2.1 KiB
2.1 KiB
Authoritative DNS for ungleich
- Zone are stored in git
Reload mechansim
Constraints
- If possible stay with the regular/upstream container
- Rebuilding causes a delay and extra work
Git cloning inside the pod
- It's easy to write a shell script that does git pull && checkzone && reload
- Needs ssh keys or token inside the pods
git clone https://nico:<TOKEN>@gitea.default.svc.c2.k8s.ooo/nico/ungleich-k8s.git
Flux/git repository
TL;DR
This approach does not work because of shortcomings of kubectl/kustomize.
The idea:
- Flux has native support for git pulling
- In theory, k8s has everything in place
- We could generate a configmap from the DNS files (and a configuration file!)
- We can checksum that configmap (helm feature or kustomize hashing)
- Triggers a new deployment
- We can add liveliness checks
Testing config:
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
name: dns-zones
namespace: default
spec:
interval: 1m
url: https://code.ungleich.ch/ungleich-intern/ungleich-dns-zones.git
secretRef:
name: https-credentials-dnszones
ref:
branch: master
---
apiVersion: v1
kind: Secret
metadata:
name: https-credentials-dnszones
namespace: default
type: Opaque
stringData:
username: nico
password: .....
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
metadata:
name: dns-zone-kustomization
namespace: default
spec:
interval: 1m
path: "./"
prune: true
sourceRef:
kind: GitRepository
name: dns-zones
Using:
kubectl apply -f gitrepo.yaml
This could do everything with the right kustomization.yaml inside the ungleich-dns-zones repository. However there is a problem:
- configmapgenerator cannot use a glob / wildcard
And we have a lot of different zones below the zones/ directory in
the ungleich-dns-zones repository.
This in theory very elegant approach only worked if there was an
intermediate kustomize edit add configmap configmapname --from-file='./zones/*' in between. However even that would not work,
as it includes dotfiles, as can be seen on