CoreDNS and StepCA with Kubernetes Using Quadlet

Table of Contents#

Overview#

This guide demonstrates how to deploy CoreDNS and Smallstep Certificate Authority (StepCA) on Kubernetes using Podman Quadlet. This approach provides a robust DNS and PKI infrastructure for Kubernetes clusters, enabling secure internal communications with automated certificate management.

Architecture Overview#

1
graph TB
2
    subgraph "Kubernetes Infrastructure"
3
        subgraph "DNS Namespace"
4
            A[CoreDNS Deployment]
5
            B[CoreDNS Service]
6
            C[ConfigMap]
7
        end
8

9
        subgraph "PKI Namespace"
10
            D[StepCA Deployment]
11
            E[StepCA Service]
12
            F[Secret]
13
            G[PVC]
14
        end
15
    end
16

17
    subgraph "Quadlet Integration"
18
        H[DNS Quadlet File]
19
        I[PKI Quadlet File]
20
        J[systemd Services]
21
    end
22

23
    H --> A
24
    I --> D
25
    J --> H
26
    J --> I
27

28
    style A fill:#4ecdc4,stroke:#087f5b,stroke-width:2px
29
    style D fill:#74c0fc,stroke:#1971c2,stroke-width:2px
30
    style J fill:#ffd43b,stroke:#fab005,stroke-width:2px

Complete Quadlet Configuration Files#

DNS Deployment Quadlet#

Create /etc/containers/systemd/dns-deployment.kube:

1
#
2
# CoreDNS Kubernetes Deployment via Quadlet
3
#
4
[Unit]
5
Description=CoreDNS Kubernetes Deployment
6
After=network-online.target
7
Wants=network-online.target
8

9
[Kube]
10
# Namespace for DNS services
11
Namespace=dns
12

13
# The manifest for CoreDNS
14
Yaml='''
15
apiVersion: v1
16
kind: Namespace
17
metadata:
18
  name: dns
19
---
20
apiVersion: v1
21
kind: ConfigMap
22
metadata:
23
  name: coredns-config
24
  namespace: dns
25
data:
26
  Corefile: |
27
    .:53 {
28
        forward . 8.8.8.8 8.8.4.4
29
        log
30
        errors
31
    }
32
    invinsense:53 {
33
        file /etc/coredns/invinsense.db
34
        log
35
        errors
36
    }
37
  invinsense.db: |
38
    $ORIGIN invinsense.
39
    @       3600 IN SOA  coredns.invinsense. admin.invinsense. (
40
            2023062001 ; serial
41
            7200       ; refresh
42
            3600       ; retry
43
            1209600    ; expire
44
            3600       ; minimum
45
    )
46
    @       3600 IN NS  coredns.invinsense.
47
    coredns   IN A     192.168.122.16
48
    ca        IN A     192.168.122.76
49
---
50
apiVersion: apps/v1
51
kind: Deployment
52
metadata:
53
  name: coredns
54
  namespace: dns
55
spec:
56
  replicas: 1
57
  selector:
58
    matchLabels:
59
      app: coredns
60
  template:
61
    metadata:
62
      labels:
63
        app: coredns
64
    spec:
65
      containers:
66
      - name: coredns
67
        image: docker.io/coredns/coredns:1.11.1
68
        args: ["-conf", "/etc/coredns/Corefile"]
69
        ports:
70
        - containerPort: 53
71
          name: dns
72
          protocol: UDP
73
        - containerPort: 53
74
          name: dns-tcp
75
          protocol: TCP
76
        volumeMounts:
77
        - name: config-volume
78
          mountPath: /etc/coredns
79
      volumes:
80
      - name: config-volume
81
        configMap:
82
          name: coredns-config
83
---
84
apiVersion: v1
85
kind: Service
86
metadata:
87
  name: coredns
88
  namespace: dns
89
spec:
90
  selector:
91
    app: coredns
92
  ports:
93
  - name: dns
94
    port: 53
95
    protocol: UDP
96
  - name: dns-tcp
97
    port: 53
98
    protocol: TCP
99
  type: LoadBalancer
100
'''
101

