Added native CoreDNS system for recursive DNS
This provides recursive DNS out of the box for users, and upstream queries are
forwarded over DNS over TLS so that resolver traffic leaving the cloud is encrypted in transit.
Sem-Ver: feature
Change-Id: I3046fc1bf775afc86d60695d7ebe175799b9159f
diff --git a/playbooks/generate_workspace.yml b/playbooks/generate_workspace.yml
index 982078e..c072d94 100644
--- a/playbooks/generate_workspace.yml
+++ b/playbooks/generate_workspace.yml
@@ -277,9 +277,6 @@
gateway_ip: 10.96.250.10
allocation_pool_start: 10.96.250.200
allocation_pool_end: 10.96.250.220
- dns_nameservers:
- - 1.1.1.1
- - 1.0.0.1
enable_dhcp: true
- name: Write new Neutron configuration file to disk
diff --git a/playbooks/openstack.yml b/playbooks/openstack.yml
index 4736047..29b21c6 100644
--- a/playbooks/openstack.yml
+++ b/playbooks/openstack.yml
@@ -113,6 +113,10 @@
tags:
- openstack-helm-infra-libvirt
+ - role: coredns
+ tags:
+ - coredns
+
- role: openstack_helm_neutron
tags:
- openstack-helm-neutron
diff --git a/releasenotes/notes/add-coredns-forwarder-14bb2a1830cc57e6.yaml b/releasenotes/notes/add-coredns-forwarder-14bb2a1830cc57e6.yaml
new file mode 100644
index 0000000..2ba9d10
--- /dev/null
+++ b/releasenotes/notes/add-coredns-forwarder-14bb2a1830cc57e6.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - Added native deployment of CoreDNS dedicated for forwarding and caching DNS
+ requests for the cloud. By default, it's enabled to use DNS over TLS using
+ both CloudFlare and Google DNS.
diff --git a/roles/coredns/tasks/main.yml b/roles/coredns/tasks/main.yml
new file mode 100644
index 0000000..51a94be
--- /dev/null
+++ b/roles/coredns/tasks/main.yml
@@ -0,0 +1,89 @@
+# Copyright (c) 2022 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Deploy Helm chart
+ kubernetes.core.k8s:
+ state: present
+ definition:
+ - apiVersion: source.toolkit.fluxcd.io/v1beta2
+ kind: HelmRepository
+ metadata:
+ name: coredns
+ namespace: openstack
+ spec:
+ interval: 60s
+ url: https://coredns.github.io/helm
+
+ - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+ kind: HelmRelease
+ metadata:
+ name: neutron-coredns
+ namespace: openstack
+ spec:
+ interval: 60s
+ chart:
+ spec:
+ chart: coredns
+ version: 1.19.4
+ sourceRef:
+ kind: HelmRepository
+ name: coredns
+ values:
+ replicaCount: 3
+ service:
+ name: neutron-coredns
+ clusterIP: 10.96.0.20
+ isClusterService: false
+ servers:
+ - port: 53
+ zones:
+ - zone: .
+ plugins:
+ - name: errors
+ - name: ready
+ - name: health
+ configBlock: |-
+ lameduck 5s
+ - name: prometheus
+ parameters: 0.0.0.0:9153
+ - name: cache
+ - name: reload
+ - name: loadbalance
+ - name: forward
+ parameters: . 127.0.0.1:5301 127.0.0.1:5302
+ - port: 5301
+ zones:
+ - zone: .
+ plugins:
+ - name: forward
+ parameters: . tls://1.1.1.1 tls://1.0.0.1
+ configBlock: |-
+ tls_servername cloudflare-dns.com
+ health_check 5s
+ - port: 5302
+ zones:
+ - zone: .
+ plugins:
+ - name: forward
+ parameters: . tls://8.8.8.8 tls://8.8.4.4
+ configBlock: |-
+ tls_servername dns.google
+ health_check 5s
+ nodeSelector:
+ openstack-control-plane: enabled
+ customLabels:
+ application: neutron
+ component: coredns
+ deployment:
+ name: neutron-coredns
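Review bot: The upstream servers on ports 5301 and 5302 carry no `bind` plugin, so they listen on the pod's interfaces rather than only on the loopback that the front server's `forward . 127.0.0.1:5301 127.0.0.1:5302` targets; any client that can reach the pod IP can query them directly and bypass the `cache`/`loadbalance` stage on port 53. Adding `bind 127.0.0.1` to both of those server blocks keeps them pod-internal without changing the forwarding path. The `tls_servername` entries are what tie the DoT session to the provider's certificate hostname, so they deserve a comment such as `# tls_servername must match the upstream's certificate; change it together with the IPs`. The chart version is pinned, which is good; the hunk does not show whether 10.96.0.20 is reserved in the service CIDR, so confirm the static clusterIP is free.
```yaml
            - port: 5301
              # … unchanged: zones …
              plugins:
                - name: bind
                  parameters: 127.0.0.1
                # … unchanged: forward to tls://1.1.1.1 tls://1.0.0.1 …
            - port: 5302
              # … unchanged: zones …
              plugins:
                - name: bind
                  parameters: 127.0.0.1
                # … unchanged: forward to tls://8.8.8.8 tls://8.8.4.4 …
```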
diff --git a/roles/openstack_helm_neutron/vars/main.yml b/roles/openstack_helm_neutron/vars/main.yml
index 91e2e30..352f973 100644
--- a/roles/openstack_helm_neutron/vars/main.yml
+++ b/roles/openstack_helm_neutron/vars/main.yml
@@ -62,7 +62,7 @@
service_provider: VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
dhcp_agent:
DEFAULT:
- dnsmasq_dns_servers: 1.1.1.1
+ dnsmasq_dns_servers: 10.96.0.20
enable_isolated_metadata: true
l3_agent:
AGENT:
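Review bot: `dnsmasq_dns_servers: 10.96.0.20` repeats the `clusterIP: 10.96.0.20` hard-coded in the coredns role, with nothing tying the two together, so a later change to either one silently breaks tenant DNS. Factor the address into one shared variable (e.g. `coredns_cluster_ip: 10.96.0.20` in a group var or role default) and reference it from both places, `dnsmasq_dns_servers: "{{ coredns_cluster_ip }}"`. This line also presumes the DHCP agent namespaces can route to the Kubernetes service CIDR, which the hunk does not show; a short comment stating that assumption would help the next operator. The `dhcp_agent` mapping continues outside the hunk.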