zonefile-load: difference
  #    # Master zone
  #  - domain: example.com
  #    notify: slave
  #    acl: acl_slave
  #    # Slave zone
  #  - domain: example.net
  #    master: master
  #    acl: acl_master
--- a/roles/external-dns/defaults/main.yaml
+++ b/roles/external-dns/defaults/main.yaml
@ -1,4 +1,6 @@
 external_dns_chart_ref: "bitnami/external-dns"
 external_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
 external_dns_tsigSecretAlg: "hmac-sha512"
 external_dns_default_values:
  fullnameOverride: "{{ external_dns_name | default(namespace + '-external-dns') }}"
  ingressClassFilters: ["{{ external_ingress_class }}"]
@ -9,8 +11,8 @@ external_dns_default_values:
    port: 53
    zone: "{{ external_domain | default(domain) }}"
    tsigSecret: "{{ k8s_tsig }}"
-    tsigSecretAlg: "{{ external_dns_tsigSecretAlg | default('hmac-sha512') }}"
+    tsigSecretAlg: "{{ external_dns_tsigSecretAlg }}"
-    tsigKeyname: "{{ external_dns_tsigKeyname | default('k8s') }}"
+    tsigKeyname: "{{ external_dns_tsigKeyname }}"
    tsigAxfr: true
    ## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
    minTTL: "30s"
--- a/roles/internal-dns/defaults/main.yaml
+++ b/roles/internal-dns/defaults/main.yaml
@ -1,4 +1,6 @@
 internal_dns_chart_ref: "bitnami/external-dns"
 internal_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
 internal_dns_tsigSecretAlg: "hmac-sha512"
 internal_dns_default_values:
  fullnameOverride: "{{ internal_dns_name | default(namespace + '-internal-dns') }}"
  ingressClassFilters: ["{{ internal_ingress_class }}"]
@ -9,8 +11,8 @@ internal_dns_default_values:
    port: 53
    zone: "{{ internal_domain | default(domain) }}"
    tsigSecret: "{{ k8s_tsig }}"
-    tsigSecretAlg: "{{ internal_dns_tsigSecretAlg | default('hmac-sha512') }}"
+    tsigSecretAlg: "{{ internal_dns_tsigSecretAlg }}"
-    tsigKeyname: "{{ internal_dns_tsigKeyname | default(namespace) }}"
+    tsigKeyname: "{{ internal_dns_tsigKeyname }}"
    tsigAxfr: true
    ## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
    minTTL: "30s"
--- a/roles/local-dns/defaults/main.yaml
+++ b/roles/local-dns/defaults/main.yaml
@ -1,4 +1,6 @@
 local_dns_chart_ref: "bitnami/external-dns"
 local_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
 local_dns_tsigSecretAlg: "hmac-sha512"
 local_dns_default_values:
  fullnameOverride: "{{ local_dns_name | default(namespace + '-local-dns') }}"
  ingressClassFilters: ["{{ local_ingress_class }}"]
@ -9,8 +11,8 @@ local_dns_default_values:
    port: 53
    zone: "{{ local_domain }}"
    tsigSecret: "{{ k8s_tsig }}"
-    tsigSecretAlg: "{{ local_dns_tsigSecretAlg | default('hmac-sha512') }}"
+    tsigSecretAlg: "{{ local_dns_tsigSecretAlg }}"
-    tsigKeyname: "{{ local_dns_tsigKeyname | default(namespace) }}"
+    tsigKeyname: "{{ local_dns_tsigKeyname }}"
    tsigAxfr: true
    ## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
    minTTL: "30s"
--- a/roles/service-dns/defaults/main.yaml
+++ b/roles/service-dns/defaults/main.yaml
@ -1,4 +1,6 @@
 service_dns_chart_ref: "bitnami/external-dns"
 service_dns_tsigKeyname: "k8s-{{ k8s_cluster_name }}-{{ namespace }}"
 service_dns_tsigSecretAlg: "hmac-sha512"
 service_dns_default_values:
  fullnameOverride: "{{ service_dns_name | default(namespace + '-service-dns') }}"
  domainFilters: ["{{ service_domain | default(domain) }}"]
@ -9,8 +11,8 @@ service_dns_default_values:
    port: 53
    zone: "{{ service_domain | default(domain) }}"
    tsigSecret: "{{ k8s_tsig }}"
-    tsigSecretAlg: "{{ service_dns_tsigSecretAlg | default('hmac-sha512') }}"
+    tsigSecretAlg: "{{ service_dns_tsigSecretAlg }}"
-    tsigKeyname: "{{ service_dns_tsigKeyname | default(namespace) }}"
+    tsigKeyname: "{{ service_dns_tsigKeyname }}"
    tsigAxfr: true
    ## Possible units [ns, us, ms, s, m, h], see more https://golang.org/pkg/time/#ParseDuration
    minTTL: "30s"