Service Contract: ExternalDNS
Purpose
Automate internal DNS records by reconciling annotated Kubernetes resources into Technitium with clear ownership boundaries.
Exposure
- Category: Internal (cluster-only)
- Ingress: Internal
- DNS names: None (API-driven)
Identity
- AuthN: Kubernetes service account
- AuthZ: ClusterRole scoped to read ingress/service resources
- Break-glass account: Not applicable
Data
- Persistence: Ephemeral
- Data class: Standard
- Estimated storage growth: None
Network
- Allowed source networks: Cluster nodes
- Egress requirements: Technitium Service IP/VIP; Kubernetes API
Availability
- HA required: No (automation only)
- Acceptable downtime: Hours; existing records continue to resolve
Backup
- Tier: None (state is declarative via Kubernetes + Technitium registry)
- Restore test cadence: Not required
Dependencies
- Needs database: No
- Needs object storage: No
- Needs SMTP: No
- Other: Stable Technitium IP/VIP; domain filters/ownership registry configured
Observability
- Metrics: Reconciliation success/fail counts
- Logs: Controller logs for record changes
- Alerts: Persistent reconciliation failures
Change Control
- Deployment method: Kubernetes Deployment, applied as a Helm release or plain manifest
- Rollback plan: Revert deployment manifest/helm release
Notes / Risks
Restrict the domain filter and the ownership registry to internal hostnames, so the controller can never create, update or delete records in a public zone by accident.
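As an added example (not the contract's own manifest), a minimal ClusterRole and ExternalDNS Deployment that encode the boundaries above: read-only access to ingress/service, a domain filter and a TXT ownership registry. The zone name, owner id, image tag, and the use of the webhook provider to reach Technitium are assumptions.

```yaml
# Added example, not the contract's own manifest. Placeholders: zone name,
# owner id, image tag; the webhook provider for Technitium is an assumption.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-dns
rules:
  # Read-only, limited to the two sources the contract names. The service
  # source may additionally need endpoints/pods/nodes for some Service types.
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "watch", "list"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
spec:
  replicas: 1   # HA not required; records keep resolving while the pod is down
  selector:
    matchLabels: {app: external-dns}
  template:
    metadata:
      labels: {app: external-dns}
    spec:
      serviceAccountName: external-dns   # ServiceAccount + ClusterRoleBinding omitted
      containers:
        - name: external-dns
          image: registry.k8s.io/external-dns/external-dns:v0.15.0  # pin your tested tag
          args:
            - --source=ingress
            - --source=service
            # Ownership boundary: only names under this internal zone are ever
            # created, updated or deleted; anything else is ignored.
            - --domain-filter=lab.internal.example   # placeholder zone
            # TXT registry marks each record with this owner id, so records
            # made by hand or by another instance are never overwritten.
            - --registry=txt
            - --txt-owner-id=homelab-cluster         # placeholder owner id
            - --txt-prefix=externaldns-
            # upsert-only never deletes; switch to sync once ownership is trusted.
            - --policy=upsert-only
            # Technitium is assumed to be reached via a webhook sidecar (omitted
            # here) that listens on localhost:8888 and translates to its API.
            - --provider=webhook
```

Apply the manifest and confirm in the controller logs that only records under the filtered zone are planned; a record outside it should never appear in a change set.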