From 0fa178106a79d88bb42c4e4f125bc2fefd1413c0 Mon Sep 17 00:00:00 2001 From: Jim Barber Date: Thu, 28 Apr 2022 19:00:18 +0800 Subject: [PATCH] Add a nameservers parameter for cert-manager Provide a way to override the pod's list of DNS nameservers to use so that split-view DNS zones still work for things like DNS01 challenges. Without this the DNS TXT records are searched for in the private DNS zone instead of the public one and the challenge will never succeed. --- docs/addons.md | 16 ++++++++++++++++ k8s/crds/kops.k8s.io_clusters.yaml | 6 ++++++ pkg/apis/kops/componentconfig.go | 4 ++++ pkg/apis/kops/v1alpha2/componentconfig.go | 4 ++++ .../kops/v1alpha2/zz_generated.conversion.go | 2 ++ pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go | 5 +++++ pkg/apis/kops/v1alpha3/componentconfig.go | 4 ++++ .../kops/v1alpha3/zz_generated.conversion.go | 2 ++ pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go | 5 +++++ pkg/apis/kops/zz_generated.deepcopy.go | 5 +++++ .../addons/certmanager.io/k8s-1.16.yaml.template | 8 ++++++++ 11 files changed, 61 insertions(+) diff --git a/docs/addons.md b/docs/addons.md index c895b1c4f3..5fc8a9f6b2 100644 --- a/docs/addons.md +++ b/docs/addons.md @@ -92,6 +92,22 @@ spec: managed: false ``` +##### DNS nameserver configuration for cert-manager pod +{{ kops_feature_table(kops_added_default='1.23.3', k8s_min='1.16') }} + +Optional list of DNS nameserver IP addresses for the cert-manager pod to use. +This is useful if you have a public and private DNS zone for the same domain to ensure that cert-manager can access ingress, or DNS01 challenge TXT records at all times. + +You can set pod DNS nameserver configuration for cert-manager like so: +```yaml +spec: + certManager: + enabled: true + nameservers: + - 1.1.1.1 + - 8.8.8.8 +``` + Read more about cert-manager in the [official documentation](https://cert-manager.io/docs/) diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml index 60b61e15a9..53d01b9540 100644 
--- a/k8s/crds/kops.k8s.io_clusters.yaml +++ b/k8s/crds/kops.k8s.io_clusters.yaml @@ -289,6 +289,12 @@ spec: by kOps. The deployment of cert-manager is skipped if this is set to false. type: boolean + nameservers: + description: 'nameservers is a list of nameserver IP addresses + to use instead of the pod defaults. Default: none' + items: + type: string + type: array type: object channel: description: The Channel we are following diff --git a/pkg/apis/kops/componentconfig.go b/pkg/apis/kops/componentconfig.go index 5749ad7706..6882512f25 100644 --- a/pkg/apis/kops/componentconfig.go +++ b/pkg/apis/kops/componentconfig.go @@ -1050,6 +1050,10 @@ type CertManagerConfig struct { // defaultIssuer sets a default clusterIssuer // Default: none DefaultIssuer *string `json:"defaultIssuer,omitempty"` + + // nameservers is a list of nameserver IP addresses to use instead of the pod defaults. + // Default: none + Nameservers []string `json:"nameservers,omitempty"` } // AWSLoadBalancerControllerConfig determines the AWS LB controller configuration. diff --git a/pkg/apis/kops/v1alpha2/componentconfig.go b/pkg/apis/kops/v1alpha2/componentconfig.go index d7f5a36d69..5c020bda08 100644 --- a/pkg/apis/kops/v1alpha2/componentconfig.go +++ b/pkg/apis/kops/v1alpha2/componentconfig.go @@ -1076,6 +1076,10 @@ type CertManagerConfig struct { // defaultIssuer sets a default clusterIssuer // Default: none DefaultIssuer *string `json:"defaultIssuer,omitempty"` + + // nameservers is a list of nameserver IP addresses to use instead of the pod defaults. + // Default: none + Nameservers []string `json:"nameservers,omitempty"` } // AWSLoadBalancerControllerConfig determines the AWS LB controller configuration. diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go index 6e51dc434c..a779f6a7e9 100644 --- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go 
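Review bot: The new `Nameservers` field on `CertManagerConfig` in pkg/apis/kops/componentconfig.go has no accompanying validation, so a typo such as `1.1.1.1:53`, a hostname, or a fourth entry is accepted at `kops update cluster` time and only fails later when the rendered cert-manager Deployment is applied — Kubernetes rejects `dnsConfig.nameservers` entries that are not IP addresses and, as far as I recall, caps the list at three. The diff touches neither `pkg/apis/kops/validation` nor a test, so the check has to be added outside these hunks; something like `if len(c.Nameservers) > 3 { allErrs = append(allErrs, field.TooMany(fldPath.Child("nameservers"), len(c.Nameservers), 3)) }` plus a per-entry `net.ParseIP(ns) == nil` → `field.Invalid(fldPath.Child("nameservers").Index(i), ns, "must be an IP address")` mirrors the pod-level rule and surfaces the error where the operator can act on it. The enclosing struct continues outside the hunk.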
@@ -1882,6 +1882,7 @@ func autoConvert_v1alpha2_CertManagerConfig_To_kops_CertManagerConfig(in *CertMa out.Managed = in.Managed out.Image = in.Image out.DefaultIssuer = in.DefaultIssuer + out.Nameservers = in.Nameservers return nil } @@ -1895,6 +1896,7 @@ func autoConvert_kops_CertManagerConfig_To_v1alpha2_CertManagerConfig(in *kops.C out.Managed = in.Managed out.Image = in.Image out.DefaultIssuer = in.DefaultIssuer + out.Nameservers = in.Nameservers return nil } diff --git a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go index d983f068ad..f60d397cc0 100644 --- a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go +++ b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go @@ -519,6 +519,11 @@ func (in *CertManagerConfig) DeepCopyInto(out *CertManagerConfig) { *out = new(string) **out = **in } + if in.Nameservers != nil { + in, out := &in.Nameservers, &out.Nameservers + *out = make([]string, len(*in)) + copy(*out, *in) + } return } diff --git a/pkg/apis/kops/v1alpha3/componentconfig.go b/pkg/apis/kops/v1alpha3/componentconfig.go index badc72bba5..85e4998dda 100644 --- a/pkg/apis/kops/v1alpha3/componentconfig.go +++ b/pkg/apis/kops/v1alpha3/componentconfig.go @@ -1047,6 +1047,10 @@ type CertManagerConfig struct { // defaultIssuer sets a default clusterIssuer // Default: none DefaultIssuer *string `json:"defaultIssuer,omitempty"` + + // nameservers is a list of nameserver IP addresses to use instead of the pod defaults. + // Default: none + Nameservers []string `json:"nameservers,omitempty"` } // AWSLoadBalancerControllerConfig determines the AWS LB controller configuration. diff --git a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go index ddbe7d315b..273fe61e81 100644 --- a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go 
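Review bot: The doc comment on `Nameservers` in pkg/apis/kops/v1alpha3/componentconfig.go says the list is used "instead of the pod defaults" but does not say what that implies: the addon template sets `dnsPolicy: None`, so the cert-manager controller loses cluster DNS and its search domains entirely, not merely its upstream resolvers. Because this comment is what becomes the generated CRD description and the API reference, I would spell out both the consequence and the accepted values, e.g. `// nameservers is a list of nameserver IP addresses the cert-manager controller pod uses instead of cluster DNS (Kubernetes accepts at most three). Setting it disables in-cluster name resolution for that pod. Default: none`. The three-entry limit is Kubernetes' pod dnsConfig rule as I understand it, so it is worth confirming before committing it to the comment; the identical comment in the kops and v1alpha2 copies of the type lies outside this hunk.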
@@ -1908,6 +1908,7 @@ func autoConvert_v1alpha3_CertManagerConfig_To_kops_CertManagerConfig(in *CertMa out.Managed = in.Managed out.Image = in.Image out.DefaultIssuer = in.DefaultIssuer + out.Nameservers = in.Nameservers return nil } @@ -1921,6 +1922,7 @@ func autoConvert_kops_CertManagerConfig_To_v1alpha3_CertManagerConfig(in *kops.C out.Managed = in.Managed out.Image = in.Image out.DefaultIssuer = in.DefaultIssuer + out.Nameservers = in.Nameservers return nil } diff --git a/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go index d64f580b50..bbaaf308c0 100644 --- a/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go +++ b/pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go @@ -536,6 +536,11 @@ func (in *CertManagerConfig) DeepCopyInto(out *CertManagerConfig) { *out = new(string) **out = **in } + if in.Nameservers != nil { + in, out := &in.Nameservers, &out.Nameservers + *out = make([]string, len(*in)) + copy(*out, *in) + } return } diff --git a/pkg/apis/kops/zz_generated.deepcopy.go b/pkg/apis/kops/zz_generated.deepcopy.go index ced51ac76f..7caaf3d202 100644 --- a/pkg/apis/kops/zz_generated.deepcopy.go +++ b/pkg/apis/kops/zz_generated.deepcopy.go @@ -535,6 +535,11 @@ func (in *CertManagerConfig) DeepCopyInto(out *CertManagerConfig) { *out = new(string) **out = **in } + if in.Nameservers != nil { + in, out := &in.Nameservers, &out.Nameservers + *out = make([]string, len(*in)) + copy(*out, *in) + } return } diff --git a/upup/models/cloudup/resources/addons/certmanager.io/k8s-1.16.yaml.template b/upup/models/cloudup/resources/addons/certmanager.io/k8s-1.16.yaml.template index aec654afb6..c17b69cedf 100644 --- a/upup/models/cloudup/resources/addons/certmanager.io/k8s-1.16.yaml.template +++ b/upup/models/cloudup/resources/addons/certmanager.io/k8s-1.16.yaml.template 
@@ -5215,6 +5215,14 @@ spec: - matchExpressions: - key: node-role.kubernetes.io/master operator: Exists + {{ if .CertManager.Nameservers }} + dnsConfig: + nameservers: + {{ range $nameserver := .CertManager.Nameservers }} + - "{{ $nameserver }}" + {{ end }} + dnsPolicy: None + {{ end }} priorityClassName: system-cluster-critical serviceAccountName: cert-manager securityContext:
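Review bot: Setting `dnsPolicy: None` on the cert-manager Deployment replaces the pod's resolver configuration wholesale, so with this option enabled the controller can no longer resolve in-cluster names such as `*.svc.cluster.local` — that matters for issuers that point at an internal ACME server or a DNS01 webhook solver addressed by service name, and the docs added in this commit do not mention the trade-off. A narrower fix for the split-horizon problem is cert-manager's own `--dns01-recursive-nameservers=1.1.1.1:53,8.8.8.8:53` together with `--dns01-recursive-nameservers-only`, which redirects only the TXT propagation self-check and leaves cluster DNS intact; if the pod-wide override is kept, I would document that it disables in-cluster resolution for the controller and consider exposing the flags as well. The rendering also assumes each entry is a bare IP: `- "{{ $nameserver }}"` is only well-formed YAML when the value contains no `"` or newline, so API-level validation of the field (absent from this diff) is what stops one bad entry from breaking the entire addon manifest. The pod spec continues above and below the hunk, so the indentation of the inserted `dnsConfig`/`dnsPolicy` relative to `affinity` cannot be checked here.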