ungleich-k8s/apps/knotdns/README.md

## Authoritative DNS for ungleich

* DNS zones are stored in git repository
* All zones are Bind/Knot compatible below zones/
* Filenames starting with a dot should be ignored
  * They are symlinked by some zones, as zones are the same

## Reload mechansim constraints

* If possible stay with the regular/upstream container
  * Rebuilding causes a delay and extra work
  * We want to base the work on czniz/knot image
* Need to generate config file from zones
  * Very easy to generate
  * However needs to include synthrecord directives
  * This step *might* also use kustomize edit?
* "Double commits" are somewhat ugly
  * App 1 commits a zone file change
  * App 2 / CI/CD modifies the configuration file - commits again
  * The pipeline needs to analyse *what* changed to prevent a circle
    of commits
    * git might be smart enough already and failing to commit again,
      as there is no change
    * Then we need to
* Time to deploy should be low
  * Seconds, not minutes
  * Rebuilding containers seems to be excessive
  * Flux might need to get triggered instead of relying only on
    periodic updates
    * Might be possible with flux using
      https://fluxcd.io/docs/components/notification/
      * Might require https://github.com/fluxcd/notification-controller/issues/230

## Reload using CI/CD pipeline

Theorethical flow:

* Git repository is pushed to CI/CD
* We need to select a CI/CD system first
  * Ongoing work in https://redmine.ungleich.ch/issues/9565
  * Might be bit overkill "just for DNS"
  * Might be usable for other workflows, too
* CI/CD "builds" on trigger "something"
  * A helm chart
  * A container
    * Jenkins would be suited for this
  * A configmap
    * This overlaps 80% of flux/kustomize


## Reload using helm / configmap

Theorethical flow:

* git push triggers creating a new helm chart
  * Might need a CI pipeline in between
  * Might be Jenkins/Buildbot/etc.
* helm chart is uploaded to a (local) chartmuseum
* flux updates itself to the latest chart using semversion constraints
* Might be easy to include a webhook

## Reload using git cloning inside the pod

* It's easy to write a shell script that does git pull && checkzone &&
  reload
* Needs ssh keys or token inside the pods
  * Could be injected via env
* Could use a *git-hook* to reload knot, if the zone files are working
* Needs git inside the container
* additional files could be injected via configmap
* No direct webhook for trigger support
  * Might have a webhook pod that triggers reload in one or the other way

Sample git
```
git clone https://nico:<TOKEN>@gitea.default.svc.c2.k8s.ooo/nico/ungleich-k8s.git
```

Sketch shell script:


```
#!/bin/sh


### Relooad using Flux/git repository

**TL;DR**

This approach does not work because of shortcomings of
kubectl/kustomize.

The idea:

* Flux has native support for git pulling
* In theory, k8s has everything in place
* We could generate a configmap from the DNS files (and a
  configuration file!)
* We can checksum that configmap (helm feature or kustomize hashing)
* Triggers a new deployment
* We can add liveliness checks


Testing config:

```
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
  name: dns-zones
  namespace: default
spec:
  interval: 1m
  url: https://code.ungleich.ch/ungleich-intern/ungleich-dns-zones.git
  secretRef:
    name: https-credentials-dnszones
  ref:
    branch: master
---
apiVersion: v1
kind: Secret
metadata:
  name: https-credentials-dnszones
  namespace: default
type: Opaque
stringData:
  username: nico
  password: .....
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
metadata:
  name: dns-zone-kustomization
  namespace: default
spec:
  interval: 1m
  path: "./"
  prune: true
  sourceRef:
    kind: GitRepository
    name: dns-zones
```

Using:

