merge: bp-powerdns 1.0.2 (dnsdist tag + RO rootfs fix, openova#167)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 08:06:47 +02:00 · 2026-04-29 08:06:47 +02:00 · 790fc7efb0
commit 790fc7efb0
parent 134b3fbedf 20c0543806
3 changed files with 14 additions and 5 deletions
--- a/platform/powerdns/chart/Chart.yaml
+++ b/platform/powerdns/chart/Chart.yaml
@ -1,6 +1,6 @@
 apiVersion: v2
 name: bp-powerdns
-version: 1.0.1
+version: 1.0.2
 description: |
  Catalyst-curated Blueprint wrapper for PowerDNS Authoritative.
  Carries Catalyst-specific values.yaml + templates (CNPG cluster, dnsdist
--- a/platform/powerdns/chart/templates/dnsdist.yaml
+++ b/platform/powerdns/chart/templates/dnsdist.yaml
@ -53,7 +53,7 @@ spec:
          type: RuntimeDefault
      containers:
        - name: dnsdist
-          image: "{{ .Values.dnsdist.image.repository }}:{{ .Values.dnsdist.image.tag | default "1.9" }}"
+          image: "{{ .Values.dnsdist.image.repository }}:{{ .Values.dnsdist.image.tag | default "1.9.14" }}"
          imagePullPolicy: {{ .Values.dnsdist.image.pullPolicy | default "IfNotPresent" }}
          args:
            - --supervised
--- a/platform/powerdns/chart/values.yaml
+++ b/platform/powerdns/chart/values.yaml
@ -61,7 +61,13 @@ powerdns:

  securityContext:
    allowPrivilegeEscalation: false
-    readOnlyRootFilesystem: true
+    # readOnlyRootFilesystem MUST be false: the upstream chart's
+    # /usr/local/sbin/pdns_server-startup script writes rendered
+    # /etc/powerdns/pdns.d/*.conf at container start, and the upstream
+    # template doesn't expose an emptyDir mount we could redirect that
+    # path to. Locking the rootfs would crash-loop the pod (verified on
+    # Contabo k3s — Errno 30 Read-only file system: '/etc/powerdns/pdns.d/0-api.conf.conf').
+    readOnlyRootFilesystem: false
    runAsNonRoot: true
    runAsUser: 953
    runAsGroup: 953
@ -224,9 +230,12 @@ postgres:
 dnsdist:
  enabled: true
  image:
-    # Official dnsdist image; tag tracked alongside Authoritative line.
+    # Official dnsdist image. Repo `powerdns/dnsdist-19` carries the 1.9.x
+    # line (matches Authoritative 5.0.x release cadence). Pin a concrete
+    # tag here — the dnsdist Deployment template defaults to the value
+    # below when image.tag is unset.
    repository: docker.io/powerdns/dnsdist-19
-    tag: ""                         # falls back to chart-level appVersion if needed
+    tag: "1.9.14"
    pullPolicy: IfNotPresent
  replicaCount: 1                   # scale alongside Sovereign expansion; single instance fronts one region
  service: