ungleich-k8s

History

Nico Schottelius 9ef1e8e4b3 [dns] add test zone to check sync time		2021-08-13 18:29:20 +02:00
..
templates	knotdns: minus line break	2021-08-13 18:23:20 +02:00
zones	[dns] add test zone to check sync time	2021-08-13 18:29:20 +02:00
.helmignore	Add working knot variant + various other stuff	2021-07-18 00:16:35 +02:00
Chart.yaml	knot: quote to make 3->3.0	2021-07-21 14:09:48 +02:00
README.md	++knotdns readme	2021-08-08 13:33:53 +02:00
values.yaml	Add working knot variant + various other stuff	2021-07-18 00:16:35 +02:00

README.md

Authoritative DNS for ungleich

DNS zones are stored in git repository
All zones are Bind/Knot compatible below zones/
Filenames starting with a dot should be ignored
- They are symlinked by some zones, as zones are the same

Reload mechansim constraints

If possible stay with the regular/upstream container
- Rebuilding causes a delay and extra work
- We want to base the work on czniz/knot image
Need to generate config file from zones
- Very easy to generate
- However needs to include synthrecord directives
- This step might also use kustomize edit?
"Double commits" are somewhat ugly
- App 1 commits a zone file change
- App 2 / CI/CD modifies the configuration file - commits again
- The pipeline needs to analyse what changed to prevent a circle of commits
  - git might be smart enough already and failing to commit again, as there is no change
  - Then we need to
Time to deploy should be low
- Seconds, not minutes
- Rebuilding containers seems to be excessive
- Flux might need to get triggered instead of relying only on periodic updates
  - Might be possible with flux using https://fluxcd.io/docs/components/notification/
    - Might require https://github.com/fluxcd/notification-controller/issues/230

Reload using CI/CD pipeline

Theorethical flow:

Git repository is pushed to CI/CD
We need to select a CI/CD system first
- Ongoing work in https://redmine.ungleich.ch/issues/9565
- Might be bit overkill "just for DNS"
- Might be usable for other workflows, too
CI/CD "builds" on trigger "something"
- A helm chart
- A container
  - Jenkins would be suited for this
- A configmap
  - This overlaps 80% of flux/kustomize

Reload using helm / configmap

Theorethical flow:

git push triggers creating a new helm chart
- Might need a CI pipeline in between
- Might be Jenkins/Buildbot/etc.
helm chart is uploaded to a (local) chartmuseum
flux updates itself to the latest chart using semversion constraints
Might be easy to include a webhook

Reload using git cloning inside the pod

It's easy to write a shell script that does git pull && checkzone && reload
Needs ssh keys or token inside the pods
- Could be injected via env
Could use a git-hook to reload knot, if the zone files are working
Needs git inside the container
additional files could be injected via configmap
No direct webhook for trigger support
- Might have a webhook pod that triggers reload in one or the other way

Sample git

git clone https://nico:<TOKEN>@gitea.default.svc.c2.k8s.ooo/nico/ungleich-k8s.git

Sketch shell script:

#!/bin/sh




### Relooad using Flux/git repository

**TL;DR**

This approach does not work because of shortcomings of
kubectl/kustomize.

The idea:

* Flux has native support for git pulling
* In theory, k8s has everything in place
* We could generate a configmap from the DNS files (and a
  configuration file!)
* We can checksum that configmap (helm feature or kustomize hashing)
* Triggers a new deployment
* We can add liveliness checks


Testing config:

apiVersion: source.toolkit.fluxcd.io/v1beta1 kind: GitRepository metadata: name: dns-zones namespace: default spec: interval: 1m url: https://code.ungleich.ch/ungleich-intern/ungleich-dns-zones.git secretRef: name: https-credentials-dnszones ref: branch: master

apiVersion: v1 kind: Secret metadata: name: https-credentials-dnszones namespace: default type: Opaque stringData: username: nico password: .....

apiVersion: kustomize.toolkit.fluxcd.io/v1beta1 kind: Kustomization metadata: name: dns-zone-kustomization namespace: default spec: interval: 1m path: "./" prune: true sourceRef: kind: GitRepository name: dns-zones


Using:

kubectl apply -f gitrepo.yaml


**This could do everything** with the right kustomization.yaml inside
the ungleich-dns-zones repository. However there is a problem:

- configmapgenerator cannot use a glob / wildcard

And we have a lot of different zones below the `zones/` directory in
the ungleich-dns-zones repository.

This in theory very elegant approach only worked if there was an
intermediate `kustomize edit add configmap configmapname
--from-file='./zones/*'` in between. However even that would not work,
as it includes dotfiles, as can be seen on

https://github.com/kubernetes-sigs/kustomize/issues/4108