fix(external-dns): exclude internal records from Cloudflare, add opt-in filter, set targets
- external-dns-cloudflare: add excludeDomains: [local.mk-labs.cloud] to stop internal subdomain records from leaking to Cloudflare - external-dns-cloudflare: replace hostname annotationFilter with opt-in model (external-dns.alpha.kubernetes.io/public=true) so only explicitly tagged services get public Cloudflare records - external-dns-cloudflare: add extraArgs --target=lb.mk-labs.cloud - external-dns (Technitium/rfc2136): add extraArgs --target=lightning-lane.local.mk-labs.cloud for internal records - couchdb: add external-dns.alpha.kubernetes.io/public: 'true' annotation — first service to opt in to public DNS; will create communicore.mk-labs.cloud pointing to lb.mk-labs.cloud via Cloudflare ExternalDNS URGENT: Cloudflare was creating records for local.mk-labs.cloud hosts. Ryan: manually delete any *.local.mk-labs.cloud records currently in Cloudflare (look for communicore.local.mk-labs.cloud and any other local.* entries).
This commit is contained in:
@@ -61,6 +61,8 @@ ingress:
|
|||||||
cert-manager.io/cluster-issuer: "letsencrypt-prod"
|
cert-manager.io/cluster-issuer: "letsencrypt-prod"
|
||||||
external-dns.alpha.kubernetes.io/hostname: "communicore.local.mk-labs.cloud"
|
external-dns.alpha.kubernetes.io/hostname: "communicore.local.mk-labs.cloud"
|
||||||
external-dns.alpha.kubernetes.io/target: "10.1.71.80"
|
external-dns.alpha.kubernetes.io/target: "10.1.71.80"
|
||||||
|
# Opt in to public Cloudflare DNS — creates communicore.mk-labs.cloud -> lb.mk-labs.cloud
|
||||||
|
external-dns.alpha.kubernetes.io/public: "true"
|
||||||
hosts:
|
hosts:
|
||||||
- communicore.local.mk-labs.cloud
|
- communicore.local.mk-labs.cloud
|
||||||
- communicore.mk-labs.cloud
|
- communicore.mk-labs.cloud
|
||||||
|
|||||||
@@ -23,14 +23,24 @@ env:
|
|||||||
domainFilters:
|
domainFilters:
|
||||||
- mk-labs.cloud
|
- mk-labs.cloud
|
||||||
|
|
||||||
|
# Explicitly exclude internal subdomain — prevents local.mk-labs.cloud from
|
||||||
|
# leaking into Cloudflare (domainFilters matches subdomains by default)
|
||||||
|
excludeDomains:
|
||||||
|
- local.mk-labs.cloud
|
||||||
|
|
||||||
# Sources: ingress and services
|
# Sources: ingress and services
|
||||||
sources:
|
sources:
|
||||||
- ingress
|
- ingress
|
||||||
- service
|
- service
|
||||||
|
|
||||||
# Annotation to opt resources into public DNS management.
|
# Opt-in model: only process resources explicitly annotated for public DNS.
|
||||||
# Use: external-dns.alpha.kubernetes.io/hostname: myservice.mk-labs.cloud
|
# Add annotation external-dns.alpha.kubernetes.io/public: "true" to any
|
||||||
annotationFilter: "external-dns.alpha.kubernetes.io/hostname"
|
# ingress/service that should get a public Cloudflare record.
|
||||||
|
annotationFilter: "external-dns.alpha.kubernetes.io/public=true"
|
||||||
|
|
||||||
|
# Override the target for all Cloudflare-managed records to the public LB CNAME.
|
||||||
|
extraArgs:
|
||||||
|
- --target=lb.mk-labs.cloud
|
||||||
|
|
||||||
# Log level
|
# Log level
|
||||||
logLevel: info
|
logLevel: info
|
||||||
|
|||||||
@@ -45,6 +45,10 @@ sources:
|
|||||||
# external-dns.alpha.kubernetes.io/hostname: myservice.local.mk-labs.cloud
|
# external-dns.alpha.kubernetes.io/hostname: myservice.local.mk-labs.cloud
|
||||||
annotationFilter: "external-dns.alpha.kubernetes.io/hostname"
|
annotationFilter: "external-dns.alpha.kubernetes.io/hostname"
|
||||||
|
|
||||||
|
# Override the target for all Technitium-managed records to the internal LB hostname.
|
||||||
|
extraArgs:
|
||||||
|
- --target=lightning-lane.local.mk-labs.cloud
|
||||||
|
|
||||||
# Log level — info in normal ops, debug when troubleshooting
|
# Log level — info in normal ops, debug when troubleshooting
|
||||||
logLevel: info
|
logLevel: info
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user