separate public/private ingress

BENEDEK László 2025-05-03 19:00:45 +02:00
parent 9a645ba86d
commit b51b01702f
3 changed files with 127 additions and 22 deletions


@ -4,6 +4,7 @@ metadata:
name: dns name: dns
--- ---
kind: ConfigMap kind: ConfigMap
apiVersion: v1 apiVersion: v1
metadata: metadata:
@ -17,19 +18,41 @@ data:
file /config/db.cluster file /config/db.cluster
} }
.:54 {
log
errors
file /config/db.public.cluster
}
db.cluster: |- db.cluster: |-
$TTL 1m $TTL 1m
$ORIGIN cluster. $ORIGIN cluster.
@ IN SOA cluster. lacbenedek.gmail.com. ( @ IN SOA cluster. lacbenedek.gmail.com. (
2025050202 ; serial 2025050202 ; serial
1m ; period 1m ; period
1m ; retry 1m ; retry
1m ; exp 1m ; exp
1m ; ttl 1m ; ttl
) )
cluster. IN A 192.168.123.240 cluster. IN A 192.168.123.241
cluster. IN TXT "example txt section in dns" control.cluster. IN A 192.168.123.1
control.cluster. IN A 192.168.123.1 private.cluster. IN A 192.168.123.241
IN TXT "private dns"
public.cluster. IN NS public.cluster.
IN A 192.168.123.240
db.public.cluster: |-
$TTL 1m
$ORIGIN public.cluster.
@ IN SOA public.cluster. lacbenedek.gmail.com. (
2025050202 ; serial
1m ; period
1m ; retry
1m ; exp
1m ; ttl
)
public.cluster. IN A 192.168.123.240
IN TXT "public dns"
--- ---
@ -56,6 +79,10 @@ spec:
protocol: UDP protocol: UDP
- containerPort: 53 - containerPort: 53
protocol: TCP protocol: TCP
- containerPort: 54
protocol: UDP
- containerPort: 54
protocol: TCP
args: args:
- -conf=/config/Corefile - -conf=/config/Corefile
volumeMounts: volumeMounts:
@ -86,11 +113,19 @@ spec:
- port: 53 - port: 53
targetPort: 53 targetPort: 53
protocol: UDP protocol: UDP
name: dns name: dns-udp-private
- port: 53 - port: 53
targetPort: 53 targetPort: 53
protocol: TCP protocol: TCP
name: dns-tcp name: dns-tcp-private
- port: 54
targetPort: 54
protocol: UDP
name: dns-udp-public
- port: 54
targetPort: 54
protocol: TCP
name: dns-tcp-public
selector: selector:
app: coredns app: coredns
@ -99,11 +134,11 @@ spec:
apiVersion: traefik.io/v1alpha1 apiVersion: traefik.io/v1alpha1
kind: IngressRouteUDP kind: IngressRouteUDP
metadata: metadata:
name: dns name: dns-udp-private
namespace: dns namespace: dns
spec: spec:
entryPoints: entryPoints:
- dns - dns-udp-private
routes: routes:
- services: - services:
- name: dns - name: dns
@ -114,13 +149,43 @@ spec:
apiVersion: traefik.io/v1alpha1 apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP kind: IngressRouteTCP
metadata: metadata:
name: dnstcp name: dns-tcp-private
namespace: dns namespace: dns
spec: spec:
entryPoints: entryPoints:
- dnstcp - dns-tcp-private
routes: routes:
- match: HostSNI('*') - match: HostSNI('*')
services: services:
- name: dns - name: dns
port: 53 port: 53
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteUDP
metadata:
name: dns-udp-public
namespace: dns
spec:
entryPoints:
- dns-udp-public
routes:
- services:
- name: dns
port: 54
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: dns-tcp-public
namespace: dns
spec:
entryPoints:
- dns-tcp-public
routes:
- match: HostSNI('*')
services:
- name: dns
port: 54
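Review bot: In the ConfigMap hunk, db.cluster's records changed (cluster. now resolves to 192.168.123.241, private.cluster. and the public.cluster. delegation were added) but its SOA serial is still 2025050202, the same value the old side had, so any resolver or secondary that compares serials will not see the new data; bump it, e.g. `2025050301 ; serial`. The new `.:54` server block loads db.public.cluster, whose $ORIGIN is public.cluster., under the root zone, so the public listener will answer authoritatively for every name under `.`; unless that is intended, scope it as `public.cluster:54 { ... }` or `file /config/db.public.cluster public.cluster` — verify the behaviour against CoreDNS's file plugin before relying on it. Both zones still run in the same container and are reachable through the same `dns` Service (ports 53 and 54), so the public/private split is enforced only by which Traefik entrypoint routes to which port, not by CoreDNS; a comment on the `.:54` block saying so would save the next reader from assuming the private zone is unreachable from the public path.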


@ -28,14 +28,22 @@ data:
} }
virtual_ipaddress { virtual_ipaddress {
$VIP label $INTERFACE:PUB_VIP $VIP_PUB label $INTERFACE:PUB_VIP
}
virtual_ipaddress {
$VIP_PRIV label $INTERFACE:PUB_PRIV
} }
} }
init.sh: |- init.sh: |-
#!/bin/sh #!/bin/sh
set -e set -e
cat /keepalived-generic.conf | sed -e "s/\$INTERFACE/$INTERFACE/g" -e "s/\$PASSWORD/$PASSWORD/g" -e "s/\$VIP/$VIP/g" > /keepalived.conf cat /keepalived-generic.conf | sed \
-e "s/\$INTERFACE/$INTERFACE/g" \
-e "s/\$PASSWORD/$PASSWORD/g" \
-e "s/\$VIP_PUB/$VIP_PUB/g" \
-e "s/\$VIP_PRIV/$VIP_PRIV/g" > /keepalived.conf
chown root /keepalived.conf && chmod 600 /keepalived.conf chown root /keepalived.conf && chmod 600 /keepalived.conf
--- ---
@ -72,8 +80,10 @@ spec:
name: generate-config name: generate-config
command: ["/bin/bash", "/init.sh"] command: ["/bin/bash", "/init.sh"]
env: env:
- name: VIP - name: VIP_PUB
value: 192.168.123.240 value: 192.168.123.240
- name: VIP_PRIV
value: 192.168.123.241
- name: INTERFACE - name: INTERFACE
value: lan0 value: lan0
- name: PASSWORD - name: PASSWORD
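Review bot: The second `virtual_ipaddress` block in keepalived-generic.conf labels the private VIP `$INTERFACE:PUB_PRIV`, which looks like a copy-paste of the public label; keepalived also lists all addresses of one instance in a single block, so fold it into the existing one as `$VIP_PUB label $INTERFACE:PUB_VIP` followed by `$VIP_PRIV label $INTERFACE:PRIV_VIP`. The rewritten sed in init.sh still splices `$PASSWORD` straight into a `/`-delimited `s` command, so a secret containing `/`, `&` or `\` either aborts the script under `set -e` (leaving no /keepalived.conf) or silently corrupts the auth_pass line; escape it first, e.g. `PASSWORD_ESC=$(printf '%s' "$PASSWORD" | sed -e 's/[\/&\\]/\\&/g')`, and substitute `$PASSWORD_ESC`. The vrrp_instance that contains these blocks starts outside the hunk, and the PASSWORD source is cut off, so I cannot tell where the value comes from.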


@ -5,23 +5,53 @@ service:
type: LoadBalancer type: LoadBalancer
externalIPs: externalIPs:
- 192.168.123.240 - 192.168.123.240
additionalServices:
private:
type: LoadBalancer
single: true
externalIPs:
- 192.168.123.241
labels:
traefik-service-label: private
ports: ports:
web: web:
nodePort: 30080 expose:
default: true
private: true
websecure: websecure:
nodePort: 30443 expose:
dns: default: true
private: true
dns-udp-private:
port: 30053 port: 30053
exposedPort: 53 exposedPort: 53
expose: expose:
default: true default: false
private: true
protocol: UDP protocol: UDP
dns-tcp: dns-tcp-private:
port: 30053 port: 30053
exposedPort: 53 exposedPort: 53
expose: expose:
default: true default: false
private: true
protocol: TCP protocol: TCP
additionalArguments: dns-udp-public:
- "--entryPoints.dns.address=:30053/udp" port: 30153
- "--entryPoints.dns-tcp.address=:30053/tcp" exposedPort: 53
expose:
default: true
private: false
protocol: UDP
dns-tcp-public:
port: 30153
exposedPort: 53
expose:
default: true
private: false
protocol: TCP
# additionalArguments:
# - "--entryPoints.dns-udp-private.address=:30053/udp"
# - "--entryPoints.dns-tcp-private.address=:30053/tcp"
# - "--entryPoints.dns-udp-private.address=:30053/udp"
# - "--entryPoints.dns-tcp-private.address=:30053/tcp"
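Review bot: The commented-out additionalArguments at the bottom list `dns-udp-private`/`dns-tcp-private` on 30053 twice and never mention the `-public` entrypoints on 30153, so the block is stale in both halves; since the `ports:` map now declares all four entrypoints, delete the five commented lines rather than leave a misleading template. It is worth recording in the values file that the public/private split is only as strong as the network around it: both VIPs (192.168.123.240 and .241) are externalIPs on LoadBalancer-type services, and the keepalived change in this commit puts them on the same `lan0` interface, so anything that can reach .240 can presumably also reach .241 unless a firewall or NetworkPolicy restricts the private address. A comment above `additionalServices:` such as `# private VIP .241 is not isolated by Traefik; restrict it at the network edge` would make that assumption explicit.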