102
[Install]
103
WantedBy=default.target

PKI Deployment Quadlet#

Create /etc/containers/systemd/pki-deployment.kube:

1
#
2
# StepCA Kubernetes Deployment via Quadlet
3
#
4
[Unit]
5
Description=StepCA Kubernetes Deployment
6
After=network-online.target
7
Wants=network-online.target
8

9
[Kube]
10
# Namespace for PKI services
11
Namespace=pki
12

13
# The manifest for StepCA
14
Yaml='''
15
apiVersion: v1
16
kind: Namespace
17
metadata:
18
  name: pki
19
---
20
apiVersion: v1
21
kind: Secret
22
metadata:
23
  name: stepca-secret
24
  namespace: pki
25
type: Opaque
26
data:
27
  password: ${STEPCA_PASSWORD_BASE64}  # This will be replaced during setup
28
---
29
apiVersion: v1
30
kind: PersistentVolumeClaim
31
metadata:
32
  name: stepca-data
33
  namespace: pki
34
spec:
35
  accessModes:
36
    - ReadWriteOnce
37
  resources:
38
    requests:
39
      storage: 1Gi
40
---
41
apiVersion: apps/v1
42
kind: Deployment
43
metadata:
44
  name: stepca
45
  namespace: pki
46
spec:
47
  replicas: 1
48
  selector:
49
    matchLabels:
50
      app: stepca
51
  template:
52
    metadata:
53
      labels:
54
        app: stepca
55
    spec:
56
      containers:
57
      - name: stepca
58
        image: smallstep/step-ca:0.24.0
59
        ports:
60
        - containerPort: 443
61
        env:
62
        - name: STEPCA_INIT_NAME
63
          value: "Invinsense CA"
64
        - name: STEPCA_INIT_DNS_NAMES
65
          value: "ca.invinsense"
66
        - name: STEPCA_INIT_ADDRESS
67
          value: ":443"
68
        - name: STEPCA_PASSWORD
69
          valueFrom:
70
            secretKeyRef:
71
              name: stepca-secret
72
              key: password
73
        volumeMounts:
74
        - name: stepca-data
75
          mountPath: /home/step
76
      volumes:
77
      - name: stepca-data
78
        persistentVolumeClaim:
79
          claimName: stepca-data
80
---
81
apiVersion: v1
82
kind: Service
83
metadata:
84
  name: stepca
85
  namespace: pki
86
spec:
87
  selector:
88
    app: stepca
89
  ports:
90
  - port: 443
91
    targetPort: 443
92
  type: LoadBalancer
93
'''
94

95
[Install]
96
WantedBy=default.target

Setup Process#

1. Prerequisites#

1
# Check CoreOS version and kubectl
2
rpm-ostree status
3
kubectl version
4

5
# Install kubectl if not present
6
rpm-ostree install kubectl

2. Create Configuration Directory#

1
sudo mkdir -p /etc/containers/systemd

3. Generate StepCA Password#

1
# Generate password and encode
2
STEPCA_PASSWORD=$(openssl rand -base64 32)
3
STEPCA_PASSWORD_BASE64=$(echo -n "$STEPCA_PASSWORD" | base64)
4

5
# Save password securely
6
echo "$STEPCA_PASSWORD" | sudo tee /etc/containers/stepca.password
7
sudo chmod 600 /etc/containers/stepca.password

4. Create Quadlet Files#

1
# Replace password in PKI deployment
2
sed "s/\${STEPCA_PASSWORD_BASE64}/$STEPCA_PASSWORD_BASE64/" pki-deployment.kube | \
3
    sudo tee /etc/containers/systemd/pki-deployment.kube
4

5
# Copy CoreDNS deployment
6
sudo cp dns-deployment.kube /etc/containers/systemd/

