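---
# Persistent storage for the single-replica etcd instance that the CoreDNS
# `etcd` plugin (path /skydns) uses as its record store.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: etcd-data
  namespace: dns
spec:
  # ReadWriteOnce: a single node may mount the volume at a time, so the
  # consuming Deployment must never have two pods alive at once (see its
  # update strategy).
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: cephfs-hyper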
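---
# In-cluster endpoint for etcd; the Corefile reaches it as
# http://etcd.dns.svc:2379 (plain HTTP, no client authentication — see the
# note on the etcd Deployment).
apiVersion: v1
kind: Service
metadata:
  name: etcd
  namespace: dns
spec:
  selector:
    app: etcd
  ipFamilyPolicy: PreferDualStack
  ipFamilies:
    - IPv6
    - IPv4
  ports:
    - name: client
      port: 2379
      targetPort: 2379
      protocol: TCP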
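---
# Single-node etcd used only as the backing store for the CoreDNS `etcd`
# plugin; it is not a Kubernetes control-plane etcd.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: etcd
  namespace: dns
spec:
  replicas: 1
  # Recreate, not the default RollingUpdate: the data volume is ReadWriteOnce
  # and etcd locks its data dir, so the old pod must be gone before the
  # replacement starts. With RollingUpdate the new pod would wait on a volume
  # still attached to the old one.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: etcd
  template:
    metadata:
      labels:
        app: etcd
    spec:
      containers:
        - name: etcd
          image: quay.io/coreos/etcd:v3.6.4
          command:
            - /usr/local/bin/etcd
            - --name=etcd0
            - --data-dir=/var/lib/etcd
            # NOTE(review): the client endpoint is plain HTTP with no client
            # authentication, so any workload that can reach
            # etcd.dns.svc:2379 can rewrite the records CoreDNS serves from
            # /skydns. Restrict ingress to the coredns-auth pods with a
            # NetworkPolicy and/or enable client TLS (--cert-file,
            # --key-file, --client-cert-auth).
            - --listen-client-urls=http://[::]:2379
            - --advertise-client-urls=http://etcd.dns.svc:2379
          ports:
            - name: client
              containerPort: 2379
              protocol: TCP
          securityContext:
            # etcd never needs to gain privileges after start.
            allowPrivilegeEscalation: false
            # NOTE(review): consider dropping all capabilities and running as
            # a non-root UID once the PVC's ownership is confirmed writable
            # for that user.
          volumeMounts:
            - name: data
              mountPath: /var/lib/etcd
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: etcd-data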
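---
# Corefile for the authoritative CoreDNS deployment (coredns-auth).
#
# Zones served:
#   - f.0.0.0.6.1.1.7.0.7.4.0.1.0.0.2.ip6.arpa  reverse zone for
#     2001:470:7116:f::/64 (SOA, NS, one PTR)
#   - apps.undercloud.dev  two server blocks: a `view` block that answers
#     the A record of mail.apps for internal client ranges, and a catch-all
#     block (no view) for everyone else.
#
# NOTE(review): the ns1 and ns2 glue records below both resolve to the
# *.54 addresses, while a second Service (coredns-authoritative2) is
# allocated *.55 — confirm whether ns2 was meant to point at it.
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns-corefile
  namespace: dns
data:
  Corefile: |
    f.0.0.0.6.1.1.7.0.7.4.0.1.0.0.2.ip6.arpa:53 {
        errors
        log
        reload 10s
        health
        ready

        # SOA
        template IN SOA f.0.0.0.6.1.1.7.0.7.4.0.1.0.0.2.ip6.arpa {
            rcode NOERROR
            answer "{{.Name}} 3600 IN SOA ns1.undercloud.dev. hostmaster.undercloud.dev. 1 7200 3600 1209600 3600"
        }

        # NS
        template IN NS f.0.0.0.6.1.1.7.0.7.4.0.1.0.0.2.ip6.arpa {
            rcode NOERROR
            answer "{{.Name}} 3600 IN NS ns1.undercloud.dev."
            answer "{{.Name}} 3600 IN NS ns2.undercloud.dev."
        }

        # PTR for 2001:470:7116:f:1::50 -> mail.undercloud.dev.
        template IN PTR f.0.0.0.6.1.1.7.0.7.4.0.1.0.0.2.ip6.arpa {
            match ^0\.5\.0\.0\.0\.0\.0\.0\.0\.0\.0\.0\.1\.0\.0\.0\.f\.0\.0\.0\.6\.1\.1\.7\.0\.7\.4\.0\.1\.0\.0\.2\.ip6\.arpa\.?$
            rcode NOERROR
            answer "{{.Name}} 300 IN PTR mail.undercloud.dev."
        }
    }

    # Split horizon for mail.apps: clients on the listed internal ranges get
    # the internal A record below. The view is restricted to type A so that
    # AAAA (and any other) queries for the name fall through to the catch-all
    # apps.undercloud.dev block, which has the AAAA answer; without the type
    # check this block would own those queries and have no plugin to answer
    # them.
    apps.undercloud.dev:53 {
        errors
        log

        view internal-mail {
            expr type() == 'A' && name() == 'mail.apps.undercloud.dev.' && (incidr(client_ip(), '10.0.0.0/8') || incidr(client_ip(), '192.168.0.0/16') || incidr(client_ip(), '172.16.0.0/12') || incidr(client_ip(), 'fd00::/8') || incidr(client_ip(), '2001:470:7116:f:1::/64'))
        }

        template IN A {
            match ^mail\.apps\.undercloud\.dev\.$
            answer "{{.Name}} 300 IN A 10.0.91.50"
            fallthrough
        }
    }

    # Catch-all block (no view): serves every client not matched above.
    apps.undercloud.dev:53 {
        errors
        log
        reload 10s
        health
        ready

        # SOA
        template IN SOA apps.undercloud.dev {
            rcode NOERROR
            answer "{{.Name}} 3600 IN SOA ns1.apps.undercloud.dev. hostmaster.apps.undercloud.dev. 1 7200 3600 1209600 3600"
        }

        # NS délégation
        template IN NS apps.undercloud.dev {
            rcode NOERROR
            answer "{{.Name}} 3600 IN NS ns1.apps.undercloud.dev."
            answer "{{.Name}} 3600 IN NS ns2.apps.undercloud.dev."
        }

        # Glue A/AAAA pour ns1/ns2 (in-bailiwick)
        template IN A ns1.apps.undercloud.dev {
            rcode NOERROR
            answer "ns1.apps.undercloud.dev. 300 IN A 10.0.91.54"
        }
        template IN A ns2.apps.undercloud.dev {
            rcode NOERROR
            answer "ns2.apps.undercloud.dev. 300 IN A 10.0.91.54"
        }
        template IN AAAA ns1.apps.undercloud.dev {
            rcode NOERROR
            answer "ns1.apps.undercloud.dev. 300 IN AAAA 2001:470:7116:f:1::54"
        }
        template IN AAAA ns2.apps.undercloud.dev {
            rcode NOERROR
            answer "ns2.apps.undercloud.dev. 300 IN AAAA 2001:470:7116:f:1::54"
        }

        # explicit exception for mail
        template IN AAAA mail.apps.undercloud.dev {
            rcode NOERROR
            answer "mail.apps.undercloud.dev. 300 IN AAAA 2001:470:7116:f:1::50"
        }

        # optional: mail client helpers
        #template IN AAAA autoconfig.apps.undercloud.dev {
        #    rcode NOERROR
        #    answer "autoconfig.apps.undercloud.dev. 300 IN AAAA 2001:470:7116:f:1::51"
        #}

        #template IN AAAA autodiscover.apps.undercloud.dev {
        #    rcode NOERROR
        #    answer "autodiscover.apps.undercloud.dev. 300 IN AAAA 2001:470:7116:f:1::51"
        #}

        # CAA (Let’s Encrypt)
        template IN CAA apps.undercloud.dev {
            rcode NOERROR
            answer "{{.Name}} 3600 IN CAA 0 issue \"letsencrypt.org\""
            answer "{{.Name}} 3600 IN CAA 0 iodef \"mailto:hostmaster@undercloud.dev\""
        }

        # Wildcards vers ton Ingress
        template IN A apps.undercloud.dev {
            match ^(.+)\.apps\.undercloud\.dev\.?$
            answer "{{.Name}} 300 IN A 93.228.39.77"
        }
        template IN AAAA apps.undercloud.dev {
            match ^(.+)\.apps\.undercloud\.dev\.?$
            answer "{{.Name}} 300 IN AAAA 2001:470:7116:f:1::b492"
        }

        # Enregistrements dynamiques (optionnel)
        # Records under /skydns are served from the etcd Deployment in this
        # namespace; whoever can write to that etcd controls these answers.
        etcd {
            path /skydns
            endpoint http://etcd.dns.svc:2379
            fallthrough
        }
    }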
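---
# Authoritative CoreDNS serving the zones defined in the coredns-corefile
# ConfigMap. Two replicas sit behind the coredns-authoritative Services.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns-auth
  namespace: dns
spec:
  replicas: 2
  selector:
    matchLabels:
      app: coredns-auth
  template:
    metadata:
      labels:
        app: coredns-auth
        component: bind-auth
    spec:
      # NOTE(review): nothing keeps the two replicas on different nodes;
      # consider podAntiAffinity / topologySpreadConstraints if the two
      # nameserver addresses are meant to survive a single node loss.
      containers:
        - name: coredns
          # The Corefile uses the `view` plugin, so stay on a release that
          # ships it (1.10 onward).
          image: coredns/coredns:1.11.1
          args:
            - "-conf"
            - /etc/coredns/Corefile
          ports:
            - name: dns-udp
              containerPort: 53
              protocol: UDP
            - name: dns-tcp
              containerPort: 53
              protocol: TCP
            - name: health
              containerPort: 8080
              protocol: TCP
            - name: ready
              containerPort: 8181
              protocol: TCP
          # Hardening as in the stock kubeadm CoreDNS manifest: the process
          # only needs to bind port 53 and writes nothing to its root
          # filesystem (the Corefile is read from the mount below).
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              add:
                - NET_BIND_SERVICE
              drop:
                - ALL
          # Probe ports match the `health` (8080) and `ready` (8181)
          # plugin defaults used in the Corefile.
          livenessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /ready
              port: 8181
            initialDelaySeconds: 3
            periodSeconds: 5
          # NOTE(review): no resource requests/limits are set; add them once
          # the expected query load is known.
          volumeMounts:
            - name: corefile
              mountPath: /etc/coredns
      volumes:
        - name: corefile
          configMap:
            name: coredns-corefile
            items:
              - key: Corefile
                path: Corefile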
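---
# Fixed-address Service in front of the coredns-auth pods. Its addresses
# (10.0.91.54 / 2001:470:7116:f:1::54) are the ones published as ns1/ns2
# glue in the Corefile.
# NOTE(review): static clusterIPs only allocate if they fall inside the
# cluster's service CIDRs — confirm for both families.
apiVersion: v1
kind: Service
metadata:
  name: coredns-authoritative
  namespace: dns
spec:
  type: ClusterIP
  # IP literals are quoted so no YAML loader can retype them.
  clusterIP: "2001:470:7116:f:1::54"
  clusterIPs:
    - "2001:470:7116:f:1::54"
    - "10.0.91.54"
  ipFamilies:
    - IPv6
    - IPv4
  ipFamilyPolicy: RequireDualStack
  selector:
    app: coredns-auth
  ports:
    - name: dns-udp
      port: 53
      protocol: UDP
      targetPort: 53
    - name: dns-tcp
      port: 53
      protocol: TCP
      targetPort: 53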
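---
# Second fixed-address Service selecting the same coredns-auth pods, giving
# the zone a second nameserver address (10.0.91.55 / 2001:470:7116:f:1::55).
# NOTE(review): the Corefile's ns2 glue currently points at the *.54
# addresses, not these — confirm which address ns2 should publish.
apiVersion: v1
kind: Service
metadata:
  name: coredns-authoritative2
  namespace: dns
spec:
  type: ClusterIP
  # IP literals are quoted so no YAML loader can retype them.
  clusterIP: "2001:470:7116:f:1::55"
  clusterIPs:
    - "2001:470:7116:f:1::55"
    - "10.0.91.55"
  ipFamilies:
    - IPv6
    - IPv4
  ipFamilyPolicy: RequireDualStack
  selector:
    app: coredns-auth
  ports:
    - name: dns-udp
      port: 53
      protocol: UDP
      targetPort: 53
    - name: dns-tcp
      port: 53
      protocol: TCP
      targetPort: 53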