diff --git a/ansible-bind-primary.yml b/ansible-bind-primary.yml new file mode 100644 index 0000000..8658f7d --- /dev/null +++ b/ansible-bind-primary.yml @@ -0,0 +1,65 @@ +- name: Setup primary nameserver + hosts: ns1.k-space.ee + tasks: + - name: Make sure bind9 is installed + ansible.builtin.apt: + name: bind9 + state: present + - name: Configure Bind + register: bind + copy: + dest: /etc/bind/named.conf + content: | + # This file is managed by Ansible + # https://git.k-space.ee/k-space/kube/src/branch/master/ansible-bind-primary.yml + # Do NOT modify manually + + include "/etc/bind/named.conf.options"; + include "/etc/bind/named.conf.local"; + include "/etc/bind/readwrite.key"; + include "/etc/bind/readonly.key"; + + # https://kb.isc.org/docs/aa-00723 + + acl allowed { + 172.20.3.0/24; + 172.20.4.0/24; + }; + + acl rejected { !allowed; any; }; + + zone "." { + type hint; + file "/var/lib/bind/db.root"; + }; + + zone "k-space.ee" { + type master; + file "/var/lib/bind/db.k-space.ee"; + allow-update { !rejected; key readwrite; }; + allow-transfer { !rejected; key readonly; key readwrite; }; + notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; }; + }; + + zone "k6.ee" { + type master; + file "/var/lib/bind/db.k6.ee"; + allow-update { !rejected; key readwrite; }; + allow-transfer { !rejected; key readonly; key readwrite; }; + notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; }; + }; + + zone "kspace.ee" { + type master; + file "/var/lib/bind/db.kspace.ee"; + allow-update { !rejected; key readwrite; }; + allow-transfer { !rejected; key readonly; key readwrite; }; + notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; }; + }; + - name: Check Bind config + ansible.builtin.shell: "named-checkconf" + - name: Reload Bind config + service: + name: bind9 + state: reloaded + when: bind.changed 
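Review bot: `named-checkconf` runs only after `Configure Bind` has already replaced `/etc/bind/named.conf`, so an invalid render lands on disk; the play stops before `Reload Bind config`, but the running daemon is then one restart (reboot, package upgrade) away from failing to start. Let the copy module gate the write instead with `validate: named-checkconf %s`, after which the separate check task is redundant (if it stays, `ansible.builtin.command` is enough, it needs no shell). The `allowed` ACL admits only 172.20.3.0/24 and 172.20.4.0/24, while the secondaries are notified at 172.20.53.{1..3}; their AXFR requests will most likely arrive from a pod or node address rather than the LoadBalancer IP, so confirm that range is inside `allowed` or `allow-transfer { !rejected; key readonly; ... }` will refuse them. `named.conf.options` is only included, not managed here, so `recursion`, `allow-query` and `version` settings for the primary cannot be assessed from this change.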
diff --git a/external-dns/.gitignore b/bind/.gitignore similarity index 100% rename from external-dns/.gitignore rename to bind/.gitignore diff --git a/bind/README.md b/bind/README.md new file mode 100644 index 0000000..2e99b0b --- /dev/null +++ b/bind/README.md @@ -0,0 +1,31 @@ +# Bind setup + +The Bind primary resides outside Kubernetes at `193.40.103.2` and +it's internally reachable via `172.20.0.2` + +Bind secondaries are hosted inside Kubernetes and load balanced behind `62.65.250.2` + +Ingresses and DNSEndpoints referring to `k-space.ee`, `kspace.ee`, `k6.ee` +are picked up automatically by `external-dns` and updated on primary. + +The primary triggers notification events to `172.20.53.{1..3}` +which are internally exposed IP-s of the secondaries. + +# Secrets + +To configure TSIG secrets: + +``` +kubectl create secret generic -n bind bind-readonly-secret \ + --from-file=readonly.key +kubectl create secret generic -n bind bind-readwrite-secret \ + --from-file=readwrite.key +kubectl create secret generic -n bind external-dns +kubectl -n bind delete secret tsig-secret +kubectl -n bind create secret generic tsig-secret \ + --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2) +kubectl -n cert-manager delete secret tsig-secret +kubectl -n cert-manager create secret generic tsig-secret \ + --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2) +``` + diff --git a/bind/bind-secondary.yaml b/bind/bind-secondary.yaml new file mode 100644 index 0000000..4b56c67 --- /dev/null +++ b/bind/bind-secondary.yaml 
@@ -0,0 +1,163 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: bind-secondary-config +data: + named.conf: | + include "/etc/bind/readonly.key"; + options { + recursion no; + pid-file "/var/bind/named.pid"; + allow-query { 0.0.0.0/0; }; + allow-notify { 172.20.0.2; }; + allow-transfer { none; }; + check-names slave ignore; + }; + zone "k-space.ee" { type slave; masters { 172.20.0.2 key readonly; }; }; + zone "k6.ee" { type slave; masters { 172.20.0.2 key readonly; }; }; + zone "kspace.ee" { type slave; masters { 172.20.0.2 key readonly; }; }; +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: bind-secondary + namespace: bind +spec: + replicas: 3 + selector: + matchLabels: + app: bind-secondary + template: + metadata: + labels: + app: bind-secondary + spec: + volumes: + - name: run + emptyDir: {} + containers: + - name: bind-secondary + image: internetsystemsconsortium/bind9:9.19 + volumeMounts: + - mountPath: /run/named + name: run + workingDir: /var/bind + command: + - named + - -g + - -c + - /etc/bind/named.conf + volumeMounts: + - name: bind-secondary-config + mountPath: /etc/bind + readOnly: true + - name: bind-data + mountPath: /var/bind + volumes: + - name: bind-secondary-config + projected: + sources: + - configMap: + name: bind-secondary-config + - secret: + name: bind-readonly-secret + - name: bind-data + emptyDir: {} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - bind-secondary + topologyKey: "kubernetes.io/hostname" +--- +apiVersion: v1 +kind: Service +metadata: + name: bind-secondary + namespace: bind +spec: + type: LoadBalancer + externalTrafficPolicy: Local + loadBalancerIP: 62.65.250.2 + selector: + app: bind-secondary + ports: + - protocol: TCP + port: 53 + name: dns-tcp + targetPort: 53 + - protocol: UDP + port: 53 + name: dns-udp + targetPort: 53 +--- +apiVersion: v1 +kind: Service +metadata: + name: 
bind-secondary-0 + namespace: bind +spec: + type: LoadBalancer + externalTrafficPolicy: Local + loadBalancerIP: 172.20.53.1 + selector: + app: bind-secondary + statefulset.kubernetes.io/pod-name: bind-secondary-0 + ports: + - protocol: TCP + port: 53 + name: dns-tcp + targetPort: 53 + - protocol: UDP + port: 53 + name: dns-udp + targetPort: 53 +--- +apiVersion: v1 +kind: Service +metadata: + name: bind-secondary-1 + namespace: bind +spec: + type: LoadBalancer + externalTrafficPolicy: Local + loadBalancerIP: 172.20.53.2 + selector: + app: bind-secondary + statefulset.kubernetes.io/pod-name: bind-secondary-1 + ports: + - protocol: TCP + port: 53 + name: dns-tcp + targetPort: 53 + - protocol: UDP + port: 53 + name: dns-udp + targetPort: 53 +--- +apiVersion: v1 +kind: Service +metadata: + name: bind-secondary-2 + namespace: bind +spec: + type: LoadBalancer + externalTrafficPolicy: Local + loadBalancerIP: 172.20.53.3 + selector: + app: bind-secondary + statefulset.kubernetes.io/pod-name: bind-secondary-2 + ports: + - protocol: TCP + port: 53 + name: dns-tcp + targetPort: 53 + - protocol: UDP + port: 53 + name: dns-udp + targetPort: 53 diff --git a/bind/external-dns-k-space.yaml b/bind/external-dns-k-space.yaml new file mode 100644 index 0000000..7364d7c --- /dev/null +++ b/bind/external-dns-k-space.yaml 
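Review bot: The StatefulSet pod template declares `volumes:` twice and the container declares `volumeMounts:` twice (the `run` emptyDir at `/run/named`, then the config/data volumes); YAML loaders generally keep only the last mapping entry, so the first definitions are silently dropped and, depending on the tooling, `kubectl apply` may reject the manifest outright. Merge them into one `volumes:` list (`run`, `bind-secondary-config`, `bind-data`) and one `volumeMounts:` list. The ConfigMap carries no `namespace: bind` while the StatefulSet and Services do, so applying the file without `-n bind` puts it in `default` and the projected volume never resolves. `internetsystemsconsortium/bind9:9.19` is an odd-numbered, development branch of BIND; for an internet-facing authoritative server the stable 9.18 line pinned by digest would be the safer choice, and the pod sets no `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`), which cannot be assumed from the image tag alone.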
@@ -0,0 +1,40 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: external-dns-k-space +spec: + revisionHistoryLimit: 0 + selector: + matchLabels: &selectorLabels + app.kubernetes.io/name: external-dns + domain: k-space.ee + template: + metadata: + labels: *selectorLabels + spec: + serviceAccountName: external-dns + containers: + - name: external-dns + image: registry.k8s.io/external-dns/external-dns:v0.13.5 + envFrom: + - secretRef: + name: tsig-secret + args: + - --events + - --registry=txt + - --txt-prefix=external-dns- + - --txt-owner-id=k8s + - --provider=rfc2136 + - --source=ingress + - --source=service + - --source=crd + - --domain-filter=k-space.ee + - --rfc2136-tsig-axfr + - --rfc2136-host=172.20.0.2 + - --rfc2136-port=53 + - --rfc2136-zone=k-space.ee + - --rfc2136-tsig-keyname=readwrite + - --rfc2136-tsig-secret-alg=hmac-sha512 + - --rfc2136-tsig-secret=$(TSIG_SECRET) + # https://github.com/kubernetes-sigs/external-dns/issues/2446 diff --git a/external-dns/k6.yaml b/bind/external-dns-k6.yaml similarity index 55% rename from external-dns/k6.yaml rename to bind/external-dns-k6.yaml index 515cb86..12dcdab 100644 --- a/external-dns/k6.yaml +++ b/bind/external-dns-k6.yaml @@ -2,8 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: k6 - namespace: external-dns + name: external-dns-k6 spec: revisionHistoryLimit: 0 selector: 
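Review bot: `--rfc2136-tsig-secret=$(TSIG_SECRET)` places the zone update key in the container's argv, where it is readable in `/proc/<pid>/cmdline` and process listings by anything on the node, even though the same value is already in the environment via `envFrom`. external-dns accepts each flag as an `EXTERNAL_DNS_<FLAG>` environment variable (confirm for v0.13.5), so store the key under `EXTERNAL_DNS_RFC2136_TSIG_SECRET` in `tsig-secret` (or map it with `env:` / `valueFrom.secretKeyRef`) and drop the argument. The same pattern repeats in the k6 and kspace deployments and presumably in the cert-manager issuer that consumes the second copy of the secret; those are outside this hunk.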
@@ -16,27 +15,27 @@ spec: spec: serviceAccountName: external-dns containers: - - name: external-dns - image: registry.k8s.io/external-dns/external-dns:v0.13.5 - envFrom: - - secretRef: - name: tsig-secret - args: - - --log-level=debug - - --events - - --registry=noop - - --provider=rfc2136 - - --source=service - - --source=crd - - --domain-filter=k6.ee - - --rfc2136-tsig-axfr - - --rfc2136-host=193.40.103.2 - - --rfc2136-port=53 - - --rfc2136-zone=k6.ee - - --rfc2136-tsig-keyname=acme - - --rfc2136-tsig-secret-alg=hmac-sha512 - - --rfc2136-tsig-secret=$(TSIG_SECRET) - # https://github.com/kubernetes-sigs/external-dns/issues/2446 + - name: external-dns + image: registry.k8s.io/external-dns/external-dns:v0.13.5 + envFrom: + - secretRef: + name: tsig-secret + args: + - --log-level=debug + - --events + - --registry=noop + - --provider=rfc2136 + - --source=service + - --source=crd + - --domain-filter=k6.ee + - --rfc2136-tsig-axfr + - --rfc2136-host=172.20.0.2 + - --rfc2136-port=53 + - --rfc2136-zone=k6.ee + - --rfc2136-tsig-keyname=readwrite + - --rfc2136-tsig-secret-alg=hmac-sha512 + - --rfc2136-tsig-secret=$(TSIG_SECRET) + # https://github.com/kubernetes-sigs/external-dns/issues/2446 --- apiVersion: externaldns.k8s.io/v1alpha1 kind: DNSEndpoint diff --git a/external-dns/kspace.yaml b/bind/external-dns-kspace.yaml similarity index 52% rename from external-dns/kspace.yaml rename to bind/external-dns-kspace.yaml index 35b3886..86125fd 100644 --- a/external-dns/kspace.yaml +++ b/bind/external-dns-kspace.yaml @@ -2,8 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: kspace - namespace: external-dns + name: external-dns-kspace spec: revisionHistoryLimit: 0 selector: 
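Review bot: `--registry=noop` together with the AXFR-based record listing and external-dns's default `--policy=sync` makes this instance treat every record in `k6.ee` as its own, so any record in the zone that is not backed by a Service or DNSEndpoint in the cluster is eligible for deletion on the next sync; the `k-space.ee` deployment in this same change guards against that with `--registry=txt` and an owner id. Bring this one in line: `- --registry=txt`, `- --txt-prefix=external-dns-`, `- --txt-owner-id=k8s`, or at minimum `- --policy=upsert-only`. The `noop` registry is carried over from the old file rather than introduced here, but the hunk rewrites every line of the container spec, so this is the place to fix it. The Deployment's metadata and the DNSEndpoint below are outside this hunk.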
@@ -16,27 +15,27 @@ spec: spec: serviceAccountName: external-dns containers: - - name: external-dns - image: registry.k8s.io/external-dns/external-dns:v0.13.5 - envFrom: - - secretRef: - name: tsig-secret - args: - - --events - - --registry=noop - - --provider=rfc2136 - - --source=ingress - - --source=service - - --source=crd - - --domain-filter=kspace.ee - - --rfc2136-tsig-axfr - - --rfc2136-host=193.40.103.2 - - --rfc2136-port=53 - - --rfc2136-zone=kspace.ee - - --rfc2136-tsig-keyname=acme - - --rfc2136-tsig-secret-alg=hmac-sha512 - - --rfc2136-tsig-secret=$(TSIG_SECRET) - # https://github.com/kubernetes-sigs/external-dns/issues/2446 + - name: external-dns + image: registry.k8s.io/external-dns/external-dns:v0.13.5 + envFrom: + - secretRef: + name: tsig-secret + args: + - --events + - --registry=noop + - --provider=rfc2136 + - --source=ingress + - --source=service + - --source=crd + - --domain-filter=kspace.ee + - --rfc2136-tsig-axfr + - --rfc2136-host=172.20.0.2 + - --rfc2136-port=53 + - --rfc2136-zone=kspace.ee + - --rfc2136-tsig-keyname=readwrite + - --rfc2136-tsig-secret-alg=hmac-sha512 + - --rfc2136-tsig-secret=$(TSIG_SECRET) + # https://github.com/kubernetes-sigs/external-dns/issues/2446 --- apiVersion: externaldns.k8s.io/v1alpha1 kind: DNSEndpoint diff --git a/bind/external-dns.yaml b/bind/external-dns.yaml new file mode 100644 index 0000000..5360660 --- /dev/null +++ b/bind/external-dns.yaml 
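Review bot: A single TSIG key now authorises unrestricted dynamic updates to all three zones: this hunk and the k6/k-space deployments set `--rfc2136-tsig-keyname=readwrite` in place of the former `acme`, and the README copies the same key into `cert-manager/tsig-secret`. A compromise of any one of those pods, or a read on either `tsig-secret`, therefore yields full write on `k-space.ee`, `kspace.ee` and `k6.ee`. Keeping a separate `acme` key for cert-manager and, on the primary, limiting it with an `update-policy` grant (e.g. `grant acme. zonesub TXT;`) would restrict it to TXT records, which is all DNS-01 needs; note that `update-policy` and `allow-update` are mutually exclusive within a zone, so the address-based `!rejected` check would have to be reconsidered. The cert-manager issuer that uses the key is not part of this change.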
@@ -0,0 +1,58 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: external-dns +rules: +- apiGroups: + - "" + resources: + - services + - endpoints + - pods + - nodes + verbs: + - get + - watch + - list +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - externaldns.k8s.io + resources: + - dnsendpoints + verbs: + - get + - watch + - list +- apiGroups: + - externaldns.k8s.io + resources: + - dnsendpoints/status + verbs: + - update +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: external-dns +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: external-dns-viewer +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: external-dns +subjects: +- kind: ServiceAccount + name: external-dns + namespace: bind diff --git a/external-dns/README.md b/external-dns/README.md deleted file mode 100644 index 33f03b8..0000000 --- a/external-dns/README.md +++ /dev/null @@ -1,15 +0,0 @@ -Before applying replace the secret with the actual one. - -For debugging add `- --log-level=debug`: - -``` -wget https://raw.githubusercontent.com/kubernetes-sigs/external-dns/master/docs/contributing/crd-source/crd-manifest.yaml -O crd.yml -kubectl apply -n external-dns -f application.yml -f crd.yml -``` - -Insert TSIG secret: - -``` - kubectl -n external-dns create secret generic tsig-secret \ - --from-literal=TSIG_SECRET= -``` diff --git a/external-dns/k-space.yaml b/external-dns/k-space.yaml deleted file mode 100644 index 423b87a..0000000 --- a/external-dns/k-space.yaml +++ /dev/null 
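Review bot: The `ServiceAccount` carries no `metadata.namespace`, while the `ClusterRoleBinding` subject hard-codes `namespace: bind`; if the file is ever applied without `-n bind` the account is created elsewhere, the binding points at a non-existent subject, and external-dns runs with no API access. Pin it with `namespace: bind` under the ServiceAccount's metadata (the ClusterRole is cluster-scoped and needs none). The binding name `external-dns-viewer` also undersells the role, which includes `update` on `dnsendpoints/status`; `external-dns` would be a truer name. The rules themselves (get/list/watch on services, endpoints, pods, nodes, ingresses, dnsendpoints) match what `--source=ingress,service,crd` needs and grant no write beyond the status subresource.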
@@ -1,101 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: external-dns - namespace: external-dns -rules: -- apiGroups: - - "" - resources: - - services - - endpoints - - pods - - nodes - verbs: - - get - - watch - - list -- apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - externaldns.k8s.io - resources: - - dnsendpoints - verbs: - - get - - watch - - list -- apiGroups: - - externaldns.k8s.io - resources: - - dnsendpoints/status - verbs: - - update ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-dns - namespace: external-dns ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: external-dns-viewer - namespace: external-dns -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: external-dns -subjects: -- kind: ServiceAccount - name: external-dns - namespace: external-dns ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: k-space - namespace: external-dns -spec: - revisionHistoryLimit: 0 - selector: - matchLabels: &selectorLabels - app.kubernetes.io/name: external-dns - domain: k-space.ee - template: - metadata: - labels: *selectorLabels - spec: - serviceAccountName: external-dns - containers: - - name: external-dns - image: registry.k8s.io/external-dns/external-dns:v0.13.5 - envFrom: - - secretRef: - name: tsig-secret - args: - - --events - - --registry=txt - - --txt-prefix=external-dns- - - --txt-owner-id=k8s - - --provider=rfc2136 - - --source=ingress - - --source=service - - --source=crd - - --domain-filter=k-space.ee - - --rfc2136-tsig-axfr - - --rfc2136-host=193.40.103.2 - - --rfc2136-port=53 - - --rfc2136-zone=k-space.ee - - --rfc2136-tsig-keyname=acme - - --rfc2136-tsig-secret-alg=hmac-sha512 - - --rfc2136-tsig-secret=$(TSIG_SECRET) - # https://github.com/kubernetes-sigs/external-dns/issues/2446 
diff --git a/inventory.yml b/inventory.yml index c5134b4..7029eba 100644 --- a/inventory.yml +++ b/inventory.yml @@ -1,5 +1,8 @@ all: children: + bind: + hosts: + ns1.k-space.ee: kubernetes: children: masters: diff --git a/inventory/README.md b/inventory/README.md new file mode 100644 index 0000000..223743d --- /dev/null +++ b/inventory/README.md @@ -0,0 +1,21 @@ + +To deploy components: + +``` +kubectl create namespace members-site +kubectl apply -n members-site -f doorboy.yml +``` + + +# Doorboy + +Set up Doorboy UID hashing salt: + +``` + kubectl create secret generic -n members-site doorboy-api \ + --from-literal=DOORBOY_SECRET=hg2NmVlf6JcS3w237ZXn + kubectl create secret generic -n members-site doorboy-uid-hash-salt \ + --from-literal=KDOORPI_UID_SALT=hkRXwLlQKmCJoy5qaahp + kubectl create secret generic -n members-site mongo-application-readwrite \ + --from-literal=connectionString.standard=mongodb://kspace_accounting:dBDCS21pHlZAd5isyfBI@mongodb.infra.k-space.ee:27017/kspace_accounting?replicaSet=kspace-mongo-set +``` diff --git a/metallb-system/application.yml b/metallb-system/application.yml index 3d89eaf..7d0591b 100644 --- a/metallb-system/application.yml +++ b/metallb-system/application.yml @@ -35,7 +35,9 @@ metadata: namespace: metallb-system spec: ipAddressPools: - - zoo + - zoo + - bind-secondary-external + - bind-secondary-internal --- # Slice of public EEnet subnet using MetalLB L3 method apiVersion: metallb.io/v1beta1 @@ -57,6 +59,24 @@ spec: addresses: - 62.65.250.36/30 --- +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: bind-secondary-internal + namespace: metallb-system +spec: + addresses: + - 172.20.53.0/24 +--- +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: bind-secondary-external + namespace: metallb-system +spec: + addresses: + - 62.65.250.2/32 +--- apiVersion: metallb.io/v1beta2 kind: BGPPeer metadata: diff --git a/ssh_config b/ssh_config index 901de57..105afbc 100644 --- a/ssh_config 
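Review bot: `inventory/README.md` commits what look like live credentials — `DOORBOY_SECRET`, `KDOORPI_UID_SALT` and the `kspace_accounting` MongoDB password embedded in the connection string — into a repository whose URL is referenced from `ansible-bind-primary.yml`. Anything that has landed in history should be treated as exposed and rotated, and the README should show placeholders, e.g. `--from-literal=DOORBOY_SECRET=<doorboy-secret>`, with the real values kept in a secret store or an encrypted vars file. The `doorboy.yml` the install commands reference is not part of this change, so whether those values are also templated elsewhere cannot be checked here.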
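Review bot: Neither new `IPAddressPool` sets `autoAssign: false`, so once the `zoo` pool (62.65.250.36/30, four addresses) is exhausted MetalLB can hand 62.65.250.2 or any address in 172.20.53.0/24 to an arbitrary LoadBalancer Service that does not request a specific IP — including the public address the README documents as the nameserver. Add `autoAssign: false` to both `bind-secondary-internal` and `bind-secondary-external` so only Services naming those IPs (`loadBalancerIP` or the `metallb.universe.tf/loadBalancerIPs` annotation) can take them. The internal pool also reserves a whole /24 for three secondaries; `172.20.53.1-172.20.53.3` would keep the intent explicit. Whether `loadBalancerIP` is still honoured by this MetalLB version cannot be told from the hunk; upstream deprecates the field in favour of the annotation.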
+++ b/ssh_config @@ -4,3 +4,5 @@ Host * ControlMaster auto ControlPath ~/.ssh/cm-%r@%h:%p +Host ns1.k-space.ee + Hostname 172.20.0.2