1
0
forked from k-space/kube

bind, cert-manager: Cleanups

This commit is contained in:
Lauri Võsandi 2024-08-14 10:04:41 +03:00
parent 3f4d89b4b1
commit 1d39827375
9 changed files with 160 additions and 139 deletions

View File

@ -1,32 +1,31 @@
#TODO: # Bind namespace
- cert-manager talks to master to add domain names, and DNS-01 TLS through ns1.k-space.ee The Bind secondary servers and `external-dns` service pods are running in this namespace.
^ both-side link to cert-manager The `external-dns` pods are used to declaratively update DNS records on the
[Bind primary](https://git.k-space.ee/k-space/ansible/src/branch/main/authoritative-nameserver.yaml).
bind-services (zone transfer to HA replicas from ns1.k-space.ee) The Bind primary `ns1.k-space.ee` resides outside Kubernetes at `193.40.103.2` and
### ns1.k-space.ee
Primary authoritive nameserver replica. Other replicas live on Kube nodes
Idea to move it to Zone.
dns.yaml files add DNS records
# Bind setup
The Bind primary resides outside Kubernetes at `193.40.103.2` and
it's internally reachable via `172.20.0.2`. it's internally reachable via `172.20.0.2`.
Bind secondaries perform AXFR (zone transfer) from `ns1.k-space.ee` using
shared secret autentication.
The primary triggers notification events to `172.20.53.{1..3}`
which are internally exposed IP-s of the secondaries.
Bind secondaries are hosted inside Kubernetes, load balanced behind `62.65.250.2` and Bind secondaries are hosted inside Kubernetes, load balanced behind `62.65.250.2` and
under normal circumstances managed by [ArgoCD](https://argocd.k-space.ee/applications/argocd/bind). under normal circumstances managed by [ArgoCD](https://argocd.k-space.ee/applications/argocd/bind).
Ingresses and DNSEndpoints referring to `k-space.ee`, `kspace.ee`, `k6.ee` Note that [cert-manager](https://git.k-space.ee/k-space/kube/src/branch/master/cert-manager/issuer.yml) also performs DNS updates on the Bind primary.
are picked up automatically by `external-dns` and updated on primary.
The primary triggers notification events to `172.20.53.{1..3}`
which are internally exposed IP-s of the secondaries.
# Secrets # For user
`Ingresses` and `DNSEndpoint` resources under `k-space.ee`, `kspace.ee`, `k6.ee`
domains are picked up automatically by `external-dns` and updated on the Bind primary.
To find usage examples in this repository use
`grep -r -A25 "^kind: Ingress" .` and
`grep -R -r -A100 "^kind: DNSEndpoint" .`
# For administrator
To configure TSIG secrets: To configure TSIG secrets:

View File

@ -1,8 +1,10 @@
# yamllint disable rule:line-length
--- ---
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: bind-secondary-config-local name: bind-secondary-config-local
namespace: bind
data: data:
named.conf.local: | named.conf.local: |
zone "codemowers.ee" { type slave; masters { 172.20.0.2 key readonly; }; }; zone "codemowers.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
@ -13,6 +15,7 @@ apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: bind-secondary-config name: bind-secondary-config
namespace: bind
data: data:
named.conf: | named.conf: |
include "/etc/bind/named.conf.local"; include "/etc/bind/named.conf.local";
@ -36,6 +39,7 @@ metadata:
name: bind-secondary name: bind-secondary
namespace: bind namespace: bind
spec: spec:
revisionHistoryLimit: 0
replicas: 3 replicas: 3
selector: selector:
matchLabels: matchLabels:
@ -45,15 +49,9 @@ spec:
labels: labels:
app: bind-secondary app: bind-secondary
spec: spec:
volumes:
- name: run
emptyDir: {}
containers: containers:
- name: bind-secondary - name: bind-secondary
image: internetsystemsconsortium/bind9:9.20 image: internetsystemsconsortium/bind9:9.20
volumeMounts:
- mountPath: /run/named
name: run
workingDir: /var/bind workingDir: /var/bind
command: command:
- named - named

View File

@ -3,6 +3,7 @@ apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: external-dns-k-space name: external-dns-k-space
namespace: bind
spec: spec:
revisionHistoryLimit: 0 revisionHistoryLimit: 0
selector: selector:

View File

@ -3,6 +3,7 @@ apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: external-dns-k6 name: external-dns-k6
namespace: bind
spec: spec:
revisionHistoryLimit: 0 revisionHistoryLimit: 0
selector: selector:
@ -41,31 +42,32 @@ apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint kind: DNSEndpoint
metadata: metadata:
name: k6 name: k6
namespace: bind
spec: spec:
endpoints: endpoints:
- dnsName: k6.ee - dnsName: k6.ee
recordTTL: 300 recordTTL: 300
recordType: SOA recordType: SOA
targets: targets:
- "ns1.k-space.ee. hostmaster.k-space.ee. (1 300 300 300 300)" - "ns1.k-space.ee. hostmaster.k-space.ee. (1 300 300 300 300)"
- dnsName: k6.ee - dnsName: k6.ee
recordTTL: 300 recordTTL: 300
recordType: NS recordType: NS
targets: targets:
- ns1.k-space.ee - ns1.k-space.ee
- ns2.k-space.ee - ns2.k-space.ee
- dnsName: ns1.k-space.ee - dnsName: ns1.k-space.ee
recordTTL: 300 recordTTL: 300
recordType: A recordType: A
targets: targets:
- 193.40.103.2 - 193.40.103.2
- dnsName: ns2.k-space.ee - dnsName: ns2.k-space.ee
recordTTL: 300 recordTTL: 300
recordType: A recordType: A
targets: targets:
- 62.65.250.2 - 62.65.250.2
- dnsName: k-space.ee - dnsName: k-space.ee
recordTTL: 300 recordTTL: 300
recordType: MX recordType: MX
targets: targets:
- 10 mail.k-space.ee - 10 mail.k-space.ee

