diff --git a/apps/knotdns/README.md b/apps/knotdns/README.md new file mode 100644 index 0000000..6b89ed0 --- /dev/null +++ b/apps/knotdns/README.md 
@@ -0,0 +1,165 @@ +## Authoritative DNS for ungleich + +* DNS zones are stored in git repository +* All zones are Bind/Knot compatible below zones/ +* Filenames starting with a dot should be ignored + * They are symlinked by some zones, as zones are the same + +## Reload mechansim constraints + +* If possible stay with the regular/upstream container + * Rebuilding causes a delay and extra work + * We want to base the work on czniz/knot image +* Need to generate config file from zones + * Very easy to generate + * However needs to include synthrecord directives + * This step *might* also use kustomize edit? +* "Double commits" are somewhat ugly + * App 1 commits a zone file change + * App 2 / CI/CD modifies the configuration file - commits again + * The pipeline needs to analyse *what* changed to prevent a circle + of commits + * git might be smart enough already and failing to commit again, + as there is no change + * Then we need to +* Time to deploy should be low + * Seconds, not minutes + * Rebuilding containers seems to be excessive + * Flux might need to get triggered instead of relying only on + periodic updates + * Might be possible with flux using + https://fluxcd.io/docs/components/notification/ + * Might require https://github.com/fluxcd/notification-controller/issues/230 + +## Reload using CI/CD pipeline + +Theorethical flow: + +* Git repository is pushed to CI/CD +* We need to select a CI/CD system first + * Ongoing work in https://redmine.ungleich.ch/issues/9565 + * Might be bit overkill "just for DNS" + * Might be usable for other workflows, too +* CI/CD "builds" on trigger "something" + * A helm chart + * A container + * Jenkins would be suited for this + * A configmap + * This overlaps 80% of flux/kustomize + + +## Reload using helm / configmap + +Theorethical flow: + +* git push triggers creating a new helm chart + * Might need a CI pipeline in between + * Might be Jenkins/Buildbot/etc. 
+* helm chart is uploaded to a (local) chartmuseum +* flux updates itself to the latest chart using semversion constraints +* Might be easy to include a webhook + +## Reload using git cloning inside the pod + +* It's easy to write a shell script that does git pull && checkzone && + reload +* Needs ssh keys or token inside the pods + * Could be injected via env +* Could use a *git-hook* to reload knot, if the zone files are working +* Needs git inside the container +* additional files could be injected via configmap +* No direct webhook for trigger support + * Might have a webhook pod that triggers reload in one or the other way + +Sample git +``` +git clone https://nico:@gitea.default.svc.c2.k8s.ooo/nico/ungleich-k8s.git +``` + +Sketch shell script: + + +``` +#!/bin/sh + + + + +### Relooad using Flux/git repository + +**TL;DR** + +This approach does not work because of shortcomings of +kubectl/kustomize. + +The idea: + +* Flux has native support for git pulling +* In theory, k8s has everything in place +* We could generate a configmap from the DNS files (and a + configuration file!) +* We can checksum that configmap (helm feature or kustomize hashing) +* Triggers a new deployment +* We can add liveliness checks + + +Testing config: + +``` +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: GitRepository +metadata: + name: dns-zones + namespace: default +spec: + interval: 1m + url: https://code.ungleich.ch/ungleich-intern/ungleich-dns-zones.git + secretRef: + name: https-credentials-dnszones + ref: + branch: master +--- +apiVersion: v1 +kind: Secret +metadata: + name: https-credentials-dnszones + namespace: default +type: Opaque +stringData: + username: nico + password: ..... 
+--- +apiVersion: kustomize.toolkit.fluxcd.io/v1beta1 +kind: Kustomization +metadata: + name: dns-zone-kustomization + namespace: default +spec: + interval: 1m + path: "./" + prune: true + sourceRef: + kind: GitRepository + name: dns-zones +``` + +Using: + +``` +kubectl apply -f gitrepo.yaml +``` + +**This could do everything** with the right kustomization.yaml inside +the ungleich-dns-zones repository. However there is a problem: + +- configmapgenerator cannot use a glob / wildcard + +And we have a lot of different zones below the `zones/` directory in +the ungleich-dns-zones repository. + +This in theory very elegant approach only worked if there was an +intermediate `kustomize edit add configmap configmapname +--from-file='./zones/*'` in between. However even that would not work, +as it includes dotfiles, as can be seen on + +https://github.com/kubernetes-sigs/kustomize/issues/4108
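Review bot: the Flux "Testing config" in this hunk embeds a Secret manifest (`name: https-credentials-dnszones` with `stringData: username: nico` / `password: .....`) and a `git clone https://nico:@gitea.default.svc...` URL with credentials inline; even with the password elided, a README committed to git is the wrong place for a Secret manifest, and the credential is a personal user login rather than a read-only token scoped to the zones repository. Suggest keeping only a placeholder that says the Secret is created out of band (or stored encrypted, e.g. SOPS, which the Flux kustomize-controller can decrypt via `spec.decryption`), and using a deploy token with read-only access. Related: under "Reload using git cloning inside the pod" the bullet "Needs ssh keys or token inside the pods / Could be injected via env" should prefer a Secret mounted as a file volume, since environment variables are inherited by every child process (the git hook, anything knot spawns) and tend to surface in crash reports and debug output. Documentation problems in the same hunk: the "Sketch shell script" fence opened before `#!/bin/sh` is never closed, so everything from `### Relooad using Flux/git repository` onward renders as a code block; `Relooad`, `Theorethical`, `mechansim`, `semversion` and `liveliness checks` (liveness probes) are typos; `czniz/knot` is likely a typo for the upstream `cznic/knot` image; and the "Double commits" item ends with the unfinished line `* Then we need to`.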