
Add DNSStaticResolver option #7336

Merged
merged 7 commits into from
Feb 23, 2024

Contributor

@mcpherrinm mcpherrinm commented Feb 23, 2024

We run the RVAs in AWS, where we don't have all the same service discovery infrastructure we do for the primary VAs and the rest of Boulder. The solution for populating SRV records we have today hasn't been reliable, so we'd like to experiment with bringing up RVAs paired 1:1 with a local DNS resolver. This brings back some of the previous static DNS resolver configuration, though it's not a clean revert because other configuration has changed in the meantime.

@mcpherrinm mcpherrinm closed this Feb 23, 2024
@mcpherrinm mcpherrinm deleted the mattm-rva-dns branch February 23, 2024 18:50
@mcpherrinm mcpherrinm restored the mattm-rva-dns branch February 23, 2024 19:07
@mcpherrinm mcpherrinm reopened this Feb 23, 2024
Contributor

@mcpherrinm, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values.

@mcpherrinm
Contributor Author

I'd thought about reverting the removal of the DNSResolvers config, but that ended up gnarlier for a few reasons: It was removed before config validation, so we'd end up resolving conflicts and then editing to make it more like this anyways. Also, I think it's clearer if we explicitly name the config option as "static" to make sure it's distinguished from the dynamic provider we use with consul-discovered DNS servers.

@mcpherrinm mcpherrinm marked this pull request as ready for review February 23, 2024 19:45
@mcpherrinm mcpherrinm requested a review from a team as a code owner February 23, 2024 19:45
Member

@beautifulentropy beautifulentropy left a comment


Looks good, just a couple of comments. Also, we should probably remove the "doh" service from consul if it's no longer in use. The bit you're looking for is here:

services {
  id      = "doh-a"
  name    = "doh"
  address = "10.77.77.77"
  port    = 8343
  tags    = ["tcp"]
}

services {
  id      = "doh-b"
  name    = "doh"
  address = "10.77.77.77"
  port    = 8443
  tags    = ["tcp"]
}

@beautifulentropy beautifulentropy requested a review from a team February 23, 2024 22:22
Co-authored-by: Samantha <hello@entropy.cat>
@jsha
Contributor

jsha commented Feb 23, 2024

> we should probably remove the "doh" service from consul if it's no longer in use.

The idea here is to use the static resolver for the RVAs (which will have colocated Unbounds), and the SRV resolver for the on-prem VAs. So we'll be exercising both code paths and still want DOH configured.

@beautifulentropy
Member

> > we should probably remove the "doh" service from consul if it's no longer in use.
>
> The idea here is to use the static resolver for the RVAs (which will have colocated Unbounds), and the SRV resolver for the on-prem VAs. So we'll be exercising both code paths and still want DOH configured.

Cool, thanks for clearing that up!

Contributor

@jsha jsha left a comment


Looks good to me modulo @beautifulentropy's remaining open comment #7336 (comment).

@jsha jsha merged commit 313e3b9 into main Feb 23, 2024
20 checks passed
@jsha jsha deleted the mattm-rva-dns branch February 23, 2024 22:45