From b51b01702f5c124d4eb40772b16dafe48523b9b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?BENEDEK=20L=C3=A1szl=C3=B3?= Date: Sat, 3 May 2025 19:00:45 +0200 Subject: [PATCH] separate public/private ingress --- k8s/coredns/coredns.yml | 85 ++++++++++++++++++++++++++++++----- k8s/keepalived/keepalived.yml | 16 +++++-- k8s/traefik/values.yml | 48 ++++++++++++++++---- 3 files changed, 127 insertions(+), 22 deletions(-) diff --git a/k8s/coredns/coredns.yml b/k8s/coredns/coredns.yml index 87a20c3..e88c8f8 100644 --- a/k8s/coredns/coredns.yml +++ b/k8s/coredns/coredns.yml @@ -4,6 +4,7 @@ metadata: name: dns --- + kind: ConfigMap apiVersion: v1 metadata: @@ -17,19 +18,41 @@ data: file /config/db.cluster } + .:54 { + log + errors + file /config/db.public.cluster + } + db.cluster: |- $TTL 1m $ORIGIN cluster. - @ IN SOA cluster. lacbenedek.gmail.com. ( + @ IN SOA cluster. lacbenedek.gmail.com. ( 2025050202 ; serial 1m ; period 1m ; retry 1m ; exp 1m ; ttl ) - cluster. IN A 192.168.123.240 - cluster. IN TXT "example txt section in dns" - control.cluster. IN A 192.168.123.1 + cluster. IN A 192.168.123.241 + control.cluster. IN A 192.168.123.1 + private.cluster. IN A 192.168.123.241 + IN TXT "private dns" + public.cluster. IN NS public.cluster. + IN A 192.168.123.240 + + db.public.cluster: |- + $TTL 1m + $ORIGIN public.cluster. + @ IN SOA public.cluster. lacbenedek.gmail.com. ( + 2025050202 ; serial + 1m ; period + 1m ; retry + 1m ; exp + 1m ; ttl + ) + public.cluster. IN A 192.168.123.240 + IN TXT "public dns" --- @@ -56,6 +79,10 @@ spec: protocol: UDP - containerPort: 53 protocol: TCP + - containerPort: 54 + protocol: UDP + - containerPort: 54 + protocol: TCP args: - -conf=/config/Corefile volumeMounts: 
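Review bot: The private zone's SOA serial is left at `2025050202` although its records change in this hunk (the apex A moves to 192.168.123.241, `private.cluster.` and the `public.cluster.` delegation are added), so any resolver or secondary that decides by serial will keep the old data; bump it, e.g. `2025050301 ; serial` (constructed example). The new `.:54` server block is bound to the root zone while the file it loads declares `$ORIGIN public.cluster.`; if CoreDNS derives the file plugin's zone from the server block here, the public listener will claim authority for every name, whereas `public.cluster:54 {` would confine it to the delegated zone (the same consideration appears to apply to the pre-existing `.:53` block above the hunk). The enclosing ConfigMap begins before this hunk.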
@@ -86,11 +113,19 @@ spec: - port: 53 targetPort: 53 protocol: UDP - name: dns + name: dns-udp-private - port: 53 targetPort: 53 protocol: TCP - name: dns-tcp + name: dns-tcp-private + - port: 54 + targetPort: 54 + protocol: UDP + name: dns-udp-public + - port: 54 + targetPort: 54 + protocol: TCP + name: dns-tcp-public selector: app: coredns @@ -99,11 +134,11 @@ spec: apiVersion: traefik.io/v1alpha1 kind: IngressRouteUDP metadata: - name: dns + name: dns-udp-private namespace: dns spec: entryPoints: - - dns + - dns-udp-private routes: - services: - name: dns @@ -114,13 +149,43 @@ spec: apiVersion: traefik.io/v1alpha1 kind: IngressRouteTCP metadata: - name: dnstcp + name: dns-tcp-private namespace: dns spec: entryPoints: - - dnstcp + - dns-tcp-private routes: - match: HostSNI('*') services: - name: dns port: 53 +--- + +apiVersion: traefik.io/v1alpha1 +kind: IngressRouteUDP +metadata: + name: dns-udp-public + namespace: dns +spec: + entryPoints: + - dns-udp-public + routes: + - services: + - name: dns + port: 54 + +--- + +apiVersion: traefik.io/v1alpha1 +kind: IngressRouteTCP +metadata: + name: dns-tcp-public + namespace: dns +spec: + entryPoints: + - dns-tcp-public + routes: + - match: HostSNI('*') + services: + - name: dns + port: 54 diff --git a/k8s/keepalived/keepalived.yml b/k8s/keepalived/keepalived.yml index 12769ac..e428c7b 100644 --- a/k8s/keepalived/keepalived.yml +++ b/k8s/keepalived/keepalived.yml 
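Review bot: Renaming `dnstcp` to `dns-tcp-private` here (and `dns` to `dns-udp-private` in the previous hunk) changes `metadata.name`, so a plain `kubectl apply` creates the new IngressRoute objects and leaves the old `dns` and `dnstcp` ones in the `dns` namespace, still referencing the `dns`/`dnstcp` entrypoints that the Traefik values in this patch no longer define. Delete the stale objects explicitly (or apply with pruning) so that two generations of routes do not coexist. The two new public routes are otherwise consistent with the Traefik side of the patch (`dns-udp-public`/`dns-tcp-public` entrypoints, service port 54).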
@@ -28,14 +28,22 @@ data: } virtual_ipaddress { - $VIP label $INTERFACE:PUB_VIP + $VIP_PUB label $INTERFACE:PUB_VIP + } + + virtual_ipaddress { + $VIP_PRIV label $INTERFACE:PUB_PRIV } } init.sh: |- #!/bin/sh set -e - cat /keepalived-generic.conf | sed -e "s/\$INTERFACE/$INTERFACE/g" -e "s/\$PASSWORD/$PASSWORD/g" -e "s/\$VIP/$VIP/g" > /keepalived.conf + cat /keepalived-generic.conf | sed \ + -e "s/\$INTERFACE/$INTERFACE/g" \ + -e "s/\$PASSWORD/$PASSWORD/g" \ + -e "s/\$VIP_PUB/$VIP_PUB/g" \ + -e "s/\$VIP_PRIV/$VIP_PRIV/g" > /keepalived.conf chown root /keepalived.conf && chmod 600 /keepalived.conf --- @@ -72,8 +80,10 @@ spec: name: generate-config command: ["/bin/bash", "/init.sh"] env: - - name: VIP + - name: VIP_PUB value: 192.168.123.240 + - name: VIP_PRIV + value: 192.168.123.241 - name: INTERFACE value: lan0 - name: PASSWORD diff --git a/k8s/traefik/values.yml b/k8s/traefik/values.yml index 9f957cc..14ab949 100644 --- a/k8s/traefik/values.yml +++ b/k8s/traefik/values.yml 
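Review bot: The label on the private VIP reads `$INTERFACE:PUB_PRIV`, which looks like a copy-paste slip from the public entry; `$VIP_PRIV label $INTERFACE:PRIV_VIP` states what it is. Two separate `virtual_ipaddress` blocks in one instance may well be accepted by keepalived, but a single block listing both addresses is the conventional form and does not depend on that; the enclosing `vrrp_instance` starts before this hunk. The rewritten sed pipeline still splices `$PASSWORD` straight into the sed script, so a password containing `/`, `&` or `\` silently corrupts the substitution (or the generated config), and the value is visible in the process arguments while sed runs; escaping those characters before substitution, or rendering the template with `envsubst`, avoids both.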
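Review bot: `VIP_PUB` and `VIP_PRIV` hardcode 192.168.123.240 and 192.168.123.241 here, and the same two addresses are repeated in the CoreDNS zone data and in the Traefik `externalIPs` elsewhere in this patch, so a VIP change now has to be made consistently in three files. Consider keeping them in one ConfigMap and referencing it (`valueFrom.configMapKeyRef` for these env entries) so the copies cannot drift apart. The container's env list continues past the hunk (`PASSWORD` follows), so how that value is sourced is not visible here.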
@@ -5,23 +5,53 @@ service: type: LoadBalancer externalIPs: - 192.168.123.240 + additionalServices: + private: + type: LoadBalancer + single: true + externalIPs: + - 192.168.123.241 + labels: + traefik-service-label: private ports: web: - nodePort: 30080 + expose: + default: true + private: true websecure: - nodePort: 30443 - dns: + expose: + default: true + private: true + dns-udp-private: port: 30053 exposedPort: 53 expose: - default: true + default: false + private: true protocol: UDP - dns-tcp: + dns-tcp-private: port: 30053 exposedPort: 53 expose: - default: true + default: false + private: true protocol: TCP -additionalArguments: - - "--entryPoints.dns.address=:30053/udp" - - "--entryPoints.dns-tcp.address=:30053/tcp" \ No newline at end of file + dns-udp-public: + port: 30153 + exposedPort: 53 + expose: + default: true + private: false + protocol: UDP + dns-tcp-public: + port: 30153 + exposedPort: 53 + expose: + default: true + private: false + protocol: TCP +# additionalArguments: +# - "--entryPoints.dns-udp-private.address=:30053/udp" +# - "--entryPoints.dns-tcp-private.address=:30053/tcp" +# - "--entryPoints.dns-udp-private.address=:30053/udp" +# - "--entryPoints.dns-tcp-private.address=:30053/tcp"
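Review bot: The trailing commented-out `additionalArguments` block lists the `dns-udp-private`/`dns-tcp-private` addresses twice; the second pair was presumably meant to be the public entrypoints, and since the chart appears to derive entrypoint addresses from `ports` now, the whole block is dead configuration — remove it, or if it stays as a reminder, correct the second pair to `# - "--entryPoints.dns-udp-public.address=:30153/udp"` and `# - "--entryPoints.dns-tcp-public.address=:30153/tcp"`. `web` and `websecure` are exposed on both the default (192.168.123.240) and `private` (192.168.123.241) services, so HTTP routers stay reachable on the public VIP; if only DNS is meant to be public, set `default: false` on those two entrypoints. The old file ended without a trailing newline (`\ No newline at end of file`); check that the new one does.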