From 1d39827375873b89cb0f1ee02e09e9eb46027c1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lauri=20V=C3=B5sandi?=
Date: Wed, 14 Aug 2024 10:04:41 +0300
Subject: [PATCH] bind, cert-manager: Cleanups
---
 bind/README.md | 41 +++++++++--------
 bind/bind-secondary.yaml | 10 ++---
 bind/external-dns-k-space.yaml | 1 +
 bind/external-dns-k6.yaml | 54 ++++++++++++-----------
 bind/external-dns-kspace.yaml | 48 ++++++++++----------
 bind/external-dns.yaml | 76 ++++++++++++++++----------------
 cert-manager/README.md | 29 +++++++++---
 cert-manager/default-issuer.yaml | 21 +++++++++
 cert-manager/issuer.yml | 19 --------
 9 files changed, 160 insertions(+), 139 deletions(-)
 create mode 100644 cert-manager/default-issuer.yaml
 delete mode 100644 cert-manager/issuer.yml
diff --git a/bind/README.md b/bind/README.md
index 79fdd23..fc68a70 100644
--- a/bind/README.md
+++ b/bind/README.md
@@ -1,32 +1,31 @@
-#TODO:
+# Bind namespace
-- cert-manager talks to master to add domain names, and DNS-01 TLS through ns1.k-space.ee
-^ both-side link to cert-manager
+The Bind secondary servers and `external-dns` service pods are running in this namespace.
+The `external-dns` pods are used to declaratively update DNS records on the
+[Bind primary](https://git.k-space.ee/k-space/ansible/src/branch/main/authoritative-nameserver.yaml).
-bind-services (zone transfer to HA replicas from ns1.k-space.ee)
-
-### ns1.k-space.ee
-Primary authoritive nameserver replica. Other replicas live on Kube nodes
-Idea to move it to Zone.
-
-dns.yaml files add DNS records
-
-
-# Bind setup
-
-The Bind primary resides outside Kubernetes at `193.40.103.2` and
+The Bind primary `ns1.k-space.ee` resides outside Kubernetes at `193.40.103.2` and
 it's internally reachable via `172.20.0.2`.
-
+Bind secondaries perform AXFR (zone transfer) from `ns1.k-space.ee` using
+shared secret autentication.
+The primary triggers notification events to `172.20.53.{1..3}`
+which are internally exposed IP-s of the secondaries.
 Bind secondaries are hosted inside Kubernetes, load balanced behind
 `62.65.250.2` and under normal circumstances managed by
 [ArgoCD](https://argocd.k-space.ee/applications/argocd/bind).
-Ingresses and DNSEndpoints referring to `k-space.ee`, `kspace.ee`, `k6.ee`
-are picked up automatically by `external-dns` and updated on primary.
+Note that [cert-manager](https://git.k-space.ee/k-space/kube/src/branch/master/cert-manager/issuer.yml) also performs DNS updates on the Bind primary.
-The primary triggers notification events to `172.20.53.{1..3}`
-which are internally exposed IP-s of the secondaries.
-# Secrets
+# For user
+
+`Ingresses` and `DNSEndpoint` resources under `k-space.ee`, `kspace.ee`, `k6.ee`
+domains are picked up automatically by `external-dns` and updated on the Bind primary.
+To find usage examples in this repository use
+`grep -r -A25 "^kind: Ingress" .` and
+`grep -R -r -A100 "^kind: DNSEndpoint" .`
+
+
+# For administrator
 To configure TSIG secrets:
diff --git a/bind/bind-secondary.yaml b/bind/bind-secondary.yaml
index 9fa8f13..1d4203f 100644
--- a/bind/bind-secondary.yaml
+++ b/bind/bind-secondary.yaml
@@ -1,8 +1,10 @@
+# yamllint disable rule:line-length
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
 name: bind-secondary-config-local
+ namespace: bind
 data:
 named.conf.local: |
 zone "codemowers.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
@@ -13,6 +15,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: bind-secondary-config
+ namespace: bind
 data:
 named.conf: |
 include "/etc/bind/named.conf.local";
@@ -36,6 +39,7 @@ metadata:
 name: bind-secondary
 namespace: bind
 spec:
+ revisionHistoryLimit: 0
 replicas: 3
 selector:
 matchLabels:
@@ -45,15 +49,9 @@ spec:
 labels:
 app: bind-secondary
 spec:
- volumes:
- - name: run
- emptyDir: {}
 containers:
 - name: bind-secondary
 image: internetsystemsconsortium/bind9:9.20
- volumeMounts:
- - mountPath: /run/named
- name: run
 workingDir: /var/bind
 command:
 - named
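Review bot: Dropping the `run` emptyDir and its `/run/named` mount in the last bind-secondary hunk means named now writes whatever it keeps under `/run/named` (presumably its PID file and similar runtime state) into the container's writable layer, which only works as long as the container keeps a writable root filesystem; the Deployment's securityContext is outside this hunk, so I cannot confirm that. If a read-only root filesystem or the restricted Pod Security profile is ever applied to the `bind` namespace, these pods will stop starting and the emptyDir has to come back. A one-line comment above `containers:` such as `# /run/named lives in the container's ephemeral layer; requires a writable rootfs` would record the assumption for the next person.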
@@ -41,31 +42,32 @@ apiVersion: externaldns.k8s.io/v1alpha1
 kind: DNSEndpoint
 metadata:
 name: k6
+ namespace: bind
 spec:
 endpoints:
- - dnsName: k6.ee
- recordTTL: 300
- recordType: SOA
- targets:
- - "ns1.k-space.ee. hostmaster.k-space.ee. (1 300 300 300 300)"
- - dnsName: k6.ee
- recordTTL: 300
- recordType: NS
- targets:
- - ns1.k-space.ee
- - ns2.k-space.ee
- - dnsName: ns1.k-space.ee
- recordTTL: 300
- recordType: A
- targets:
- - 193.40.103.2
- - dnsName: ns2.k-space.ee
- recordTTL: 300
- recordType: A
- targets:
- - 62.65.250.2
- - dnsName: k-space.ee
- recordTTL: 300
- recordType: MX
- targets:
- - 10 mail.k-space.ee
+ - dnsName: k6.ee
+ recordTTL: 300
+ recordType: SOA
+ targets:
+ - "ns1.k-space.ee. hostmaster.k-space.ee. (1 300 300 300 300)"
+ - dnsName: k6.ee
+ recordTTL: 300
+ recordType: NS
+ targets:
+ - ns1.k-space.ee
+ - ns2.k-space.ee
+ - dnsName: ns1.k-space.ee
+ recordTTL: 300
+ recordType: A
+ targets:
+ - 193.40.103.2
+ - dnsName: ns2.k-space.ee
+ recordTTL: 300
+ recordType: A
+ targets:
+ - 62.65.250.2
+ - dnsName: k-space.ee
+ recordTTL: 300
+ recordType: MX
+ targets:
+ - 10 mail.k-space.ee
diff --git a/bind/external-dns-kspace.yaml b/bind/external-dns-kspace.yaml
index 5452d61..7111f03 100644
--- a/bind/external-dns-kspace.yaml
+++ b/bind/external-dns-kspace.yaml
@@ -3,6 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: external-dns-kspace
+ namespace: bind
 spec:
 revisionHistoryLimit: 0
 selector:
@@ -18,8 +19,8 @@ spec:
 - name: external-dns
 image: registry.k8s.io/external-dns/external-dns:v0.14.2
 envFrom:
- - secretRef:
- name: tsig-secret
+ - secretRef:
+ name: tsig-secret
 args:
 - --events
 - --registry=noop
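Review bot: The `k6` DNSEndpoint still carries records that do not belong to the k6.ee zone: the `k-space.ee` MX entry at the end of the hunk and the `ns1.k-space.ee`/`ns2.k-space.ee` A records, and that A-record pair is repeated in the `kspace` DNSEndpoint further down. Whether the external-dns-k6 deployment's domain filter lets them through is outside this hunk; if it does not they are dead configuration, and if it does, several external-dns instances write the same k-space.ee records with `--registry=noop` (visible in the kspace sibling) and no ownership tracking, so an edit in one file can silently overwrite the other. I would keep only k6.ee-owned records here and define the shared glue and MX records in one place, or at least add a comment on the MX entry naming which instance is authoritative for it.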
@@ -41,26 +42,27 @@ apiVersion: externaldns.k8s.io/v1alpha1
 kind: DNSEndpoint
 metadata:
 name: kspace
+ namespace: bind
 spec:
 endpoints:
- - dnsName: kspace.ee
- recordTTL: 300
- recordType: SOA
- targets:
- - "ns1.k-space.ee. hostmaster.k-space.ee. (1 300 300 300 300)"
- - dnsName: kspace.ee
- recordTTL: 300
- recordType: NS
- targets:
- - ns1.k-space.ee
- - ns2.k-space.ee
- - dnsName: ns1.k-space.ee
- recordTTL: 300
- recordType: A
- targets:
- - 193.40.103.2
- - dnsName: ns2.k-space.ee
- recordTTL: 300
- recordType: A
- targets:
- - 62.65.250.2
+ - dnsName: kspace.ee
+ recordTTL: 300
+ recordType: SOA
+ targets:
+ - "ns1.k-space.ee. hostmaster.k-space.ee. (1 300 300 300 300)"
+ - dnsName: kspace.ee
+ recordTTL: 300
+ recordType: NS
+ targets:
+ - ns1.k-space.ee
+ - ns2.k-space.ee
+ - dnsName: ns1.k-space.ee
+ recordTTL: 300
+ recordType: A
+ targets:
+ - 193.40.103.2
+ - dnsName: ns2.k-space.ee
+ recordTTL: 300
+ recordType: A
+ targets:
+ - 62.65.250.2
diff --git a/bind/external-dns.yaml b/bind/external-dns.yaml
index 5360660..508eff5 100644
--- a/bind/external-dns.yaml
+++ b/bind/external-dns.yaml
@@ -4,55 +4,57 @@ kind: ClusterRole
 metadata:
 name: external-dns
 rules:
-- apiGroups:
- - ""
- resources:
- - services
- - endpoints
- - pods
- - nodes
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - extensions
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - externaldns.k8s.io
- resources:
- - dnsendpoints
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - externaldns.k8s.io
- resources:
- - dnsendpoints/status
- verbs:
- - update
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ - endpoints
+ - pods
+ - nodes
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - externaldns.k8s.io
+ resources:
+ - dnsendpoints
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - externaldns.k8s.io
+ resources:
+ - dnsendpoints/status
+ verbs:
+ - update
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: external-dns
+ namespace: bind
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: external-dns-viewer
+ namespace: bind
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
 name: external-dns
 subjects:
-- kind: ServiceAccount
- name: external-dns
- namespace: bind
+ - kind: ServiceAccount
+ name: external-dns
+ namespace: bind
diff --git a/cert-manager/README.md b/cert-manager/README.md
index 53b787c..2eed19c 100644
--- a/cert-manager/README.md
+++ b/cert-manager/README.md
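Review bot: `namespace: bind` is added to the metadata of the ClusterRoleBinding `external-dns-viewer`, but ClusterRoleBinding is a cluster-scoped kind, so the field carries no meaning there and the binding still applies cluster-wide; the namespace that actually matters is the one under `subjects`, which the hunk already has. The same applies to `namespace: cert-manager` on the ClusterIssuer in cert-manager/default-issuer.yaml later in this patch. I would drop the line under the ClusterRoleBinding metadata (the one on the ServiceAccount is correct, since ServiceAccounts are namespaced) so the manifest does not suggest the grant is scoped to one namespace. While here, the `extensions` API group for ingresses only existed before Kubernetes 1.22 and can be removed from the rule without losing anything on a current cluster.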
@@ -1,18 +1,33 @@
 # cert-manager
 `cert-manager` is used to obtain TLS certificates from Let's Encrypt.
+It uses DNS-01 challenge in conjunction with Bind primary
+at `ns1.k-space.ee`.
+Refer to the [Bind primary Ansible playbook](https://git.k-space.ee/k-space/ansible/src/branch/main/authoritative-nameserver.yaml) and
+[Bind namespace on Kubernetes cluster](https://git.k-space.ee/k-space/kube/src/branch/master/bind)
+for more details
-Added manifest with:
+# For user
+
+Use `Certificate` CRD of cert-manager, refer to
+[official documentation](https://cert-manager.io/docs/usage/certificate/).
+
+To find usage examples in this repository use
+`grep -r -A10 "^kind: Certificate" .`
+
+# For administrator
+
+Deployed with:
 ```
 curl -L https://github.com/jetstack/cert-manager/releases/download/v1.15.1/cert-manager.yaml -O
-```
-
-To update certificate issuer
-
-```
 kubectl apply -f cert-manager.yaml
-kubectl apply -f issuer.yml
+```
+
+To update the issuer configuration or TSIG secret:
+
+```
+kubectl apply -f default-issuer.yml
 kubectl -n cert-manager create secret generic tsig-secret \
 --from-literal=TSIG_SECRET=
 ```
diff --git a/cert-manager/default-issuer.yaml b/cert-manager/default-issuer.yaml
new file mode 100644
index 0000000..00469c5
--- /dev/null
+++ b/cert-manager/default-issuer.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: default
+ namespace: cert-manager
+spec:
+ acme:
+ email: info@k-space.ee
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: example-issuer-account-key
+ solvers:
+ - dns01:
+ rfc2136:
+ nameserver: 193.40.103.2
+ tsigKeyName: readwrite.
+ tsigAlgorithm: HMACSHA512
+ tsigSecretSecretRef:
+ name: tsig-secret
+ key: TSIG_SECRET
diff --git a/cert-manager/issuer.yml b/cert-manager/issuer.yml
deleted file mode 100644
index f3a00d2..0000000
--- a/cert-manager/issuer.yml
+++ /dev/null
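Review bot: The new file is `cert-manager/default-issuer.yaml`, but the README hunk in the same file section tells the administrator to run `kubectl apply -f default-issuer.yml`, and bind/README.md in this same commit links to `cert-manager/issuer.yml`, which the commit deletes; both references should point at `default-issuer.yaml`. The TSIG key name also changes from `acme.` to `readwrite.`: cert-manager only needs to create and remove `_acme-challenge` TXT records, so if `readwrite.` is the key used for general zone updates, its `update-policy` on the primary should be restricted to that name pattern and record type rather than the whole zone, otherwise a compromised cert-manager pod can rewrite any record in the zone, and the choice deserves a comment next to `tsigKeyName`. The ACME account secret name `example-issuer-account-key` looks copied from the upstream example; renaming it later registers a fresh ACME account, so if it is to get a real name, now is the cheapest time.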
@@ -1,19 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
- name: default
-spec:
- acme:
- email: info@k-space.ee
- server: https://acme-v02.api.letsencrypt.org/directory
- privateKeySecretRef:
- name: example-issuer-account-key
- solvers:
- - dns01:
- rfc2136:
- nameserver: 193.40.103.2
- tsigKeyName: acme.
- tsigAlgorithm: HMACSHA512
- tsigSecretSecretRef:
- name: tsig-secret
- key: TSIG_SECRET