feat(dns): Add DNS over TLS service

This patch adds DNS over TLS as a directly exposed service, this helps
to keep the setup simple and not rely on any ingress container to
function. TLS certificates are manged by cert-manager anyway, which
should make it easy to keep everything up-to-date with no problem.

apps/k8s01/dns/certificate.yaml

+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+    name: dns-tls
+    namespace: dns
+spec:
+    dnsNames:
+        - ENC[AES256_GCM,data:GtyHvjuP4PX0aDUSigwUp/Ve3e1olrU=,iv:tElxtT7/m5iZjcdEdHkX2OFABM8sK+36Yz6UU89vyo8=,tag:bvwGnGIo5uI19pWISjs62Q==,type:str]
+    issuerRef:
+        name: letsencrypt
+        kind: ClusterIssuer
+    secretName: ingress-dns-tls
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-06-07T20:01:49Z"
+    mac: ENC[AES256_GCM,data:cpdWt9cPPYL9uV0/14WXLCqwB6LzVbTNsJyzrX/7kHy1rQXh9X/5bi0+KIsf0fYwBoHwZZ9j4Tlsf280Ce89Pjw2ewwnSoygPWECA7wMmt9EesAOPDYACoPLsIStCu/ZOxFGfe79NVVlO3UKdIgjUwfAk8WCcv+jJrvGpIgkFy0=,iv:6jMHh6uh+fOF3ym1Ko2Gpyi7exMFlVm717nCJAZIvdU=,tag:TvP36Ny9yXga0BChfTBTIg==,type:str]
+    pgp:
+        - created_at: "2022-01-21T18:13:48Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcARAAHhDshl1OJqNRUolNvbIXzOuDzssJnvyi6cIZuMmVMsxf
+            a6wAWAtYOehvtn1ODL7/h4fIpBtfp7d8VuwfJSrh3ghUeiOl3zRzQbmaFA2L5/iG
+            Jd94tFAVwIl30qjcYqGVB2RF27VF1RElzgDLQh3hiXn1hDC+WmNSnBF5hwnwCFOL
+            wM4BHuE2AB4TX3PlYSo1n71VSzcCqRzbIxelZasYLnJQVL0VE6AjEd/fHS468R8N
+            aZ3mhmHW3sWzuLHNREMD2Q3ghkguLhau0VoETlYRI9103I4k7/khFrhAj5l2/PUr
+            2SWgpXyRqXVaKPeTiQs3QR8B5jNq3BlZj6Celw5Ig/wx3LY0EhI9e9WFgtSlZxM+
+            2yk65HQGvTIgsbys/z/0skA9vqik9csFRsH9iK42E/+XLvoAT6yxyl0cv1kBEyAS
+            ggPmKOq8+CT+voHzuh8kZHq9Sa8kH5xL1DQLzX2yIruV3OhTPSK+VlDpjUbycmI2
+            qR1oCo/snOJwwwvfl9vu0B8FCwhrz8554ZQBErFfJl6GFiUV8LElRlZh5S9Jiysr
+            nYJS5gxrcvjF/0Y6EHEfWDRDxvCHoWQpWhl2hRkh5UlQKH0ab+QWLYpISyNJxjfl
+            orQJdaVX3BQwhqMLwiMLGoaNGrSpmxXveLOZmsdK0obXC67lyE6ZM/Wy6gx2dFnS
+            5gFdXCLzQmmjYK8gIlsejQdnxZI2qWavZIN9T70OZQGaDE/S+U1uxKjuGBM7HTcP
+            7f1nUa6z96A9ydWs1xHjtm7k172V16PMSrvjQ8KLhFJd9eJDq3ksAA==
+            =XgF6
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2022-01-21T18:13:48Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPAQ//S/9rOkbd3beNH20dxgZ7VuZxgnjiV3Hd3om717njcMm2
+            kCfTJ3AmpLtQsT2s1W221tIyCwtHOobj82ANP9KzNi4e6v3LlNTIVHTQiHXk9KJP
+            AX6JoCOLu3bAI0xcdApNBU2wAlHBVC+T4BUfhPqD5AdHpW++e1qUIsM/6TViunHj
+            BWoIA0bpXqyOhTm1GbkJrHMgczJn2qgR5lBf8wgGmASd8jlNyfA7SxoKHj8sl/Ji
+            nucP/90dmyD2eBIJYdYS3anJYa2uP96oioG5xxIyfppnL5dwozDAit3Z5vvnBZNb
+            1rrpUnN8H0cCcaj7tmDEmjGfjGwxLKegQRZX7Pg5hwaaOOPGheXf8Ip/DpDf6T0n
+            Sq24X6DC5gD1RBU+YY6ZayMt/OKpVVVwRlY4BTDIUe4M+ecK/fve5vpDW2M+KWMc
+            pOkO1B09/prsX0w5XjFh8hb/6HlDDhomiB+BszcRCUDzocRzSEIFwMf7/iTaExe8
+            2fKCCHB4kHo6GHpydlQOpnGMOvDmiNKopXxTkFQUFQjyRmHGXf/u79JNXBjHkniv
+            ZiokjTEarwMp68dyiaL4L/5Uk+4NG3MetobqSaeW2TbeBwif3G2eFleYscz7QPIR
+            5ZBBhU/CoUEz2Xge6t8rlp8PNcQ1yq/R+tZjaeqIIT4++ZxCErhA0lsxyFrgLefU
+            aAEJAhD7hR3IMDGN2zOZSiw1IBz9P8Jss/oERQiuVpe/eTv5Vqj9vuL+koKftwnF
+            vSVkNo0fLwNLtnU659Mkoj9utoUL9tAhcCMpP3NehKkBG5RjF9crnIP6zT3lvVU0
+            GYyW4Lsfrt/a
+            =FfV+
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL)$
+    version: 3.7.1

apps/k8s01/dns/dns.yaml

@@ -27,11 +27,17 @@ spec:
             - --cache-size=100663296
             - --cache-min-ttl=300
             - --cache-optimistic
+            # Enable DoT
+            - --tls-port=853
+            - --tls-crt=/etc/pki/dnsproxy/tls.crt
+            - --tls-key=/etc/pki/dnsproxy/tls.key
           ports:
             - containerPort: 53
               protocol: TCP
             - containerPort: 53
               protocol: UDP
+            - containerPort: 853
+              protocol: TCP
           resources:
             requests:
               cpu: 100m
@@ -39,7 +45,16 @@ spec:
             limits:
               cpu: 100m
               memory: 256Mi
+          volumeMounts:
+            - name: tls-secret
+              mountPath: "/etc/pki/dnsproxy"
+              readOnly: true
       automountServiceAccountToken: false
+      volumes:
+        - name: tls-secret
+          secret:
+            secretName: ingress-dns-tls
+            optional: false
 ---
 apiVersion: v1
 kind: Service
@@ -73,6 +88,22 @@ spec:
       port: 53
       targetPort: 53
 ---
+apiVersion: v1
+kind: Service
+metadata:
+  name: dns-over-tls
+  annotations:
+    metallb.universe.tf/allow-shared-ip: "dns"
+spec:
+  type: LoadBalancer
+  selector:
+    app: resolver
+  ports:
+    - name: dns-over-tls
+      protocol: TCP
+      port: 853
+      targetPort: 853
+---
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:

apps/k8s01/dns/kustomization.yaml

@@ -3,6 +3,7 @@ kind: Kustomization
 namespace: dns
 resources:
   - namespace.yaml
+  - certificate.yaml
   - dns.yaml
   - networkpolicy.yaml
   - ../../../shared/networkpolicies/allow-from-same-namespace.yaml