Cluster Domains and CIDRs
Cluster-level domain and CIDR allocation for the dc-lab fleet — root domain, app wildcard, cluster ingress, and pod/service CIDRs.
DNS domains and CIDRs at the cluster level for the dc-lab fleet
(hub-dc-v6 + spoke-dc-v6). The lab uses a single root authoritative
zone with a wildcard for platform-VM apps and per-cluster wildcards for
OpenShift ingress. CIDR allocation is described at the /24 (and bigger)
granularity; specific host IPs are not republished here.
Domain plane
The whiteboard below shows how the root zone divides into the
platform-VM wildcard (*.apps.sub.comptech-lab.com -> HAProxy edge) and the
per-cluster wildcards (*.apps.<cluster>.sub.comptech-lab.com -> cluster
ingress VIPs).
Domains
| Domain | Purpose | Resolves to |
|---|---|---|
| sub.comptech-lab.com | Lab root zone (authoritative on pdns VM) | — (delegation point) |
| *.apps.sub.comptech-lab.com | Platform-VM wildcard fronted by HAProxy | HAProxy edge (public + lab binds) |
| *.mon.sub.comptech-lab.com | Monitoring sandbox exposure (added 2026-05-09) | HAProxy edge with wildcard-mon.pem cert |
| api.hub-dc-v6.sub.comptech-lab.com:6443 | hub-dc-v6 OpenShift API | hub API VIP (cluster network) |
| *.apps.hub-dc-v6.sub.comptech-lab.com | hub-dc-v6 ingress | hub ingress VIP |
| api.spoke-dc-v6.sub.comptech-lab.com:6443 | spoke-dc-v6 OpenShift API | spoke API VIP (cluster network) |
| *.apps.spoke-dc-v6.sub.comptech-lab.com | spoke-dc-v6 ingress | spoke ingress VIP |
CIDR allocation
| Item | Value | Notes |
|---|---|---|
| Lab bridge / machine network | 30.30.0.0/16 | Private br30 bridge; all platform VMs and OpenShift nodes attach here. |
| OpenShift node subnet | 30.30.75.0/24 | Allocated for hub + spoke control planes and spoke workers. |
| OpenShift cluster pod CIDR | OpenShift installer default | Not customized in cluster install artifacts. |
| OpenShift service CIDR | OpenShift installer default | Not customized in cluster install artifacts. |
| IPv6 | disabled | Lab is IPv4-only by policy. |
OpenShift VIPs (per cluster)
| Cluster | API VIP (logical) | Ingress VIP (logical) |
|---|---|---|
| hub-dc-v6 | hub API VIP on 30.30.75.0/24 | hub ingress VIP on 30.30.75.0/24 |
| spoke-dc-v6 | spoke API VIP on 30.30.75.0/24 | spoke ingress VIP on 30.30.75.0/24 |
Exact VIP addresses are held in `opp-full-plat/connection-details/platform-admin-handoff.md`.
DNS resolver behavior
- Default lab resolver runs on the `pdns` VM (recursor).
- Recursor forwards `sub.comptech-lab.com` to the locally-running authoritative on the same VM.
- Everything else recurses through Google + Cloudflare.
- Recursor refuses queries from outside the lab `/16`.
Gateway
- Default gateway for the lab `/16` is allocated at `.0.1` on the bridge.
- Specific IP held in `connection-details/platform-admin-handoff.md`.
Why this domain split
| Decision | Rationale |
|---|---|
| Single root zone | Single SQLite-backed PowerDNS instance keeps zone maintenance to one VM. |
| *.apps.sub.* for platform VMs | Reuses the LE wildcard cert across many platform-VM hostnames with a single TLS terminator (HAProxy). |
| *.apps.<cluster>.sub.* for clusters | OpenShift install creates this wildcard automatically. Avoids overlap with the platform wildcard. |
| *.mon.sub.* sibling | Lets the monitoring sandbox have its own cert + cleaner identity without polluting *.apps.*. |
| HAProxy not in OpenShift path | OpenShift cluster APIs and routes bind to dedicated public IPs — no double-hop. See feedback_haproxy_scope.md. |
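As an added example (not part of the lab's own tooling), the recursor policy from "DNS resolver behavior" and the wildcard split justified in this table are modelled as a small Python check. The /16, the zone name and the wildcard owners come from the tables on this page; the target strings are the page's logical names (VIP and upstream resolver addresses are not published here, so none are assumed).

```python
import ipaddress

# Values taken from this page's tables; VIP and upstream addresses are not published here
LAB_NET = ipaddress.ip_network("30.30.0.0/16")  # lab bridge / machine network
LAB_ZONE = "sub.comptech-lab.com"                # root zone, authoritative on the pdns VM
# Wildcard owner name -> logical target, from the Domains table
WILDCARDS = {
    "apps.sub.comptech-lab.com": "HAProxy edge",
    "mon.sub.comptech-lab.com": "HAProxy edge (wildcard-mon.pem)",
    "apps.hub-dc-v6.sub.comptech-lab.com": "hub ingress VIP",
    "apps.spoke-dc-v6.sub.comptech-lab.com": "spoke ingress VIP",
}


def _norm(name: str) -> str:
    """Lower-case and drop the trailing dot so comparisons are label-exact."""
    return name.rstrip(".").lower()


def under_zone(qname: str, zone: str) -> bool:
    """Zone apex or any name below it. A plain suffix test is wrong:
    'notsub.comptech-lab.com' is not inside 'sub.comptech-lab.com'."""
    q, z = _norm(qname), _norm(zone)
    return q == z or q.endswith("." + z)


def resolver_decision(client_ip: str, qname: str) -> str:
    """Recursor policy from the page: refuse clients outside the lab /16,
    forward the lab zone to the local authoritative, recurse the rest upstream."""
    if ipaddress.ip_address(client_ip) not in LAB_NET:
        return "REFUSED"
    if under_zone(qname, LAB_ZONE):
        return "forward:local-authoritative"
    return "recurse:upstream"


def wildcard_target(qname: str):
    """Logical target of the wildcard covering qname, or None. A wildcard '*.X'
    covers names strictly below X, never X itself; the closest (longest) owner wins."""
    q = _norm(qname)
    matches = [owner for owner in WILDCARDS if q.endswith("." + owner)]
    return WILDCARDS[max(matches, key=len)] if matches else None


def overlapping_wildcards():
    """Owner pairs where one wildcard sits under another and would be shadowed.
    Empty for this table: apps.<cluster>.sub.* is not below apps.sub.*."""
    owners = list(WILDCARDS)
    return [(a, b) for a in owners for b in owners if a != b and a.endswith("." + b)]
```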
Internal only
Specific API VIP and ingress VIP addresses, exact gateway IP, and per-host A records are kept in
`opp-full-plat/connection-details/platform-admin-handoff.md` and on the `pdns` VM.
Last regenerated from `connection-details/platform-admin-handoff.md`, `reference_lab_infrastructure.md`, `reference_pdns_vm.md`, `reference_haproxy_vm.md`.