diff --git a/contexts/_template/blueprint.jsonnet b/contexts/_template/blueprint.jsonnet index 95519bb4..e9fe967f 100644 --- a/contexts/_template/blueprint.jsonnet +++ b/contexts/_template/blueprint.jsonnet @@ -155,7 +155,7 @@ local concat(arrays) = std.foldl(function(x, y) x + y, arrays, []); [ "nginx", if vmDriver == "docker-desktop" then "nginx/nodeport" else null, - // "nginx/coredns", + "nginx/coredns", "nginx/flux-webhook", "nginx/web", ] @@ -163,31 +163,31 @@ local concat(arrays) = std.foldl(function(x, y) x + y, arrays, []); dependsOn: ["pki-resources"], cleanup: ["loadbalancers", "ingresses"], }, - // { - // name: "dns", - // path: "dns", - // components: - // if provider == "aws" then [ - // "external-dns", - // "external-dns/route53", - // ] - // else if vmDriver == "docker-desktop" then [ - // "coredns", - // "coredns/etcd", - // "external-dns", - // "external-dns/localhost", - // "external-dns/coredns", - // "external-dns/ingress", - // ] - // else [ - // "coredns", - // "coredns/etcd", - // "external-dns", - // "external-dns/coredns", - // "external-dns/ingress", - // ], - // dependsOn: if provider == "aws" then [] else ["pki-base"], - // }, + { + name: "dns", + path: "dns", + components: + if provider == "aws" then [ + "external-dns", + "external-dns/route53", + ] + else if vmDriver == "docker-desktop" then [ + "coredns", + "coredns/etcd", + "external-dns", + "external-dns/localhost", + "external-dns/coredns", + "external-dns/ingress", + ] + else [ + "coredns", + "coredns/etcd", + "external-dns", + "external-dns/coredns", + "external-dns/ingress", + ], + dependsOn: if provider == "aws" then [] else ["pki-base"], + }, { name: "gitops", path: "gitops/flux", diff --git a/kustomize/dns/coredns/etcd/certificates.yaml b/kustomize/dns/coredns/etcd/certificates.yaml index 87f93422..6101d616 100644 --- a/kustomize/dns/coredns/etcd/certificates.yaml +++ b/kustomize/dns/coredns/etcd/certificates.yaml 
@@ -9,12 +9,12 @@ spec: issuerRef: name: private kind: ClusterIssuer - commonName: etcd-peer-coredns + commonName: etcd-peer dnsNames: - - "etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" - - "*.etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" - - "etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" - - "*.etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "*.etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "etcd-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "*.etcd-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" usages: - digital signature - key encipherment @@ -31,12 +31,12 @@ spec: issuerRef: name: private kind: ClusterIssuer - commonName: etcd-coredns + commonName: etcd dnsNames: - - "etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" - - "*.etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" - - "etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" - - "*.etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "*.etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "etcd-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "*.etcd-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" usages: - server auth - client auth @@ -51,6 +51,6 @@ spec: issuerRef: name: private kind: ClusterIssuer - commonName: etcd-coredns + commonName: etcd-client usages: - client auth diff --git a/kustomize/dns/coredns/etcd/ha/kustomization.yaml b/kustomize/dns/coredns/etcd/ha/kustomization.yaml deleted file mode 100644 index 8138d116..00000000 --- a/kustomize/dns/coredns/etcd/ha/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1alpha1 -kind: Component -patches: - - path: patches/helm-release.yaml 
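Review bot: The renamed peer Certificate in the first hunk (`commonName: etcd-peer`) appears to have lost its consumer: the new StatefulSet in this change mounts only `etcd-server-tls` and passes it to both `--cert-file` and `--peer-cert-file`, so the server cert's `client auth` usage (second hunk) is what now authenticates peer traffic and `etcd-peer-tls` is issued but never mounted (the deleted chart values were the only reference to it). Either drop the peer Certificate or mount it and point `--peer-cert-file`/`--peer-key-file` at it, so the peer identity can later be restricted with a CN pin without also restricting clients. The wildcard SANs `*.etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}` cover the pod FQDNs, but the StatefulSet advertises the short form `https://etcd-0.etcd:2380`; at `replicas: 1` no peer dial happens, yet if this is ever scaled, hostname verification against that short name would presumably fail unless an FQDN is advertised — worth confirming before relying on it. Each Certificate's `metadata`/`secretName` lines sit above the hunks.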
diff --git a/kustomize/dns/coredns/etcd/ha/patches/helm-release.yaml b/kustomize/dns/coredns/etcd/ha/patches/helm-release.yaml deleted file mode 100644 index 83be0d6f..00000000 --- a/kustomize/dns/coredns/etcd/ha/patches/helm-release.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: etcd-coredns - namespace: system-dns -spec: - values: - replicaCount: 3 - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: "app.kubernetes.io/name" - operator: In - values: - - etcd - topologyKey: "kubernetes.io/hostname" diff --git a/kustomize/dns/coredns/etcd/helm-release.yaml b/kustomize/dns/coredns/etcd/helm-release.yaml deleted file mode 100644 index 8009c383..00000000 --- a/kustomize/dns/coredns/etcd/helm-release.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: etcd-coredns - namespace: system-dns -spec: - interval: 5m - timeout: 10m - chart: - spec: - chart: etcd - # renovate: datasource=helm depName=etcd package=etcd helmRepo=https://charts.bitnami.com/bitnami - version: 10.2.6 - sourceRef: - kind: HelmRepository - name: coredns-etcd-bitnami - namespace: system-gitops - values: - replicaCount: 1 - securityContext: - fsGroup: 1000 - # Modifies the liveness probe to behave like the other probes. Endpoint healthchecks with mTLS are not supported by k8s. - customLivenessProbe: - exec: - command: - - /opt/bitnami/scripts/etcd/healthcheck.sh - initialDelaySeconds: 60 - periodSeconds: 10 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - auth: - rbac: - create: false - allowNoneAuthentication: true - peer: - useAutoTLS: false - secureTransport: true - enableAuthentication: true - certFilename: tls.crt - certKeyFilename: tls.key - caFilename: ca.crt - existingSecret: etcd-peer-tls - client: - secureTransport: true - enableAuthentication: true - certFilename: tls.crt - certKeyFilename: tls.key - caFilename: ca.crt - # The server certificate is what etcd serves to clients - existingSecret: etcd-server-tls - persistence: - enabled: false - resources: - requests: - cpu: 200m - memory: 256Mi diff --git a/kustomize/dns/coredns/etcd/helm-repository.yaml b/kustomize/dns/coredns/etcd/helm-repository.yaml deleted file mode 100644 index 77b7fa10..00000000 --- a/kustomize/dns/coredns/etcd/helm-repository.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: coredns-etcd-bitnami - namespace: system-gitops -spec: - interval: 10m - timeout: 3m - url: https://charts.bitnami.com/bitnami diff --git a/kustomize/dns/coredns/etcd/kustomization.yaml b/kustomize/dns/coredns/etcd/kustomization.yaml index 847d14fc..dcdb365c 100644 
--- a/kustomize/dns/coredns/etcd/kustomization.yaml +++ b/kustomize/dns/coredns/etcd/kustomization.yaml @@ -1,15 +1,10 @@ apiVersion: kustomize.config.k8s.io/v1alpha1 kind: Component resources: + - statefulset.yaml + - service.yaml - certificates.yaml - - helm-repository.yaml - - helm-release.yaml + - rbac.yaml + - network-policy.yaml patches: - - path: patches/patch.yaml - target: - group: helm.toolkit.fluxcd.io - version: v2 - kind: HelmRelease - name: coredns - namespace: system-dns - path: patches/helm-release.yaml diff --git a/kustomize/dns/coredns/etcd/network-policy.yaml b/kustomize/dns/coredns/etcd/network-policy.yaml new file mode 100644 index 00000000..839c3b12 --- /dev/null +++ b/kustomize/dns/coredns/etcd/network-policy.yaml @@ -0,0 +1,54 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: etcd + namespace: system-dns +spec: + podSelector: + matchLabels: + app: etcd + policyTypes: + - Ingress + - Egress + ingress: + # Allow etcd peer communication + - from: + - podSelector: + matchLabels: + app: etcd + ports: + - protocol: TCP + port: 2380 + # Allow client connections from CoreDNS + - from: + - podSelector: + matchLabels: + app: coredns + ports: + - protocol: TCP + port: 2379 + egress: + # Allow DNS resolution + - to: [] + ports: + - protocol: UDP + port: 53 + - protocol: TCP + port: 53 + # Allow etcd peer communication + - to: + - podSelector: + matchLabels: + app: etcd + ports: + - protocol: TCP + port: 2380 + # Allow client connections to other etcd instances + - to: + - podSelector: + matchLabels: + app: etcd + ports: + - protocol: TCP + port: 2379 diff --git a/kustomize/dns/coredns/etcd/patches/helm-release.yaml b/kustomize/dns/coredns/etcd/patches/helm-release.yaml index 63000cc5..479c4d18 100644 --- a/kustomize/dns/coredns/etcd/patches/helm-release.yaml +++ b/kustomize/dns/coredns/etcd/patches/helm-release.yaml 
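Review bot: The client ingress rule admits only pods labeled `app: coredns`, and a bare `podSelector` matches pods in `system-dns` alone, so external-dns — which this same change points at `https://etcd.system-dns.svc...:2379` through `ETCD_URLS` — will be dropped by this policy unless it runs in `system-dns` with exactly that label, and the failure will surface as a hang on the external-dns side rather than a denied-by-policy error. Also confirm the CoreDNS chart labels its pods `app: coredns` and not only `app.kubernetes.io/name: coredns`, otherwise even CoreDNS is cut off from its backend. Add a second `from` entry for external-dns, e.g. `- namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: <external-dns namespace>}}` together with `podSelector: {matchLabels: {<the label the external-dns chart sets>}}` in the same list item so the two selectors AND together. Keeping egress limited to port 53 and the etcd ports, with no path to the Kubernetes API, is the right call for this component.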
@@ -6,27 +6,36 @@ metadata: namespace: system-dns spec: values: + extraVolumes: + - name: etcd-client-tls + secret: + secretName: etcd-client-tls + extraVolumeMounts: + - name: etcd-client-tls + mountPath: /etc/etcd/tls + readOnly: true servers: - zones: - zone: . port: 53 plugins: - - name: log - parameters: stdout - name: errors - name: health configBlock: |- lameduck 5s - - name: ready - name: etcd configBlock: | path /skydns - endpoint etcd-coredns.system-dns.svc.cluster.local:2379 - tls /etc/coredns/tls/tls.crt /etc/coredns/tls/tls.key /etc/coredns/tls/ca.crt + endpoint etcd.system-dns.svc.cluster.local:2379 + tls /etc/etcd/tls/tls.crt /etc/etcd/tls/tls.key /etc/etcd/tls/ca.crt fallthrough - name: forward parameters: . 1.1.1.1 8.8.8.8 - - name: loop - - name: reload + - name: ready - name: prometheus parameters: 0.0.0.0:9153 + - name: cache + parameters: 30 + - name: loop + - name: reload + - name: loadbalance diff --git a/kustomize/dns/coredns/etcd/patches/patch.yaml b/kustomize/dns/coredns/etcd/patches/patch.yaml deleted file mode 100644 index f99092b3..00000000 --- a/kustomize/dns/coredns/etcd/patches/patch.yaml +++ /dev/null @@ -1,17 +0,0 @@ -- op: add - path: /spec/dependsOn/- - value: - name: etcd-coredns - namespace: system-dns -- op: add - path: /spec/values/extraVolumes/- - value: - name: etcd-client-tls - secret: - secretName: etcd-client-tls -- op: add - path: /spec/values/extraVolumeMounts/- - value: - name: etcd-client-tls - mountPath: /etc/coredns/tls - readOnly: true diff --git a/kustomize/dns/coredns/etcd/rbac.yaml b/kustomize/dns/coredns/etcd/rbac.yaml new file mode 100644 index 00000000..2810fcb8 --- /dev/null +++ b/kustomize/dns/coredns/etcd/rbac.yaml 
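Review bot: `endpoint etcd.system-dns.svc.cluster.local:2379` hardcodes the cluster domain while the Certificate SANs and the external-dns `ETCD_URLS`/`ETCD_TLS_SERVER_NAME` in this same change use `${CLUSTER_DOMAIN:-cluster.local}`; on a cluster with a different domain the name either fails to resolve or, if it does resolve, fails TLS verification against the SANs. If this HelmRelease goes through the same Flux substitution as the Certificates, change the line to `endpoint etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}:2379`. Dropping the `log` plugin is a fair trade for volume, but it was the only per-query record; `errors` alone will not show which names were answered from etcd versus forwarded in the clear to `1.1.1.1`/`8.8.8.8`, so note that trade-off in a comment next to `forward`. Moving `ready` below `forward` is cosmetic — CoreDNS plugin order is fixed at build time, not by the Corefile — so that reorder can be dropped to keep the diff minimal. The HelmRelease header lines sit above the hunk.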
@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: etcd
+ namespace: system-dns
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: etcd
+ namespace: system-dns
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: etcd
+ namespace: system-dns
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: etcd
+subjects:
+- kind: ServiceAccount
+ name: etcd
+ namespace: system-dns
diff --git a/kustomize/dns/coredns/etcd/service.yaml b/kustomize/dns/coredns/etcd/service.yaml
new file mode 100644
index 00000000..ed73c7bf
--- /dev/null
+++ b/kustomize/dns/coredns/etcd/service.yaml
@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: etcd
+ namespace: system-dns
+ labels:
+ app: etcd
+spec:
+ type: ClusterIP
+ clusterIP: None
+ ports:
+ - name: client
+ port: 2379
+ targetPort: 2379
+ protocol: TCP
+ - name: peer
+ port: 2380
+ targetPort: 2380
+ protocol: TCP
+ selector:
+ app: etcd
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: etcd-headless
+ namespace: system-dns
+ labels:
+ app: etcd
+spec:
+ type: ClusterIP
+ clusterIP: None
+ ports:
+ - name: client
+ port: 2379
+ targetPort: 2379
+ protocol: TCP
+ - name: peer
+ port: 2380
+ targetPort: 2380
+ protocol: TCP
+ selector:
+ app: etcd
diff --git a/kustomize/dns/coredns/etcd/statefulset.yaml b/kustomize/dns/coredns/etcd/statefulset.yaml
new file mode 100644
index 00000000..2a424f96
--- /dev/null
+++ b/kustomize/dns/coredns/etcd/statefulset.yaml
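Review bot: The Role grants the `etcd` ServiceAccount `get`/`list`/`watch` on every Secret and ConfigMap in `system-dns`, but nothing in the new StatefulSet talks to the Kubernetes API — the TLS material arrives as a mounted volume (`etcd-server-tls`) and etcd itself never reads Secrets. As written, a compromised etcd pod could read every other Secret in the namespace, including the CoreDNS and external-dns client keys issued there, which is the opposite of least privilege for the component that backs cluster DNS. Drop the Role and RoleBinding entirely and keep only the ServiceAccount with the top-level field `automountServiceAccountToken: false` (mirrored in the pod spec), so no API token is projected into the pod at all; if a future sidecar genuinely needs a Secret, grant `get` on a single `resourceNames` entry instead.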
@@ -0,0 +1,114 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: etcd
+ namespace: system-dns
+ labels:
+ app: etcd
+spec:
+ serviceName: etcd
+ replicas: 1
+ podManagementPolicy: Parallel
+ updateStrategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app: etcd
+ template:
+ metadata:
+ labels:
+ app: etcd
+ spec:
+ securityContext:
+ fsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: etcd
+ containers:
+ - name: etcd
+ # renovate: datasource=docker depName=quay.io/coreos/etcd package=quay.io/coreos/etcd
+ image: quay.io/coreos/etcd:v3.6.5
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ capabilities:
+ drop:
+ - ALL
+ ports:
+ - name: client
+ containerPort: 2379
+ protocol: TCP
+ - name: peer
+ containerPort: 2380
+ protocol: TCP
+ command:
+ - /usr/local/bin/etcd
+ args:
+ - --name=etcd-0
+ - --data-dir=/var/lib/etcd
+ - --listen-client-urls=https://0.0.0.0:2379
+ - --advertise-client-urls=https://etcd-0.etcd:2379
+ - --listen-peer-urls=https://0.0.0.0:2380
+ - --initial-advertise-peer-urls=https://etcd-0.etcd:2380
+ - --initial-cluster=etcd-0=https://etcd-0.etcd:2380
+ - --initial-cluster-state=new
+ - --client-cert-auth
+ - --trusted-ca-file=/etc/etcd/tls/ca.crt
+ - --cert-file=/etc/etcd/tls/tls.crt
+ - --key-file=/etc/etcd/tls/tls.key
+ - --peer-client-cert-auth
+ - --peer-trusted-ca-file=/etc/etcd/tls/ca.crt
+ - --peer-cert-file=/etc/etcd/tls/tls.crt
+ - --peer-key-file=/etc/etcd/tls/tls.key
+ - --auto-compaction-retention=24h
+ - --quota-backend-bytes=1073741824
+ env: []
+ livenessProbe:
+ tcpSocket:
+ port: 2379
+ initialDelaySeconds: 60
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ readinessProbe:
+ tcpSocket:
+ port: 2379
+ initialDelaySeconds: 10
+ periodSeconds: 5
+ timeoutSeconds: 3
+ successThreshold: 1
+ failureThreshold: 
3 + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + memory: 256Mi + volumeMounts: + - name: etcd-data + mountPath: /var/lib/etcd + - name: etcd-tls + mountPath: /etc/etcd/tls + readOnly: true + - name: tmp + mountPath: /tmp + volumes: + - name: etcd-tls + secret: + secretName: etcd-server-tls + - name: tmp + emptyDir: {} + volumeClaimTemplates: + - metadata: + name: etcd-data + spec: + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 1Gi diff --git a/kustomize/dns/external-dns/coredns/patches/helm-release.yaml b/kustomize/dns/external-dns/coredns/patches/helm-release.yaml index 1f256c16..a6b31b06 100644 --- a/kustomize/dns/external-dns/coredns/patches/helm-release.yaml +++ b/kustomize/dns/external-dns/coredns/patches/helm-release.yaml @@ -1,8 +1,3 @@ -- op: add - path: /spec/dependsOn/- - value: - name: etcd-coredns - namespace: system-dns - op: add path: /spec/values/provider value: @@ -11,7 +6,7 @@ path: /spec/values/env/- value: name: ETCD_URLS - value: https://etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}:2379 + value: https://etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}:2379 - op: add path: /spec/values/env/- value: @@ -31,7 +26,7 @@ path: /spec/values/env/- value: name: ETCD_TLS_SERVER_NAME - value: etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local} + value: etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local} - op: add path: /spec/values/extraVolumes/- value:
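Review bot: With `--client-cert-auth` and `--peer-client-cert-auth` both trusting `/etc/etcd/tls/ca.crt` from the `private` ClusterIssuer, and no etcd authentication enabled (the deleted chart values carried `auth.rbac.create: false` and nothing in the new manifests replaces them), any certificate that issuer signs is a full-privilege etcd client — so whoever can obtain one, presumably any workload allowed to create a `Certificate` against that ClusterIssuer, can rewrite `/skydns` and hijack the answers CoreDNS serves to the whole cluster. Pin the peer side with `--peer-cert-allowed-cn=etcd` (the CN of the server cert now reused for peers) and, for clients, enable etcd auth so the client cert CN `etcd-client` maps to a user whose role is limited to the `/skydns` prefix, or issue the etcd certificates from a dedicated issuer that nothing else can use. The `tcpSocket` probes only prove the listener accepts connections, not that etcd is serving (the replaced chart ran its healthcheck script); an `exec` probe running `etcdctl endpoint health` with the mounted certs against the pod's own FQDN — or adding `localhost` to the server certificate's SANs so `127.0.0.1` can be probed — would actually restart a wedged member. `--name=etcd-0` and `--initial-cluster=etcd-0=https://etcd-0.etcd:2380` are hardcoded, which is fine at `replicas: 1` since the HA component is deleted in this same change, but a comment such as `# single-member only: name/initial-cluster are fixed, do not scale this StatefulSet` would spare the next reader a surprise.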