From ee2193d4cfc66821c183ee4905062adb50c523b1 Mon Sep 17 00:00:00 2001
From: ERIK
Date: Tue, 24 Jan 2023 09:42:15 +0800
Subject: [PATCH] Add dns configuration for cert manager (#9673)
Signed-off-by: bo.jiang
Signed-off-by: bo.jiang
---
 inventory/sample/group_vars/k8s_cluster/addons.yml | 6 ++++++
 .../ingress_controller/cert_manager/defaults/main.yml | 3 +++
 .../cert_manager/templates/cert-manager.yml.j2 | 7 +++++++
 3 files changed, 16 insertions(+)
diff --git a/inventory/sample/group_vars/k8s_cluster/addons.yml b/inventory/sample/group_vars/k8s_cluster/addons.yml
index b40da6c75..7177803a0 100644
--- a/inventory/sample/group_vars/k8s_cluster/addons.yml
+++ b/inventory/sample/group_vars/k8s_cluster/addons.yml
@@ -161,6 +161,12 @@ cert_manager_enabled: false
 # -----END CERTIFICATE-----
 # cert_manager_leader_election_namespace: kube-system
+# cert_manager_dns_policy: "ClusterFirst"
+# cert_manager_dns_config:
+# nameservers:
+# - "1.1.1.1"
+# - "8.8.8.8"
+
 # MetalLB deployment
 metallb_enabled: false
 metallb_speaker_enabled: "{{ metallb_enabled }}"
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml b/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml
index b12a1a97c..bd3d2fefa 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml
@@ -4,6 +4,9 @@ cert_manager_user: 1001
 cert_manager_tolerations: []
 cert_manager_affinity: {}
 cert_manager_nodeselector: {}
+cert_manager_dns_policy: "ClusterFirst"
+cert_manager_dns_config: {}
+
 ## Change leader election namespace when deploying on GKE Autopilot that forbid the changes on kube-system namespace.
 ## See https://github.com/jetstack/cert-manager/issues/3717
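Review bot: The commented sample in inventory/sample/group_vars/k8s_cluster/addons.yml pairs `cert_manager_dns_policy: "ClusterFirst"` with two public resolvers and does not say how the two settings interact. Under `ClusterFirst`, Kubernetes merges the `dnsConfig` nameservers into the resolver configuration it generates for the pod, while under `None` they become the pod's only resolvers, so every name cert-manager looks up, including the domains it requests certificates for, is sent to whatever is listed there. I would add a comment above the sample such as `# dnsPolicy "None" requires cert_manager_dns_config.nameservers; the listed resolvers see every domain cert-manager looks up`. The same one-line explanation belongs above the two new defaults in defaults/main.yml, which are added without any comment.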
diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
index a5185ae7d..9696d5156 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
@@ -976,6 +976,13 @@ spec:
 affinity:
 {{ cert_manager_affinity | to_nice_yaml | indent(width=8) }}
 {% endif %}
+{% if cert_manager_dns_policy %}
+ dnsPolicy: {{ cert_manager_dns_policy }}
+{% endif %}
+{% if cert_manager_dns_config %}
+ dnsConfig:
+ {{ cert_manager_dns_config | to_nice_yaml | indent(width=8) }}
+{% endif %}
 {% if cert_manager_trusted_internal_ca is defined %}
 volumeMounts:
 - mountPath: /etc/ssl/certs/internal-ca.pem
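Review bot: The two new conditionals in cert-manager.yml.j2 are evaluated independently, so setting `cert_manager_dns_policy: "None"` while leaving the default `cert_manager_dns_config: {}` renders `dnsPolicy: None` with no `dnsConfig`, which the API server rejects because that policy needs at least one nameserver. A guard in the role, for example an `assert` task that `cert_manager_dns_config.nameservers` is non-empty whenever the policy is `None`, would fail early with a clear message instead of at apply time. The policy value is also emitted unquoted; `dnsPolicy: "{{ cert_manager_dns_policy }}"` keeps an empty or unexpected value from being retyped by the YAML parser. Only one pod spec is visible in this hunk (around line 976 of a multi-resource manifest), so it is worth confirming whether the other cert-manager Deployments are meant to receive the same DNS settings.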