5. Set Permissions#

1
sudo chmod 644 /etc/containers/systemd/*.kube

6. Enable and Start Services#

1
# Reload systemd to detect new Quadlet files
2
sudo systemctl daemon-reload
3

4
# Enable and start CoreDNS
5
sudo systemctl enable --now kube-dns-deployment
6

7
# Enable and start StepCA
8
sudo systemctl enable --now kube-pki-deployment

Verification and Testing#

Check Service Status#

1
# Check systemd services
2
sudo systemctl status kube-dns-deployment
3
sudo systemctl status kube-pki-deployment
4

5
# Check Kubernetes resources
6
kubectl get all -n dns
7
kubectl get all -n pki
8

9
# Check pods
10
kubectl get pods -n dns
11
kubectl get pods -n pki

Configure DNS Resolution#

1
# Get CoreDNS service IP
2
COREDNS_IP=$(kubectl get svc -n dns coredns -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
3

4
# Configure systemd-resolved
5
sudo mkdir -p /etc/systemd/resolved.conf.d/
6
sudo bash -c "cat > /etc/systemd/resolved.conf.d/dns.conf << EOF
7
[Resolve]
8
DNS=$COREDNS_IP
9
Domains=~invinsense
10
EOF"
11

12
# Restart resolved
13
sudo systemctl restart systemd-resolved

Initialize StepCA Client#

1
# Install step CLI if needed
2
sudo rpm-ostree install step-cli
3

4
# Get StepCA service IP
5
STEPCA_IP=$(kubectl get svc -n pki stepca -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
6

7
# Get CA fingerprint
8
CA_POD=$(kubectl get pods -n pki -l app=stepca -o jsonpath='{.items[0].metadata.name}')
9
CA_FINGERPRINT=$(kubectl exec -n pki $CA_POD -- step certificate fingerprint /home/step/certs/root_ca.crt)
10

11
# Bootstrap with CA
12
step ca bootstrap --ca-url https://$STEPCA_IP --fingerprint $CA_FINGERPRINT

Test the Setup#

1
# Test DNS resolution
2
dig @$COREDNS_IP ca.invinsense
3
dig @$COREDNS_IP google.com
4

5
# Test certificate issuance
6
step ca certificate test.invinsense test.crt test.key

Advanced Configuration#

Custom DNS Zones#

1
graph LR
2
    subgraph "DNS Configuration"
3
        A[Corefile] --> B[Zone Files]
4
        B --> C[invinsense.db]
5
        B --> D[internal.db]
6
        B --> E[custom.db]
7
    end
8

9
    subgraph "Resolution Flow"
10
        F[Client Query] --> G[CoreDNS]
11
        G --> H{Zone Match?}
12
        H -->|Yes| I[Local Resolution]
13
        H -->|No| J[Forward to Upstream]
14
    end
15

16
    style A fill:#4ecdc4,stroke:#087f5b,stroke-width:2px
17
    style G fill:#74c0fc,stroke:#1971c2,stroke-width:2px

Certificate Management Flow#

1
sequenceDiagram
2
    participant C as Client
3
    participant S as StepCA
4
    participant K as Kubernetes
5

6
    C->>S: Request Certificate
7
    S->>S: Validate Request
8
    S->>C: Issue Certificate
9
    C->>K: Deploy with Certificate
10
    K->>S: Validate Certificate
11
    S->>K: Certificate Valid
12

13
    Note over C,K: Automatic renewal before expiry

Maintenance Operations#

View Logs#

1
# CoreDNS logs
2
kubectl logs -n dns -l app=coredns
3

4
# StepCA logs
5
kubectl logs -n pki -l app=stepca

Restart Deployments#

1
# Restart CoreDNS
2
kubectl rollout restart deployment -n dns coredns
3

4
# Restart StepCA
5
kubectl rollout restart deployment -n pki stepca

Update Container Images#

1
# Update CoreDNS
2
kubectl set image deployment/coredns -n dns \
3
    coredns=docker.io/coredns/coredns:1.11.1
4

5
# Update StepCA
6
kubectl set image deployment/stepca -n pki \
7
    stepca=smallstep/step-ca:0.24.0

