ungleich-k8s/apps/knotdns
2021-08-13 18:29:20 +02:00

Authoritative DNS for ungleich

  • DNS zones are stored in git repository
  • All zones are Bind/Knot compatible below zones/
  • Filenames starting with a dot should be ignored
    • Some zones are symlinks to these files, as those zones are identical

Reload mechanism constraints

  • If possible stay with the regular/upstream container
    • Rebuilding causes a delay and extra work
    • We want to base the work on the cznic/knot image
  • Need to generate config file from zones
    • Very easy to generate
    • However needs to include synthrecord directives
    • This step might also use kustomize edit?
  • "Double commits" are somewhat ugly
    • App 1 commits a zone file change
    • App 2 or the CI/CD pipeline modifies the configuration file and commits again
    • The pipeline needs to analyse what changed to prevent a loop of commits
      • git might already be smart enough and fail to commit again, as there is no change
      • Then we need to
  • Time to deploy should be low

Reload using CI/CD pipeline

Theoretical flow:

  • Git repository is pushed to CI/CD
  • We need to select a CI/CD system first
  • CI/CD "builds" on trigger "something"
    • A helm chart
    • A container
      • Jenkins would be suited for this
    • A configmap
      • This overlaps 80% with flux/kustomize

Reload using helm / configmap

Theoretical flow:

  • git push triggers creating a new helm chart
    • Might need a CI pipeline in between
    • Might be Jenkins/Buildbot/etc.
  • helm chart is uploaded to a (local) chartmuseum
  • flux updates itself to the latest chart using semver constraints
  • Might be easy to include a webhook

Reload using git cloning inside the pod

  • It's easy to write a shell script that does git pull && checkzone && reload
  • Needs ssh keys or a token inside the pods
    • Could be injected via env
  • Could use a git-hook to reload knot, if the zone files are working
  • Needs git inside the container
  • Additional files could be injected via configmap
  • No direct webhook trigger support
    • Might have a webhook pod that triggers reload in one or the other way

Sample git

```sh
git clone https://nico:<TOKEN>@gitea.default.svc.c2.k8s.ooo/nico/ungleich-k8s.git
```

Sketch shell script:

```sh
#!/bin/sh
```

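A filled-in version of the sketch, added here as an example and not the repository's own script: it implements the `git pull && checkzone && reload` idea above and also covers the "generate config file from zones" constraint (dotfiles skipped, synthrecord module referenced per zone). It assumes the repository is cloned inside the pod, that zone files are named after their apex, and that a `mod-synthrecord` block with id `default` exists elsewhere in knot.conf.

```sh
#!/bin/sh
# Added example, not the repository's own script. Assumptions: the repo is
# cloned inside the pod, zone files are named after their apex (zones/example.com),
# and the mod-synthrecord "default" block is defined elsewhere in knot.conf.
set -eu

# Print zone names found in directory $1, skipping dotfiles: those are only
# the symlink targets shared by several zones and must not become zones.
list_zones() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue          # follows symlinks, skips subdirs
        name=$(basename "$f")
        case "$name" in .*) continue ;; esac
        printf '%s\n' "$name"
    done
}

# Emit the Knot "zone:" section for every zone in $1, pointing at the zone
# files under $2 (the path as seen from inside the knot container).
generate_config() {
    printf 'zone:\n'
    list_zones "$1" | while read -r zone; do
        printf '  - domain: %s\n' "$zone"
        printf '    file: %s/%s\n' "$2" "$zone"
        printf '    module: mod-synthrecord/default\n'
    done
}

# Validate every zone with kzonecheck; a non-zero status aborts the reload so
# that a broken zone file cannot take the authoritative server down.
check_zones() {
    list_zones "$1" | while read -r zone; do
        kzonecheck -o "$zone" "$1/$zone"
    done
}

# git pull && checkzone && reload, with the config regenerated in between.
reload_knot() {
    repo=$1
    conf=${2:-/config/knot.conf}
    git -C "$repo" pull --ff-only
    generate_config "$repo/zones" "$repo/zones" > "$conf.new"
    check_zones "$repo/zones"
    mv "$conf.new" "$conf"
    knotc reload
}
```

Run as `reload_knot /srv/ungleich-dns-zones /config/knot.conf` from a git hook or a cron-style loop inside the pod; the token used for the clone still has to be injected via env or a secret.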
### Reload using Flux/git repository

**TL;DR**

This approach does not work because of shortcomings of
kubectl/kustomize.

The idea:

* Flux has native support for git pulling
* In theory, k8s has everything in place
* We could generate a configmap from the DNS files (and a
  configuration file!)
* We can checksum that configmap (helm feature or kustomize hashing)
* Triggers a new deployment
* We can add liveness checks


Testing config:

```yaml
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
  name: dns-zones
  namespace: default
spec:
  interval: 1m
  url: https://code.ungleich.ch/ungleich-intern/ungleich-dns-zones.git
  secretRef:
    name: https-credentials-dnszones
  ref:
    branch: master
```

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: https-credentials-dnszones
  namespace: default
type: Opaque
stringData:
  username: nico
  password: .....
```

```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
metadata:
  name: dns-zone-kustomization
  namespace: default
spec:
  interval: 1m
  path: "./"
  prune: true
  sourceRef:
    kind: GitRepository
    name: dns-zones
```


Using:

```sh
kubectl apply -f gitrepo.yaml
```


**This could do everything** with the right kustomization.yaml inside
the ungleich-dns-zones repository. However there is a problem:

- `configMapGenerator` cannot use a glob / wildcard

And we have a lot of different zones below the `zones/` directory in
the ungleich-dns-zones repository.

This approach, elegant in theory, would only work with an intermediate
`kustomize edit add configmap configmapname
--from-file='./zones/*'` step in between. However, even that would not work,
as the glob includes dotfiles, as can be seen in

https://github.com/kubernetes-sigs/kustomize/issues/4108