Update whole Bind setup

ansible-bind-primary.yml

@@ -0,0 +1,65 @@
+- name: Setup primary nameserver
+  hosts: ns1.k-space.ee
+  tasks:
+  - name: Make sure bind9 is installed
+    ansible.builtin.apt:
+      name: bind9
+      state: present
+  - name: Configure Bind
+    register: bind
+    copy:
+      dest: /etc/bind/named.conf
+      content: |
+        # This file is managed by Ansible
+        # https://git.k-space.ee/k-space/kube/src/branch/master/ansible-bind-primary.yml
+        # Do NOT modify manually
+
+        include "/etc/bind/named.conf.options";
+        include "/etc/bind/named.conf.local";
+        include "/etc/bind/readwrite.key";
+        include "/etc/bind/readonly.key";
+
+        # https://kb.isc.org/docs/aa-00723
+
+        acl allowed {
+            172.20.3.0/24;
+            172.20.4.0/24;
+        };
+
+        acl rejected { !allowed; any; };
+
+        zone "." {
+            type hint;
+            file "/var/lib/bind/db.root";
+        };
+
+        zone "k-space.ee" {
+            type master;
+            file "/var/lib/bind/db.k-space.ee";
+            allow-update { !rejected; key readwrite; };
+            allow-transfer { !rejected; key readonly; key readwrite; };
+            notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
+        };
+
+        zone "k6.ee" {
+            type master;
+            file "/var/lib/bind/db.k6.ee";
+            allow-update { !rejected; key readwrite; };
+            allow-transfer { !rejected; key readonly; key readwrite; };
+            notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
+        };
+
+        zone "kspace.ee" {
+            type master;
+            file "/var/lib/bind/db.kspace.ee";
+            allow-update { !rejected; key readwrite; };
+            allow-transfer { !rejected; key readonly; key readwrite; };
+            notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
+        };
+  - name: Check Bind config
+    ansible.builtin.shell: "named-checkconf"
+  - name: Reload Bind config
+    service:
+      name: bind9
+      state: reloaded
+    when: bind.changed

bind/README.md

@@ -0,0 +1,31 @@
+# Bind setup
+
+The Bind primary resides outside Kubernetes at `193.40.103.2` and
+it's internally reachable via `172.20.0.2`
+
+Bind secondaries are hosted inside Kubernetes and load balanced behind `62.65.250.2`
+
+Ingresses and DNSEndpoints referring to `k-space.ee`, `kspace.ee`, `k6.ee`
+are picked up automatically by `external-dns` and updated on primary.
+
+The primary triggers notification events to `172.20.53.{1..3}`
+which are internally exposed IP-s of the secondaries.
+
+# Secrets
+
+To configure TSIG secrets:
+
+```
+kubectl create secret generic -n bind bind-readonly-secret \
+  --from-file=readonly.key
+kubectl create secret generic -n bind bind-readwrite-secret \
+  --from-file=readwrite.key
+kubectl create secret generic -n bind external-dns
+kubectl -n bind delete secret tsig-secret
+kubectl -n bind create secret generic tsig-secret \
+    --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
+kubectl -n cert-manager delete secret tsig-secret
+kubectl -n cert-manager create secret generic tsig-secret \
+    --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
+```
+

