G2P-4380 DNS issue fix for base

pjoshi751 · pjoshi751 · commit bf20f67a5154 · 2026-03-24T15:07:13.000+05:30
diff --git a/automation/lib/env-phase1.sh b/automation/lib/env-phase1.sh
@@ -525,6 +525,46 @@ env_phase1_step7_keycloak_secret() {
     mark_step_done "$step_id"
 }
 
+# ─────────────────────────────────────────────────────────────────────────────
+# Step 1.8: CA certificate ConfigMap (local mode only)
+# ─────────────────────────────────────────────────────────────────────────────
+# In local mode, services inside pods need to trust our self-signed CA
+# when talking to https://keycloak.openg2p.test. We create a ConfigMap
+# with the CA cert so it can be mounted into pods and added to trust stores.
+env_phase1_step8_ca_configmap() {
+    local domain_mode=$(cfg "domain_mode" "custom")
+    [[ "$domain_mode" == "local" ]] || return 0
+
+    local env_name=$(cfg "environment")
+    log_step "E1.8" "Creating CA certificate ConfigMap in namespace '${env_name}'"
+
+    ensure_kubeconfig || return 1
+
+    local ca_cert="/etc/openg2p/ca/ca.crt"
+    if [[ ! -f "$ca_cert" ]]; then
+        log_error "CA certificate not found at ${ca_cert}" \
+                  "The infra script should have created the CA" \
+                  "Re-run openg2p-infra.sh phase 1"
+        return 1
+    fi
+
+    if kubectl -n "$env_name" get configmap openg2p-ca-cert &>/dev/null; then
+        log_info "ConfigMap 'openg2p-ca-cert' already exists — updating..."
+        kubectl -n "$env_name" create configmap openg2p-ca-cert \
+            --from-file=ca.crt="$ca_cert" --dry-run=client -o yaml | \
+            kubectl apply -f - > /dev/null 2>&1
+    else
+        kubectl -n "$env_name" create configmap openg2p-ca-cert \
+            --from-file=ca.crt="$ca_cert" || {
+            log_error "Failed to create CA cert ConfigMap" \
+                      "kubectl create configmap failed"
+            return 1
+        }
+    fi
+
+    log_success "ConfigMap 'openg2p-ca-cert' created with CA certificate."
+}
+
 # ─────────────────────────────────────────────────────────────────────────────
 # Run all Phase 1 steps
 # ─────────────────────────────────────────────────────────────────────────────
@@ -540,6 +580,7 @@ run_env_phase1() {
     env_phase1_step5_rancher_project
     env_phase1_step6_istio_gateway
     env_phase1_step7_keycloak_secret
+    env_phase1_step8_ca_configmap
 
     log_success "Phase 1 complete — environment infrastructure for '${env_name}' is ready."
 }
diff --git a/automation/lib/phase1.sh b/automation/lib/phase1.sh
@@ -728,81 +728,85 @@ EOF
 
     log_success "dnsmasq configured. All *.${local_domain} resolves to ${node_ip}."
 
-    # Configure CoreDNS to forward local domain queries to dnsmasq.
-    # Pods use CoreDNS (kube-system/rke2-coredns-rke2-coredns) for DNS, which
-    # doesn't know about our local domains. We add a custom server block that
-    # forwards *.openg2p.test to dnsmasq on the node IP.
-    # This runs after dnsmasq is up but before K8s is necessarily ready,
-    # so we save the config and apply it after RKE2 starts (in run_phase1).
-    log_info "Preparing CoreDNS custom config for ${local_domain} -> dnsmasq..."
+    # Save local domain and node IP for the CoreDNS patching step (step 7b).
+    # CoreDNS patching requires kubectl, which is available after RKE2 starts.
     mkdir -p /var/lib/openg2p/deploy-state
-    cat > /var/lib/openg2p/deploy-state/coredns-custom.yaml <<DNSEOF
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: rke2-coredns-rke2-coredns-custom
-  namespace: kube-system
-data:
-  openg2p.server: |
-    ${local_domain}:53 {
-      errors
-      cache 30
-      forward . ${node_ip}
-    }
-DNSEOF
-    log_info "CoreDNS custom config saved. Will be applied after RKE2 starts."
+    echo "${local_domain}" > /var/lib/openg2p/deploy-state/coredns-local-domain
+    echo "${node_ip}" > /var/lib/openg2p/deploy-state/coredns-node-ip
 
     mark_step_done "$step_id"
 }
 
 # ─────────────────────────────────────────────────────────────────────────────
-# Step 7b: Apply CoreDNS custom config (local mode only)
+# Step 7b: Patch CoreDNS Corefile for local domain forwarding
 # ─────────────────────────────────────────────────────────────────────────────
-# In local mode, pods inside the cluster need to resolve *.openg2p.test.
-# CoreDNS only knows about cluster.local — we add a custom server block
-# that forwards local domain queries to dnsmasq on the node.
-# RKE2's CoreDNS watches the ConfigMap rke2-coredns-rke2-coredns-custom
-# and auto-reloads when it changes.
+# In local mode, pods use CoreDNS which only knows about cluster.local.
+# We patch the main CoreDNS Corefile to add a server block that forwards
+# *.openg2p.test queries to dnsmasq on the node IP.
+#
+# Note: RKE2's CoreDNS does NOT mount a custom ConfigMap volume by default,
+# so the "import custom/*.server" approach doesn't work. We inject the
+# server block directly into the main rke2-coredns-rke2-coredns ConfigMap.
 phase1_step7b_coredns_custom() {
     local domain_mode=$(cfg "domain_mode" "custom")
     [[ "$domain_mode" == "local" ]] || return 0
 
