Add CoreDNS configuration and update setup script; remove split-horizon config

2025-05-05 09:41:47 -07:00
parent 9faa0eccf4
commit 8898976651
4 changed files with 53 additions and 87 deletions
--- a/infrastructure_setup/coredns/README.md
+++ b/infrastructure_setup/coredns/README.md
@@ -0,0 +1,18 @@
+# CoreDNS
+
+- https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
+- https://github.com/kubernetes/dns/blob/master/docs/specification.md
+- https://coredns.io/
+
+CoreDNS has the `kubernetes` plugin, so it returns all k8s service endpoints in well-known format.
+
+All services and pods are registered in CoreDNS.
+
+- <service-name>.<namespace>.svc.cluster.local
+- <service-name>.<namespace>
+- <service-name> (if in the same namespace)
+
+- <pod-ipv4-address>.<namespace>.pod.cluster.local
+- <pod-ipv4-address>.<service-name>.<namespace>.svc.cluster.local
+
+Anything wuery for a resource in the `internal.$DOMAIN` domain will be given the IP of the Traefik proxy. We expose the CoreDNS server in the LAN via MetalLB just for this capability.
--- a/infrastructure_setup/coredns/coredns-config.yaml
+++ b/infrastructure_setup/coredns/coredns-config.yaml
@@ -5,44 +5,39 @@ metadata:
  namespace: kube-system
 data:
  Corefile: |
-    .:53 {
-        errors
-        health
-        ready
-        kubernetes cluster.local in-addr.arpa ip6.arpa {
-          pods insecure
-          fallthrough in-addr.arpa ip6.arpa
-        }
-        hosts {
-          192.168.8.218 box-01
-          192.168.8.222 civil
-          192.168.8.240 traefik.${DOMAIN}
-          192.168.8.241 dns.internal.${DOMAIN}
-          
-          # Test records
-          192.168.8.240 test.${DOMAIN}
-          192.168.8.240 example-app.${DOMAIN}
-          192.168.8.240 civilsociety.${DOMAIN}
-          192.168.8.241 test.internal.${DOMAIN}
-          192.168.8.240 example-admin.internal.${DOMAIN}
-          192.168.8.240 dashboard.internal.${DOMAIN}
-          192.168.8.240 kubernetes-dashboard.internal.${DOMAIN}
-          
-          ttl 60
-          reload 15s
-          fallthrough
-        }
-        prometheus :9153
-        forward . 8.8.8.8 8.8.4.4 {
-          max_concurrent 1000
-        }
-        cache 30
-        loop
-        reload
-        loadbalance
-        import /etc/coredns/custom/*.override
+    # LAN DNS. All internal domains should resolve to the proxy.
+    internal.cloud.payne.io:53 {
+      errors
+      cache 30
+      reload
+      template IN A {
+        match (.*)\.internal\.cloud\.payne\.io\.
+        answer "{{ .Name }} 60 IN A 192.168.8.240"
+      }
    }
-    import /etc/coredns/custom/*.server
+
+    # In-cloud DNS
+    .:53 {
+      health
+      errors
+      cache 30
+      reload
+      loop
+      ready
+      loadbalance
+      kubernetes cluster.local in-addr.arpa ip6.arpa {
+          fallthrough in-addr.arpa ip6.arpa
+      }
+      hosts /etc/coredns/NodeHosts {
+          fallthrough
+      }
+      forward . 1.1.1.1 8.8.8.8 {
+        max_concurrent 1000
+      }
+    }
+
  NodeHosts: |
-    # This field needs to remain for compatibility, even if empty
-    # Host entries are now in the Corefile hosts section
+    192.168.8.218 box-01
+    192.168.8.222 civil
+
+    # 192.168.8.240 dashboard.internal.${DOMAIN}
--- a/infrastructure_setup/coredns/split-horizon.yaml
+++ b/infrastructure_setup/coredns/split-horizon.yaml
@@ -1,41 +0,0 @@
---
-# Split-horizon DNS configuration for CoreDNS
-# This allows different DNS responses for internal vs external domains
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: coredns-custom
-  namespace: kube-system
-data:
-  internal-zones.server: |
-    # Internal zone configuration for *.internal.${DOMAIN}
-    internal.${DOMAIN} {
-      errors
-      log
-      hosts {
-        192.168.8.240 example-admin.internal.${DOMAIN}
-        192.168.8.240 dashboard.internal.${DOMAIN}
-        192.168.8.241 test.internal.${DOMAIN}
-        fallthrough
-      }
-      cache 30
-      # Use kubernetes service discovery for internal services
-      kubernetes cluster.local {
-        pods insecure
-        fallthrough in-addr.arpa ip6.arpa
-      }
-      # Forward to Google DNS if not found locally
-      forward . 8.8.8.8 8.8.4.4
-    }
-  
-  external-zones.server: |
-    # External zone configuration for *.${DOMAIN}
-    ${DOMAIN} {
-      errors
-      log
-      cache 30
-      # For external services, forward to Cloudflare for correct public resolution
-      forward . 1.1.1.1 8.8.8.8 {
-        max_concurrent 1000
-      }
-    }
--- a/infrastructure_setup/setup-coredns.sh
+++ b/infrastructure_setup/setup-coredns.sh
@@ -16,14 +16,8 @@ echo "Current directory: $(pwd)"

 # Apply the custom config for the k3s-provided CoreDNS
 echo "Applying CoreDNS configuration..."
-echo "Looking for file: ${SCRIPT_DIR}/coredns/coredns-config.yaml"
-# Simply use envsubst for variable expansion and apply
 cat "${SCRIPT_DIR}/coredns/coredns-config.yaml" | envsubst | kubectl apply -f -

-# Apply the split-horizon configuration
-echo "Applying split-horizon DNS configuration..."
-cat "${SCRIPT_DIR}/coredns/split-horizon.yaml" | envsubst | kubectl apply -f -
-
 # Apply the LoadBalancer service for external access to CoreDNS
 echo "Applying CoreDNS service configuration..."
 cat "${SCRIPT_DIR}/coredns/coredns-service.yaml" | envsubst | kubectl apply -f -