separate public/private ingress

2025-05-03 19:00:45 +02:00 · 2025-05-03 19:00:45 +02:00 · b51b01702f
commit b51b01702f
parent 9a645ba86d
3 changed files with 127 additions and 22 deletions
--- a/k8s/coredns/coredns.yml
+++ b/k8s/coredns/coredns.yml
@ -4,6 +4,7 @@ metadata:
  name: dns

 ---
+
 kind: ConfigMap
 apiVersion: v1
 metadata:
@ -17,6 +18,12 @@ data:
      file /config/db.cluster
    }

+    .:54 {
+      log
+      errors
+      file /config/db.public.cluster
+    }
+
  db.cluster: |-
    $TTL 1m
    $ORIGIN cluster.
@ -27,9 +34,25 @@ data:
        1m         ; exp
        1m         ; ttl
    )
-    cluster.         IN A     192.168.123.240
-    cluster.         IN TXT   "example txt section in dns"
+    cluster.         IN A   192.168.123.241
    control.cluster. IN A   192.168.123.1
+    private.cluster. IN A   192.168.123.241
+                     IN TXT "private dns"
+    public.cluster.  IN NS  public.cluster.
+                     IN A   192.168.123.240
+
+  db.public.cluster: |-
+    $TTL 1m
+    $ORIGIN public.cluster.
+    @ IN SOA public.cluster. lacbenedek.gmail.com. (
+        2025050202 ; serial
+        1m         ; period
+        1m         ; retry
+        1m         ; exp
+        1m         ; ttl
+    )
+    public.cluster. IN A   192.168.123.240
+                    IN TXT "public dns"

 ---

@ -56,6 +79,10 @@ spec:
              protocol: UDP
            - containerPort: 53
              protocol: TCP
+            - containerPort: 54
+              protocol: UDP
+            - containerPort: 54
+              protocol: TCP
          args:
            - -conf=/config/Corefile
          volumeMounts:
@ -86,11 +113,19 @@ spec:
    - port: 53
      targetPort: 53
      protocol: UDP
-      name: dns
+      name: dns-udp-private
    - port: 53
      targetPort: 53
      protocol: TCP
-      name: dns-tcp
+      name: dns-tcp-private
+    - port: 54
+      targetPort: 54
+      protocol: UDP
+      name: dns-udp-public
+    - port: 54
+      targetPort: 54
+      protocol: TCP
+      name: dns-tcp-public
  selector:
    app: coredns

@ -99,11 +134,11 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: IngressRouteUDP
 metadata:
-  name: dns
+  name: dns-udp-private
  namespace: dns
 spec:
  entryPoints:
-  - dns
+  - dns-udp-private
  routes:
  - services:
    - name: dns
@ -114,13 +149,43 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: IngressRouteTCP
 metadata:
-  name: dnstcp
+  name: dns-tcp-private
  namespace: dns
 spec:
  entryPoints:
-  - dnstcp
+  - dns-tcp-private
  routes:
  - match: HostSNI('*')
    services:
    - name: dns
      port: 53
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteUDP
+metadata:
+  name: dns-udp-public
+  namespace: dns
+spec:
+  entryPoints:
+  - dns-udp-public
+  routes:
+  - services:
+    - name: dns
+      port: 54
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: dns-tcp-public
+  namespace: dns
+spec:
+  entryPoints:
+  - dns-tcp-public
+  routes:
+  - match: HostSNI('*')
+    services:
+    - name: dns
+      port: 54
--- a/k8s/keepalived/keepalived.yml
+++ b/k8s/keepalived/keepalived.yml
@ -28,14 +28,22 @@ data:
        }

        virtual_ipaddress {
-            $VIP label $INTERFACE:PUB_VIP
+            $VIP_PUB label $INTERFACE:PUB_VIP
+        }
+
+        virtual_ipaddress {
+            $VIP_PRIV label $INTERFACE:PUB_PRIV
        }
    }

  init.sh: |-
    #!/bin/sh
    set -e
-    cat /keepalived-generic.conf | sed -e "s/\$INTERFACE/$INTERFACE/g" -e "s/\$PASSWORD/$PASSWORD/g" -e "s/\$VIP/$VIP/g" > /keepalived.conf
+    cat /keepalived-generic.conf | sed \
+    -e "s/\$INTERFACE/$INTERFACE/g" \
+    -e "s/\$PASSWORD/$PASSWORD/g" \
+    -e "s/\$VIP_PUB/$VIP_PUB/g" \
+    -e "s/\$VIP_PRIV/$VIP_PRIV/g" > /keepalived.conf
    chown root /keepalived.conf && chmod 600 /keepalived.conf

 ---
@ -72,8 +80,10 @@ spec:
          name: generate-config
          command: ["/bin/bash", "/init.sh"]
          env:
-            - name: VIP
+            - name: VIP_PUB
              value: 192.168.123.240
+            - name: VIP_PRIV
+              value: 192.168.123.241
            - name: INTERFACE
              value: lan0
            - name: PASSWORD
--- a/k8s/traefik/values.yml
+++ b/k8s/traefik/values.yml
@ -5,23 +5,53 @@ service:
  type: LoadBalancer
  externalIPs:
    - 192.168.123.240
+  additionalServices:
+    private:
+      type: LoadBalancer
+      single: true
+      externalIPs:
+        - 192.168.123.241
+      labels:
+        traefik-service-label: private
 ports:
  web:
-    nodePort: 30080
+    expose:
+      default: true
+      private: true
  websecure:
-    nodePort: 30443
-  dns:
+    expose:
+      default: true
+      private: true
+  dns-udp-private:
    port: 30053
    exposedPort: 53
    expose:
-      default: true
+      default: false
+      private: true
    protocol: UDP
-  dns-tcp:
+  dns-tcp-private:
    port: 30053
    exposedPort: 53
    expose:
-      default: true
+      default: false
+      private: true
    protocol: TCP
-additionalArguments:
-  - "--entryPoints.dns.address=:30053/udp"
-  - "--entryPoints.dns-tcp.address=:30053/tcp"
+  dns-udp-public:
+    port: 30153
+    exposedPort: 53
+    expose:
+      default: true
+      private: false
+    protocol: UDP
+  dns-tcp-public:
+    port: 30153
+    exposedPort: 53
+    expose:
+      default: true
+      private: false
+    protocol: TCP
+# additionalArguments:
+#   - "--entryPoints.dns-udp-private.address=:30053/udp"
+#   - "--entryPoints.dns-tcp-private.address=:30053/tcp"
+#   - "--entryPoints.dns-udp-private.address=:30053/udp"
+#   - "--entryPoints.dns-tcp-private.address=:30053/tcp"