bind/bind-secondary.yaml

@@ -0,0 +1,163 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: bind-secondary-config
+data:
+  named.conf: |
+    include "/etc/bind/readonly.key";
+    options {
+        recursion no;
+        pid-file "/var/bind/named.pid";
+        allow-query { 0.0.0.0/0; };
+        allow-notify { 172.20.0.2; };
+        allow-transfer { none; };
+        check-names slave ignore;
+    };
+    zone "k-space.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
+    zone "k6.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
+    zone "kspace.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: bind-secondary
+  namespace: bind
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: bind-secondary
+  template:
+    metadata:
+      labels:
+        app: bind-secondary
+    spec:
+      volumes:
+        - name: run
+          emptyDir: {}
+      containers:
+        - name: bind-secondary
+          image: internetsystemsconsortium/bind9:9.19
+          volumeMounts:
+            - mountPath: /run/named
+              name: run
+          workingDir: /var/bind
+          command:
+            - named
+            - -g
+            - -c
+            - /etc/bind/named.conf
+          volumeMounts:
+            - name: bind-secondary-config
+              mountPath: /etc/bind
+              readOnly: true
+            - name: bind-data
+              mountPath: /var/bind
+      volumes:
+        - name: bind-secondary-config
+          projected:
+            sources:
+              - configMap:
+                  name: bind-secondary-config
+              - secret:
+                  name: bind-readonly-secret
+        - name: bind-data
+          emptyDir: {}
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchExpressions:
+                  - key: app
+                    operator: In
+                    values:
+                      - bind-secondary
+              topologyKey: "kubernetes.io/hostname"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bind-secondary
+  namespace: bind
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 62.65.250.2
+  selector:
+    app: bind-secondary
+  ports:
+    - protocol: TCP
+      port: 53
+      name: dns-tcp
+      targetPort: 53
+    - protocol: UDP
+      port: 53
+      name: dns-udp
+      targetPort: 53
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bind-secondary-0
+  namespace: bind
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 172.20.53.1
+  selector:
+    app: bind-secondary
+    statefulset.kubernetes.io/pod-name: bind-secondary-0
+  ports:
+    - protocol: TCP
+      port: 53
+      name: dns-tcp
+      targetPort: 53
+    - protocol: UDP
+      port: 53
+      name: dns-udp
+      targetPort: 53
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bind-secondary-1
+  namespace: bind
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 172.20.53.2
+  selector:
+    app: bind-secondary
+    statefulset.kubernetes.io/pod-name: bind-secondary-1
+  ports:
+    - protocol: TCP
+      port: 53
+      name: dns-tcp
+      targetPort: 53
+    - protocol: UDP
+      port: 53
+      name: dns-udp
+      targetPort: 53
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bind-secondary-2
+  namespace: bind
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 172.20.53.3
+  selector:
+    app: bind-secondary
+    statefulset.kubernetes.io/pod-name: bind-secondary-2
+  ports:
+    - protocol: TCP
+      port: 53
+      name: dns-tcp
+      targetPort: 53
+    - protocol: UDP
+      port: 53
+      name: dns-udp
+      targetPort: 53

bind/external-dns-k-space.yaml

@@ -0,0 +1,40 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-dns-k-space
+spec:
+  revisionHistoryLimit: 0
+  selector:
+    matchLabels: &selectorLabels
+      app.kubernetes.io/name: external-dns
+      domain: k-space.ee
+  template:
+    metadata:
+      labels: *selectorLabels
+    spec:
+      serviceAccountName: external-dns
+      containers:
+        - name: external-dns
+          image: registry.k8s.io/external-dns/external-dns:v0.13.5
+          envFrom:
+            - secretRef:
+                name: tsig-secret
+          args:
+            - --events
+            - --registry=txt
+            - --txt-prefix=external-dns-
+            - --txt-owner-id=k8s
+            - --provider=rfc2136
+            - --source=ingress
+            - --source=service
+            - --source=crd
+            - --domain-filter=k-space.ee
+            - --rfc2136-tsig-axfr
+            - --rfc2136-host=172.20.0.2
+            - --rfc2136-port=53
+            - --rfc2136-zone=k-space.ee
+            - --rfc2136-tsig-keyname=readwrite
+            - --rfc2136-tsig-secret-alg=hmac-sha512
+            - --rfc2136-tsig-secret=$(TSIG_SECRET)
+            # https://github.com/kubernetes-sigs/external-dns/issues/2446

