diff --git a/apps/k8s01/dns/certificate.yaml b/apps/k8s01/dns/certificate.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..4d59f2bb69409cb9a3a9c7507cfb8fbe7fa7cb97
--- /dev/null
+++ b/apps/k8s01/dns/certificate.yaml
@@ -0,0 +1,64 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: dns-tls
+ namespace: dns
+spec:
+ dnsNames:
+ - ENC[AES256_GCM,data:GtyHvjuP4PX0aDUSigwUp/Ve3e1olrU=,iv:tElxtT7/m5iZjcdEdHkX2OFABM8sK+36Yz6UU89vyo8=,tag:bvwGnGIo5uI19pWISjs62Q==,type:str]
+ issuerRef:
+ name: letsencrypt
+ kind: ClusterIssuer
+ secretName: ingress-dns-tls
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2022-06-07T20:01:49Z"
+ mac: ENC[AES256_GCM,data:cpdWt9cPPYL9uV0/14WXLCqwB6LzVbTNsJyzrX/7kHy1rQXh9X/5bi0+KIsf0fYwBoHwZZ9j4Tlsf280Ce89Pjw2ewwnSoygPWECA7wMmt9EesAOPDYACoPLsIStCu/ZOxFGfe79NVVlO3UKdIgjUwfAk8WCcv+jJrvGpIgkFy0=,iv:6jMHh6uh+fOF3ym1Ko2Gpyi7exMFlVm717nCJAZIvdU=,tag:TvP36Ny9yXga0BChfTBTIg==,type:str]
+ pgp:
+ - created_at: "2022-01-21T18:13:48Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ wcFMA7kpg2bgzVHcARAAHhDshl1OJqNRUolNvbIXzOuDzssJnvyi6cIZuMmVMsxf
+ a6wAWAtYOehvtn1ODL7/h4fIpBtfp7d8VuwfJSrh3ghUeiOl3zRzQbmaFA2L5/iG
+ Jd94tFAVwIl30qjcYqGVB2RF27VF1RElzgDLQh3hiXn1hDC+WmNSnBF5hwnwCFOL
+ wM4BHuE2AB4TX3PlYSo1n71VSzcCqRzbIxelZasYLnJQVL0VE6AjEd/fHS468R8N
+ aZ3mhmHW3sWzuLHNREMD2Q3ghkguLhau0VoETlYRI9103I4k7/khFrhAj5l2/PUr
+ 2SWgpXyRqXVaKPeTiQs3QR8B5jNq3BlZj6Celw5Ig/wx3LY0EhI9e9WFgtSlZxM+
+ 2yk65HQGvTIgsbys/z/0skA9vqik9csFRsH9iK42E/+XLvoAT6yxyl0cv1kBEyAS
+ ggPmKOq8+CT+voHzuh8kZHq9Sa8kH5xL1DQLzX2yIruV3OhTPSK+VlDpjUbycmI2
+ qR1oCo/snOJwwwvfl9vu0B8FCwhrz8554ZQBErFfJl6GFiUV8LElRlZh5S9Jiysr
+ nYJS5gxrcvjF/0Y6EHEfWDRDxvCHoWQpWhl2hRkh5UlQKH0ab+QWLYpISyNJxjfl
+ orQJdaVX3BQwhqMLwiMLGoaNGrSpmxXveLOZmsdK0obXC67lyE6ZM/Wy6gx2dFnS
+ 5gFdXCLzQmmjYK8gIlsejQdnxZI2qWavZIN9T70OZQGaDE/S+U1uxKjuGBM7HTcP
+ 7f1nUa6z96A9ydWs1xHjtm7k172V16PMSrvjQ8KLhFJd9eJDq3ksAA==
+ =XgF6
+ -----END PGP MESSAGE-----
+ fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+ - created_at: "2022-01-21T18:13:48Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA4oYbIHZIrAPAQ//S/9rOkbd3beNH20dxgZ7VuZxgnjiV3Hd3om717njcMm2
+ kCfTJ3AmpLtQsT2s1W221tIyCwtHOobj82ANP9KzNi4e6v3LlNTIVHTQiHXk9KJP
+ AX6JoCOLu3bAI0xcdApNBU2wAlHBVC+T4BUfhPqD5AdHpW++e1qUIsM/6TViunHj
+ BWoIA0bpXqyOhTm1GbkJrHMgczJn2qgR5lBf8wgGmASd8jlNyfA7SxoKHj8sl/Ji
+ nucP/90dmyD2eBIJYdYS3anJYa2uP96oioG5xxIyfppnL5dwozDAit3Z5vvnBZNb
+ 1rrpUnN8H0cCcaj7tmDEmjGfjGwxLKegQRZX7Pg5hwaaOOPGheXf8Ip/DpDf6T0n
+ Sq24X6DC5gD1RBU+YY6ZayMt/OKpVVVwRlY4BTDIUe4M+ecK/fve5vpDW2M+KWMc
+ pOkO1B09/prsX0w5XjFh8hb/6HlDDhomiB+BszcRCUDzocRzSEIFwMf7/iTaExe8
+ 2fKCCHB4kHo6GHpydlQOpnGMOvDmiNKopXxTkFQUFQjyRmHGXf/u79JNXBjHkniv
+ ZiokjTEarwMp68dyiaL4L/5Uk+4NG3MetobqSaeW2TbeBwif3G2eFleYscz7QPIR
+ 5ZBBhU/CoUEz2Xge6t8rlp8PNcQ1yq/R+tZjaeqIIT4++ZxCErhA0lsxyFrgLefU
+ aAEJAhD7hR3IMDGN2zOZSiw1IBz9P8Jss/oERQiuVpe/eTv5Vqj9vuL+koKftwnF
+ vSVkNo0fLwNLtnU659Mkoj9utoUL9tAhcCMpP3NehKkBG5RjF9crnIP6zT3lvVU0
+ GYyW4Lsfrt/a
+ =FfV+
+ -----END PGP MESSAGE-----
+ fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+ encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL)$
+ version: 3.7.1
diff --git a/apps/k8s01/dns/dns.yaml b/apps/k8s01/dns/dns.yaml
index 09cc2300da9c2f39f77d98264ba2baa50142916a..cf13ff5dfca7679f7144c09ded546d134a0f236a 100644
--- a/apps/k8s01/dns/dns.yaml
+++ b/apps/k8s01/dns/dns.yaml
@@ -27,11 +27,17 @@ spec:
 - --cache-size=100663296
 - --cache-min-ttl=300
 - --cache-optimistic
+ # Enable DoT
+ - --tls-port=853
+ - --tls-crt=/etc/pki/dnsproxy/tls.crt
+ - --tls-key=/etc/pki/dnsproxy/tls.key
 ports:
 - containerPort: 53
 protocol: TCP
 - containerPort: 53
 protocol: UDP
+ - containerPort: 853
+ protocol: TCP
 resources:
 requests:
 cpu: 100m
@@ -39,7 +45,16 @@ spec:
 limits:
 cpu: 100m
 memory: 256Mi
+ volumeMounts:
+ - name: tls-secret
+ mountPath: "/etc/pki/dnsproxy"
+ readOnly: true
 automountServiceAccountToken: false
+ volumes:
+ - name: tls-secret
+ secret:
+ secretName: ingress-dns-tls
+ optional: false
 ---
 apiVersion: v1
 kind: Service
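Review bot: The Certificate spec sets no `privateKey.rotationPolicy`, so cert-manager's default of `Never` reuses the same private key on every renewal; for a key that is mounted into a publicly reachable listener, adding `privateKey:` / `  rotationPolicy: Always` under `spec` gives each renewal a fresh key. The `dnsNames` entry and the `sops:` block only make sense once this file passes through a SOPS-aware build step; if `kustomize build` in this repo is not run by a decrypting controller, cert-manager would be handed the literal `ENC[...]` string as a DNS name, so it is worth confirming that the pipeline decrypts `certificate.yaml` before apply. `secretName: ingress-dns-tls` and `namespace: dns` do line up with the Secret volume added in dns.yaml.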
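Review bot: The new `--tls-crt`/`--tls-key` flags point at files that cert-manager will rewrite on renewal, but nothing here restarts the pod when the Secret changes; unless dnsproxy re-reads the files on its own (I could not confirm that from the diff), the resolver keeps serving the original certificate until it expires and DoT clients then fail. A restart trigger tied to the Secret (a pod-template annotation watched by whatever reload tooling the cluster runs, or a checksum of the Secret in the template) would close that gap; the same applies to the volume hunk at `@@ -39,7 +45,16 @@`. The `# Enable DoT` comment says what but not why; `# Enable DoT (RFC 7858) on the standard port 853, served from the cert-manager Secret mounted at /etc/pki/dnsproxy` would tie the flags to the volume below. The Deployment's container spec starts above this hunk.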
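Review bot: `optional: false` is already the default for a `secret:` volume, so as written the line looks like noise; if the intent is to make "the pod must not start without its certificate" explicit, keep it but say so with `# fail the pod rather than serve DoT without a certificate` above it. `mountPath: "/etc/pki/dnsproxy"` is the only quoted path in the hunk while the sibling `--tls-crt`/`--tls-key` values in the args are plain, so `mountPath: /etc/pki/dnsproxy` matches the file's style. `readOnly: true` on the mount is the right choice for key material. The pod template this belongs to starts above the hunk.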
@@ -73,6 +88,22 @@ spec:
 port: 53
 targetPort: 53
 ---
+apiVersion: v1
+kind: Service
+metadata:
+ name: dns-over-tls
+ annotations:
+ metallb.universe.tf/allow-shared-ip: "dns"
+spec:
+ type: LoadBalancer
+ selector:
+ app: resolver
+ ports:
+ - name: dns-over-tls
+ protocol: TCP
+ port: 853
+ targetPort: 853
+---
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
diff --git a/apps/k8s01/dns/kustomization.yaml b/apps/k8s01/dns/kustomization.yaml
index d2a1ad9fdc61948021617419a40476f5449b6791..a98025ae1eb4d477c511ef3d55dee260f198f048 100644
--- a/apps/k8s01/dns/kustomization.yaml
+++ b/apps/k8s01/dns/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization
 namespace: dns
 resources:
 - namespace.yaml
+ - certificate.yaml
 - dns.yaml
 - networkpolicy.yaml
 - ../../../shared/networkpolicies/allow-from-same-namespace.yaml
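Review bot: The `dns-over-tls` Service relies on `metallb.universe.tf/allow-shared-ip: "dns"` to land on the same address as the port-53 Services, which MetalLB (as I recall its sharing rules) only honours when those Services carry the same annotation value and either all use `externalTrafficPolicy: Cluster` or select exactly the same pods; the existing Services are outside this hunk, so that should be checked rather than assumed. Likewise `app: resolver` must match the Deployment's pod labels, which are not visible here. A `LoadBalancer` on 853 with no `loadBalancerSourceRanges` reads as a deliberate public DoT endpoint, consistent with the Let's Encrypt issuer, so a comment such as `# public DoT endpoint; shares the resolver's external IP with the port-53 Services` above `type: LoadBalancer` would record that decision for the next reader. The PodDisruptionBudget that follows is unchanged.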