From 3a94a7d203af2d8489e9e79d7704eb35edc85531 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Mon, 4 Apr 2022 02:09:57 +0200
Subject: [PATCH] feat(dns): Add basic dns setup to flux

This patch moves an existing "wild" deployment into the version controlled space. It's currently very simple and provides only the pure basics, but it MVP is good enough.
---
 apps/k8s01/dns/dns.yaml | 139 ++++++++++++++++++++++++++++++
 apps/k8s01/dns/kustomization.yaml | 8 ++
 apps/k8s01/dns/namespace.yaml | 6 ++
 3 files changed, 153 insertions(+)
 create mode 100644 apps/k8s01/dns/dns.yaml
 create mode 100644 apps/k8s01/dns/kustomization.yaml
 create mode 100644 apps/k8s01/dns/namespace.yaml
diff --git a/apps/k8s01/dns/dns.yaml b/apps/k8s01/dns/dns.yaml
new file mode 100644
index 000000000..e2c7d793f
--- /dev/null
+++ b/apps/k8s01/dns/dns.yaml
@@ -0,0 +1,139 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: resolver
+ labels:
+ app: resolver
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: resolver
+ template:
+ metadata:
+ labels:
+ app: resolver
+ spec:
+ containers:
+ - name: dns-over-httpd
+ image: quay.io/sheogorath/doh:latest
+ env:
+ - name: UPSTREAM_NAME
+ value: localhost4
+ ports:
+ - containerPort: 8053
+ resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ cpu: 100m
+ memory: 256Mi
+ - name: named
+ image: docker.io/secns/unbound:latest
+ env:
+ - name: CACHE_MIN_TTL
+ value: "300"
+ - name: PREFETCH
+ value: "yes"
+ ports:
+ - containerPort: 53
+ protocol: TCP
+ - containerPort: 53
+ protocol: UDP
+ resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ cpu: 100m
+ memory: 256Mi
+ volumeMounts:
+ - name: unbound-chroot
+ mountPath: /usr/local/etc/unbound/conf.d/
+ readOnly: true
+ # - name: unbound-exporter
+ # image: ghcr.io/leoquote/unbound_exporter:main
+ # ports:
+ # - name: metrics
+ # containerPort: 9167
+ # protocol: TCP
+ # resources:
+ # requests:
+ # cpu: 100m
+ # memory: 64Mi
+ # limits:
+ # cpu: 100m
+ # memory: 64Mi
+ volumes:
+ - name: unbound-chroot
+ configMap:
+ name: unbound-chroot
+ automountServiceAccountToken: false
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: dns53-tcp
+ annotations:
+ metallb.universe.tf/allow-shared-ip: "dns"
+spec:
+ type: LoadBalancer
+ selector:
+ app: resolver
+ ports:
+ - name: dns53tcp
+ protocol: TCP
+ port: 53
+ targetPort: 53
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: dns53-udp
+ annotations:
+ metallb.universe.tf/allow-shared-ip: "dns"
+spec:
+ type: LoadBalancer
+ selector:
+ app: resolver
+ ports:
+ - name: dns53udp
+ protocol: UDP
+ port: 53
+ targetPort: 53
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: dns-over-http
+spec:
+ selector:
+ app: resolver
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 8053
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: unbound-chroot
+data:
+ chroot.conf: |
+ server:
+ chroot: ""
+ extended-statistics: yes
+ remote-control:
+ control-enable: yes
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: dns-pdb
+spec:
+ minAvailable: 1
+ selector:
+ matchLabels:
+ app: resolver
diff --git a/apps/k8s01/dns/kustomization.yaml b/apps/k8s01/dns/kustomization.yaml
new file mode 100644
index 000000000..9309b0251
--- /dev/null
+++ b/apps/k8s01/dns/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: dns
+resources:
+ - namespace.yaml
+ - dns.yaml
+ - ../../../shared/networkpolicies/allow-from-same-namespace.yaml
+ - ../../../shared/resourcequotas/default.yaml
diff --git a/apps/k8s01/dns/namespace.yaml b/apps/k8s01/dns/namespace.yaml
new file mode 100644
index 000000000..fdd106b0c
--- /dev/null
+++ b/apps/k8s01/dns/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: dns
+ labels:
+ name: dns
-- GitLab
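Review bot: Both containers in the resolver Deployment run mutable `:latest` tags (`quay.io/sheogorath/doh:latest`, `docker.io/secns/unbound:latest`) with no digest, so the image that actually runs is decided by the registry at pull time rather than by this repository, and a broken or tampered upstream push reaches the cluster on the next pod restart with no reviewable change; pin each to an immutable tag plus `@sha256:<digest>` and let Flux image automation bump it. Neither container sets a `securityContext` or a readiness probe, so a rolling update hands port 53 traffic from the LoadBalancer Services to a pod before unbound is listening; a `readinessProbe: {tcpSocket: {port: 53}}` on `named` closes that gap, and a `readOnlyRootFilesystem`/capability-drop baseline is worth working out per image. Because `dns53-tcp` and `dns53-udp` are `type: LoadBalancer` and the ConfigMap sets no `access-control`, it is worth confirming that the unbound image's defaults restrict recursion to the intended client networks, since an unrestricted recursive resolver on an advertised IP is an amplification liability. The `remote-control` block in `chroot.conf` enables the control socket although its only apparent consumer, the unbound-exporter container, is commented out; either drop it until the exporter lands or add a comment stating why it is needed.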