d63a8c05d9
Some checks are pending
Vendor-coupling guardrail / Vendor-coupling guardrail (push) Waiting to run
Cluster bootstrap-kit drift guardrail / Detect bootstrap-kit drift (push) Waiting to run
Phase-8a preflight C — Cilium Gateway HTTPRoute admission / Preflight Cilium HTTPRoute admission (push) Waiting to run
Test — Bootstrap Kit (kind cluster + Flux) / dependency-graph-audit (push) Waiting to run
Test — Bootstrap Kit (kind cluster + Flux) / pin-sync-audit (push) Waiting to run
Test — Bootstrap Kit (kind cluster + Flux) / manifest-validation (push) Blocked by required conditions
Test — Bootstrap Kit (kind cluster + Flux) / kind-reconciliation (push) Blocked by required conditions
95 lines
3.2 KiB
YAML
95 lines
3.2 KiB
YAML
# bp-external-dns — Catalyst Blueprint #12 of 13. Per-Sovereign DNS sync —
|
|
# ExternalDNS reconciles Service/Ingress hostnames into the per-Sovereign
|
|
# PowerDNS authoritative server via the native `pdns` provider. Geo +
|
|
# health-checked failover responses are owned by PowerDNS lua-records,
|
|
# NOT by ExternalDNS.
|
|
#
|
|
# Wrapper chart: platform/external-dns/chart/
|
|
#
|
|
# dependsOn:
|
|
# - bp-cert-manager — ExternalDNS HelmRelease only after TLS issuers
|
|
# are reconciled, so any cert-manager-fronted webhook endpoints in
|
|
# downstream overlays come up cleanly.
|
|
# - bp-powerdns — native `pdns` provider points at the in-cluster
|
|
# bp-powerdns Service and reads the `powerdns-api-credentials` Secret
|
|
# it renders. Without bp-powerdns the ExternalDNS pod CrashLoops
|
|
# trying to dial a non-existent DNS API.
|
|
# - bp-reflector — Reflector mirrors the `powerdns-api-credentials`
|
|
# Secret from the `powerdns` namespace to `external-dns` automatically
|
|
# (issue #544). bp-reflector must be running before bp-external-dns
|
|
# installs so the reflected Secret is present when the pod starts.
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: external-dns
|
|
labels:
|
|
catalyst.openova.io/sovereign: ${SOVEREIGN_FQDN}
|
|
---
|
|
apiVersion: source.toolkit.fluxcd.io/v1beta2
|
|
kind: HelmRepository
|
|
metadata:
|
|
name: bp-external-dns
|
|
namespace: flux-system
|
|
spec:
|
|
type: oci
|
|
interval: 15m
|
|
url: oci://registry.t22.omantel.biz/openova-io
|
|
secretRef:
|
|
name: ghcr-pull
|
|
---
|
|
apiVersion: helm.toolkit.fluxcd.io/v2
|
|
kind: HelmRelease
|
|
metadata:
|
|
name: bp-external-dns
|
|
namespace: flux-system
|
|
labels:
|
|
catalyst.openova.io/slot: "12"
|
|
spec:
|
|
interval: 15m
|
|
releaseName: external-dns
|
|
targetNamespace: external-dns
|
|
dependsOn:
|
|
- name: bp-cert-manager
|
|
- name: bp-powerdns
|
|
- name: bp-reflector
|
|
chart:
|
|
spec:
|
|
chart: bp-external-dns
|
|
# 1.1.7: companion CiliumNetworkPolicy with toEntities[kube-apiserver]
|
|
# so external-dns can reach the kube-apiserver on Cilium clusters
|
|
# (default policy-cidr-match-mode=""). Fixes #770 — the vanilla
|
|
# NetworkPolicy 0.0.0.0/0 ipBlock does NOT match apiserver traffic
|
|
# under Cilium's identity model.
|
|
version: 1.1.7
|
|
sourceRef:
|
|
kind: HelmRepository
|
|
name: bp-external-dns
|
|
namespace: flux-system
|
|
# Event-driven install: ExternalDNS pod readiness depends on a
|
|
# successful initial reconcile against the per-Sovereign PowerDNS API
|
|
# (which itself stabilises after pdns-pg CNPG bootstraps) — legitimate
|
|
# slow-Ready cascade. Helm install completes when manifests apply.
|
|
# Replaces PR #221 spec.timeout: 15m.
|
|
install:
|
|
timeout: 15m
|
|
disableWait: true
|
|
remediation:
|
|
retries: 3
|
|
upgrade:
|
|
timeout: 15m
|
|
disableWait: true
|
|
remediation:
|
|
retries: 3
|
|
# Per-Sovereign overrides — txtOwnerId MUST be the Sovereign FQDN so two
|
|
# Sovereigns sharing a parent zone don't fight over the same record set.
|
|
# domainFilters narrow the zones ExternalDNS will manage; per-Sovereign
|
|
# cluster overlays patch this with the actual zone list.
|
|
values:
|
|
external-dns:
|
|
txtOwnerId: ${SOVEREIGN_FQDN}
|
|
txtPrefix: _externaldns.
|
|
domainFilters:
|
|
- ${SOVEREIGN_FQDN}
|