DNS Support

contexts/default/blueprint.yaml → contexts/colima/blueprint.yaml

@@ -1,8 +1,8 @@
 kind: Blueprint
 apiVersion: blueprints.windsorcli.dev/v1alpha1
 metadata:
-  name: default
-  description: This blueprint outlines resources in the local context
+  name: colima
+  description: This blueprint configures core for running in a Colima managed VM
 repository:
   url: http://git.test/git/core
   ref:
@@ -29,43 +29,58 @@ kustomize:
   path: pki/base
   dependsOn:
   - policy-resources
+  force: true
   components:
   - cert-manager
   - trust-manager
 - name: pki-resources
   path: pki/resources
   dependsOn:
   - pki-base
-  - policy-resources
+  force: true
   components:
   - private-issuer/ca
   - public-issuer/selfsigned
+- name: dns
+  path: dns
+  dependsOn:
+  - pki-base
+  force: true
+  components:
+  - coredns
+  - coredns/etcd
+  - external-dns
+  - external-dns/coredns
+  - external-dns/ingress
 - name: lb-base
   path: lb/base
   dependsOn:
   - policy-resources
+  force: true
   components:
   - metallb
 - name: lb-resources
   path: lb/resources
   dependsOn:
   - lb-base
-  - policy-resources
+  force: true
   components:
   - metallb/layer2
 - name: ingress-base
   path: ingress/base
   dependsOn:
   - pki-resources
-  - policy-resources
+  force: true
   components:
   - nginx
-  - nginx/nodeport-web
-  - nginx/nodeport-flux-webhook
+  - nginx/loadbalancer
+  - nginx/coredns
+  - nginx/flux-webhook
+  - nginx/web
 - name: gitops
   path: gitops/flux
   dependsOn:
   - ingress-base
-  - policy-resources
+  force: true
   components:
   - webhook

contexts/colima/terraform/cluster/talos.tfvars

@@ -0,0 +1,25 @@
+// Managed by Windsor CLI: This file is partially managed by the windsor CLI. Your changes will not be overwritten.
+// Module source: github.com/windsorcli/core//terraform/cluster/talos?ref=main
+
+// The external controlplane API endpoint of the kubernetes API
+cluster_endpoint = "https://10.5.0.2:6443"
+
+// The name of the cluster
+cluster_name = "talos"
+
+// A YAML string of common config patches to apply
+common_config_patches = "\"cluster\":\n  \"apiServer\":\n    \"certSANs\":\n    - \"localhost\"\n    - \"10.5.0.2\"\n  \"extraManifests\":\n  - \"https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/v0.8.7/deploy/standalone-install.yaml\"\n\"machine\":\n  \"certSANs\":\n  - \"localhost\"\n  - \"10.5.0.2\"\n  \"features\":\n    \"hostDNS\":\n      \"forwardKubeDNSToHost\": true\n  \"kubelet\":\n    \"extraArgs\":\n      \"rotate-server-certificates\": \"true\"\n  \"network\":\n    \"interfaces\":\n    - \"ignore\": true\n      \"interface\": \"eth0\"\n  \"registries\":\n    \"mirrors\":\n      \"gcr.io\":\n        \"endpoints\":\n        - \"http://gcr.test:5000\"\n      \"ghcr.io\":\n        \"endpoints\":\n        - \"http://ghcr.test:5000\"\n      \"quay.io\":\n        \"endpoints\":\n        - \"http://quay.test:5000\"\n      \"registry-1.docker.io\":\n        \"endpoints\":\n        - \"http://registry-1.docker.test:5000\"\n      \"registry.k8s.io\":\n        \"endpoints\":\n        - \"http://registry.k8s.test:5000\"\n      \"registry.test\":\n        \"endpoints\":\n        - \"http://registry.test:5000\""
+
+// Machine config details for control planes
+controlplanes = [{
+  endpoint = "10.5.0.2:50000"
+  hostname = "controlplane-1.test"
+  node     = "10.5.0.2"
+}]
+
+// Machine config details for workers
+workers = [{
+  endpoint = "10.5.0.11:50000"
+  hostname = "worker-1.test"
+  node     = "10.5.0.11"
+}]

contexts/docker-desktop/blueprint.yaml

@@ -0,0 +1,60 @@
+kind: Blueprint
+apiVersion: blueprints.windsorcli.dev/v1alpha1
+metadata:
+  name: docker-desktop
+  description: This blueprint configures core for running on Docker Desktop
+repository:
+  url: http://git.test/git/core
+  ref:
+    branch: main
+  secretName: flux-system
+sources:
+- name: core
+  url: github.com/windsorcli/core
+  ref:
+    branch: main
+terraform:
+- path: cluster/talos
+- path: gitops/flux
+kustomize:
+- name: policy-base
+  path: policy/base
+  components:
+  - kyverno
+- name: policy-resources
+  path: policy/resources
+  dependsOn:
+  - policy-base
+- name: pki-base
+  path: pki/base
+  dependsOn:
+  - policy-resources
+  force: true
+  components:
+  - cert-manager
+  - trust-manager
+- name: pki-resources
+  path: pki/resources
+  dependsOn:
+  - pki-base
+  force: true
+  components:
+  - private-issuer/ca
+  - public-issuer/selfsigned
+- name: ingress-base
+  path: ingress/base
+  dependsOn:
+  - pki-resources
+  force: true
+  components:
+  - nginx
+  - nginx/nodeport
+  - nginx/flux-webhook
+  - nginx/web
+- name: gitops
+  path: gitops/flux
+  dependsOn:
+  - ingress-base
+  force: true
+  components:
+  - webhook

