coredns

rsp2k/coredns

Fork 0

Commit Graph

Author	SHA1	Message	Date
Ryan Malloy	18aa53bdc7	prod-readiness: alpine runtime + uid:gid passthrough + git auto-commit working The final set of fixes to make the rfc2136 plugin truly operational in production: - coredns/Dockerfile: switch runtime stage from gcr.io/distroless to alpine:3.20. Distroless has no package manager and no shell, so `git commit` (called by the plugin's auto-commit code path) had no way to execute. Alpine adds ~10 MB image size but gives us git + a usable shell for debugging. - docker-compose.yml: `user: "${COREDNS_UID:-1003}:${COREDNS_GID:-1004}"`. The container runs as the host's rpm user (uid 1003/gid 1004 on dell01) so zone files the plugin writes are owned by rpm:rpm on the host -- not root. Without this the plugin would write root-owned files we couldn't read or git-edit. Defaults match dell01; override per-host via env if needed. - .env.example: documents COREDNS_IMAGE_TAG (CalVer; bump per build). Add COREDNS_UID/GID if you need to override on a host where rpm has different numeric ids. Combined with the bumped image tag (2026.05.21.2), the full end-to-end flow works: caddy/nsupdate -> TSIG verify -> plugin handler -> atomic file write -> git auto-commit -> auto plugin reload -> query returns new record.	2026-05-21 13:01:36 -06:00
Ryan Malloy	162abedfdd	.env now gitignored; .env.example is the committed template Per standard Docker convention. The active `.env` is per-host (contains the actual TSIG secret + any host-specific port/hostname overrides). The `.env.example` template documents the expected variables with stub values so a fresh checkout knows what to copy. Also: docker-compose.yml now passes ACME_TSIG_SECRET to the coredns container via plain `environment:` directive -- compose auto-reads `.env` for substitution. No --env-file gymnastics needed at the invocation level.	2026-05-21 12:37:23 -06:00

Author

SHA1

Message

Date

Ryan Malloy

18aa53bdc7

prod-readiness: alpine runtime + uid:gid passthrough + git auto-commit working

The final set of fixes to make the rfc2136 plugin truly operational
in production:

- coredns/Dockerfile: switch runtime stage from gcr.io/distroless to
  alpine:3.20. Distroless has no package manager and no shell, so
  `git commit` (called by the plugin's auto-commit code path) had no
  way to execute. Alpine adds ~10 MB image size but gives us git +
  a usable shell for debugging.
- docker-compose.yml: `user: "${COREDNS_UID:-1003}:${COREDNS_GID:-1004}"`.
  The container runs as the host's rpm user (uid 1003/gid 1004 on
  dell01) so zone files the plugin writes are owned by rpm:rpm on
  the host -- not root. Without this the plugin would write
  root-owned files we couldn't read or git-edit. Defaults match
  dell01; override per-host via env if needed.
- .env.example: documents COREDNS_IMAGE_TAG (CalVer; bump per build).
  Add COREDNS_UID/GID if you need to override on a host where rpm
  has different numeric ids.

Combined with the bumped image tag (2026.05.21.2), the full
end-to-end flow works: caddy/nsupdate -> TSIG verify -> plugin
handler -> atomic file write -> git auto-commit -> auto plugin
reload -> query returns new record.

2026-05-21 13:01:36 -06:00

Ryan Malloy

162abedfdd

.env now gitignored; .env.example is the committed template

Per standard Docker convention. The active `.env` is per-host
(contains the actual TSIG secret + any host-specific port/hostname
overrides). The `.env.example` template documents the expected
variables with stub values so a fresh checkout knows what to copy.

Also: docker-compose.yml now passes ACME_TSIG_SECRET to the coredns
container via plain `environment:` directive -- compose auto-reads
`.env` for substitution. No --env-file gymnastics needed at the
invocation level.

2026-05-21 12:37:23 -06:00

2 Commits