wip

Signed-off-by: Daichi Sakaue <[email protected]>

images.go

@@ -15,7 +15,7 @@ const (
 	ToolsImage           = Image("quay.io/cybozu/cke-tools:1.26.0")
 	PauseImage           = Image("quay.io/cybozu/pause:3.9.0.1")
 	CoreDNSImage         = Image("quay.io/cybozu/coredns:1.10.1.1")
-	UnboundImage         = Image("quay.io/cybozu/unbound:1.17.1.4")
+	UnboundImage         = Image("ghcr.io/cybozu/unbound:1.18.0.2")
 	UnboundExporterImage = Image("quay.io/cybozu/unbound_exporter:0.4.1.5")
 )
 

mtest/kubernetes_test.go

@@ -149,6 +149,19 @@ func testKubernetes() {
 			}
 			return nil
 		}).Should(Succeed())
+
+		Eventually(func() error {
+			stdout, stderr, err := kubectl("get", "service", "-n="+namespace, "httpd", "-o", "jsonpath='{.spec.clusterIP}'")
+			if err != nil {
+				return fmt.Errorf("%v: stderr=%s", err, stderr)
+			}
+			ip := string(stdout)
+
+			_, stderr, err = kubectl("exec", "-n="+namespace, "client", "getent", "hosts", ip)
+			if err != nil {
+				return fmt.Errorf("%v: stderr=%s", err, stderr)
+			}
+		}).Should(Succeed())
 	})
 
 	It("updates unbound config", func() {
@@ -245,6 +258,12 @@ func testKubernetes() {
 			return err
 		}).Should(Succeed())
 
+		By("querying www.dnssec-failed.org using node DNS from ubuntu pod")
+		Consistently(func() error {
+			_, _, err := kubectl("exec", "-n="+namespace, "client", "getent", "hosts", "www.dnssec-failed.org")
+			return err
+		}).WithTimeout(time.Second * 5).WithPolling(time.Second * 1).ShouldNot(Succeed())
+
 		By("getting metrics from unbound_exporter")
 		Eventually(func() error {
 			stdout, _, err := kubectl("exec", "-n=kube-system", "daemonset/node-dns", "-c", "unbound", "--", "curl", "-sSf", "http://127.0.0.1:9167/metrics")

op/nodedns/nodedns.go

@@ -69,6 +69,26 @@ server:
   local-zone: "29.172.in-addr.arpa." transparent
   local-zone: "30.172.in-addr.arpa." transparent
   local-zone: "31.172.in-addr.arpa." transparent
+  trust-anchor-file: "/usr/local/unbound/etc/unbound/root.key"
+  domain-insecure: "{{ .Domain }}"
+  domain-insecure: "10.in-addr.arpa."
+  domain-insecure: "168.192.in-addr.arpa."
+  domain-insecure: "16.172.in-addr.arpa."
+  domain-insecure: "17.172.in-addr.arpa."
+  domain-insecure: "18.172.in-addr.arpa."
+  domain-insecure: "19.172.in-addr.arpa."
+  domain-insecure: "20.172.in-addr.arpa."
+  domain-insecure: "21.172.in-addr.arpa."
+  domain-insecure: "22.172.in-addr.arpa."
+  domain-insecure: "23.172.in-addr.arpa."
+  domain-insecure: "24.172.in-addr.arpa."
+  domain-insecure: "25.172.in-addr.arpa."
+  domain-insecure: "26.172.in-addr.arpa."
+  domain-insecure: "27.172.in-addr.arpa."
+  domain-insecure: "28.172.in-addr.arpa."
+  domain-insecure: "29.172.in-addr.arpa."
+  domain-insecure: "30.172.in-addr.arpa."
+  domain-insecure: "31.172.in-addr.arpa."
 remote-control:
   control-enable: yes
   control-interface: {{ if .LocalControl }} /var/run/unbound/unbound.sock {{ else }} 127.0.0.1 {{ end }}