viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

coredns: pods get internal split-horizon answers for viktorbarzin.me [ci skip]

Browse source 
Forward the viktorbarzin.me:53 pod block to the Technitium ClusterIP
(10.96.0.53, same as the .lan block) instead of 8.8.8.8/1.1.1.1. Pods
become ordinary internal clients (CNAME -> apex -> live Traefik LB;
mail -> 10.0.20.1), fixing the 27 non-proxied [External] uptime-kuma
monitors that rode the TP-Link NAT loopback (hard-down since 06-09;
loopback refuses flows whose source equals the reflection target, which
all pfSense-SNAT'd cluster traffic does).

Enabled by re-testing a stale premise: on k8s 1.34 pods DO reach the
ETP=Local Traefik LB IP (kube-proxy short-circuits in-cluster traffic
to LB IPs; verified from pods on three non-Traefik nodes) — re-verify
after major k8s upgrades; canary = [External] fleet going red. The
NAT-layer alternatives (pfSense rdr, SNAT-drop) were rejected: both
fight return-path asymmetry and deepen TP-Link dependency.

Verified in-pod: immich -> .203 + HTTPS 200, mail -> 10.0.20.1,
forgejo -> Traefik ClusterIP (pin kept for Technitium-outage
resilience). Proxied [External] monitors now test the internal path —
true edge fidelity moves to the external vantage (ha-london, next fix).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-10 16:21:34 +00:00
parent 35c89fa90c
commit 59a531b8e0
5 changed files with 36 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

7
modules/create-template-vm/cloud_init.yaml
View file

@ -99,9 +99,10 @@ runcmd:
# host to the apex A record that auto-tracks the live Traefik LB IP — so
# every VLAN client, nodes included, gets internal answers with zero
# per-host config (2026-06-10; runbook: docs/runbooks/pfsense-unbound.md).
# Pods are carved out separately (CoreDNS `viktorbarzin.me:53` block:
# public answers + forgejo pinned to Traefik's ClusterIP — the LB IP is
# ETP=Local and unreachable from pods; stacks/technitium).
# Pods get the SAME internal answers via CoreDNS's `viktorbarzin.me:53`
# block forwarding to the Technitium ClusterIP (+ forgejo pinned to
# Traefik's ClusterIP for Technitium-outage resilience; stacks/technitium.
# Pods reach the ETP=Local LB IP fine on k8s 1.34 — verified 2026-06-10).
# History: a global-dns.conf drop-in (public DNS primary) lived here until
# 2026-06-10. Its rationale ("Technitium NXDOMAINs forgejo.viktorbarzin.me")
# had long been obsolete, and it steered fresh forgejo pulls onto the broken