bind, cert-manager: Cleanups
		@@ -1,32 +1,31 @@
 | 
			
		||||
#TODO:
 | 
			
		||||
# Bind namespace
 | 
			
		||||
 | 
			
		||||
- cert-manager talks to master to add domain names, and DNS-01 TLS through ns1.k-space.ee
 | 
			
		||||
^ both-side link to cert-manager
 | 
			
		||||
The Bind secondary servers and `external-dns` service pods are running in this namespace.
 | 
			
		||||
The `external-dns` pods are used to declaratively update DNS records on the
 | 
			
		||||
[Bind primary](https://git.k-space.ee/k-space/ansible/src/branch/main/authoritative-nameserver.yaml).
 | 
			
		||||
 | 
			
		||||
bind-services (zone transfer to HA replicas from ns1.k-space.ee)
 | 
			
		||||
 | 
			
		||||
### ns1.k-space.ee
 | 
			
		||||
Primary authoritive nameserver replica. Other replicas live on Kube nodes
 | 
			
		||||
Idea to move it to Zone.
 | 
			
		||||
 | 
			
		||||
dns.yaml files add DNS records
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
# Bind setup
 | 
			
		||||
 | 
			
		||||
The Bind primary resides outside Kubernetes at `193.40.103.2` and
 | 
			
		||||
The Bind primary `ns1.k-space.ee` resides outside Kubernetes at `193.40.103.2` and
 | 
			
		||||
it's internally reachable via `172.20.0.2`.
 | 
			
		||||
 | 
			
		||||
Bind secondaries perform AXFR (zone transfer) from `ns1.k-space.ee` using
 | 
			
		||||
shared secret autentication.
 | 
			
		||||
The primary triggers notification events to `172.20.53.{1..3}`
 | 
			
		||||
which are internally exposed IP-s of the secondaries.
 | 
			
		||||
Bind secondaries are hosted inside Kubernetes, load balanced behind `62.65.250.2` and
 | 
			
		||||
under normal circumstances managed by [ArgoCD](https://argocd.k-space.ee/applications/argocd/bind).
 | 
			
		||||
 | 
			
		||||
Ingresses and DNSEndpoints referring to `k-space.ee`, `kspace.ee`, `k6.ee`
 | 
			
		||||
are picked up automatically by `external-dns` and updated on primary.
 | 
			
		||||
Note that [cert-manager](https://git.k-space.ee/k-space/kube/src/branch/master/cert-manager/issuer.yml) also performs DNS updates on the Bind primary.
 | 
			
		||||
 | 
			
		||||
The primary triggers notification events to `172.20.53.{1..3}`
 | 
			
		||||
which are internally exposed IP-s of the secondaries.
 | 
			
		||||
 | 
			
		||||
# Secrets
 | 
			
		||||
# For user
 | 
			
		||||
 | 
			
		||||
`Ingresses` and `DNSEndpoint` resources under `k-space.ee`, `kspace.ee`, `k6.ee`
 | 
			
		||||
domains are picked up automatically by `external-dns` and updated on the Bind primary.
 | 
			
		||||
To find usage examples in this repository use
 | 
			
		||||
`grep -r -A25 "^kind: Ingress" .` and
 | 
			
		||||
`grep -R -r -A100 "^kind: DNSEndpoint" .`
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
# For administrator
 | 
			
		||||
 | 
			
		||||
To configure TSIG secrets:
 | 
			
		||||
 | 
			
		||||
 
 | 
			
		||||
@@ -1,8 +1,10 @@
 | 
			
		||||
# yamllint disable rule:line-length
 | 
			
		||||
---
 | 
			
		||||
apiVersion: v1
 | 
			
		||||
kind: ConfigMap
 | 
			
		||||
metadata:
 | 
			
		||||
  name: bind-secondary-config-local
 | 
			
		||||
  namespace: bind
 | 
			
		||||
data:
 | 
			
		||||
  named.conf.local: |
 | 
			
		||||
    zone "codemowers.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
 | 
			
		||||
@@ -13,6 +15,7 @@ apiVersion: v1
 | 
			
		||||
kind: ConfigMap
 | 
			
		||||
metadata:
 | 
			
		||||
  name: bind-secondary-config
 | 
			
		||||
  namespace: bind
 | 
			
		||||
data:
 | 
			
		||||
  named.conf: |
 | 
			
		||||
    include "/etc/bind/named.conf.local";
 | 
			
		||||
@@ -36,6 +39,7 @@ metadata:
 | 
			
		||||
  name: bind-secondary
 | 
			
		||||
  namespace: bind
 | 
			
		||||
spec:
 | 
			
		||||
  revisionHistoryLimit: 0
 | 
			
		||||
  replicas: 3
 | 
			
		||||
  selector:
 | 
			
		||||
    matchLabels:
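Review bot: `revisionHistoryLimit: 0` (apparently the line this hunk adds) makes the Deployment keep no old ReplicaSets, so `kubectl rollout undo` has nothing to fall back to if an image or ConfigMap change breaks the secondaries. With ArgoCD managing the app this may be intentional, but a limit of `1` or `2` preserves the fast rollback path at negligible cost for an authoritative nameserver. The same value is added to the `external-dns-k-space`, `external-dns-k6` and `external-dns-kspace` Deployments in the hunks below.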
 | 
			
		||||
@@ -45,15 +49,9 @@ spec:
 | 
			
		||||
      labels:
 | 
			
		||||
        app: bind-secondary
 | 
			
		||||
    spec:
 | 
			
		||||
      volumes:
 | 
			
		||||
        - name: run
 | 
			
		||||
          emptyDir: {}
 | 
			
		||||
      containers:
 | 
			
		||||
        - name: bind-secondary
 | 
			
		||||
          image: internetsystemsconsortium/bind9:9.20
 | 
			
		||||
          volumeMounts:
 | 
			
		||||
            - mountPath: /run/named
 | 
			
		||||
              name: run
 | 
			
		||||
          workingDir: /var/bind
 | 
			
		||||
          command:
 | 
			
		||||
            - named
 | 
			
		||||
 
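Review bot: The image reference `internetsystemsconsortium/bind9:9.20` floats across every 9.20.x patch release, so a restart or node reschedule can pull a binary nobody reviewed; for a public authoritative nameserver it is worth pinning to a patch tag or digest, e.g. `image: internetsystemsconsortium/bind9:9.20.<patch>@sha256:<DIGEST-PLACEHOLDER>`, and making a bump an explicit commit. Separately, `named` with no flags forks into the background by default, which would exit PID 1 and crash-loop the pod; the `-g` or `-f` argument that keeps it in the foreground is presumably in the args that continue outside this hunk, please confirm. The container spec also shows no `securityContext` or resource requests within the hunk, so if they are not set further down, running as the image's unprivileged user with a memory limit would be the defensive default.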
 | 
			
		||||
@@ -3,6 +3,7 @@ apiVersion: apps/v1
 | 
			
		||||
kind: Deployment
 | 
			
		||||
metadata:
 | 
			
		||||
  name: external-dns-k-space
 | 
			
		||||
  namespace: bind
 | 
			
		||||
spec:
 | 
			
		||||
  revisionHistoryLimit: 0
 | 
			
		||||
  selector:
 | 
			
		||||
 
 | 
			
		||||
@@ -3,6 +3,7 @@ apiVersion: apps/v1
 | 
			
		||||
kind: Deployment
 | 
			
		||||
metadata:
 | 
			
		||||
  name: external-dns-k6
 | 
			
		||||
  namespace: bind
 | 
			
		||||
spec:
 | 
			
		||||
  revisionHistoryLimit: 0
 | 
			
		||||
  selector:
 | 
			
		||||
@@ -41,31 +42,32 @@ apiVersion: externaldns.k8s.io/v1alpha1
 | 
			
		||||
kind: DNSEndpoint
 | 
			
		||||
metadata:
 | 
			
		||||
  name: k6
 | 
			
		||||
  namespace: bind
 | 
			
		||||
spec:
 | 
			
		||||
  endpoints:
 | 
			
		||||
  - dnsName: k6.ee
 | 
			
		||||
    recordTTL: 300
 | 
			
		||||
    recordType: SOA
 | 
			
		||||
    targets:
 | 
			
		||||
      - "ns1.k-space.ee. hostmaster.k-space.ee. (1 300 300 300 300)"
 | 
			
		||||
  - dnsName: k6.ee
 | 
			
		||||
    recordTTL: 300
 | 
			
		||||
    recordType: NS
 | 
			
		||||
    targets:
 | 
			
		||||
      - ns1.k-space.ee
 | 
			
		||||
      - ns2.k-space.ee
 | 
			
		||||
  - dnsName: ns1.k-space.ee
 | 
			
		||||
    recordTTL: 300
 | 
			
		||||
    recordType: A
 | 
			
		||||
    targets:
 | 
			
		||||
      - 193.40.103.2
 | 
			
		||||
  - dnsName: ns2.k-space.ee
 | 
			
		||||
    recordTTL: 300
 | 
			
		||||
    recordType: A
 | 
			
		||||
    targets:
 | 
			
		||||
      - 62.65.250.2
 | 
			
		||||
  - dnsName: k-space.ee
 | 
			
		||||
    recordTTL: 300
 | 
			
		||||
    recordType: MX
 | 
			
		||||
    targets:
 | 
			
		||||
      - 10 mail.k-space.ee
 | 
			
		||||
    - dnsName: k6.ee
 | 
			
		||||
      recordTTL: 300
 | 
			
		||||
      recordType: SOA
 | 
			
		||||
      targets:
 | 
			
		||||
        - "ns1.k-space.ee. hostmaster.k-space.ee. (1 300 300 300 300)"
 | 
			
		||||
    - dnsName: k6.ee
 | 
			
		||||
      recordTTL: 300
 | 
			
		||||
      recordType: NS
 | 
			
		||||
      targets:
 | 
			
		||||
        - ns1.k-space.ee
 | 
			
		||||
        - ns2.k-space.ee
 | 
			
		||||
    - dnsName: ns1.k-space.ee
 | 
			
		||||
      recordTTL: 300
 | 
			
		||||
      recordType: A
 | 
			
		||||
      targets:
 | 
			
		||||
        - 193.40.103.2
 | 
			
		||||
    - dnsName: ns2.k-space.ee
 | 
			
		||||
      recordTTL: 300
 | 
			
		||||
      recordType: A
 | 
			
		||||
      targets:
 | 
			
		||||
        - 62.65.250.2
 | 
			
		||||
    - dnsName: k-space.ee
 | 
			
		||||
      recordTTL: 300
 | 
			
		||||
      recordType: MX
 | 
			
		||||
      targets:
 | 
			
		||||
        - 10 mail.k-space.ee
 | 
			
		||||
 
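Review bot: The SOA target for `k6.ee` keeps `expire` at 300 seconds (`(1 300 300 300 300)`), which makes the secondaries stop answering the zone authoritatively after five minutes without contact with `ns1.k-space.ee` — the opposite of what the HA replicas described in the README are for; RFC 1912 suggests an expire of two to four weeks. This is pre-existing (the hunk only re-indents the endpoint list), but it is worth fixing while the records are touched, for example `"ns1.k-space.ee. hostmaster.k-space.ee. (1 3600 600 1209600 300)"` (constructed values), and the same SOA appears in the `kspace.ee` DNSEndpoint hunk below. Whether external-dns actually pushes SOA changes through rfc2136 is not visible here; if it does not, the fix belongs on the primary instead.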
 | 
			
		||||
@@ -3,6 +3,7 @@ apiVersion: apps/v1
 | 
			
		||||
kind: Deployment
 | 
			
		||||
metadata:
 | 
			
		||||
  name: external-dns-kspace
 | 
			
		||||
  namespace: bind
 | 
			
		||||
spec:
 | 
			
		||||
  revisionHistoryLimit: 0
 | 
			
		||||
  selector:
 | 
			
		||||
@@ -18,8 +19,8 @@ spec:
 | 
			
		||||
        - name: external-dns
 | 
			
		||||
          image: registry.k8s.io/external-dns/external-dns:v0.14.2
 | 
			
		||||
          envFrom:
 | 
			
		||||
          - secretRef:
 | 
			
		||||
              name: tsig-secret
 | 
			
		||||
            - secretRef:
 | 
			
		||||
                name: tsig-secret
 | 
			
		||||
          args:
 | 
			
		||||
            - --events
 | 
			
		||||
            - --registry=noop
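Review bot: `--registry=noop` disables external-dns' ownership tracking, so this instance treats every record in `kspace.ee` as its own and may delete records written there by other actors — notably the `_acme-challenge` TXT records cert-manager's DNS-01 solver creates on the same primary — unless a `--policy=upsert-only` or a domain filter guards it in the args that continue outside the hunk. If no such guard exists, consider `--registry=txt` with a distinct `--txt-owner-id` per instance, or at minimum `--policy=upsert-only`. The `envFrom` / `tsig-secret` block is only re-indented here, and the `k-space` and `k6` instances' args are not in this diff, so the same check applies to them.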
 | 
			
		||||
@@ -41,26 +42,27 @@ apiVersion: externaldns.k8s.io/v1alpha1
 | 
			
		||||
kind: DNSEndpoint
 | 
			
		||||
metadata:
 | 
			
		||||
  name: kspace
 | 
			
		||||
  namespace: bind
 | 
			
		||||
spec:
 | 
			
		||||
  endpoints:
 | 
			
		||||
  - dnsName: kspace.ee
 | 
			
		||||
    recordTTL: 300
 | 
			
		||||
    recordType: SOA
 | 
			
		||||
    targets:
 | 
			
		||||
      - "ns1.k-space.ee. hostmaster.k-space.ee. (1 300 300 300 300)"
 | 
			
		||||
  - dnsName: kspace.ee
 | 
			
		||||
    recordTTL: 300
 | 
			
		||||
    recordType: NS
 | 
			
		||||
    targets:
 | 
			
		||||
      - ns1.k-space.ee
 | 
			
		||||
      - ns2.k-space.ee
 | 
			
		||||
  - dnsName: ns1.k-space.ee
 | 
			
		||||
    recordTTL: 300
 | 
			
		||||
    recordType: A
 | 
			
		||||
    targets:
 | 
			
		||||
      - 193.40.103.2
 | 
			
		||||
  - dnsName: ns2.k-space.ee
 | 
			
		||||
    recordTTL: 300
 | 
			
		||||
    recordType: A
 | 
			
		||||
    targets:
 | 
			
		||||
      - 62.65.250.2
 | 
			
		||||
    - dnsName: kspace.ee
 | 
			
		||||
      recordTTL: 300
 | 
			
		||||
      recordType: SOA
 | 
			
		||||
      targets:
 | 
			
		||||
        - "ns1.k-space.ee. hostmaster.k-space.ee. (1 300 300 300 300)"
 | 
			
		||||
    - dnsName: kspace.ee
 | 
			
		||||
      recordTTL: 300
 | 
			
		||||
      recordType: NS
 | 
			
		||||
      targets:
 | 
			
		||||
        - ns1.k-space.ee
 | 
			
		||||
        - ns2.k-space.ee
 | 
			
		||||
    - dnsName: ns1.k-space.ee
 | 
			
		||||
      recordTTL: 300
 | 
			
		||||
      recordType: A
 | 
			
		||||
      targets:
 | 
			
		||||
        - 193.40.103.2
 | 
			
		||||
    - dnsName: ns2.k-space.ee
 | 
			
		||||
      recordTTL: 300
 | 
			
		||||
      recordType: A
 | 
			
		||||
      targets:
 | 
			
		||||
        - 62.65.250.2
 | 
			
		||||
 
 | 
			
		||||
@@ -4,55 +4,57 @@ kind: ClusterRole
 | 
			
		||||
metadata:
 | 
			
		||||
  name: external-dns
 | 
			
		||||
rules:
 | 
			
		||||
- apiGroups:
 | 
			
		||||
  - ""
 | 
			
		||||
  resources:
 | 
			
		||||
  - services
 | 
			
		||||
  - endpoints
 | 
			
		||||
  - pods
 | 
			
		||||
  - nodes
 | 
			
		||||
  verbs:
 | 
			
		||||
  - get
 | 
			
		||||
  - watch
 | 
			
		||||
  - list
 | 
			
		||||
- apiGroups:
 | 
			
		||||
  - extensions
 | 
			
		||||
  - networking.k8s.io
 | 
			
		||||
  resources:
 | 
			
		||||
  - ingresses
 | 
			
		||||
  verbs:
 | 
			
		||||
  - get
 | 
			
		||||
  - list
 | 
			
		||||
  - watch
 | 
			
		||||
- apiGroups:
 | 
			
		||||
  - externaldns.k8s.io
 | 
			
		||||
  resources:
 | 
			
		||||
  - dnsendpoints
 | 
			
		||||
  verbs:
 | 
			
		||||
  - get
 | 
			
		||||
  - watch
 | 
			
		||||
  - list
 | 
			
		||||
- apiGroups:
 | 
			
		||||
  - externaldns.k8s.io
 | 
			
		||||
  resources:
 | 
			
		||||
  - dnsendpoints/status
 | 
			
		||||
  verbs:
 | 
			
		||||
  - update
 | 
			
		||||
  - apiGroups:
 | 
			
		||||
      - ""
 | 
			
		||||
    resources:
 | 
			
		||||
      - services
 | 
			
		||||
      - endpoints
 | 
			
		||||
      - pods
 | 
			
		||||
      - nodes
 | 
			
		||||
    verbs:
 | 
			
		||||
      - get
 | 
			
		||||
      - watch
 | 
			
		||||
      - list
 | 
			
		||||
  - apiGroups:
 | 
			
		||||
      - extensions
 | 
			
		||||
      - networking.k8s.io
 | 
			
		||||
    resources:
 | 
			
		||||
      - ingresses
 | 
			
		||||
    verbs:
 | 
			
		||||
      - get
 | 
			
		||||
      - list
 | 
			
		||||
      - watch
 | 
			
		||||
  - apiGroups:
 | 
			
		||||
      - externaldns.k8s.io
 | 
			
		||||
    resources:
 | 
			
		||||
      - dnsendpoints
 | 
			
		||||
    verbs:
 | 
			
		||||
      - get
 | 
			
		||||
      - watch
 | 
			
		||||
      - list
 | 
			
		||||
  - apiGroups:
 | 
			
		||||
      - externaldns.k8s.io
 | 
			
		||||
    resources:
 | 
			
		||||
      - dnsendpoints/status
 | 
			
		||||
    verbs:
 | 
			
		||||
      - update
 | 
			
		||||
---
 | 
			
		||||
apiVersion: v1
 | 
			
		||||
kind: ServiceAccount
 | 
			
		||||
metadata:
 | 
			
		||||
  name: external-dns
 | 
			
		||||
  namespace: bind
 | 
			
		||||
---
 | 
			
		||||
apiVersion: rbac.authorization.k8s.io/v1
 | 
			
		||||
kind: ClusterRoleBinding
 | 
			
		||||
metadata:
 | 
			
		||||
  name: external-dns-viewer
 | 
			
		||||
  namespace: bind
 | 
			
		||||
roleRef:
 | 
			
		||||
  apiGroup: rbac.authorization.k8s.io
 | 
			
		||||
  kind: ClusterRole
 | 
			
		||||
  name: external-dns
 | 
			
		||||
subjects:
 | 
			
		||||
- kind: ServiceAccount
 | 
			
		||||
  name: external-dns
 | 
			
		||||
  namespace: bind
 | 
			
		||||
  - kind: ServiceAccount
 | 
			
		||||
    name: external-dns
 | 
			
		||||
    namespace: bind
 | 
			
		||||
 
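Review bot: The ClusterRoleBinding `external-dns-viewer` carries `metadata.namespace: bind`, but ClusterRoleBindings are cluster-scoped, so the field is either dropped or rejected depending on the client and misleads readers into thinking the grant is namespaced; drop the `namespace: bind` line under the ClusterRoleBinding's metadata (the ServiceAccount subject keeps its own). The name `external-dns-viewer` is also misleading, since the bound ClusterRole grants `update` on `dnsendpoints/status`, not only read verbs. The ClusterRole further allows cluster-wide `get`/`list`/`watch` on `pods`, `nodes`, `services` and `endpoints`; if the external-dns instances only use the `ingress` and `crd` sources (their `--source` args are outside this hunk), those rules can be removed for least privilege.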
 | 
			
		||||
@@ -1,18 +1,33 @@
 | 
			
		||||
# cert-manager
 | 
			
		||||
 | 
			
		||||
`cert-manager` is used to obtain TLS certificates from Let's Encrypt.
 | 
			
		||||
It uses DNS-01 challenge in conjunction with Bind primary
 | 
			
		||||
at `ns1.k-space.ee`.
 | 
			
		||||
Refer to the [Bind primary Ansible playbook](https://git.k-space.ee/k-space/ansible/src/branch/main/authoritative-nameserver.yaml) and
 | 
			
		||||
[Bind namespace on Kubernetes cluster](https://git.k-space.ee/k-space/kube/src/branch/master/bind)
 | 
			
		||||
for more details
 | 
			
		||||
 | 
			
		||||
Added manifest with:
 | 
			
		||||
# For user
 | 
			
		||||
 | 
			
		||||
Use `Certificate` CRD of cert-manager, refer to
 | 
			
		||||
[official documentation](https://cert-manager.io/docs/usage/certificate/).
 | 
			
		||||
 | 
			
		||||
To find usage examples in this repository use
 | 
			
		||||
`grep -r -A10 "^kind: Certificate" .`
 | 
			
		||||
 | 
			
		||||
# For administrator
 | 
			
		||||
 | 
			
		||||
Deployed with:
 | 
			
		||||
 | 
			
		||||
```
 | 
			
		||||
curl -L https://github.com/jetstack/cert-manager/releases/download/v1.15.1/cert-manager.yaml -O
 | 
			
		||||
```
 | 
			
		||||
 | 
			
		||||
To update certificate issuer
 | 
			
		||||
 | 
			
		||||
```
 | 
			
		||||
kubectl apply -f cert-manager.yaml
 | 
			
		||||
kubectl apply -f issuer.yml
 | 
			
		||||
```
 | 
			
		||||
 | 
			
		||||
To update the issuer configuration or TSIG secret:
 | 
			
		||||
 | 
			
		||||
```
 | 
			
		||||
kubectl apply -f default-issuer.yml
 | 
			
		||||
 kubectl -n cert-manager create secret generic tsig-secret \
 | 
			
		||||
    --from-literal=TSIG_SECRET=<secret>
 | 
			
		||||
```
 | 
			
		||||
 
 | 
			
		||||
								cert-manager/default-issuer.yaml
							@@ -0,0 +1,21 @@
 | 
			
		||||
---
 | 
			
		||||
apiVersion: cert-manager.io/v1
 | 
			
		||||
kind: ClusterIssuer
 | 
			
		||||
metadata:
 | 
			
		||||
  name: default
 | 
			
		||||
  namespace: cert-manager
 | 
			
		||||
spec:
 | 
			
		||||
  acme:
 | 
			
		||||
    email: info@k-space.ee
 | 
			
		||||
    server: https://acme-v02.api.letsencrypt.org/directory
 | 
			
		||||
    privateKeySecretRef:
 | 
			
		||||
      name: example-issuer-account-key
 | 
			
		||||
    solvers:
 | 
			
		||||
      - dns01:
 | 
			
		||||
          rfc2136:
 | 
			
		||||
            nameserver: 193.40.103.2
 | 
			
		||||
            tsigKeyName: readwrite.
 | 
			
		||||
            tsigAlgorithm: HMACSHA512
 | 
			
		||||
            tsigSecretSecretRef:
 | 
			
		||||
              name: tsig-secret
 | 
			
		||||
              key: TSIG_SECRET
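Review bot: The issuer now signs its dynamic updates with `tsigKeyName: readwrite.` (the deleted `issuer.yml` used `acme.`), and a key named for full read/write access suggests the primary accepts any zone update with it, while DNS-01 only needs to add and remove TXT records at `_acme-challenge.*` names. On the primary (the Ansible playbook, outside this repo) that key should be bound to an `update-policy` limited to those TXT names, and ideally kept separate from the key external-dns uses, so a compromised cert-manager pod cannot rewrite the zone. `namespace: cert-manager` under a cluster-scoped `ClusterIssuer` is meaningless; what matters is that `tsig-secret` lives in cert-manager's cluster resource namespace (`cert-manager` by default), which the README's `kubectl -n cert-manager create secret` does. `privateKeySecretRef.name: example-issuer-account-key` is a leftover docs name; `default-issuer-account-key` would be clearer, noting that renaming it registers a fresh ACME account. Finally, the README hunk above says `kubectl apply -f default-issuer.yml` while this file is `cert-manager/default-issuer.yaml`, so one of the two needs to change.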
 | 
			
		||||
@@ -1,19 +0,0 @@
 | 
			
		||||
apiVersion: cert-manager.io/v1
 | 
			
		||||
kind: ClusterIssuer
 | 
			
		||||
metadata:
 | 
			
		||||
  name: default
 | 
			
		||||
spec:
 | 
			
		||||
  acme:
 | 
			
		||||
    email: info@k-space.ee
 | 
			
		||||
    server: https://acme-v02.api.letsencrypt.org/directory
 | 
			
		||||
    privateKeySecretRef:
 | 
			
		||||
      name: example-issuer-account-key
 | 
			
		||||
    solvers:
 | 
			
		||||
    - dns01:
 | 
			
		||||
        rfc2136:
 | 
			
		||||
          nameserver: 193.40.103.2
 | 
			
		||||
          tsigKeyName: acme.
 | 
			
		||||
          tsigAlgorithm: HMACSHA512
 | 
			
		||||
          tsigSecretSecretRef:
 | 
			
		||||
            name: tsig-secret
 | 
			
		||||
            key: TSIG_SECRET
 | 
			
		||||