Ingress only mode provides incorrect apex #57

Open
jpiper opened this issue Oct 28, 2021 · 7 comments

@jpiper

jpiper commented Oct 28, 2021

In ingress-only mode, the apex record cannot be self-referential as

e.g.

k8s_gateway subdomain.example.com {
    resources Ingress
    apex exdns-1-k8s-gateway.kube-system
    secondary exdns-2-k8s-gateway.kube-system
}

exdns-1-k8s-gateway.kube-system.subdomain.example.com won't be a valid record on this NS as this NS is only serving ingress resources.

can I suggest that we make it possible to fully override the apex/secondary values by putting a domain with a . at the end...

k8s_gateway subdomain.example.com {
    resources Ingress
    apex ns1.something.example.com.
    secondary ns2.something.example.com.
}

and then A records can be created that actually point to this ingress-only deployment?

@networkop
Collaborator

I think this should already be possible.
Will this work https://github.com/ori-edge/k8s_gateway/blob/master/charts/k8s-gateway/values.yaml#L20-L23 ?

@jpiper
Author

jpiper commented Oct 28, 2021

the subdomain gets appended, e.g.

k8s_gateway subdomain.example.com {
    resources Ingress
    apex ns1.example.com.
}

just returns ns1.example.com.subdomain.example.com

@networkop
Collaborator

ah right, I see, you want it to honour the final dot and not append a subdomain in that case, yeah?

@networkop
Collaborator

but then where would you create an A record for ns1.something.example.com? DNS server must be aware of this record and be able to resolve it, e.g. dig ns1.something.example.com @ns1.something.example.com should return a valid response.
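The two points raised above (honouring a trailing dot, and the server needing an address record for its own NS name) can be checked before deploying a config. This is an added example, not part of the thread and not k8s_gateway's code; the function names and the `served` set (names the server can answer A queries for) are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// fqdn lower-cases s and guarantees exactly one trailing dot.
func fqdn(s string) string { return strings.ToLower(strings.TrimSuffix(s, ".")) + "." }

// qualify honours a trailing dot: an absolute name is returned as is,
// a relative name gets the zone appended.
func qualify(name, zone string) string {
	if strings.HasSuffix(name, ".") {
		return fqdn(name)
	}
	return fqdn(name + "." + fqdn(zone))
}

// inZone reports whether name is the zone apex or lies below it.
func inZone(name, zone string) bool {
	n, z := fqdn(name), fqdn(zone)
	return n == z || strings.HasSuffix(n, "."+z)
}

// checkNS classifies an apex/secondary value. served is an assumed input:
// the names this server answers A queries for (Ingress hosts, static hosts).
func checkNS(value, zone string, served map[string]bool) (target, status string) {
	target = qualify(value, zone)
	switch {
	case !inZone(target, zone):
		return target, "out-of-zone" // address must be published by the owning zone
	case served[target]:
		return target, "ok" // in-zone and resolvable on this server
	default:
		return target, "unresolvable" // in-zone NS target with no A record here
	}
}

func main() {
	zone := "subdomain.example.com"
	served := map[string]bool{"app.subdomain.example.com.": true} // constructed sample
	for _, v := range []string{"exdns-1-k8s-gateway.kube-system", "ns1.something.example.com."} {
		t, s := checkNS(v, zone, served)
		fmt.Printf("%-55s %s\n", t, s)
	}
}
```

An `unresolvable` result corresponds to the ingress-only case reported in this issue; `out-of-zone` means the A record has to exist in whichever zone owns that name.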

@jpiper
Author

jpiper commented Nov 1, 2021

In the end I've just manually added some stuff to my corefile which seems to get the job done

hosts domain.example.com {
  ttl 600
  # respond for our own NS1
  <IP_ADDRESS> ns1.domain.example.com
  # We need to hardcode this as the plugin is only watching ingress resources here, otherwise
  # the server won't return a valid A record for its own apex
  <IP_ADDRESS> gateway-dns.kube-system.domain.example.com
  fallthrough
}
# Respond to NS correctly
template IN NS {
  rcode NOERROR
  answer "domain.example.com. 600 IN NS ns1.domain.example.com."
  additional "ns1.domain.example.com. 600 IN A <IP_ADDRESS>"
}

@networkop
Collaborator

this is neat! I like solutions that don't involve any code changes.
What is your use case for this? Do you just not want to expose LB services or is it something more complicated?

@jpiper
Author

jpiper commented Nov 2, 2021

In this case, I just wanted to have a separate zone for loadbalancer and ingress resources, e.g. X.lb.example.com and X.ing.example.com
