From 0d80181a2666d9cdd8001eca69bbefbb3b16e4dc Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Sat, 16 May 2026 15:22:06 +0300
Subject: f3s/registry: add coredns-custom ConfigMap for in-cluster registry DNS

Trivy scan jobs do their own DNS lookups for image names and need registry.lan.buetow.org to resolve from inside the cluster. Adds a coredns-custom server block pointing the hostname at r0's WireGuard IP (which matches the k3s registries.yaml mirror target).
---
 .../helm-chart/templates/coredns-custom.yaml | 23 ++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 f3s/registry/helm-chart/templates/coredns-custom.yaml

diff --git a/f3s/registry/helm-chart/templates/coredns-custom.yaml b/f3s/registry/helm-chart/templates/coredns-custom.yaml
new file mode 100644
index 0000000..4747272
--- /dev/null
+++ b/f3s/registry/helm-chart/templates/coredns-custom.yaml
@@ -0,0 +1,23 @@
+---
+# Make `registry.lan.buetow.org` resolvable from inside the cluster so that
+# pods (notably trivy-operator scan jobs) can pull/inspect images from the
+# in-cluster Docker Registry NodePort.
+#
+# The k3s registries.yaml on each node mirrors `registry.lan.buetow.org:30001`
+# to `r0.lan.buetow.org:30001`, so containerd image pulls work without DNS.
+# Pods that issue their own image-name DNS lookups (trivy) still need an
+# A record. We point them at r0's WireGuard IP, which is what NodeHosts
+# uses for r0.lan.buetow.org and what the registries.yaml mirror targets.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: coredns-custom
+ namespace: kube-system
+data:
+ registry.server: |
+ registry.lan.buetow.org:53 {
+ hosts {
+ 192.168.2.120 registry.lan.buetow.org
+ fallthrough
+ }
+ }
-- 
cgit v1.2.3
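Review bot: `fallthrough` inside the `registry.lan.buetow.org:53` server block has no plugin after `hosts` to fall through to, so a query in that zone the single A entry cannot satisfy (an AAAA lookup for the same name, or any other label under it) will most likely end in SERVFAIL rather than a clean NODATA/NXDOMAIN, which can show up as slow or flaky resolution in the trivy scan jobs this block is meant to help; either drop `fallthrough` or add a `forward` after the `hosts` block, depending on which answer clients should see. The address `192.168.2.120` is also a literal here while the header comment says it must agree with the NodeHosts entry for r0 and the registries.yaml mirror target, so the three copies can drift without anything failing at render time; since this file is a Helm template, sourcing it from a chart value (e.g. `{{ .Values.<registry-ip-placeholder> }}`) and noting in the comment the two other places it must match would make that coupling explicit. The indentation of the ConfigMap body is not recoverable from the collapsed patch, so I have not checked the YAML nesting of the `registry.server` block scalar.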