From 7555e214a56344656c015ce0f747e6eb4b3250fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?BENEDEK=20L=C3=A1szl=C3=B3?= Date: Sat, 3 May 2025 21:18:22 +0200 Subject: [PATCH] split dns --- k8s/coredns/coredns.yml | 124 ++++++++++++++++++++-------------- k8s/traefik/values.yml | 27 +++++++- k8s/whoami/whoami.yml | 145 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 243 insertions(+), 53 deletions(-) create mode 100644 k8s/whoami/whoami.yml diff --git a/k8s/coredns/coredns.yml b/k8s/coredns/coredns.yml index e88c8f8..c98deac 100644 --- a/k8s/coredns/coredns.yml +++ b/k8s/coredns/coredns.yml 
@@ -4,58 +4,67 @@ metadata: name: dns --- - kind: ConfigMap apiVersion: v1 metadata: name: config namespace: dns data: - Corefile: |- + private-Corefile: |- .:53 { - log - errors + log . "private: {remote}:{port} - {>id} {>opcode} {>name} {>type} {>proto}" + debug file /config/db.cluster } + public.cluster. { + forward . 192.168.123.240 + } + + public-Corefile: |- .:54 { - log - errors + log . "public: {remote}:{port} - {>id} {>opcode} {>name} {>type} {>proto}" + debug file /config/db.public.cluster } + db.cluster: |- $TTL 1m $ORIGIN cluster. - @ IN SOA cluster. lacbenedek.gmail.com. ( - 2025050202 ; serial + @ IN SOA ns1.cluster. admin.cluster. ( + 2025050302 ; serial 1m ; period 1m ; retry 1m ; exp 1m ; ttl ) - cluster. IN A 192.168.123.241 - control.cluster. IN A 192.168.123.1 - private.cluster. IN A 192.168.123.241 - IN TXT "private dns" - public.cluster. IN NS public.cluster. - IN A 192.168.123.240 + control.cluster. IN A 192.168.123.1 + + ns1.cluster. IN A 192.168.123.241 + ns2.cluster. IN A 192.168.123.240 + + public.cluster. IN NS ns2.cluster. + + private.cluster. IN A 192.168.123.241 + whoami.private.cluster. IN CNAME private.cluster. db.public.cluster: |- $TTL 1m $ORIGIN public.cluster. - @ IN SOA public.cluster. lacbenedek.gmail.com. ( - 2025050202 ; serial + @ IN SOA ns2.cluster. admin.cluster. ( + 2025050302 ; serial 1m ; period 1m ; retry 1m ; exp 1m ; ttl ) - public.cluster. IN A 192.168.123.240 - IN TXT "public dns" + ns2.cluster. IN A 192.168.123.240 + + public.cluster. IN A 192.168.123.240 + whoami.public.cluster. IN CNAME public.cluster. --- - kind: Deployment apiVersion: apps/v1 metadata: 
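Review bot: Both new server blocks drop the `errors` plugin and add `debug`, and per the CoreDNS plugin documentation `debug` disables the automatic panic recovery, so a single query that trips a panic takes the whole `.:53` (or `.:54`) listener down until the container restarts, while error logging is lost with `errors`. For a committed Corefile I would leave `debug` out and restore `errors` next to the `log` line in both blocks, e.g. `errors` / `log . "private: {remote}:{port} - {>id} {>opcode} {>name} {>type} {>proto}"`. The `log` lines record every client address and query name; that is reasonable on the public listener but deserves a `# query logging is intentional` comment so it is not later read as leftover debugging. The `file` lines carry no explicit zone argument, so they inherit the server block's `.` zone while the zone files use `$ORIGIN cluster.` / `public.cluster.`; confirm the zones actually load rather than being rejected at startup.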
@@ -72,37 +81,52 @@ spec: app: coredns spec: containers: - - name: coredns + - name: coredns-private image: coredns/coredns ports: - containerPort: 53 protocol: UDP - containerPort: 53 protocol: TCP - - containerPort: 54 - protocol: UDP - - containerPort: 54 - protocol: TCP args: - - -conf=/config/Corefile + - -conf=/config/private-Corefile volumeMounts: - mountPath: /config name: config readOnly: true resources: limits: - cpu: '1000m' - memory: '500Mi' + cpu: "1000m" + memory: "500Mi" requests: - cpu: '10m' - memory: '10Mi' + cpu: "10m" + memory: "10Mi" + - name: coredns-public + image: coredns/coredns + ports: + - containerPort: 54 + protocol: UDP + - containerPort: 54 + protocol: TCP + args: + - -conf=/config/public-Corefile + volumeMounts: + - mountPath: /config + name: config + readOnly: true + resources: + limits: + cpu: "1000m" + memory: "500Mi" + requests: + cpu: "10m" + memory: "10Mi" volumes: - name: config configMap: name: config --- - kind: Service apiVersion: v1 metadata: @@ -130,7 +154,6 @@ spec: app: coredns --- - apiVersion: traefik.io/v1alpha1 kind: IngressRouteUDP metadata: @@ -138,14 +161,13 @@ metadata: namespace: dns spec: entryPoints: - - dns-udp-private + - dns-udp-private routes: - - services: - - name: dns - port: 53 + - services: + - name: dns + port: 53 --- - apiVersion: traefik.io/v1alpha1 kind: IngressRouteTCP metadata: @@ -153,14 +175,13 @@ metadata: namespace: dns spec: entryPoints: - - dns-tcp-private + - dns-tcp-private routes: - - match: HostSNI('*') - services: - - name: dns - port: 53 + - match: HostSNI('*') + services: + - name: dns + port: 53 --- - apiVersion: traefik.io/v1alpha1 kind: IngressRouteUDP metadata: @@ -168,14 +189,13 @@ metadata: namespace: dns spec: entryPoints: - - dns-udp-public + - dns-udp-public routes: - - services: - - name: dns - port: 54 + - services: + - name: dns + port: 54 --- - apiVersion: traefik.io/v1alpha1 kind: IngressRouteTCP metadata: 
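Review bot: The new `coredns-public` container mounts the same `config` ConfigMap at `/config` as `coredns-private`, so the public-facing resolver carries `private-Corefile` and the private zone `db.cluster` on its filesystem even though it only serves `public-Corefile`; a bug or compromise in that container exposes the private names the split was meant to hide. Projecting only the keys each container needs keeps the separation real at the filesystem level, as below. Both containers also pull `image: coredns/coredns` with no tag or digest, so every rollout takes whatever `latest` is at that moment; pin a version (ideally with `@sha256:`) so upgrades are reviewable. The Deployment's metadata and selector start before this hunk.

```yaml
      - name: coredns-public
        image: coredns/coredns  # TODO: pin to a tag and @sha256 digest
        # … unchanged: ports, args, resources …
        volumeMounts:
          - mountPath: /config
            name: config-public
            readOnly: true
      volumes:
        - name: config
          configMap:
            name: config
            items:
              - key: private-Corefile
                path: private-Corefile
              - key: db.cluster
                path: db.cluster
        - name: config-public
          configMap:
            name: config
            items:
              - key: public-Corefile
                path: public-Corefile
              - key: db.public.cluster
                path: db.public.cluster
```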
@@ -183,9 +203,9 @@ metadata: namespace: dns spec: entryPoints: - - dns-tcp-public + - dns-tcp-public routes: - - match: HostSNI('*') - services: - - name: dns - port: 54 + - match: HostSNI('*') + services: + - name: dns + port: 54 diff --git a/k8s/traefik/values.yml b/k8s/traefik/values.yml index 14ab949..73bd37e 100644 --- a/k8s/traefik/values.yml +++ b/k8s/traefik/values.yml @@ -17,10 +17,35 @@ ports: web: expose: default: true - private: true + private: false websecure: expose: default: true + private: false + web-priv: + port: 31080 + exposedPort: 80 + expose: + default: false + private: true + websecure-priv: + port: 31443 + exposedPort: 443 + protocol: TCP + allowACMEByPass: false + http3: + enabled: false + forwardedHeaders: + insecure: false + proxyProtocol: + insecure: false + tls: + enabled: true + options: "" + certResolver: "" + domains: [] + expose: + default: false private: true dns-udp-private: port: 30053 diff --git a/k8s/whoami/whoami.yml b/k8s/whoami/whoami.yml new file mode 100644 index 0000000..0ec7fe7 --- /dev/null +++ b/k8s/whoami/whoami.yml 
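Review bot: In the `values.yml` hunk, `websecure-priv` enables entrypoint TLS but leaves `certResolver: ""` and `domains: []`, and the new `web-priv` entrypoint has no HTTPS redirect, so unless a default certificate is configured elsewhere (no TLSStore is in this diff) the private listener presents Traefik's built-in self-signed certificate and private traffic can just as well flow in plaintext on port 80. Clients cannot tell that certificate from an interception, which undercuts having a separate private endpoint; set a `certResolver` or a default TLSStore certificate, and consider `redirections: entryPoint: to: websecure-priv` with `scheme: https` on `web-priv`. The public/private split here is only at the listener and Service level (`expose: private: true` versus `default: true`); nothing in the hunk limits which source addresses can reach the private Service, so pair it with `loadBalancerSourceRanges` or a NetworkPolicy. The `ports:` mapping begins before this hunk and the `dns-udp-private` entry continues past it.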
@@ -0,0 +1,145 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: whoami + +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: whoami-public + namespace: whoami +spec: + selector: + matchLabels: + app: whoami-public + template: + metadata: + labels: + app: whoami-public + spec: + containers: + - name: whoami-public + image: traefik/whoami + ports: + - containerPort: 80 + protocol: TCP + env: + - name: WHOAMI_NAME + value: public + resources: + limits: + cpu: "1000m" + memory: "500Mi" + requests: + cpu: "10m" + memory: "10Mi" + +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: whoami-private + namespace: whoami +spec: + selector: + matchLabels: + app: whoami-private + template: + metadata: + labels: + app: whoami-private + spec: + containers: + - name: whoami-private + image: traefik/whoami + ports: + - containerPort: 80 + protocol: TCP + env: + - name: WHOAMI_NAME + value: private + resources: + limits: + cpu: "1000m" + memory: "500Mi" + requests: + cpu: "10m" + memory: "10Mi" + +--- +kind: Service +apiVersion: v1 +metadata: + name: whoami-public + namespace: whoami +spec: + type: ClusterIP + ports: + - port: 80 + targetPort: 80 + selector: + app: whoami-public + +--- +kind: Service +apiVersion: v1 +metadata: + name: whoami-private + namespace: whoami +spec: + type: ClusterIP + ports: + - port: 80 + targetPort: 80 + selector: + app: whoami-private + +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: web,websecure + labels: + app: whoami-public + name: whoami-public + namespace: whoami +spec: + ingressClassName: traefik + rules: + - host: whoami.public.cluster + http: + paths: + - backend: + service: + name: whoami-public + port: + number: 80 + path: / + pathType: Prefix + +--- + +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: web-priv,websecure-priv + labels: + app: whoami-private + 
name: whoami-private + namespace: whoami +spec: + ingressClassName: traefik + rules: + - host: whoami.private.cluster + http: + paths: + - backend: + service: + name: whoami-private + port: + number: 80 + path: / + pathType: Prefix
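Review bot: Both DaemonSets run `traefik/whoami` with no tag or digest and no `securityContext`, so the pod reachable on the public `web,websecure` entrypoints runs whatever `latest` resolves to with default container privileges (root-capable, writable root filesystem). Pin the image by digest and add a restrictive container securityContext as below; because `runAsNonRoot` rules out binding port 80, move the listener above 1024 (whoami reads `WHOAMI_PORT_NUMBER` in current releases — confirm for the version you pin) and update the Service `targetPort` to match. Note also that whoami echoes the request headers it receives, so the public Ingress reflects internal addressing (pod IP, forwarded headers) to anyone who can reach `whoami.public.cluster`; fine as a connectivity probe, but worth a comment in the manifest that it should not stay exposed once the split-DNS setup is validated.

```yaml
        - name: whoami-public
          image: traefik/whoami  # TODO: pin to a tag and @sha256 digest
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          ports:
            - containerPort: 8080
              protocol: TCP
          env:
            - name: WHOAMI_NAME
              value: public
            - name: WHOAMI_PORT_NUMBER
              value: "8080"
          # … unchanged: resources …
```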