contexts/docker-desktop/terraform/cluster/talos.tfvars

@@ -0,0 +1,25 @@
+// Managed by Windsor CLI: This file is partially managed by the windsor CLI. Your changes will not be overwritten.
+// Module source: github.com/windsorcli/core//terraform/cluster/talos?ref=main
+
+// The external controlplane API endpoint of the kubernetes API
+cluster_endpoint = "https://127.0.0.1:6443"
+
+// The name of the cluster
+cluster_name = "talos"
+
+// A YAML string of common config patches to apply
+common_config_patches = "\"cluster\":\n  \"apiServer\":\n    \"certSANs\":\n    - \"localhost\"\n    - \"127.0.0.1\"\n  \"extraManifests\":\n  - \"https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/v0.8.7/deploy/standalone-install.yaml\"\n\"machine\":\n  \"certSANs\":\n  - \"localhost\"\n  - \"127.0.0.1\"\n  \"features\":\n    \"hostDNS\":\n      \"forwardKubeDNSToHost\": true\n  \"kubelet\":\n    \"extraArgs\":\n      \"rotate-server-certificates\": \"true\"\n  \"network\":\n    \"interfaces\":\n    - \"ignore\": true\n      \"interface\": \"eth0\"\n  \"registries\":\n    \"mirrors\":\n      \"gcr.io\":\n        \"endpoints\":\n        - \"http://gcr.test:5000\"\n      \"ghcr.io\":\n        \"endpoints\":\n        - \"http://ghcr.test:5000\"\n      \"quay.io\":\n        \"endpoints\":\n        - \"http://quay.test:5000\"\n      \"registry-1.docker.io\":\n        \"endpoints\":\n        - \"http://registry-1.docker.test:5000\"\n      \"registry.k8s.io\":\n        \"endpoints\":\n        - \"http://registry.k8s.test:5000\"\n      \"registry.test\":\n        \"endpoints\":\n        - \"http://registry.test:5000\""
+
+// Machine config details for control planes
+controlplanes = [{
+  endpoint = "127.0.0.1:50000"
+  hostname = "controlplane-1.test"
+  node     = "127.0.0.1"
+}]
+
+// Machine config details for workers
+workers = [{
+  endpoint = "127.0.0.1:50001"
+  hostname = "worker-1.test"
+  node     = "127.0.0.1"
+}]

contexts/docker-desktop/terraform/gitops/flux.tfvars

@@ -0,0 +1,11 @@
+// Managed by Windsor CLI: This file is partially managed by the windsor CLI. Your changes will not be overwritten.
+// Module source: github.com/windsorcli/core//terraform/gitops/flux?ref=main
+
+// The git password or PAT used to authenticate with the git provider
+git_password = "local"
+
+// The git user to use to authenticate with the git provider
+git_username = "local"
+
+// The token to use for the webhook
+webhook_token = "abcdef123456"

kustomize/dns/coredns/etcd/certificates.yaml

@@ -0,0 +1,56 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: etcd-peer
+  namespace: system-dns
+spec:
+  secretName: etcd-peer-tls
+  issuerRef:
+    name: private
+    kind: ClusterIssuer
+  commonName: etcd-peer-coredns
+  dnsNames:
+    - "etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "*.etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "*.etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+    - client auth
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: etcd-server
+  namespace: system-dns
+spec:
+  secretName: etcd-server-tls
+  issuerRef:
+    name: private
+    kind: ClusterIssuer
+  commonName: etcd-coredns
+  dnsNames:
+    - "etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "*.etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+    - "*.etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}"
+  usages:
+    - server auth
+    - client auth
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: etcd-client
+  namespace: system-dns
+spec:
+  secretName: etcd-client-tls
+  issuerRef:
+    name: private
+    kind: ClusterIssuer
+  commonName: etcd-coredns
+  usages:
+    - client auth

kustomize/dns/coredns/etcd/ha/patches/helm-release.yaml

@@ -0,0 +1,17 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: etcd-coredns
+  namespace: system-dns
+spec:
+  values:
+    affinity:
+      podAntiAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+        - labelSelector:
+            matchExpressions:
+            - key: "app.kubernetes.io/name"
+              operator: In
+              values:
+              - etcd
+          topologyKey: "kubernetes.io/hostname"