Backup Configuration#

1
# Backup Kubernetes resources
2
kubectl get all -n dns -o yaml > dns-backup.yaml
3
kubectl get all -n pki -o yaml > pki-backup.yaml
4

5
# Backup configurations
6
sudo tar -czf k8s-quadlet-backup.tar.gz \
7
    /etc/containers/systemd/*.kube \
8
    /etc/containers/stepca.password

Security Best Practices#

Network Policies#

1
apiVersion: networking.k8s.io/v1
2
kind: NetworkPolicy
3
metadata:
4
  name: dns-network-policy
5
  namespace: dns
6
spec:
7
  podSelector:
8
    matchLabels:
9
      app: coredns
10
  policyTypes:
11
    - Ingress
12
    - Egress
13
  ingress:
14
    - from:
15
        - podSelector: {}
16
        - namespaceSelector: {}
17
      ports:
18
        - protocol: UDP
19
          port: 53
20
        - protocol: TCP
21
          port: 53
22
  egress:
23
    - to:
24
        - podSelector: {}
25
      ports:
26
        - protocol: UDP
27
          port: 53
28
        - protocol: TCP
29
          port: 53

Certificate Security#

1
graph TD
2
    A[Certificate Security] --> B[Secure Storage]
3
    A --> C[Access Control]
4
    A --> D[Rotation Policy]
5

6
    B --> E[PVC Encryption]
7
    B --> F[Secret Management]
8

9
    C --> G[RBAC Policies]
10
    C --> H[Network Policies]
11

12
    D --> I[Automatic Renewal]
13
    D --> J[Audit Logging]
14

15
    style A fill:#ff6b6b,stroke:#c92a2a,stroke-width:2px
16
    style B fill:#74c0fc,stroke:#1971c2,stroke-width:2px
17
    style D fill:#4ecdc4,stroke:#087f5b,stroke-width:2px

Troubleshooting#

Common Issues#

Service Not Starting

1
# Check Quadlet syntax
2
systemd-analyze verify /etc/containers/systemd/*.kube
3

4
# View detailed logs
5
journalctl -u kube-dns-deployment -n 50

DNS Resolution Failures

1
# Test CoreDNS directly
2
kubectl exec -n dns deployment/coredns -- nslookup ca.invinsense
3

4
# Check CoreDNS configuration
5
kubectl describe configmap -n dns coredns-config

Certificate Issues

1
# Check StepCA status
2
kubectl exec -n pki deployment/stepca -- step ca health
3

4
# View certificate details
5
step certificate inspect test.crt

Integration Examples#

Application Deployment with Certificates#

1
apiVersion: apps/v1
2
kind: Deployment
3
metadata:
4
  name: secure-app
5
spec:
6
  template:
7
    spec:
8
      initContainers:
9
        - name: get-cert
10
          image: smallstep/step-cli
11
          command:
12
            - sh
13
            - -c
14
            - |
15
              step ca certificate ${HOSTNAME} /certs/tls.crt /certs/tls.key \
16
                --ca-url https://stepca.pki.svc.cluster.local \
17
                --root /certs/root_ca.crt
18
          volumeMounts:
19
            - name: certs
20
              mountPath: /certs
21
      containers:
22
        - name: app
23
          image: myapp:latest
24
          volumeMounts:
25
            - name: certs
26
              mountPath: /etc/ssl/certs
27
              readOnly: true
28
      volumes:
29
        - name: certs
30
          emptyDir: {}

Conclusion#

Using Quadlet to deploy CoreDNS and StepCA on Kubernetes provides a clean, maintainable approach to managing DNS and PKI infrastructure. This setup offers:

Simplified deployment through declarative Quadlet files
Integrated certificate management with automatic issuance and renewal
Secure DNS resolution for internal services
Easy maintenance with systemd integration

Key benefits:

No manual container management required
Automatic restart on failure
Integration with systemd logging
Version-controlled infrastructure
Scalable and production-ready

By following this guide, you can establish a robust DNS and certificate infrastructure for your Kubernetes cluster, enabling secure service-to-service communication with minimal operational overhead.