Add optional unbound DNS caching sidecar to worker deployment#69
mpetrowi
commented
Mar 31, 2026
- Unbound runs as a K8s 1.29+ native sidecar (initContainer with restartPolicy: Always), starting before check-migrations so DNS is available to all containers
- dnsPolicy switches to None with 127.0.0.1 as nameserver when enabled
- cluster.local forwarded to configurable clusterDnsIP; catch-all zone forwarded to a configurable forwarders list
- msg/rrset cache sizes are top-level values
- Optional Prometheus exporter (kumina/unbound_exporter) with control socket on a Unix domain socket shared via emptyDir volume
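As an added illustration of the wiring these bullets describe (not code from this PR or from the chart it changes), the following plain Kubernetes manifests show the native sidecar, the dnsPolicy: None switch and an unbound.conf with a cluster.local forward zone and a catch-all forward zone. The unbound image name, the cache sizes, the forwarder addresses, the control-socket path and the namespace search list are assumptions chosen for the example; the exporter image is the one pinned in the review snippet further down.

```yaml
# Added example (not from this PR or its chart): plain manifests showing the
# sidecar wiring the description lists. Image names, cache sizes, forwarders,
# socket path and the namespace search list are assumed values.
apiVersion: v1
kind: ConfigMap
metadata:
  name: catalyst-unbound-conf
data:
  unbound.conf: |
    server:
      interface: 127.0.0.1
      port: 53
      access-control: 127.0.0.0/8 allow
      do-ip6: no
      msg-cache-size: 16m            # assumed; the chart exposes these as values
      rrset-cache-size: 32m
      # Unbound answers NXDOMAIN locally for RFC 1918 reverse zones; release
      # 10.in-addr.arpa (assumed to hold the cluster CIDRs) so PTR lookups for
      # cluster addresses are forwarded like cluster.local below.
      local-zone: "10.in-addr.arpa." nodefault
      # Needed only if a DNSSEC trust anchor is configured: cluster.local is
      # unsigned and would otherwise fail validation.
      domain-insecure: "cluster.local."
    remote-control:
      control-enable: yes
      # An absolute path makes the control channel a Unix domain socket: no
      # TLS keys to manage and nothing listening on a TCP port.
      control-interface: /run/unbound/unbound.ctl
    forward-zone:
      name: "cluster.local."
      forward-addr: 10.96.0.10       # clusterDnsIP: the kube-dns ClusterIP
    forward-zone:
      name: "10.in-addr.arpa."
      forward-addr: 10.96.0.10
    forward-zone:
      name: "."                      # catch-all: everything else goes upstream
      forward-addr: 1.1.1.1          # assumed forwarders list
      forward-addr: 1.0.0.1
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: catalyst-worker
spec:
  selector:
    matchLabels: {app: catalyst-worker}
  template:
    metadata:
      labels: {app: catalyst-worker}
    spec:
      # dnsPolicy None discards the kubelet-generated resolv.conf, so the search
      # list and ndots that let short names like "redis" resolve must be
      # restated here (namespace "default" assumed).
      dnsPolicy: "None"
      dnsConfig:
        nameservers: ["127.0.0.1"]
        searches: ["default.svc.cluster.local", "svc.cluster.local", "cluster.local"]
        options:
          - {name: ndots, value: "5"}
      volumes:
        - {name: unbound-conf, configMap: {name: catalyst-unbound-conf}}
        - {name: unbound-run, emptyDir: {}}   # shared control socket directory
      initContainers:
        # restartPolicy: Always makes an initContainer a native sidecar
        # (Kubernetes 1.29+): it starts before the init containers that follow,
        # is restarted if it exits, and runs for the life of the pod.
        - name: unbound
          image: UNBOUND_IMAGE_PLACEHOLDER   # no official image; build and pin your own
          restartPolicy: Always
          args: ["-d", "-c", "/etc/unbound/unbound.conf"]   # foreground, this config
          securityContext:
            capabilities: {drop: ["ALL"], add: ["NET_BIND_SERVICE"]}
          volumeMounts:
            - {name: unbound-conf, mountPath: /etc/unbound, readOnly: true}
            - {name: unbound-run, mountPath: /run/unbound}
        - name: unbound-exporter
          image: cyb3rjak3/unbound-exporter:0.5.0@sha256:e4973d36ba6485e5e9378e6d3e72677c177d69a62a11c9da549a71ff9904e09f
          restartPolicy: Always
          # unix:// control address as documented for unbound_exporter; verify
          # the flag against the image you actually pin.
          args: ["-unbound.host", "unix:///run/unbound/unbound.ctl"]
          ports:
            - {name: metrics, containerPort: 9167}
          volumeMounts:
            - {name: unbound-run, mountPath: /run/unbound}
        - name: check-migrations            # ordinary init container: runs after
          image: CATALYST_IMAGE_PLACEHOLDER # unbound is up, so it can resolve names
          command: ["CHECK_MIGRATIONS_COMMAND_PLACEHOLDER"]
      containers:
        - name: worker
          image: CATALYST_IMAGE_PLACEHOLDER
```

Two details matter operationally. With dnsPolicy None the pod gets only what dnsConfig states, so omitting the search list silently breaks every short service name the worker uses. And because the catch-all zone forwards everything that is not cluster.local, a wrong clusterDnsIP does not fall back to anything: cluster.local queries go to an address that never answers and time out.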
- Unbound runs as a K8s 1.29+ native sidecar (initContainer with restartPolicy: Always), starting before check-migrations so DNS is available to all containers
- dnsPolicy switches to None with 127.0.0.1 as nameserver when enabled
- cluster.local forwarded to configurable clusterDnsIP; catch-all zone forwarded to a configurable forwarders list
- msg/rrset cache sizes are top-level values
- Optional Prometheus exporter (kumina/unbound_exporter) with control socket on a Unix domain socket shared via emptyDir volume
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
91a0ffc to e626b0c
e626b0c to 0ea89e6
enabled: false
# This isn't a common image, so locking to a sha256
# I used: podman inspect cyb3rjak3/unbound-exporter:0.5.0 --format '{{.Digest}}'
image: cyb3rjak3/unbound-exporter:0.5.0@sha256:e4973d36ba6485e5e9378e6d3e72677c177d69a62a11c9da549a71ff9904e09f
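Review bot: the digest pin on the `image:` line fixes which bytes run, but it still pins a third-party rebuild of letsencrypt/unbound_exporter rather than anything the project publishes, and the comment above it only records how the digest was read, not that the image contents were checked against upstream. Since the thread already leans toward building the upstream Dockerfile and pushing it to ECR, suggest doing that before this reaches prod and pinning that image's digest instead. Also note that when a tag and a digest are both present the runtime resolves by digest and ignores the tag, so the `0.5.0` tag here is documentation only; update it together with the digest so the two do not drift apart.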
I wish there was a more official image for this. I'm locking to the sha256 of the manifest, I hope that works.
What about this one: https://github.com/letsencrypt/unbound_exporter
You can find tons of exporters from the Prometheus docs: https://prometheus.io/docs/instrumenting/exporters/
Ah, nvm. This is that project, but there's no official container for it, so this is just some rando's. I see
Yeah. If it works I think we could build the letsencrypt container and push it up to ECR. I'd feel better about that on prod
A bit odd that they don't build and push it themselves since they have it. Looks like the current container is slightly behind on versions, so I'd feel better about building it ourselves too.
Creates a headless Service and ServiceMonitor (conditional on dnsSidecar.metrics.enabled) that scrapes the unbound exporter on port 9167. Uses a distinct metrics: catalyst-unbound label to avoid overlap with the existing catalyst app/worker ServiceMonitor.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
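The scrape wiring that commit message describes, written out as an added example rather than the chart's own templates: a headless Service carrying the distinct `metrics: catalyst-unbound` label, and a ServiceMonitor that selects only that label so the existing app/worker ServiceMonitor never picks up the same endpoints. The Service and ServiceMonitor names, the pod selector label `app: catalyst-worker` and the scrape interval are assumptions.

```yaml
# Added example (not from this PR): expose the unbound exporter to Prometheus
# without colliding with the existing app/worker ServiceMonitor.
apiVersion: v1
kind: Service
metadata:
  name: catalyst-unbound-metrics     # assumed name
  labels:
    metrics: catalyst-unbound        # the distinct label the ServiceMonitor keys on
spec:
  clusterIP: None                    # headless: one endpoint per worker pod, no VIP
  selector:
    app: catalyst-worker             # assumed pod label of the worker Deployment
  ports:
    - name: metrics
      port: 9167
      targetPort: 9167               # the exporter's listen port
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: catalyst-unbound             # assumed name
spec:
  selector:
    matchLabels:
      metrics: catalyst-unbound      # matches only the Service above
  endpoints:
    - port: metrics                  # refers to the Service port by name
      interval: 30s                  # assumed
```

Keeping the ServiceMonitor selector on a label that the catalyst app/worker Service does not carry is what prevents duplicate scrapes; if both Services shared a label that either monitor selected, every worker pod would be scraped twice under two job names.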
srphillips
left a comment
This all looks like it would work fine. I would definitely feel better about just building the official project's Dockerfile for use ourselves for prod use though. One suggestion about making the upstream DNS configurable as well. Let's see what @blunckr says about the rest of it since it's for his project.
# Retrieve with: kubectl get svc kube-dns -n kube-system -o jsonpath='{.spec.clusterIP}'
clusterDnsIP: "10.96.0.10"
# Upstream forwarders for the catch-all zone (".").
forwarders:
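Review bot: `clusterDnsIP: "10.96.0.10"` is only the kube-dns address on clusters using the default service CIDR, and with dnsPolicy None a wrong value has no fallback: every cluster.local lookup from the worker silently times out. Suggest either leaving the default empty and failing the render with Helm's `required` when the sidecar is enabled without a value, or at least moving the retrieval command from this comment into the chart README so operators know it must be set per cluster. The `forwarders` default is cut off in this view; whatever it is, the catch-all "." zone sends every non-cluster query from the worker to those addresses, so it should be a documented per-environment value rather than something that takes a chart change to alter, which is the same point the comment below makes.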
It would be nice to make this more configurable, so it doesn't require a chart change for pointing to a new upstream DNS forwarder. I'm fine if we set these as a default though if there isn't one defined in the values file.
Yeah, they are just defaults. Maybe I should have made it 1.1.1.1 to be more generic