	Update whole Bind setup
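--- a/bind/.gitignore
+++ b/bind/.gitignore
@@ -0,0 +1 @@
+*.key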
							
								
								
									
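--- a/bind/README.md
+++ b/bind/README.md
@@ -0,0 +1,31 @@
+# Bind setup
+
+The Bind primary resides outside Kubernetes at `193.40.103.2` and
+it's internally reachable via `172.20.0.2`
+
+Bind secondaries are hosted inside Kubernetes and load balanced behind `62.65.250.2`
+
+Ingresses and DNSEndpoints referring to `k-space.ee`, `kspace.ee`, `k6.ee`
+are picked up automatically by `external-dns` and updated on primary.
+
+The primary triggers notification events to `172.20.53.{1..3}`
+which are internally exposed IP-s of the secondaries.
+
+# Secrets
+
+To configure TSIG secrets:
+
+```
+kubectl create secret generic -n bind bind-readonly-secret \
+  --from-file=readonly.key
+kubectl create secret generic -n bind bind-readwrite-secret \
+  --from-file=readwrite.key
+kubectl create secret generic -n bind external-dns
+kubectl -n bind delete secret tsig-secret
+kubectl -n bind create secret generic tsig-secret \
+    --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
+kubectl -n cert-manager delete secret tsig-secret
+kubectl -n cert-manager create secret generic tsig-secret \
+    --from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
+```
+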
							
								
								
									
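--- a/bind/bind-secondary.yaml
+++ b/bind/bind-secondary.yaml
@@ -0,0 +1,163 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: bind-secondary-config
+data:
+  named.conf: |
+    include "/etc/bind/readonly.key";
+    options {
+        recursion no;
+        pid-file "/var/bind/named.pid";
+        allow-query { 0.0.0.0/0; };
+        allow-notify { 172.20.0.2; };
+        allow-transfer { none; };
+        check-names slave ignore;
+    };
+    zone "k-space.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
+    zone "k6.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
+    zone "kspace.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: bind-secondary
+  namespace: bind
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: bind-secondary
+  template:
+    metadata:
+      labels:
+        app: bind-secondary
+    spec:
+      volumes:
+        - name: run
+          emptyDir: {}
+      containers:
+        - name: bind-secondary
+          image: internetsystemsconsortium/bind9:9.19
+          volumeMounts:
+            - mountPath: /run/named
+              name: run
+          workingDir: /var/bind
+          command:
+            - named
+            - -g
+            - -c
+            - /etc/bind/named.conf
+          volumeMounts:
+            - name: bind-secondary-config
+              mountPath: /etc/bind
+              readOnly: true
+            - name: bind-data
+              mountPath: /var/bind
+      volumes:
+        - name: bind-secondary-config
+          projected:
+            sources:
+              - configMap:
+                  name: bind-secondary-config
+              - secret:
+                  name: bind-readonly-secret
+        - name: bind-data
+          emptyDir: {}
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchExpressions:
+                  - key: app
+                    operator: In
+                    values:
+                      - bind-secondary
+              topologyKey: "kubernetes.io/hostname"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bind-secondary
+  namespace: bind
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 62.65.250.2
+  selector:
+    app: bind-secondary
+  ports:
+    - protocol: TCP
+      port: 53
+      name: dns-tcp
+      targetPort: 53
+    - protocol: UDP
+      port: 53
+      name: dns-udp
+      targetPort: 53
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bind-secondary-0
+  namespace: bind
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 172.20.53.1
+  selector:
+    app: bind-secondary
+    statefulset.kubernetes.io/pod-name: bind-secondary-0
+  ports:
+    - protocol: TCP
+      port: 53
+      name: dns-tcp
+      targetPort: 53
+    - protocol: UDP
+      port: 53
+      name: dns-udp
+      targetPort: 53
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bind-secondary-1
+  namespace: bind
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 172.20.53.2
+  selector:
+    app: bind-secondary
+    statefulset.kubernetes.io/pod-name: bind-secondary-1
+  ports:
+    - protocol: TCP
+      port: 53
+      name: dns-tcp
+      targetPort: 53
+    - protocol: UDP
+      port: 53
+      name: dns-udp
+      targetPort: 53
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bind-secondary-2
+  namespace: bind
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 172.20.53.3
+  selector:
+    app: bind-secondary
+    statefulset.kubernetes.io/pod-name: bind-secondary-2
+  ports:
+    - protocol: TCP
+      port: 53
+      name: dns-tcp
+      targetPort: 53
+    - protocol: UDP
+      port: 53
+      name: dns-udp
+      targetPort: 53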
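Review bot: The `bind-secondary` container declares `volumeMounts:` twice and the pod spec declares `volumes:` twice, which is a duplicate mapping key in YAML; depending on the kubectl version this is either rejected on apply or silently resolved to the last occurrence, in which case the `run` emptyDir is never mounted at `/run/named`. Merge each pair into one list as below. The ConfigMap `bind-secondary-config` also carries no `namespace: bind` while the StatefulSet and Services do, so it only ends up next to them when the file is applied with `-n bind`; add `namespace: bind` to its metadata. Separately, `internetsystemsconsortium/bind9:9.19` is a floating tag on the BIND development branch for an Internet-facing authoritative server; pinning a stable release tag or a digest would make upgrades deliberate rather than whatever the registry serves next.
```yaml
# … unchanged: ConfigMap, StatefulSet header, selector, template labels …
    spec:
      containers:
        - name: bind-secondary
          image: internetsystemsconsortium/bind9:9.19
          workingDir: /var/bind
          command:
            - named
            - -g
            - -c
            - /etc/bind/named.conf
          volumeMounts:
            - name: run
              mountPath: /run/named
            - name: bind-secondary-config
              mountPath: /etc/bind
              readOnly: true
            - name: bind-data
              mountPath: /var/bind
      volumes:
        - name: run
          emptyDir: {}
        - name: bind-secondary-config
          projected:
            sources:
              - configMap:
                  name: bind-secondary-config
              - secret:
                  name: bind-readonly-secret
        - name: bind-data
          emptyDir: {}
# … unchanged: affinity, Services …
```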
							
								
								
									
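--- a/bind/external-dns-k-space.yaml
+++ b/bind/external-dns-k-space.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-dns-k-space
+spec:
+  revisionHistoryLimit: 0
+  selector:
+    matchLabels: &selectorLabels
+      app.kubernetes.io/name: external-dns
+      domain: k-space.ee
+  template:
+    metadata:
+      labels: *selectorLabels
+    spec:
+      serviceAccountName: external-dns
+      containers:
+        - name: external-dns
+          image: registry.k8s.io/external-dns/external-dns:v0.13.5
+          envFrom:
+            - secretRef:
+                name: tsig-secret
+          args:
+            - --events
+            - --registry=txt
+            - --txt-prefix=external-dns-
+            - --txt-owner-id=k8s
+            - --provider=rfc2136
+            - --source=ingress
+            - --source=service
+            - --source=crd
+            - --domain-filter=k-space.ee
+            - --rfc2136-tsig-axfr
+            - --rfc2136-host=172.20.0.2
+            - --rfc2136-port=53
+            - --rfc2136-zone=k-space.ee
+            - --rfc2136-tsig-keyname=readwrite
+            - --rfc2136-tsig-secret-alg=hmac-sha512
+            - --rfc2136-tsig-secret=$(TSIG_SECRET)
+            # https://github.com/kubernetes-sigs/external-dns/issues/2446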
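Review bot: `--rfc2136-tsig-secret=$(TSIG_SECRET)` expands the read-write TSIG key into the container's argument list, so it is readable by anyone who can `get pods` in the namespace and shows up in the process command line on the node, even though the value itself lives in a Secret. external-dns accepts every flag as an `EXTERNAL_DNS_<FLAG>` environment variable, so storing the value under the key `EXTERNAL_DNS_RFC2136_TSIG_SECRET` in `tsig-secret` and dropping the `--rfc2136-tsig-secret` argument should keep it out of the pod spec — worth confirming against v0.13.5 before relying on it. The trailing comment is only a URL; state in a few words what it justifies, e.g. `# $(TSIG_SECRET) is substituted from the tsig-secret envFrom entry; see issues/2446`. The Deployment has no `namespace:` while the ClusterRoleBinding expects the `external-dns` ServiceAccount in `bind`, so this file only works when applied with `-n bind`; adding `namespace: bind` removes that dependency on the caller.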
							
								
								
									
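--- a/bind/external-dns-k6.yaml
+++ b/bind/external-dns-k6.yaml
@@ -0,0 +1,71 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-dns-k6
+spec:
+  revisionHistoryLimit: 0
+  selector:
+    matchLabels: &selectorLabels
+      app.kubernetes.io/name: external-dns
+      domain: k6.ee
+  template:
+    metadata:
+      labels: *selectorLabels
+    spec:
+      serviceAccountName: external-dns
+      containers:
+        - name: external-dns
+          image: registry.k8s.io/external-dns/external-dns:v0.13.5
+          envFrom:
+            - secretRef:
+                name: tsig-secret
+          args:
+            - --log-level=debug
+            - --events
+            - --registry=noop
+            - --provider=rfc2136
+            - --source=service
+            - --source=crd
+            - --domain-filter=k6.ee
+            - --rfc2136-tsig-axfr
+            - --rfc2136-host=172.20.0.2
+            - --rfc2136-port=53
+            - --rfc2136-zone=k6.ee
+            - --rfc2136-tsig-keyname=readwrite
+            - --rfc2136-tsig-secret-alg=hmac-sha512
+            - --rfc2136-tsig-secret=$(TSIG_SECRET)
+            # https://github.com/kubernetes-sigs/external-dns/issues/2446
+---
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: k6
+spec:
+  endpoints:
+  - dnsName: k6.ee
+    recordTTL: 300
+    recordType: SOA
+    targets:
+      - "ns1.k-space.ee. hostmaster.k-space.ee. (1 300 300 300 300)"
+  - dnsName: k6.ee
+    recordTTL: 300
+    recordType: NS
+    targets:
+      - ns1.k-space.ee
+      - ns2.k-space.ee
+  - dnsName: ns1.k-space.ee
+    recordTTL: 300
+    recordType: A
+    targets:
+      - 193.40.103.2
+  - dnsName: ns2.k-space.ee
+    recordTTL: 300
+    recordType: A
+    targets:
+      - 62.65.250.2
+  - dnsName: k-space.ee
+    recordTTL: 300
+    recordType: MX
+    targets:
+      - 10 mail.k-space.ee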
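Review bot: `--registry=noop` together with the unset `--policy` (default `sync`) makes this instance treat every record in `k6.ee` as its own, so it can delete anything in the zone that is not described by a Service or DNSEndpoint, including records added by hand on the primary. If that is intended — the DNSEndpoint below declaring SOA and NS suggests the zone is meant to be fully managed from Kubernetes — say so with a comment on the `--registry=noop` line; otherwise add `--policy=upsert-only`. `--log-level=debug` is left enabled and is absent from the sibling manifests; drop it once the setup is stable, since debug output is verbose and ends up in the cluster log pipeline. The `ns1.k-space.ee`, `ns2.k-space.ee` and `k-space.ee` MX entries lie outside `--domain-filter=k6.ee` and appear to be applied only because `external-dns-k-space` also reads this DNSEndpoint via `--source=crd`; a comment stating that, or moving them into a k-space.ee DNSEndpoint, would make the dependency explicit.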
							
								
								
									
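--- a/bind/external-dns-kspace.yaml
+++ b/bind/external-dns-kspace.yaml
@@ -0,0 +1,66 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-dns-kspace
+spec:
+  revisionHistoryLimit: 0
+  selector:
+    matchLabels: &selectorLabels
+      app.kubernetes.io/name: external-dns
+      domain: kspace.ee
+  template:
+    metadata:
+      labels: *selectorLabels
+    spec:
+      serviceAccountName: external-dns
+      containers:
+        - name: external-dns
+          image: registry.k8s.io/external-dns/external-dns:v0.13.5
+          envFrom:
+          - secretRef:
+              name: tsig-secret
+          args:
+            - --events
+            - --registry=noop
+            - --provider=rfc2136
+            - --source=ingress
+            - --source=service
+            - --source=crd
+            - --domain-filter=kspace.ee
+            - --rfc2136-tsig-axfr
+            - --rfc2136-host=172.20.0.2
+            - --rfc2136-port=53
+            - --rfc2136-zone=kspace.ee
+            - --rfc2136-tsig-keyname=readwrite
+            - --rfc2136-tsig-secret-alg=hmac-sha512
+            - --rfc2136-tsig-secret=$(TSIG_SECRET)
+            # https://github.com/kubernetes-sigs/external-dns/issues/2446
+---
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: kspace
+spec:
+  endpoints:
+  - dnsName: kspace.ee
+    recordTTL: 300
+    recordType: SOA
+    targets:
+      - "ns1.k-space.ee. hostmaster.k-space.ee. (1 300 300 300 300)"
+  - dnsName: kspace.ee
+    recordTTL: 300
+    recordType: NS
+    targets:
+      - ns1.k-space.ee
+      - ns2.k-space.ee
+  - dnsName: ns1.k-space.ee
+    recordTTL: 300
+    recordType: A
+    targets:
+      - 193.40.103.2
+  - dnsName: ns2.k-space.ee
+    recordTTL: 300
+    recordType: A
+    targets:
+      - 62.65.250.2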
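Review bot: As with the k6 manifest, `--registry=noop` with the default `sync` policy lets this instance remove any `kspace.ee` record it did not derive from an Ingress, Service or DNSEndpoint; either document on the `--registry=noop` line that the zone is fully managed from Kubernetes, or add `--policy=upsert-only`. The `ns1.k-space.ee`/`ns2.k-space.ee` A records at the end are outside `--domain-filter=kspace.ee` and duplicate the ones in the k6 DNSEndpoint; they seem to be picked up by `external-dns-k-space` through `--source=crd`, so declaring them once in a k-space.ee DNSEndpoint would avoid two copies that can drift. Minor style: `envFrom:` here puts its list item at the same column as the key, unlike the other two external-dns manifests — indent it to match.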
							
								
								
									
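--- a/bind/external-dns.yaml
+++ b/bind/external-dns.yaml
@@ -0,0 +1,58 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-dns
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - endpoints
+  - pods
+  - nodes
+  verbs:
+  - get
+  - watch
+  - list
+- apiGroups:
+  - extensions
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - externaldns.k8s.io
+  resources:
+  - dnsendpoints
+  verbs:
+  - get
+  - watch
+  - list
+- apiGroups:
+  - externaldns.k8s.io
+  resources:
+  - dnsendpoints/status
+  verbs:
+  - update
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: external-dns
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: external-dns-viewer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: external-dns
+subjects:
+- kind: ServiceAccount
+  name: external-dns
+  namespace: bind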
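Review bot: The ClusterRole grants cluster-wide `get/list/watch` on `pods`, which none of the three Deployments uses (no `--source=pod`), so that resource can be dropped; `nodes` appears to be needed only for NodePort-style Services and the `extensions` API group no longer serves ingresses on current API servers, so both deserve a comment or removal. More importantly, because the role is bound cluster-wide and the Deployments set no `--namespace`, an Ingress or Service created in any namespace with a host under `k-space.ee`, `kspace.ee` or `k6.ee` is published to the public zones — and for the two noop-registry instances can overwrite existing records. If only the `bind` namespace should be able to publish, add `--namespace=bind` to the Deployments; otherwise add a comment here stating that cluster-wide publishing is intended. The ServiceAccount has no `namespace:` while the binding subject hard-codes `namespace: bind`, so the file only lines up when applied with `-n bind`.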