bind, cert-manager: Cleanups

2024-08-14 10:04:41 +03:00
parent 3f4d89b4b1
commit 1d39827375
9 changed files with 160 additions and 139 deletions


@@ -1,32 +1,31 @@
#TODO:
# Bind namespace
- cert-manager talks to master to add domain names, and DNS-01 TLS through ns1.k-space.ee
^ both-side link to cert-manager
The Bind secondary servers and `external-dns` service pods are running in this namespace.
The `external-dns` pods are used to declaratively update DNS records on the
[Bind primary](https://git.k-space.ee/k-space/ansible/src/branch/main/authoritative-nameserver.yaml).
bind-services (zone transfer to HA replicas from ns1.k-space.ee)
### ns1.k-space.ee
Primary authoritive nameserver replica. Other replicas live on Kube nodes
Idea to move it to Zone.
dns.yaml files add DNS records
# Bind setup
The Bind primary resides outside Kubernetes at `193.40.103.2` and
The Bind primary `ns1.k-space.ee` resides outside Kubernetes at `193.40.103.2` and
it's internally reachable via `172.20.0.2`.
Bind secondaries perform AXFR (zone transfer) from `ns1.k-space.ee` using
shared secret autentication.
The primary triggers notification events to `172.20.53.{1..3}`
which are internally exposed IP-s of the secondaries.
Bind secondaries are hosted inside Kubernetes, load balanced behind `62.65.250.2` and
under normal circumstances managed by [ArgoCD](https://argocd.k-space.ee/applications/argocd/bind).
Ingresses and DNSEndpoints referring to `k-space.ee`, `kspace.ee`, `k6.ee`
are picked up automatically by `external-dns` and updated on primary.
Note that [cert-manager](https://git.k-space.ee/k-space/kube/src/branch/master/cert-manager/issuer.yml) also performs DNS updates on the Bind primary.
The primary triggers notification events to `172.20.53.{1..3}`
which are internally exposed IP-s of the secondaries.
# Secrets
# For user
`Ingresses` and `DNSEndpoint` resources under `k-space.ee`, `kspace.ee`, `k6.ee`
domains are picked up automatically by `external-dns` and updated on the Bind primary.
To find usage examples in this repository use
`grep -r -A25 "^kind: Ingress" .` and
`grep -R -r -A100 "^kind: DNSEndpoint" .`
# For administrator
To configure TSIG secrets:
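Review bot: a few wording and style fixes are needed in the new README text: `autentication` should be `authentication` on the AXFR line, `authoritive` should be `authoritative` under the `### ns1.k-space.ee` heading, and `IP-s` should read `IPs`. In the usage hint, `grep -R -r -A100 "^kind: DNSEndpoint" .` passes both `-R` and `-r`; one recursion flag is enough, so match the Ingress example with `grep -r -A100 "^kind: DNSEndpoint" .`. Since the text now states that both `external-dns` and cert-manager perform DNS updates on the Bind primary using shared secret authentication, the "For administrator" section that ends at `To configure TSIG secrets:` is the natural place to document which zones and record types each TSIG key is permitted to update, so a reader can judge what a key exposed in this namespace could change and where to look when unexpected record changes show up on `ns1.k-space.ee`.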