fix(dns): Swap out bitnami helm chart for direct configuration

contexts/_template/blueprint.jsonnet

@@ -155,39 +155,39 @@ local concat(arrays) = std.foldl(function(x, y) x + y, arrays, []);
                 [
                   "nginx",
                   if vmDriver == "docker-desktop" then "nginx/nodeport" else null,
-                  // "nginx/coredns",
+                  "nginx/coredns",
                   "nginx/flux-webhook",
                   "nginx/web",
                 ]
               ),
           dependsOn: ["pki-resources"],
           cleanup: ["loadbalancers", "ingresses"],
         },
-        // {
-        //   name: "dns",
-        //   path: "dns",
-        //   components:
-        //     if provider == "aws" then [
-        //       "external-dns",
-        //       "external-dns/route53",
-        //     ]
-        //     else if vmDriver == "docker-desktop" then [
-        //       "coredns",
-        //       "coredns/etcd",
-        //       "external-dns",
-        //       "external-dns/localhost",
-        //       "external-dns/coredns",
-        //       "external-dns/ingress",
-        //     ]
-        //     else [
-        //       "coredns",
-        //       "coredns/etcd",
-        //       "external-dns",
-        //       "external-dns/coredns",
-        //       "external-dns/ingress",
-        //     ],
-        //   dependsOn: if provider == "aws" then [] else ["pki-base"],
-        // },
+        {
+          name: "dns",
+          path: "dns",
+          components:
+            if provider == "aws" then [
+              "external-dns",
+              "external-dns/route53",
+            ]
+            else if vmDriver == "docker-desktop" then [
+              "coredns",
+              "coredns/etcd",
+              "external-dns",
+              "external-dns/localhost",
+              "external-dns/coredns",
+              "external-dns/ingress",
+            ]
+            else [
+              "coredns",
+              "coredns/etcd",
+              "external-dns",
+              "external-dns/coredns",
+              "external-dns/ingress",
+            ],
+          dependsOn: if provider == "aws" then [] else ["pki-base"],
+        },
         {
           name: "gitops",
           path: "gitops/flux",

kustomize/dns/coredns/etcd/certificates.yaml

@@ -9,12 +9,12 @@ spec:
   issuerRef:
     name: private
     kind: ClusterIssuer
-  commonName: etcd-peer-coredns
+  commonName: etcd-peer
   dnsNames:
-    - "etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
-    - "*.etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
-    - "etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
-    - "*.etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "*.etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "etcd-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "*.etcd-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
   usages:
     - digital signature
     - key encipherment
@@ -31,12 +31,12 @@ spec:
   issuerRef:
     name: private
     kind: ClusterIssuer
-  commonName: etcd-coredns
+  commonName: etcd
   dnsNames:
-    - "etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
-    - "*.etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
-    - "etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
-    - "*.etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "*.etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "etcd-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "*.etcd-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
   usages:
     - server auth
     - client auth
@@ -51,6 +51,6 @@ spec:
   issuerRef:
     name: private
     kind: ClusterIssuer
-  commonName: etcd-coredns
+  commonName: etcd-client
   usages:
     - client auth

kustomize/dns/coredns/etcd/kustomization.yaml

@@ -1,15 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 resources:
+  - statefulset.yaml
+  - service.yaml
   - certificates.yaml
-  - helm-repository.yaml
-  - helm-release.yaml
+  - rbac.yaml
+  - network-policy.yaml
 patches:
-  - path: patches/patch.yaml
-    target:
-      group: helm.toolkit.fluxcd.io
-      version: v2
-      kind: HelmRelease
-      name: coredns
-      namespace: system-dns
   - path: patches/helm-release.yaml

kustomize/dns/coredns/etcd/network-policy.yaml

@@ -0,0 +1,54 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: etcd
+  namespace: system-dns
+spec:
+  podSelector:
+    matchLabels:
+      app: etcd
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  # Allow etcd peer communication
+  - from:
+    - podSelector:
+        matchLabels:
+          app: etcd
+    ports:
+    - protocol: TCP
+      port: 2380
+  # Allow client connections from CoreDNS
+  - from:
+    - podSelector:
+        matchLabels:
+          app: coredns
+    ports:
+    - protocol: TCP
+      port: 2379
+  egress:
+  # Allow DNS resolution
+  - to: []
+    ports:
+    - protocol: UDP
+      port: 53
+    - protocol: TCP
+      port: 53
+  # Allow etcd peer communication
+  - to:
+    - podSelector:
+        matchLabels:
+          app: etcd
+    ports:
+    - protocol: TCP
+      port: 2380
+  # Allow client connections to other etcd instances
+  - to:
+    - podSelector:
+        matchLabels:
+          app: etcd
+    ports:
+    - protocol: TCP
+      port: 2379

kustomize/dns/coredns/etcd/patches/helm-release.yaml

@@ -6,27 +6,36 @@ metadata:
   namespace: system-dns
 spec:
   values:
+    extraVolumes:
+      - name: etcd-client-tls
+        secret:
+          secretName: etcd-client-tls
+    extraVolumeMounts:
+      - name: etcd-client-tls
+        mountPath: /etc/etcd/tls
+        readOnly: true
     servers:
       - zones:
           - zone: .
         port: 53
         plugins:
-          - name: log
-            parameters: stdout
           - name: errors
           - name: health
             configBlock: |-
               lameduck 5s
-          - name: ready
           - name: etcd
             configBlock: |
               path /skydns
-              endpoint etcd-coredns.system-dns.svc.cluster.local:2379
-              tls /etc/coredns/tls/tls.crt /etc/coredns/tls/tls.key /etc/coredns/tls/ca.crt
+              endpoint etcd.system-dns.svc.cluster.local:2379
+              tls /etc/etcd/tls/tls.crt /etc/etcd/tls/tls.key /etc/etcd/tls/ca.crt
               fallthrough
           - name: forward
             parameters: . 1.1.1.1 8.8.8.8
-          - name: loop
-          - name: reload
+          - name: ready
           - name: prometheus
             parameters: 0.0.0.0:9153
+          - name: cache
+            parameters: 30
+          - name: loop
+          - name: reload
+          - name: loadbalance

kustomize/dns/coredns/etcd/rbac.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: etcd
+  namespace: system-dns
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: etcd
+  namespace: system-dns
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: etcd
+  namespace: system-dns
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: etcd
+subjects:
+- kind: ServiceAccount
+  name: etcd
+  namespace: system-dns