bind/external-dns-k6.yaml

@@ -2,8 +2,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: k6
-  namespace: external-dns
+  name: external-dns-k6
 spec:
   revisionHistoryLimit: 0
   selector:
@@ -16,27 +15,27 @@ spec:
     spec:
       serviceAccountName: external-dns
       containers:
-      - name: external-dns
-        image: registry.k8s.io/external-dns/external-dns:v0.13.5
-        envFrom:
-        - secretRef:
-            name: tsig-secret
-        args:
-        - --log-level=debug
-        - --events
-        - --registry=noop
-        - --provider=rfc2136
-        - --source=service
-        - --source=crd
-        - --domain-filter=k6.ee
-        - --rfc2136-tsig-axfr
-        - --rfc2136-host=193.40.103.2
-        - --rfc2136-port=53
-        - --rfc2136-zone=k6.ee
-        - --rfc2136-tsig-keyname=acme
-        - --rfc2136-tsig-secret-alg=hmac-sha512
-        - --rfc2136-tsig-secret=$(TSIG_SECRET)
-        # https://github.com/kubernetes-sigs/external-dns/issues/2446
+        - name: external-dns
+          image: registry.k8s.io/external-dns/external-dns:v0.13.5
+          envFrom:
+            - secretRef:
+                name: tsig-secret
+          args:
+            - --log-level=debug
+            - --events
+            - --registry=noop
+            - --provider=rfc2136
+            - --source=service
+            - --source=crd
+            - --domain-filter=k6.ee
+            - --rfc2136-tsig-axfr
+            - --rfc2136-host=172.20.0.2
+            - --rfc2136-port=53
+            - --rfc2136-zone=k6.ee
+            - --rfc2136-tsig-keyname=readwrite
+            - --rfc2136-tsig-secret-alg=hmac-sha512
+            - --rfc2136-tsig-secret=$(TSIG_SECRET)
+            # https://github.com/kubernetes-sigs/external-dns/issues/2446
 ---
 apiVersion: externaldns.k8s.io/v1alpha1
 kind: DNSEndpoint

bind/external-dns-kspace.yaml

@@ -2,8 +2,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: kspace
-  namespace: external-dns
+  name: external-dns-kspace
 spec:
   revisionHistoryLimit: 0
   selector:
@@ -16,27 +15,27 @@ spec:
     spec:
       serviceAccountName: external-dns
       containers:
-      - name: external-dns
-        image: registry.k8s.io/external-dns/external-dns:v0.13.5
-        envFrom:
-        - secretRef:
-            name: tsig-secret
-        args:
-        - --events
-        - --registry=noop
-        - --provider=rfc2136
-        - --source=ingress
-        - --source=service
-        - --source=crd
-        - --domain-filter=kspace.ee
-        - --rfc2136-tsig-axfr
-        - --rfc2136-host=193.40.103.2
-        - --rfc2136-port=53
-        - --rfc2136-zone=kspace.ee
-        - --rfc2136-tsig-keyname=acme
-        - --rfc2136-tsig-secret-alg=hmac-sha512
-        - --rfc2136-tsig-secret=$(TSIG_SECRET)
-        # https://github.com/kubernetes-sigs/external-dns/issues/2446
+        - name: external-dns
+          image: registry.k8s.io/external-dns/external-dns:v0.13.5
+          envFrom:
+          - secretRef:
+              name: tsig-secret
+          args:
+            - --events
+            - --registry=noop
+            - --provider=rfc2136
+            - --source=ingress
+            - --source=service
+            - --source=crd
+            - --domain-filter=kspace.ee
+            - --rfc2136-tsig-axfr
+            - --rfc2136-host=172.20.0.2
+            - --rfc2136-port=53
+            - --rfc2136-zone=kspace.ee
+            - --rfc2136-tsig-keyname=readwrite
+            - --rfc2136-tsig-secret-alg=hmac-sha512
+            - --rfc2136-tsig-secret=$(TSIG_SECRET)
+            # https://github.com/kubernetes-sigs/external-dns/issues/2446
 ---
 apiVersion: externaldns.k8s.io/v1alpha1
 kind: DNSEndpoint

bind/external-dns.yaml

@@ -0,0 +1,58 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-dns
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - endpoints
+  - pods
+  - nodes
+  verbs:
+  - get
+  - watch
+  - list
+- apiGroups:
+  - extensions
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - externaldns.k8s.io
+  resources:
+  - dnsendpoints
+  verbs:
+  - get
+  - watch
+  - list
+- apiGroups:
+  - externaldns.k8s.io
+  resources:
+  - dnsendpoints/status
+  verbs:
+  - update
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: external-dns
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: external-dns-viewer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: external-dns
+subjects:
+- kind: ServiceAccount
+  name: external-dns
+  namespace: bind

external-dns/README.md

@@ -1,15 +0,0 @@
-Before applying replace the secret with the actual one.
-
-For debugging add `- --log-level=debug`:
-
-```
-wget https://raw.githubusercontent.com/kubernetes-sigs/external-dns/master/docs/contributing/crd-source/crd-manifest.yaml -O crd.yml
-kubectl apply -n external-dns -f application.yml -f crd.yml
-```
-
-Insert TSIG secret:
-
-```
- kubectl -n external-dns create secret generic tsig-secret \
-    --from-literal=TSIG_SECRET=<secret>
-```

