onedr0p · onedr0p · Jan 19, 2024 · Jan 19, 2024 · Jan 19, 2024
diff --git a/.github/tests/config-k0s.yaml b/.github/tests/config-k0s.yaml
@@ -21,6 +21,7 @@ bootstrap_kube_api_hostname: fake
 bootstrap_k8s_gateway_addr: 10.10.10.253
 bootstrap_external_ingress_addr: 10.10.10.252
 bootstrap_internal_ingress_addr: 10.10.10.251
+bootstrap_dns_server: 1.1.1.1
 bootstrap_cilium_loadbalancer_mode: dsr
 bootstrap_ipv6_enabled: false
 bootstrap_cluster_cidr: 10.42.0.0/16

diff --git a/.github/tests/config-k3s-ipv4.yaml b/.github/tests/config-k3s-ipv4.yaml
@@ -21,6 +21,7 @@ bootstrap_kube_api_hostname: fake
 bootstrap_k8s_gateway_addr: 10.10.10.253
 bootstrap_external_ingress_addr: 10.10.10.252
 bootstrap_internal_ingress_addr: 10.10.10.251
+bootstrap_dns_server: 1.1.1.1
 bootstrap_cilium_loadbalancer_mode: dsr
 bootstrap_ipv6_enabled: false
 bootstrap_cluster_cidr: 10.42.0.0/16

diff --git a/.github/tests/config-k3s-ipv6.yaml b/.github/tests/config-k3s-ipv6.yaml
@@ -22,6 +22,7 @@ bootstrap_k8s_gateway_addr: 10.10.10.253
 bootstrap_external_ingress_addr: 10.10.10.252
 bootstrap_internal_ingress_addr: 10.10.10.251
 bootstrap_cilium_loadbalancer_mode: dsr
+bootstrap_dns_server: 1.1.1.1
 bootstrap_ipv6_enabled: true
 bootstrap_cluster_cidr: 10.42.0.0/16,fd7f:8f5:e87c:a::/64
 bootstrap_service_cidr: 10.43.0.0/16,fd7f:8f5:e87c:e::/112

diff --git a/.github/tests/config-k3s-no-kube-vip.yaml b/.github/tests/config-k3s-no-kube-vip.yaml
@@ -21,6 +21,7 @@ bootstrap_kube_api_hostname: fake
 bootstrap_k8s_gateway_addr: 10.10.10.253
 bootstrap_external_ingress_addr: 10.10.10.252
 bootstrap_internal_ingress_addr: 10.10.10.251
+bootstrap_dns_server: 1.1.1.1
 bootstrap_cilium_loadbalancer_mode: dsr
 bootstrap_ipv6_enabled: false
 bootstrap_cluster_cidr: 10.42.0.0/16

diff --git a/.github/tests/config-talos.yaml b/.github/tests/config-talos.yaml
@@ -22,6 +22,7 @@ bootstrap_k8s_gateway_addr: 10.10.10.253
 bootstrap_external_ingress_addr: 10.10.10.252
 bootstrap_internal_ingress_addr: 10.10.10.251
 bootstrap_cilium_loadbalancer_mode: dsr
+bootstrap_dns_server: 1.1.1.1
 bootstrap_ipv6_enabled: false
 bootstrap_cluster_cidr: 10.42.0.0/16
 bootstrap_service_cidr: 10.43.0.0/16

diff --git a/bootstrap/tasks/validation/net.yaml b/bootstrap/tasks/validation/net.yaml
@@ -103,6 +103,12 @@
     success_msg: Kube API address {{ bootstrap_kube_api_addr }} is within {{ bootstrap_node_cidr }}.
     fail_msg: Kube API address {{ bootstrap_kube_api_addr }} is not within {{ bootstrap_node_cidr }}.
 
+- name: Check if DNS server is ipv4
+  ansible.builtin.assert:
+    that: bootstrap_dns_server is ansible.utils.ipv4
+    success_msg: DNS server {{ bootstrap_dns_server }} is valid.
+    fail_msg: DNS server {{ bootstrap_dns_server }} is invalid.
+
 - name: Check if all IP addresses are unique
   ansible.builtin.assert:
     that: >

diff --git a/bootstrap/tasks/validation/vars.yaml b/bootstrap/tasks/validation/vars.yaml
@@ -17,6 +17,7 @@
     - bootstrap_cloudflare_tunnel_secret
     - bootstrap_cluster_cidr
     - bootstrap_distribution
+    - bootstrap_dns_server
     - bootstrap_external_ingress_addr
     - bootstrap_flux_github_webhook_token
     - bootstrap_github_repository_branch

diff --git a/bootstrap/templates/ansible/playbooks/cluster-prepare.yaml.j2 b/bootstrap/templates/ansible/playbooks/cluster-prepare.yaml.j2
@@ -79,7 +79,7 @@
             dest: /etc/resolv.conf
             content: |
               search .
-              nameserver 1.1.1.1
+              nameserver #{ bootstrap_dns_server | default('1.1.1.1', true) }#
 
     - name: System Configuration
       notify: Reboot

diff --git a/bootstrap/templates/kubernetes/talos/talconfig.yaml.j2 b/bootstrap/templates/kubernetes/talos/talconfig.yaml.j2
@@ -123,7 +123,7 @@ controlPlane:
       machine:
         network:
           nameservers:
-            - 1.1.1.1
+            - "#{ bootstrap_dns_server | default('1.1.1.1', true) }#"
 
     # Configure NTP
     - &ntpPatch |-

diff --git a/bootstrap/vars/addons.sample.yaml b/bootstrap/vars/addons.sample.yaml
@@ -41,7 +41,7 @@ system_upgrade_controller:
   # WARNING: Only enable this if you also track the version of k3s in the
   # ansible configuration files. Running ansible against an already provisioned
   # cluster with this enabled might cause your cluster to be downgraded.
-  # Note: If bootstrap_distribution is set to k0s this will be ignored.
+  # Note: If bootstrap_distribution is set to k0s or talos this will be ignored.
   enabled: false
 
 # https://github.com/morphy2k/rss-forwarder

diff --git a/bootstrap/vars/config.sample.yaml b/bootstrap/vars/config.sample.yaml
@@ -55,6 +55,13 @@ bootstrap_external_ingress_addr:
 # The Load balancer IP for internal ingress, choose an available IP in your nodes network that is not being used
 bootstrap_internal_ingress_addr:
 
+# The DNS server to use for the cluster, this can be an existing local DNS server or a public one
+# If using a local DNS server make sure it meets the following requirements:
+#   1. your nodes can reach it
+#   2. it is configured to forward requests to a public DNS server
+#   3. you are not force redirecting DNS requests to it - this will break cert generation over DNS01
+bootstrap_dns_server: 1.1.1.1
+
 # (Advanced) Cilium load balancer mode, choose either 'dsr' or 'snat'
 # Due to unknown reasons some people need this set to 'snat' in order
 # for Cilium L2 announcements to work properly. Keep this dsr unless