dns

app-of-apps/dns.yaml

@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dns
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: dns
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: dns
+    repoURL: https://build-node.undercloud.local/Undercloud/k8s-apps.git
+    targetRevision: HEAD

dns/dns.yaml

@@ -0,0 +1,176 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dns
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: etcd-data
+  namespace: dns
+spec:
+  accessModes: [ReadWriteOnce]
+  resources: { requests: { storage: 1Gi } }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: etcd
+  namespace: dns
+spec:
+  replicas: 1
+  selector: { matchLabels: { app: etcd } }
+  template:
+    metadata: { labels: { app: etcd } }
+    spec:
+      containers:
+        - name: etcd
+          image: quay.io/coreos/etcd:v3.5.13
+          command:
+            - /usr/local/bin/etcd
+            - --name=etcd0
+            - --data-dir=/var/lib/etcd
+            - --advertise-client-urls=http://0.0.0.0:2379
+            - --listen-client-urls=http://0.0.0.0:2379
+          ports:
+            - { name: client, containerPort: 2379, protocol: TCP }
+          volumeMounts:
+            - { name: data, mountPath: /var/lib/etcd }
+      volumes:
+        - name: data
+          persistentVolumeClaim: { claimName: etcd-data }
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: etcd
+  namespace: dns
+spec:
+  selector: { app: etcd }
+  ports:
+    - { name: client, port: 2379, targetPort: 2379 }
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: coredns-corefile
+  namespace: dns
+data:
+  Corefile: |
+    # Zone publique autoritative
+    apps.undercloud.dev:53 {
+        errors
+        log
+        health
+        ready
+
+        # SOA et NS d'apex
+        template IN SOA apps.undercloud.dev {
+            rcode NOERROR
+            answer "{{.Name}} 3600 IN SOA ns1.apps.undercloud.dev. hostmaster.apps.undercloud.dev. 1 7200 3600 1209600 3600"
+            additional "ns1.apps.undercloud.dev. 3600 IN A REPLACE_NS1_IPV4"
+            additional "ns2.apps.undercloud.dev. 3600 IN A REPLACE_NS2_IPV4"
+            # additional "ns1.apps.undercloud.dev. 3600 IN AAAA REPLACE_NS1_IPV6"
+            # additional "ns2.apps.undercloud.dev. 3600 IN AAAA REPLACE_NS2_IPV6"
+        }
+        template IN NS apps.undercloud.dev {
+            rcode NOERROR
+            answer "{{.Name}} 3600 IN NS ns1.apps.undercloud.dev."
+            answer "{{.Name}} 3600 IN NS ns2.apps.undercloud.dev."
+            additional "ns1.apps.undercloud.dev. 3600 IN A REPLACE_NS1_IPV4"
+            additional "ns2.apps.undercloud.dev. 3600 IN A REPLACE_NS2_IPV4"
+        }
+
+        # A/AAAA des NS
+        hosts {
+            REPLACE_NS1_IPV4 ns1.apps.undercloud.dev
+            REPLACE_NS2_IPV4 ns2.apps.undercloud.dev
+            # REPLACE_NS1_IPV6 ns1.apps.undercloud.dev
+            # REPLACE_NS2_IPV6 ns2.apps.undercloud.dev
+            fallthrough
+        }
+
+        # Enregistrements dynamiques depuis etcd (schema skydns)
+        etcd {
+            path /skydns
+            endpoint http://etcd.dns.svc.cluster.local:2379
+        }
+    }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: coredns-auth
+  namespace: dns
+spec:
+  replicas: 2
+  selector: { matchLabels: { app: coredns-auth } }
+  template:
+    metadata:
+      labels: { app: coredns-auth, component: bind-auth }
+    spec:
+      containers:
+        - name: coredns
+          image: coredns/coredns:1.11.1
+          args: ["-conf","/etc/coredns/Corefile"]
+          ports:
+            - { name: dns-udp, containerPort: 53, protocol: UDP }
+            - { name: dns-tcp, containerPort: 53, protocol: TCP }
+            - { name: health,  containerPort: 8080, protocol: TCP }
+          livenessProbe: { httpGet: { path: /health, port: 8080 }, initialDelaySeconds: 5, periodSeconds: 10 }
+          readinessProbe: { httpGet: { path: /ready,  port: 8080 }, initialDelaySeconds: 3, periodSeconds: 5 }
+          volumeMounts:
+            - { name: corefile, mountPath: /etc/coredns }
+      volumes:
+        - name: corefile
+          configMap: { name: coredns-corefile, items: [{key: Corefile, path: Corefile}] }
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: coredns-authoritative
+  namespace: dns
+spec:
+  selector: { app: coredns-auth }
+  type: ClusterIP
+  ports:
+    - { name: dns-udp, port: 53, targetPort: 53, protocol: UDP }
+    - { name: dns-tcp, port: 53, targetPort: 53, protocol: TCP }
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: coredns-nodeport-udp
+  namespace: dns
+spec:
+  type: ClusterIP
+  clusterIP: fd00:0:0:f:1::81
+  clusterIPs:
+    - fd00:0:0:f:1::82
+    - 10.0.91.82
+  ipFamilies:
+    - IPv6
+    - IPv4
+  ipFamilyPolicy: RequireDualStack
+  selector: { app: coredns-auth }
+  ports:
+    - name: dns-udp
+      port: 53
+      targetPort: 53
+      protocol: UDP
+      nodePort: 30060
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: coredns-nodeport-tcp
+  namespace: dns
+spec:
+  selector: { app: coredns-auth }
+  type: NodePort
+  ports:
+    - name: dns-tcp
+      port: 53
+      targetPort: 53
+      protocol: TCP
+      nodePort: 30061

dns/external-dns.yaml

@@ -0,0 +1,57 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: external-dns
+  namespace: dns
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-dns
+rules:
+- apiGroups: [""]
+  resources: ["services","endpoints","pods","nodes"]
+  verbs: ["get","watch","list"]
+- apiGroups: ["networking.k8s.io"]
+  resources: ["ingresses"]
+  verbs: ["get","watch","list"]
+- apiGroups: ["gateway.networking.k8s.io"]
+  resources: ["httproutes","gateways","grpcroutes","tlsroutes","tcproutes","udproutes"]
+  verbs: ["get","watch","list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: external-dns-viewer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: external-dns
+subjects:
+- kind: ServiceAccount
+  name: external-dns
+  namespace: dns
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-dns
+  namespace: dns
+spec:
+  replicas: 1
+  selector: { matchLabels: { app: external-dns } }
+  template:
+    metadata: { labels: { app: external-dns } }
+    spec:
+      serviceAccountName: external-dns
+      containers:
+        - name: external-dns
+          image: ghcr.io/kubernetes-sigs/external-dns/external-dns:v0.14.0
+          args:
+            - --source=ingress
+            - --registry=txt
+            - --txt-owner-id=k8s
+            - --policy=upsert-only
+            - --domain-filter=apps.undercloud.dev
+            - --provider=coredns
+            - --coredns-etcd-endpoints=http://etcd.dns.svc.cluster.local:2379

dns/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dns