external-dns/k-space.yaml

@@ -1,101 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: external-dns
-  namespace: external-dns
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - services
-  - endpoints
-  - pods
-  - nodes
-  verbs:
-  - get
-  - watch
-  - list
-- apiGroups:
-  - extensions
-  - networking.k8s.io
-  resources:
-  - ingresses
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - externaldns.k8s.io
-  resources:
-  - dnsendpoints
-  verbs:
-  - get
-  - watch
-  - list
-- apiGroups:
-  - externaldns.k8s.io
-  resources:
-  - dnsendpoints/status
-  verbs:
-  - update
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: external-dns
-  namespace: external-dns
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: external-dns-viewer
-  namespace: external-dns
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: external-dns
-subjects:
-- kind: ServiceAccount
-  name: external-dns
-  namespace: external-dns
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: k-space
-  namespace: external-dns
-spec:
-  revisionHistoryLimit: 0
-  selector:
-    matchLabels: &selectorLabels
-      app.kubernetes.io/name: external-dns
-      domain: k-space.ee
-  template:
-    metadata:
-      labels: *selectorLabels
-    spec:
-      serviceAccountName: external-dns
-      containers:
-      - name: external-dns
-        image: registry.k8s.io/external-dns/external-dns:v0.13.5
-        envFrom:
-        - secretRef:
-            name: tsig-secret
-        args:
-        - --events
-        - --registry=txt
-        - --txt-prefix=external-dns-
-        - --txt-owner-id=k8s
-        - --provider=rfc2136
-        - --source=ingress
-        - --source=service
-        - --source=crd
-        - --domain-filter=k-space.ee
-        - --rfc2136-tsig-axfr
-        - --rfc2136-host=193.40.103.2
-        - --rfc2136-port=53
-        - --rfc2136-zone=k-space.ee
-        - --rfc2136-tsig-keyname=acme
-        - --rfc2136-tsig-secret-alg=hmac-sha512
-        - --rfc2136-tsig-secret=$(TSIG_SECRET)
-        # https://github.com/kubernetes-sigs/external-dns/issues/2446

inventory.yml

@@ -1,5 +1,8 @@
 all:
   children:
+    bind:
+      hosts:
+        ns1.k-space.ee:
     kubernetes:
       children:
         masters:

inventory/README.md

@@ -0,0 +1,21 @@
+
+To deploy components:
+
+```
+kubectl create namespace members-site
+kubectl apply -n members-site -f doorboy.yml
+```
+
+
+# Doorboy
+
+Set up Doorboy UID hashing salt:
+
+```
+ kubectl create secret generic -n members-site doorboy-api \
+    --from-literal=DOORBOY_SECRET=hg2NmVlf6JcS3w237ZXn
+ kubectl create secret generic -n members-site doorboy-uid-hash-salt \
+    --from-literal=KDOORPI_UID_SALT=hkRXwLlQKmCJoy5qaahp
+ kubectl create secret generic -n members-site mongo-application-readwrite \
+    --from-literal=connectionString.standard=mongodb://kspace_accounting:dBDCS21pHlZAd5isyfBI@mongodb.infra.k-space.ee:27017/kspace_accounting?replicaSet=kspace-mongo-set
+```

metallb-system/application.yml

@@ -35,7 +35,9 @@ metadata:
   namespace: metallb-system
 spec:
   ipAddressPools:
-  - zoo
+    - zoo
+    - bind-secondary-external
+    - bind-secondary-internal
 ---
 # Slice of public EEnet subnet using MetalLB L3 method
 apiVersion: metallb.io/v1beta1
@@ -57,6 +59,24 @@ spec:
   addresses:
   - 62.65.250.36/30
 ---
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: bind-secondary-internal
+  namespace: metallb-system
+spec:
+  addresses:
+  - 172.20.53.0/24
+---
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: bind-secondary-external
+  namespace: metallb-system
+spec:
+  addresses:
+  - 62.65.250.2/32
+---
 apiVersion: metallb.io/v1beta2
 kind: BGPPeer
 metadata:

ssh_config

@@ -4,3 +4,5 @@ Host *
     ControlMaster auto
     ControlPath ~/.ssh/cm-%r@%h:%p
 
+Host ns1.k-space.ee
+    Hostname 172.20.0.2