```
kubectl apply -f gitrepo.yaml
```

**This could do everything** with the right kustomization.yaml inside
the ungleich-dns-zones repository. However there is a problem:

- configmapgenerator cannot use a glob / wildcard

And we have a lot of different zones below the `zones/` directory in
the ungleich-dns-zones repository.

This in theory very elegant approach only worked if there was an
intermediate `kustomize edit add configmap configmapname
--from-file='./zones/*'` in between. However even that would not work,
as it includes dotfiles, as can be seen on

https://github.com/kubernetes-sigs/kustomize/issues/4108
[knot] describe flow that does not work directly 2021-08-08 10:55:08 +00:00			`## Authoritative DNS for ungleich`

++knotdns readme 2021-08-08 11:33:53 +00:00			`* DNS zones are stored in git repository`
			`* All zones are Bind/Knot compatible below zones/`
			`* Filenames starting with a dot should be ignored`
			`* They are symlinked by some zones, as zones are the same`
[knot] describe flow that does not work directly 2021-08-08 10:55:08 +00:00
++knotdns readme 2021-08-08 11:33:53 +00:00			`## Reload mechansim constraints`
[knot] describe flow that does not work directly 2021-08-08 10:55:08 +00:00
			`* If possible stay with the regular/upstream container`
			`* Rebuilding causes a delay and extra work`
++knotdns readme 2021-08-08 11:33:53 +00:00			`* We want to base the work on czniz/knot image`
			`* Need to generate config file from zones`
			`* Very easy to generate`
			`* However needs to include synthrecord directives`
			`* This step might also use kustomize edit?`
			`* "Double commits" are somewhat ugly`
			`* App 1 commits a zone file change`
			`* App 2 / CI/CD modifies the configuration file - commits again`
			`* The pipeline needs to analyse what changed to prevent a circle`
			`of commits`
			`* git might be smart enough already and failing to commit again,`
			`as there is no change`
			`* Then we need to`
			`* Time to deploy should be low`
			`* Seconds, not minutes`
			`* Rebuilding containers seems to be excessive`
			`* Flux might need to get triggered instead of relying only on`
			`periodic updates`
			`* Might be possible with flux using`
			`https://fluxcd.io/docs/components/notification/`
			`* Might require https://github.com/fluxcd/notification-controller/issues/230`

			`## Reload using CI/CD pipeline`

			`Theorethical flow:`

			`* Git repository is pushed to CI/CD`
			`* We need to select a CI/CD system first`
			`* Ongoing work in https://redmine.ungleich.ch/issues/9565`
			`* Might be bit overkill "just for DNS"`
			`* Might be usable for other workflows, too`
			`* CI/CD "builds" on trigger "something"`
			`* A helm chart`
			`* A container`
			`* Jenkins would be suited for this`
			`* A configmap`
			`* This overlaps 80% of flux/kustomize`


			`## Reload using helm / configmap`

			`Theorethical flow:`

			`* git push triggers creating a new helm chart`
			`* Might need a CI pipeline in between`
			`* Might be Jenkins/Buildbot/etc.`
			`* helm chart is uploaded to a (local) chartmuseum`
			`* flux updates itself to the latest chart using semversion constraints`
			`* Might be easy to include a webhook`

			`## Reload using git cloning inside the pod`
[knot] describe flow that does not work directly 2021-08-08 10:55:08 +00:00
			`* It's easy to write a shell script that does git pull && checkzone &&`
			`reload`
			`* Needs ssh keys or token inside the pods`
++knotdns readme 2021-08-08 11:33:53 +00:00			`* Could be injected via env`
			`* Could use a git-hook to reload knot, if the zone files are working`
			`* Needs git inside the container`
			`* additional files could be injected via configmap`
			`* No direct webhook for trigger support`
			`* Might have a webhook pod that triggers reload in one or the other way`

			`Sample git`
[knot] describe flow that does not work directly 2021-08-08 10:55:08 +00:00			```
			`git clone https://nico:<TOKEN>@gitea.default.svc.c2.k8s.ooo/nico/ungleich-k8s.git`
			```

++knotdns readme 2021-08-08 11:33:53 +00:00			`Sketch shell script:`


			```
			`#!/bin/sh`




			`### Relooad using Flux/git repository`
[knot] describe flow that does not work directly 2021-08-08 10:55:08 +00:00
			`TL;DR`

			`This approach does not work because of shortcomings of`
			`kubectl/kustomize.`

			`The idea:`

			`* Flux has native support for git pulling`
			`* In theory, k8s has everything in place`
			`* We could generate a configmap from the DNS files (and a`
			`configuration file!)`
			`* We can checksum that configmap (helm feature or kustomize hashing)`
			`* Triggers a new deployment`
			`* We can add liveliness checks`


			`Testing config:`

			```
			`apiVersion: source.toolkit.fluxcd.io/v1beta1`
			`kind: GitRepository`
			`metadata:`
			`name: dns-zones`
			`namespace: default`
			`spec:`
			`interval: 1m`
			`url: https://code.ungleich.ch/ungleich-intern/ungleich-dns-zones.git`
			`secretRef:`
			`name: https-credentials-dnszones`
			`ref:`
			`branch: master`
			`---`
			`apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`name: https-credentials-dnszones`
			`namespace: default`
			`type: Opaque`
			`stringData:`
			`username: nico`
			`password: .....`
			`---`
			`apiVersion: kustomize.toolkit.fluxcd.io/v1beta1`
			`kind: Kustomization`
			`metadata:`
			`name: dns-zone-kustomization`
			`namespace: default`
			`spec:`
			`interval: 1m`
			`path: "./"`
			`prune: true`
			`sourceRef:`
			`kind: GitRepository`
			`name: dns-zones`
			```

			`Using:`

			```
			`kubectl apply -f gitrepo.yaml`
			```

			`This could do everything with the right kustomization.yaml inside`
			`the ungleich-dns-zones repository. However there is a problem:`

			`- configmapgenerator cannot use a glob / wildcard`

			And we have a lot of different zones below the `zones/` directory in
			`the ungleich-dns-zones repository.`

			`This in theory very elegant approach only worked if there was an`
			intermediate `kustomize edit add configmap configmapname
			--from-file='./zones/*'` in between. However even that would not work,
			`as it includes dotfiles, as can be seen on`

			`https://github.com/kubernetes-sigs/kustomize/issues/4108`