infra/stacks/nodelocal-dns/main.tf

[dns] NodeLocal DNSCache — deploy DaemonSet to all nodes (WS C)

Adds per-node DNS cache that transparently intercepts pod queries on 10.96.0.10 (kube-dns ClusterIP) AND 169.254.20.10 (link-local) via hostNetwork + NET_ADMIN iptables NOTRACK rules. Pods keep using their existing /etc/resolv.conf (nameserver 10.96.0.10) unchanged — no kubelet rollout needed for transparent mode.

Layout mirrors existing stacks (technitium, descheduler, kured):
  stacks/nodelocal-dns/main.tf    # module wiring + IP params
  modules/nodelocal-dns/main.tf   # SA, Services, ConfigMap, DS

Key decisions:
- Image: registry.k8s.io/dns/k8s-dns-node-cache:1.23.1
- Co-listens on 169.254.20.10 + 10.96.0.10 (transparent interception)
- Upstream path: kube-dns-upstream (new headless svc) → CoreDNS pods (separate ClusterIP avoids cache looping back through itself)
- viktorbarzin.lan zone forwards directly to Technitium ClusterIP (10.96.0.53), bypassing CoreDNS for internal names
- priorityClassName: system-node-critical
- tolerations: operator=Exists (runs on master + all tainted nodes)
- No CPU limit (cluster-wide policy); mem requests=32Mi, limit=128Mi
- Kyverno dns_config drift suppressed on the DaemonSet
- Kubelet clusterDNS NOT changed — transparent mode is sufficient; rolling 5 nodes just to switch to 169.254.20.10 has no additional benefit and expands blast radius for no reason.

Verified:
- DaemonSet 5/5 Ready across k8s-master + 4 workers
- dig @169.254.20.10 idrac.viktorbarzin.lan -> 192.168.1.4
- dig @169.254.20.10 github.com -> 140.82.121.3
- Deleted all 3 CoreDNS pods; cached queries still resolved via NodeLocal DNSCache (resilience confirmed)

Docs: architecture/dns.md — adds NodeLocal DNSCache to Components table, graph diagram, stacks table; rewrites pod DNS resolution paths to show the cache layer; adds troubleshooting entry.

Closes: code-2k6
2026-04-19 15:46:41 +00:00
module "nodelocal_dns" {
  source = "./modules/nodelocal-dns"

  # Canonical link-local IP from upstream NodeLocal DNSCache docs.
  link_local_ip = "169.254.20.10"

  # kube-dns ClusterIP — co-listened so transparent interception works
  # without mutating kubelet clusterDNS on every node.
  kube_dns_ip = "10.96.0.10"

  # Technitium ClusterIP — upstream for .viktorbarzin.lan.
  technitium_ip = "10.96.0.53"

  image = "registry.k8s.io/dns/k8s-dns-node-cache:1.23.1"
  tier  = local.tiers.core
}
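The "Verified" steps from the commit message, turned into a repeatable check script. This is an added example, not code from this repository; it assumes the DaemonSet is named node-local-dns in kube-system (the page does not state the name), and reuses the IPs and hostnames given above. The comparison helpers are pure functions so they can be exercised without a cluster; the live kubectl/dig checks run only with the `run` argument.

```shell
#!/bin/sh
# Assumed names (hypothetical): DaemonSet node-local-dns in kube-system.
NS=kube-system
DS=node-local-dns
LINK_LOCAL=169.254.20.10   # link-local listener from the commit message
KUBE_DNS=10.96.0.10        # kube-dns ClusterIP, co-listened in transparent mode

# ds_ready "<desired> <ready>": true only when every scheduled pod is Ready.
ds_ready() {
  set -- $1
  [ "${1:-0}" -gt 0 ] && [ "$1" -eq "${2:-0}" ]
}

# resolves_to "<dig +short output>" "<expected ip>": exact-line, literal match.
resolves_to() {
  printf '%s\n' "$1" | grep -qxF "$2"
}

# answers_match "<out a>" "<out b>": both non-empty and the same record set,
# order-insensitive, so the two listeners are shown to agree.
answers_match() {
  [ -n "$1" ] && [ -n "$2" ] &&
    [ "$(printf '%s\n' "$1" | sort)" = "$(printf '%s\n' "$2" | sort)" ]
}

# Live checks against the cluster; invoked as: sh verify-nodelocal-dns.sh run
main() {
  status=$(kubectl -n "$NS" get ds "$DS" \
    -o jsonpath='{.status.desiredNumberScheduled} {.status.numberReady}')
  ds_ready "$status" || { echo "DaemonSet not fully ready: $status"; return 1; }

  # Internal zone: answered through the cache's direct forward to Technitium.
  a=$(dig +short @"$LINK_LOCAL" idrac.viktorbarzin.lan)
  resolves_to "$a" 192.168.1.4 || { echo "idrac answer wrong: $a"; return 1; }

  # Transparent interception: the ClusterIP listener must match link-local.
  b=$(dig +short @"$KUBE_DNS" github.com)
  c=$(dig +short @"$LINK_LOCAL" github.com)
  answers_match "$b" "$c" || { echo "listeners disagree: [$b] vs [$c]"; return 1; }
  echo "NodeLocal DNSCache checks passed"
}

if [ "${1:-}" = run ]; then main; fi
```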