View File

@ -3,6 +3,7 @@ apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: external-dns-kspace name: external-dns-kspace
namespace: bind
spec: spec:
revisionHistoryLimit: 0 revisionHistoryLimit: 0
selector: selector:
@ -18,8 +19,8 @@ spec:
- name: external-dns - name: external-dns
image: registry.k8s.io/external-dns/external-dns:v0.14.2 image: registry.k8s.io/external-dns/external-dns:v0.14.2
envFrom: envFrom:
- secretRef: - secretRef:
name: tsig-secret name: tsig-secret
args: args:
- --events - --events
- --registry=noop - --registry=noop
@ -41,26 +42,27 @@ apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint kind: DNSEndpoint
metadata: metadata:
name: kspace name: kspace
namespace: bind
spec: spec:
endpoints: endpoints:
- dnsName: kspace.ee - dnsName: kspace.ee
recordTTL: 300 recordTTL: 300
recordType: SOA recordType: SOA
targets: targets:
- "ns1.k-space.ee. hostmaster.k-space.ee. (1 300 300 300 300)" - "ns1.k-space.ee. hostmaster.k-space.ee. (1 300 300 300 300)"
- dnsName: kspace.ee - dnsName: kspace.ee
recordTTL: 300 recordTTL: 300
recordType: NS recordType: NS
targets: targets:
- ns1.k-space.ee - ns1.k-space.ee
- ns2.k-space.ee - ns2.k-space.ee
- dnsName: ns1.k-space.ee - dnsName: ns1.k-space.ee
recordTTL: 300 recordTTL: 300
recordType: A recordType: A
targets: targets:
- 193.40.103.2 - 193.40.103.2
- dnsName: ns2.k-space.ee - dnsName: ns2.k-space.ee
recordTTL: 300 recordTTL: 300
recordType: A recordType: A
targets: targets:
- 62.65.250.2 - 62.65.250.2

View File

@ -4,55 +4,57 @@ kind: ClusterRole
metadata: metadata:
name: external-dns name: external-dns
rules: rules:
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
- services - services
- endpoints - endpoints
- pods - pods
- nodes - nodes
verbs: verbs:
- get - get
- watch - watch
- list - list
- apiGroups: - apiGroups:
- extensions - extensions
- networking.k8s.io - networking.k8s.io
resources: resources:
- ingresses - ingresses
verbs: verbs:
- get - get
- list - list
- watch - watch
- apiGroups: - apiGroups:
- externaldns.k8s.io - externaldns.k8s.io
resources: resources:
- dnsendpoints - dnsendpoints
verbs: verbs:
- get - get
- watch - watch
- list - list
- apiGroups: - apiGroups:
- externaldns.k8s.io - externaldns.k8s.io
resources: resources:
- dnsendpoints/status - dnsendpoints/status
verbs: verbs:
- update - update
--- ---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: external-dns name: external-dns
namespace: bind
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: external-dns-viewer name: external-dns-viewer
namespace: bind
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: external-dns name: external-dns
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: external-dns name: external-dns
namespace: bind namespace: bind

View File

@ -1,18 +1,33 @@
# cert-manager # cert-manager
`cert-manager` is used to obtain TLS certificates from Let's Encrypt. `cert-manager` is used to obtain TLS certificates from Let's Encrypt.
It uses DNS-01 challenge in conjunction with Bind primary
at `ns1.k-space.ee`.
Refer to the [Bind primary Ansible playbook](https://git.k-space.ee/k-space/ansible/src/branch/main/authoritative-nameserver.yaml) and
[Bind namespace on Kubernetes cluster](https://git.k-space.ee/k-space/kube/src/branch/master/bind)
for more details
Added manifest with: # For user
Use `Certificate` CRD of cert-manager, refer to
[official documentation](https://cert-manager.io/docs/usage/certificate/).
To find usage examples in this repository use
`grep -r -A10 "^kind: Certificate" .`
# For administrator
Deployed with:
``` ```
curl -L https://github.com/jetstack/cert-manager/releases/download/v1.15.1/cert-manager.yaml -O curl -L https://github.com/jetstack/cert-manager/releases/download/v1.15.1/cert-manager.yaml -O
```
To update certificate issuer
```
kubectl apply -f cert-manager.yaml kubectl apply -f cert-manager.yaml
kubectl apply -f issuer.yml ```
To update the issuer configuration or TSIG secret:
```
kubectl apply -f default-issuer.yml
kubectl -n cert-manager create secret generic tsig-secret \ kubectl -n cert-manager create secret generic tsig-secret \
--from-literal=TSIG_SECRET=<secret> --from-literal=TSIG_SECRET=<secret>
``` ```

View File

@ -0,0 +1,21 @@
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: default
namespace: cert-manager
spec:
acme:
email: info@k-space.ee
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: example-issuer-account-key
solvers:
- dns01:
rfc2136:
nameserver: 193.40.103.2
tsigKeyName: readwrite.
tsigAlgorithm: HMACSHA512
tsigSecretSecretRef:
name: tsig-secret
key: TSIG_SECRET

View File

@ -1,19 +0,0 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: default
spec:
acme:
email: info@k-space.ee
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: example-issuer-account-key
solvers:
- dns01:
rfc2136:
nameserver: 193.40.103.2
tsigKeyName: acme.
tsigAlgorithm: HMACSHA512
tsigSecretSecretRef:
name: tsig-secret
key: TSIG_SECRET