sources for e1e0 website
git clone https://git.e1e0.net/e1e0.net.git
Log | Files | Refs

commit 3568728baca823b59d6c49a9dd43ea222ea215a9
parent 95ae9fdbed45b7fe56c6f095c0d9f45ba0b167c5
Author: Paco Esteban <paco@e1e0.net>
Date:   Fri,  5 Jun 2020 17:44:38 +0200

update "manage k8s from openbsd" article

we now have kubectl in ports

Asrc/easy-dns-zone-management-accross-providers.md | 142+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Msrc/manage-k8s-from-openbsd.md | 11++++++++---
2 files changed, 150 insertions(+), 3 deletions(-)

diff --git a/src/easy-dns-zone-management-accross-providers.md b/src/easy-dns-zone-management-accross-providers.md @@ -0,0 +1,142 @@ +# Easy DNS zone management across providers +2020-05-31 + +For personal projects and at work I have to manage some DNS zones. They are +not that many, but I would say that if they are more than 2 or 3, or if the +management interface is not _extremely_ easy and comfortable, a way to automate +this process as much as possible is really beneficial. + +There are many alternatives out there, like Github's [Octodns][1] or +StackExchange's [dnscontrol][2]. I personally use the latter. + +Using tools like these bring a couple of benefits. For one, you can have your +DNS zones under version control. Ok, you can do that too with BIND zone files. +But it's more difficult to do that if you use one of the _"cloud providers"_ as +I do at work. Another benefit is that you can wire this with your CI platform +of choice. Again, BIND zones are pretty good at this too. Rsync + reload and +you're set. This is the magic of *the Unix way*. Problem is that one cannot +always choose what one works with, but I digress. + +Dnscontrol is both a [DSL][3] and a cli tool that interprets that and takes the +appropriate actions to ensure that your zones are a reflection of what you have +on disk. Be that API calls to your fancy provider or interactions with +ISC-BIND to update the zones on the fly. + +It's written in Go, so good for your fancy container life and supports a fairly +comprehensive list of providers. + +It also has the ability to export your current zones to dnscontrol's DSL, so +migration is easy. + +And finally, it can be used to issue LetsEncrypt certificates. + +The main problem for me is that the configuration file is JavaScript (or +something pretty similar). Yes, I facepalmed too. + +But, a part from that, is really simple to use and pretty fast. + +I personally only tested it against `GANDI` and Amazon's `R53`, but I assume it +works the same way for other providers. There's a fairly good documentation on +their website. + +What I put here are some notes on a basic setup. The installation process can +take many paths depending on what you want. So take a look at their +documentation. There's a port for OpenBSD, so that's what I used. + +Create a folder that will contain all your zone info and credentials to access +your providers. Remember to ignore the credentials file in your version +control system of choice. + +The credentials file is called `creds.js` by default, but can be anything. +You'll have to pass some info to the cli if you do not use the default. It +looks like this: + +``` +{ + "gandi": { + "apikey": "super-secret-api-key" + }, + "r53": { + "KeyId": "super-secret-key-id", + "SecretKey": "super-secret-secret-key" + } +} +``` + +The main file, which describes your zones, it's called `dnsconfig.js` by +default and looks like this: + +``` +// Providers: + +var REG_NONE = NewRegistrar('none', 'NONE'); // No registrar. +var GANDI = NewDnsProvider("gandi", "GANDI_V5"); // Gandi. + +// Domains: + +D("example.com", REG_NONE, DnsProvider(GANDI), + A('@', '', TTL(86400)), + AAAA('@', '2000:abc:dead:beef::1', TTL(86400)), + CAA('@', 'issue', 'letsencrypt.org'), + MX('@', 10, 'mail01.example.com.'), + TXT('@', 'v=spf1 a mx ~all'), + SRV('_xmpp-client._tcp', 5, 0, 5222, 'example.com.', TTL(86400)), + SRV('_xmpp-server._tcp', 5, 0, 5269, 'example.com.', TTL(86400)), + A('main', '', TTL(86400)), + CNAME('foo', 'example.com.', TTL(600)), + CNAME('bar', 'main.example.com.', TTL(600)) +); +``` + +As you can see, first there's the provider definition. The `REG_NONE` line is +there to define an "empty registrar". I do this because my zones are already +registered with my providers, but you could create the zone and register it +automatically if all your config is correct. + +In fact, the only required parameters to the `D` function are the `fqdn` and +the registrar. + +Each domain has its `D` function that defines it. I usually organize it like +you see on the example. With the 1st line containing the `fqdn`, registrar and +dns provider, and then one line per DNS record. That makes a lot of sense for +visually clean diffs later on. But you can use whatever you want as long as +you respect the syntax. + +There's a complete description list of the DSL functions and modifiers at the +[language reference][4] section of their website. + +Once you have your zones defined, execute `dnscontrol preview`. I would +recommend to set the records as you have them if the zone already exists (more +on this later). In that case the output should be similar to this: + +``` +******************** Domain: example.com +----- Getting nameservers from: gandi +----- DNS Provider: gandi...0 corrections +----- Registrar: none...0 corrections +``` + +When you have changes it may look similar to this: + +``` +******************** Domain: example.com +----- Getting nameservers from: gandi +----- DNS Provider: gandi...2 corrections +#1: CREATE CNAME blah.example.com foo.duckdns.org. ttl=600 +#2: MODIFY CNAME bar.example.com: (main.example.com. ttl=600) -> (abc.duckdns.org. ttl=600) +----- Registrar: none...0 corrections +``` + +To actually apply the changes, execute `dnscontrol push` + +You can specify the location of the credentials file and the zones file using +`--creds file` and `--config file`. Check the command help for more +information. + +_Have any comments ? Send an email to the [comments address][999]._ + +[1]: https://github.com/github/octodns +[2]: https://stackexchange.github.io/dnscontrol/ +[3]: https://en.wikipedia.org/wiki/Domain-specific_language +[4]: https://stackexchange.github.io/dnscontrol/js +[999]: mailto:comments@e1e0.net?Subject=Easy%20DNS%20zone%20management%20across%20providers diff --git a/src/manage-k8s-from-openbsd.md b/src/manage-k8s-from-openbsd.md @@ -5,6 +5,9 @@ _This should work with OpenBSD `6.7`. I write this while the source tree is locked for release, so even if I use `-current` this is as close as `-current` gets to `-release`_ +_Update 2020-06-05: we now have [a port for kubectl][6]. So, at least in +`-current` things get a bit easier._ + ## Intro Some of us have to suffer the pain of the trendy tech and the buzzwords even @@ -72,9 +75,10 @@ Later on you can change projects with: ## kubectl -There's no port for `kubectl` (yet, if you want to step in, I promise to test -it, give feedback and maybe even commit it !), but it can be compiled and -installed manually. +There's no port for `kubectl` ~~(yet, if you want to step in, I promise to test +it, give feedback and maybe even commit it !),~~ on `6.7` but it can be compiled and +installed manually. We have [a port now on -current][6] thanks to +Karlis Mikelsons and _@kn_. I assume that you have a Go environment working. @@ -176,4 +180,5 @@ _Have any comments ? Send an email to the [comments address][999]._ [3]: https://github.com/bitnami-labs/sealed-secrets [4]: https://cloud.google.com/sdk/docs/quickstart-linux#initialize_the_sdk [5]: https://kustomize.io +[6]: https://marc.info/?l=openbsd-ports-cvs&m=159136413409093&w=2 [999]: mailto:comments@e1e0.net?Subject=Manage%20Kubernetes%20from%20OpenBSD