     local step_id="phase1.coredns_custom"
-    skip_if_done "$step_id" "CoreDNS custom config" && return 0
+    skip_if_done "$step_id" "CoreDNS local domain forwarding" && return 0
 
-    local coredns_file="/var/lib/openg2p/deploy-state/coredns-custom.yaml"
-    if [[ ! -f "$coredns_file" ]]; then
-        log_info "No CoreDNS custom config found — skipping."
-        return 0
-    fi
+    local local_domain=$(cfg "local_domain" "openg2p.test")
+    local node_ip=$(cfg "node_ip")
 
-    log_info "Applying CoreDNS custom config for local domain forwarding..."
+    log_info "Patching CoreDNS Corefile to forward ${local_domain} -> dnsmasq (${node_ip})..."
     ensure_kubeconfig || return 1
 
-    kubectl apply -f "$coredns_file" || {
-        log_error "Failed to apply CoreDNS custom config" \
-                  "kubectl apply failed" \
-                  "Check CoreDNS ConfigMap" \
-                  "kubectl -n kube-system get configmap rke2-coredns-rke2-coredns-custom -o yaml"
+    # Check if the Corefile already has the local domain block
+    local current_corefile
+    current_corefile=$(kubectl -n kube-system get configmap rke2-coredns-rke2-coredns \
+        -o jsonpath='{.data.Corefile}' 2>/dev/null || true)
+
+    if [[ -z "$current_corefile" ]]; then
+        log_error "CoreDNS ConfigMap not found" \
+                  "rke2-coredns-rke2-coredns ConfigMap missing in kube-system" \
+                  "Check RKE2 CoreDNS deployment" \
+                  "kubectl -n kube-system get configmap"
         return 1
-    }
+    fi
 
-    # Restart CoreDNS to pick up the change immediately
-    kubectl -n kube-system rollout restart deployment rke2-coredns-rke2-coredns > /dev/null 2>&1 || true
-    sleep 5
+    if echo "$current_corefile" | grep -q "${local_domain}:53"; then
+        log_info "CoreDNS Corefile already contains ${local_domain} server block — skipping."
+    else
+        log_info "Injecting ${local_domain} server block into CoreDNS Corefile..."
+        kubectl -n kube-system get configmap rke2-coredns-rke2-coredns -o json | \
+            jq --arg domain "$local_domain" --arg ip "$node_ip" '
+                .data.Corefile = $domain + ":53 {\n    errors\n    cache 30\n    forward . " + $ip + "\n}\n" + .data.Corefile
+            ' | kubectl apply -f - || {
+            log_error "Failed to patch CoreDNS Corefile" \
+                      "jq/kubectl pipeline failed" \
+                      "Check CoreDNS ConfigMap" \
+                      "kubectl -n kube-system get configmap rke2-coredns-rke2-coredns -o yaml"
+            return 1
+        }
 
-    # Verify: resolve the local domain from inside CoreDNS
-    local local_domain=$(cfg "local_domain" "openg2p.test")
-    local node_ip=$(cfg "node_ip")
+        # Restart CoreDNS to pick up the change
+        kubectl -n kube-system rollout restart deployment rke2-coredns-rke2-coredns > /dev/null 2>&1 || true
+        log_info "CoreDNS restarting..."
+        sleep 10
+    fi
+
+    # Verify: resolve the local domain from inside a pod
+    log_info "Verifying DNS resolution from inside a pod..."
     local test_ip
     test_ip=$(kubectl run dns-test --rm -i --restart=Never --image=busybox:1.36 \
-        -- nslookup "keycloak.${local_domain}" 2>/dev/null | grep -A1 "Name:" | tail -1 | awk '{print $2}' || true)
+        -- nslookup "keycloak.${local_domain}" 2>/dev/null | \
+        grep -A1 "Name:" | tail -1 | awk '{print $2}' || true)
 
     if [[ "$test_ip" == "$node_ip" ]]; then
         log_success "CoreDNS resolves keycloak.${local_domain} -> ${node_ip} from inside pods."
     else
         log_warn "CoreDNS verification returned '${test_ip}' (expected ${node_ip})."
-        log_warn "CoreDNS may still be reloading. Pods should resolve after a few seconds."
+        log_warn "Pods may need a few more seconds. Check manually:"
+        log_warn "  kubectl run dns-test --rm -it --restart=Never --image=busybox:1.36 -- nslookup keycloak.${local_domain}"
     fi
 
     mark_step_done "$step_id"
