Update whole Bind setup
This commit is contained in:
parent
aacbb20e13
commit
883da46a3b
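--- /dev/null
+++ b/ansible-bind-primary.yml
@@ -0,0 +1,65 @@
+- name: Setup primary nameserver
+  hosts: ns1.k-space.ee
+  tasks:
+    - name: Make sure bind9 is installed
+      ansible.builtin.apt:
+        name: bind9
+        state: present
+    - name: Configure Bind
+      register: bind
+      copy:
+        dest: /etc/bind/named.conf
+        content: |
+          # This file is managed by Ansible
+          # https://git.k-space.ee/k-space/kube/src/branch/master/ansible-bind-primary.yml
+          # Do NOT modify manually
+
+          include "/etc/bind/named.conf.options";
+          include "/etc/bind/named.conf.local";
+          include "/etc/bind/readwrite.key";
+          include "/etc/bind/readonly.key";
+
+          # https://kb.isc.org/docs/aa-00723
+
+          acl allowed {
+            172.20.3.0/24;
+            172.20.4.0/24;
+          };
+
+          acl rejected { !allowed; any; };
+
+          zone "." {
+            type hint;
+            file "/var/lib/bind/db.root";
+          };
+
+          zone "k-space.ee" {
+            type master;
+            file "/var/lib/bind/db.k-space.ee";
+            allow-update { !rejected; key readwrite; };
+            allow-transfer { !rejected; key readonly; key readwrite; };
+            notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
+          };
+
+          zone "k6.ee" {
+            type master;
+            file "/var/lib/bind/db.k6.ee";
+            allow-update { !rejected; key readwrite; };
+            allow-transfer { !rejected; key readonly; key readwrite; };
+            notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
+          };
+
+          zone "kspace.ee" {
+            type master;
+            file "/var/lib/bind/db.kspace.ee";
+            allow-update { !rejected; key readwrite; };
+            allow-transfer { !rejected; key readonly; key readwrite; };
+            notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
+          };
+    - name: Check Bind config
+      ansible.builtin.shell: "named-checkconf"
+    - name: Reload Bind config
+      service:
+        name: bind9
+        state: reloaded
+      when: bind.changed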
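Review bot: `named-checkconf` runs as a separate task (L245) only after the `copy` task has already replaced `/etc/bind/named.conf`, so a broken config stays on disk when the play aborts and the next bind9 restart would fail on it; `copy` can instead validate the staged file before installing it with `validate: 'named-checkconf %s'` placed under `copy:` (L53–L61), which also makes the shell task redundant. Separately, `allow-update { !rejected; key readwrite; }` (L163, L194, L225) gives a single key full write rights on all three zones, and bind/README.md in this commit hands that same key to cert-manager; an `update-policy` with a dedicated ACME key limited to `_acme-challenge` TXT records would keep a cert-manager compromise from becoming zone-wide. Note also that `allowed` (L106–L118) must cover the egress addresses of the external-dns pods and of the secondaries' AXFR source for the `!rejected` guard to let them through, which I cannot verify from this page.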
|
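--- /dev/null
+++ b/bind/README.md
@@ -0,0 +1,31 @@
+# Bind setup
+
+The Bind primary resides outside Kubernetes at `193.40.103.2` and
+it's internally reachable via `172.20.0.2`
+
+Bind secondaries are hosted inside Kubernetes and load balanced behind `62.65.250.2`
+
+Ingresses and DNSEndpoints referring to `k-space.ee`, `kspace.ee`, `k6.ee`
+are picked up automatically by `external-dns` and updated on primary.
+
+The primary triggers notification events to `172.20.53.{1..3}`
+which are internally exposed IP-s of the secondaries.
+
+# Secrets
+
+To configure TSIG secrets:
+
+```
+kubectl create secret generic -n bind bind-readonly-secret \
+  --from-file=readonly.key
+kubectl create secret generic -n bind bind-readwrite-secret \
+  --from-file=readwrite.key
+kubectl create secret generic -n bind external-dns
+kubectl -n bind delete secret tsig-secret
+kubectl -n bind create secret generic tsig-secret \
+  --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
+kubectl -n cert-manager delete secret tsig-secret
+kubectl -n cert-manager create secret generic tsig-secret \
+  --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
+```
+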
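--- /dev/null
+++ b/bind/bind-secondary.yaml
@@ -0,0 +1,163 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: bind-secondary-config
+data:
+  named.conf: |
+    include "/etc/bind/readonly.key";
+    options {
+      recursion no;
+      pid-file "/var/bind/named.pid";
+      allow-query { 0.0.0.0/0; };
+      allow-notify { 172.20.0.2; };
+      allow-transfer { none; };
+      check-names slave ignore;
+    };
+    zone "k-space.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
+    zone "k6.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
+    zone "kspace.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: bind-secondary
+  namespace: bind
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: bind-secondary
+  template:
+    metadata:
+      labels:
+        app: bind-secondary
+    spec:
+      volumes:
+        - name: run
+          emptyDir: {}
+      containers:
+        - name: bind-secondary
+          image: internetsystemsconsortium/bind9:9.19
+          volumeMounts:
+            - mountPath: /run/named
+              name: run
+          workingDir: /var/bind
+          command:
+            - named
+            - -g
+            - -c
+            - /etc/bind/named.conf
+          volumeMounts:
+            - name: bind-secondary-config
+              mountPath: /etc/bind
+              readOnly: true
+            - name: bind-data
+              mountPath: /var/bind
+      volumes:
+        - name: bind-secondary-config
+          projected:
+            sources:
+              - configMap:
+                  name: bind-secondary-config
+              - secret:
+                  name: bind-readonly-secret
+        - name: bind-data
+          emptyDir: {}
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchExpressions:
+                  - key: app
+                    operator: In
+                    values:
+                      - bind-secondary
+              topologyKey: "kubernetes.io/hostname"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bind-secondary
+  namespace: bind
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 62.65.250.2
+  selector:
+    app: bind-secondary
+  ports:
+    - protocol: TCP
+      port: 53
+      name: dns-tcp
+      targetPort: 53
+    - protocol: UDP
+      port: 53
+      name: dns-udp
+      targetPort: 53
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bind-secondary-0
+  namespace: bind
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 172.20.53.1
+  selector:
+    app: bind-secondary
+    statefulset.kubernetes.io/pod-name: bind-secondary-0
+  ports:
+    - protocol: TCP
+      port: 53
+      name: dns-tcp
+      targetPort: 53
+    - protocol: UDP
+      port: 53
+      name: dns-udp
+      targetPort: 53
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bind-secondary-1
+  namespace: bind
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 172.20.53.2
+  selector:
+    app: bind-secondary
+    statefulset.kubernetes.io/pod-name: bind-secondary-1
+  ports:
+    - protocol: TCP
+      port: 53
+      name: dns-tcp
+      targetPort: 53
+    - protocol: UDP
+      port: 53
+      name: dns-udp
+      targetPort: 53
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bind-secondary-2
+  namespace: bind
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 172.20.53.3
+  selector:
+    app: bind-secondary
+    statefulset.kubernetes.io/pod-name: bind-secondary-2
+  ports:
+    - protocol: TCP
+      port: 53
+      name: dns-tcp
+      targetPort: 53
+    - protocol: UDP
+      port: 53
+      name: dns-udp
+      targetPort: 53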
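--- /dev/null
+++ b/bind/external-dns-k-space.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-dns-k-space
+spec:
+  revisionHistoryLimit: 0
+  selector:
+    matchLabels: &selectorLabels
+      app.kubernetes.io/name: external-dns
+      domain: k-space.ee
+  template:
+    metadata:
+      labels: *selectorLabels
+    spec:
+      serviceAccountName: external-dns
+      containers:
+        - name: external-dns
+          image: registry.k8s.io/external-dns/external-dns:v0.13.5
+          envFrom:
+            - secretRef:
+                name: tsig-secret
+          args:
+            - --events
+            - --registry=txt
+            - --txt-prefix=external-dns-
+            - --txt-owner-id=k8s
+            - --provider=rfc2136
+            - --source=ingress
+            - --source=service
+            - --source=crd
+            - --domain-filter=k-space.ee
+            - --rfc2136-tsig-axfr
+            - --rfc2136-host=172.20.0.2
+            - --rfc2136-port=53
+            - --rfc2136-zone=k-space.ee
+            - --rfc2136-tsig-keyname=readwrite
+            - --rfc2136-tsig-secret-alg=hmac-sha512
+            - --rfc2136-tsig-secret=$(TSIG_SECRET)
+            # https://github.com/kubernetes-sigs/external-dns/issues/2446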
@ -2,8 +2,7 @@
|
|||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
name: k6
|
name: external-dns-k6
|
||||||
namespace: external-dns
|
|
||||||
spec:
|
spec:
|
||||||
revisionHistoryLimit: 0
|
revisionHistoryLimit: 0
|
||||||
selector:
|
selector:
|
||||||
@ -16,27 +15,27 @@ spec:
|
|||||||
spec:
|
spec:
|
||||||
serviceAccountName: external-dns
|
serviceAccountName: external-dns
|
||||||
containers:
|
containers:
|
||||||
- name: external-dns
|
- name: external-dns
|
||||||
image: registry.k8s.io/external-dns/external-dns:v0.13.5
|
image: registry.k8s.io/external-dns/external-dns:v0.13.5
|
||||||
envFrom:
|
envFrom:
|
||||||
- secretRef:
|
- secretRef:
|
||||||
name: tsig-secret
|
name: tsig-secret
|
||||||
args:
|
args:
|
||||||
- --log-level=debug
|
- --log-level=debug
|
||||||
- --events
|
- --events
|
||||||
- --registry=noop
|
- --registry=noop
|
||||||
- --provider=rfc2136
|
- --provider=rfc2136
|
||||||
- --source=service
|
- --source=service
|
||||||
- --source=crd
|
- --source=crd
|
||||||
- --domain-filter=k6.ee
|
- --domain-filter=k6.ee
|
||||||
- --rfc2136-tsig-axfr
|
- --rfc2136-tsig-axfr
|
||||||
- --rfc2136-host=193.40.103.2
|
- --rfc2136-host=172.20.0.2
|
||||||
- --rfc2136-port=53
|
- --rfc2136-port=53
|
||||||
- --rfc2136-zone=k6.ee
|
- --rfc2136-zone=k6.ee
|
||||||
- --rfc2136-tsig-keyname=acme
|
- --rfc2136-tsig-keyname=readwrite
|
||||||
- --rfc2136-tsig-secret-alg=hmac-sha512
|
- --rfc2136-tsig-secret-alg=hmac-sha512
|
||||||
- --rfc2136-tsig-secret=$(TSIG_SECRET)
|
- --rfc2136-tsig-secret=$(TSIG_SECRET)
|
||||||
# https://github.com/kubernetes-sigs/external-dns/issues/2446
|
# https://github.com/kubernetes-sigs/external-dns/issues/2446
|
||||||
---
|
---
|
||||||
apiVersion: externaldns.k8s.io/v1alpha1
|
apiVersion: externaldns.k8s.io/v1alpha1
|
||||||
kind: DNSEndpoint
|
kind: DNSEndpoint
|
@ -2,8 +2,7 @@
|
|||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
name: kspace
|
name: external-dns-kspace
|
||||||
namespace: external-dns
|
|
||||||
spec:
|
spec:
|
||||||
revisionHistoryLimit: 0
|
revisionHistoryLimit: 0
|
||||||
selector:
|
selector:
|
||||||
@ -16,27 +15,27 @@ spec:
|
|||||||
spec:
|
spec:
|
||||||
serviceAccountName: external-dns
|
serviceAccountName: external-dns
|
||||||
containers:
|
containers:
|
||||||
- name: external-dns
|
- name: external-dns
|
||||||
image: registry.k8s.io/external-dns/external-dns:v0.13.5
|
image: registry.k8s.io/external-dns/external-dns:v0.13.5
|
||||||
envFrom:
|
envFrom:
|
||||||
- secretRef:
|
- secretRef:
|
||||||
name: tsig-secret
|
name: tsig-secret
|
||||||
args:
|
args:
|
||||||
- --events
|
- --events
|
||||||
- --registry=noop
|
- --registry=noop
|
||||||
- --provider=rfc2136
|
- --provider=rfc2136
|
||||||
- --source=ingress
|
- --source=ingress
|
||||||
- --source=service
|
- --source=service
|
||||||
- --source=crd
|
- --source=crd
|
||||||
- --domain-filter=kspace.ee
|
- --domain-filter=kspace.ee
|
||||||
- --rfc2136-tsig-axfr
|
- --rfc2136-tsig-axfr
|
||||||
- --rfc2136-host=193.40.103.2
|
- --rfc2136-host=172.20.0.2
|
||||||
- --rfc2136-port=53
|
- --rfc2136-port=53
|
||||||
- --rfc2136-zone=kspace.ee
|
- --rfc2136-zone=kspace.ee
|
||||||
- --rfc2136-tsig-keyname=acme
|
- --rfc2136-tsig-keyname=readwrite
|
||||||
- --rfc2136-tsig-secret-alg=hmac-sha512
|
- --rfc2136-tsig-secret-alg=hmac-sha512
|
||||||
- --rfc2136-tsig-secret=$(TSIG_SECRET)
|
- --rfc2136-tsig-secret=$(TSIG_SECRET)
|
||||||
# https://github.com/kubernetes-sigs/external-dns/issues/2446
|
# https://github.com/kubernetes-sigs/external-dns/issues/2446
|
||||||
---
|
---
|
||||||
apiVersion: externaldns.k8s.io/v1alpha1
|
apiVersion: externaldns.k8s.io/v1alpha1
|
||||||
kind: DNSEndpoint
|
kind: DNSEndpoint
|
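--- /dev/null
+++ b/bind/external-dns.yaml
@@ -0,0 +1,58 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-dns
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - pods
+      - nodes
+    verbs:
+      - get
+      - watch
+      - list
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - externaldns.k8s.io
+    resources:
+      - dnsendpoints
+    verbs:
+      - get
+      - watch
+      - list
+  - apiGroups:
+      - externaldns.k8s.io
+    resources:
+      - dnsendpoints/status
+    verbs:
+      - update
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: external-dns
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: external-dns-viewer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: external-dns
+subjects:
+  - kind: ServiceAccount
+    name: external-dns
+    namespace: bind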
@ -1,15 +0,0 @@
|
|||||||
Before applying replace the secret with the actual one.
|
|
||||||
|
|
||||||
For debugging add `- --log-level=debug`:
|
|
||||||
|
|
||||||
```
|
|
||||||
wget https://raw.githubusercontent.com/kubernetes-sigs/external-dns/master/docs/contributing/crd-source/crd-manifest.yaml -O crd.yml
|
|
||||||
kubectl apply -n external-dns -f application.yml -f crd.yml
|
|
||||||
```
|
|
||||||
|
|
||||||
Insert TSIG secret:
|
|
||||||
|
|
||||||
```
|
|
||||||
kubectl -n external-dns create secret generic tsig-secret \
|
|
||||||
--from-literal=TSIG_SECRET=<secret>
|
|
||||||
```
|
|
@ -1,101 +0,0 @@
|
|||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRole
|
|
||||||
metadata:
|
|
||||||
name: external-dns
|
|
||||||
namespace: external-dns
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- services
|
|
||||||
- endpoints
|
|
||||||
- pods
|
|
||||||
- nodes
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- watch
|
|
||||||
- list
|
|
||||||
- apiGroups:
|
|
||||||
- extensions
|
|
||||||
- networking.k8s.io
|
|
||||||
resources:
|
|
||||||
- ingresses
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- apiGroups:
|
|
||||||
- externaldns.k8s.io
|
|
||||||
resources:
|
|
||||||
- dnsendpoints
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- watch
|
|
||||||
- list
|
|
||||||
- apiGroups:
|
|
||||||
- externaldns.k8s.io
|
|
||||||
resources:
|
|
||||||
- dnsendpoints/status
|
|
||||||
verbs:
|
|
||||||
- update
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: external-dns
|
|
||||||
namespace: external-dns
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
metadata:
|
|
||||||
name: external-dns-viewer
|
|
||||||
namespace: external-dns
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: ClusterRole
|
|
||||||
name: external-dns
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: external-dns
|
|
||||||
namespace: external-dns
|
|
||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: k-space
|
|
||||||
namespace: external-dns
|
|
||||||
spec:
|
|
||||||
revisionHistoryLimit: 0
|
|
||||||
selector:
|
|
||||||
matchLabels: &selectorLabels
|
|
||||||
app.kubernetes.io/name: external-dns
|
|
||||||
domain: k-space.ee
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels: *selectorLabels
|
|
||||||
spec:
|
|
||||||
serviceAccountName: external-dns
|
|
||||||
containers:
|
|
||||||
- name: external-dns
|
|
||||||
image: registry.k8s.io/external-dns/external-dns:v0.13.5
|
|
||||||
envFrom:
|
|
||||||
- secretRef:
|
|
||||||
name: tsig-secret
|
|
||||||
args:
|
|
||||||
- --events
|
|
||||||
- --registry=txt
|
|
||||||
- --txt-prefix=external-dns-
|
|
||||||
- --txt-owner-id=k8s
|
|
||||||
- --provider=rfc2136
|
|
||||||
- --source=ingress
|
|
||||||
- --source=service
|
|
||||||
- --source=crd
|
|
||||||
- --domain-filter=k-space.ee
|
|
||||||
- --rfc2136-tsig-axfr
|
|
||||||
- --rfc2136-host=193.40.103.2
|
|
||||||
- --rfc2136-port=53
|
|
||||||
- --rfc2136-zone=k-space.ee
|
|
||||||
- --rfc2136-tsig-keyname=acme
|
|
||||||
- --rfc2136-tsig-secret-alg=hmac-sha512
|
|
||||||
- --rfc2136-tsig-secret=$(TSIG_SECRET)
|
|
||||||
# https://github.com/kubernetes-sigs/external-dns/issues/2446
|
|
@ -1,5 +1,8 @@
|
|||||||
all:
|
all:
|
||||||
children:
|
children:
|
||||||
|
bind:
|
||||||
|
hosts:
|
||||||
|
ns1.k-space.ee:
|
||||||
kubernetes:
|
kubernetes:
|
||||||
children:
|
children:
|
||||||
masters:
|
masters:
|
||||||
|
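--- /dev/null
+++ b/inventory/README.md
@@ -0,0 +1,21 @@
+
+To deploy components:
+
+```
+kubectl create namespace members-site
+kubectl apply -n members-site -f doorboy.yml
+```
+
+
+# Doorboy
+
+Set up Doorboy UID hashing salt:
+
+```
+kubectl create secret generic -n members-site doorboy-api \
+  --from-literal=DOORBOY_SECRET=hg2NmVlf6JcS3w237ZXn
+kubectl create secret generic -n members-site doorboy-uid-hash-salt \
+  --from-literal=KDOORPI_UID_SALT=hkRXwLlQKmCJoy5qaahp
+kubectl create secret generic -n members-site mongo-application-readwrite \
+  --from-literal=connectionString.standard=mongodb://kspace_accounting:dBDCS21pHlZAd5isyfBI@mongodb.infra.k-space.ee:27017/kspace_accounting?replicaSet=kspace-mongo-set
+```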
@ -35,7 +35,9 @@ metadata:
|
|||||||
namespace: metallb-system
|
namespace: metallb-system
|
||||||
spec:
|
spec:
|
||||||
ipAddressPools:
|
ipAddressPools:
|
||||||
- zoo
|
- zoo
|
||||||
|
- bind-secondary-external
|
||||||
|
- bind-secondary-internal
|
||||||
---
|
---
|
||||||
# Slice of public EEnet subnet using MetalLB L3 method
|
# Slice of public EEnet subnet using MetalLB L3 method
|
||||||
apiVersion: metallb.io/v1beta1
|
apiVersion: metallb.io/v1beta1
|
||||||
@ -57,6 +59,24 @@ spec:
|
|||||||
addresses:
|
addresses:
|
||||||
- 62.65.250.36/30
|
- 62.65.250.36/30
|
||||||
---
|
---
|
||||||
|
apiVersion: metallb.io/v1beta1
|
||||||
|
kind: IPAddressPool
|
||||||
|
metadata:
|
||||||
|
name: bind-secondary-internal
|
||||||
|
namespace: metallb-system
|
||||||
|
spec:
|
||||||
|
addresses:
|
||||||
|
- 172.20.53.0/24
|
||||||
|
---
|
||||||
|
apiVersion: metallb.io/v1beta1
|
||||||
|
kind: IPAddressPool
|
||||||
|
metadata:
|
||||||
|
name: bind-secondary-external
|
||||||
|
namespace: metallb-system
|
||||||
|
spec:
|
||||||
|
addresses:
|
||||||
|
- 62.65.250.2/32
|
||||||
|
---
|
||||||
apiVersion: metallb.io/v1beta2
|
apiVersion: metallb.io/v1beta2
|
||||||
kind: BGPPeer
|
kind: BGPPeer
|
||||||
metadata:
|
metadata:
|
||||||
|
@ -4,3 +4,5 @@ Host *
|
|||||||
ControlMaster auto
|
ControlMaster auto
|
||||||
ControlPath ~/.ssh/cm-%r@%h:%p
|
ControlPath ~/.ssh/cm-%r@%h:%p
|
||||||
|
|
||||||
|
Host ns1.k-space.ee
|
||||||
|
Hostname 172.20.0.2
|
||||||
|