changeset 58:f39ada0b8827
push a coredns config with the right forwarding server
author | drewp@bigasterisk.com |
---|---|
date | Sun, 01 May 2022 23:27:33 -0700 |
parents | 16098abf8f0f |
children | fa7a71b8a97f |
files | kube.py templates/kube/Corefile.j2 templates/kube/coredns-map.yaml templates/kube/coredns.yaml |
diffstat | 4 files changed, 278 insertions(+), 34 deletions(-) [+] |
--- a/kube.py Sun Apr 17 22:16:28 2022 -0700 +++ b/kube.py Sun May 01 23:27:33 2022 -0700 @@ -28,7 +28,7 @@ group='root', mode='755', cache_time=43000, - # force=True, # to get a new version + # force=True, # to get a new version ) if is_pi: @@ -69,19 +69,30 @@ ) systemd.service(service=service_name, daemon_reload=True, enabled=True, restarted=True) -# if bang: -# files.template( -# src='templates/kube/Corefile.j2', -# dest='/etc/k3s_coredns_config', -# ) -# server.shell(commands=[ -# 'kubectl replace configmap ' -# '-n kube-system ' -# 'coredns ' -# '--from-file=Corefile=/etc/k3s_coredns_config ' -# '-o yaml ' -# '--dry-run=client | kubectl apply -', -# ]) +if host.name == 'bang': + files.put( + src="templates/kube/coredns.yaml", + dest="/var/lib/rancher/k3s/server/manifests/coredns.yaml", + mode="600", + ) + # files.put( + # src="templates/kube/coredns-map.yaml", + # dest="/var/lib/rancher/k3s/server/manifests/coredns-map.yaml", + # mode="600", + # ) + # tmp = tempfile.NamedTemporaryFile(suffix='.yaml') + # files.template( + # src='templates/kube/Corefile.yaml.j2', + # dest=tmp.name, + # ) + # server.shell(commands=[ + # 'kubectl replace configmap ' + # # '-n kube-system ' + # # 'coredns ' + # f'--filename={tmp.name} ' + # '-o yaml ' + # # '--dry-run=client | kubectl apply -', + # ]) # one-time thing at cluster create time? not sure # - name: Replace https://localhost:6443 by https://master-ip:6443 # command: >-
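Review bot: The new `files.put` writes `templates/kube/coredns.yaml` into the k3s auto-deploy manifests directory under the same filename as the k3s-packaged CoreDNS addon; I believe k3s regenerates its bundled `coredns.yaml` there on restart or upgrade, in which case this customization will be silently reverted, so either run the server with `--disable coredns` or use a distinct filename, and record the decision in a comment such as `# replaces the k3s-packaged coredns addon; k3s must run with --disable coredns`. Most of the hunk is a second round of commented-out `kubectl replace` scaffolding that mirrors the block the commit removes; delete it and keep the still-relevant alternative in that one comment. The `files.put` for `coredns-map.yaml` is also commented out while the file is added, so that manifest is dead on arrival.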
--- a/templates/kube/Corefile.j2 Sun Apr 17 22:16:28 2022 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,20 +0,0 @@ -.:53 { - errors - health - ready - kubernetes cluster.local in-addr.arpa ip6.arpa { - pods insecure - fallthrough in-addr.arpa ip6.arpa - } - hosts /etc/coredns/NodeHosts { - ttl 60 - reload 15s - fallthrough - } - prometheus :9153 - forward . dns://10.2.0.1 - cache 30 - loop - reload - loadbalance -}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/templates/kube/coredns-map.yaml Sun May 01 23:27:33 2022 -0700 @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: coredns + namespace: kube-system +data: + Corefile.yaml: | + .:53 { + errors + health + ready + kubernetes cluster.local in-addr.arpa ip6.arpa { + pods insecure + fallthrough in-addr.arpa ip6.arpa + } + hosts /etc/coredns/NodeHosts { + ttl 60 + reload 15s + fallthrough + } + prometheus :9153 + forward . dns://10.2.0.1 + cache 30 + loop + reload + loadbalance + } + # this is automaintained in k3s- shouldn't need it here + NodeHosts: | + 10.5.0.14 garage + 10.5.0.6 slash + 10.5.0.1 bang + 10.5.0.17 frontbed + 10.5.0.5 dash
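Review bot: The ConfigMap here stores the Corefile under the key `Corefile.yaml`, but every consumer in this changeset reads the key `Corefile` (the Deployment in `coredns.yaml` projects `key: Corefile`, and the removed `kubectl replace` path used `--from-file=Corefile=`), so if this manifest were ever applied CoreDNS would not pick the config up from it. It also still forwards to `dns://10.2.0.1` while `coredns.yaml` forwards to `10.5.0.1`, which contradicts the commit's stated purpose of pushing the right forwarding server. Since the `files.put` for this file is commented out in `kube.py`, either drop the file or rename the key to `Corefile` and align the forward target with `coredns.yaml`.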
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/templates/kube/coredns.yaml Sun May 01 23:27:33 2022 -0700 
@@ -0,0 +1,219 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: coredns + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:coredns +rules: +- apiGroups: + - "" + resources: + - endpoints + - services + - pods + - namespaces + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:coredns +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:coredns +subjects: +- kind: ServiceAccount + name: coredns + namespace: kube-system +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: coredns + namespace: kube-system +data: + Corefile: | + # update 2022-04-19T20:20 + .:53 { + errors + health + ready + kubernetes cluster.local in-addr.arpa ip6.arpa { + pods insecure + fallthrough in-addr.arpa ip6.arpa + } + hosts /etc/coredns/NodeHosts { + ttl 60 + reload 15s + fallthrough + } + prometheus :9153 + forward . 
10.5.0.1 + #/etc/resolv.conf + cache 30 + loop + reload + loadbalance + log + } + import /etc/coredns/custom/*.server +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: coredns + namespace: kube-system + labels: + k8s-app: kube-dns + kubernetes.io/name: "CoreDNS" +spec: + #replicas: 1 + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + selector: + matchLabels: + k8s-app: kube-dns + template: + metadata: + labels: + k8s-app: kube-dns + spec: + priorityClassName: "system-cluster-critical" + serviceAccountName: coredns + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + nodeSelector: + kubernetes.io/os: linux + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + k8s-app: kube-dns + containers: + - name: coredns + image: rancher/mirrored-coredns-coredns:1.8.4 + imagePullPolicy: IfNotPresent + resources: + limits: + memory: 170Mi + requests: + cpu: 100m + memory: 70Mi + args: [ "-conf", "/etc/coredns/Corefile" ] + volumeMounts: + - name: config-volume + mountPath: /etc/coredns + readOnly: true + - name: custom-config-volume + mountPath: /etc/coredns/custom + readOnly: true + ports: + - containerPort: 53 + name: dns + protocol: UDP + - containerPort: 53 + name: dns-tcp + protocol: TCP + - containerPort: 9153 + name: metrics + protocol: TCP + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - all + readOnlyRootFilesystem: true + livenessProbe: + httpGet: + path: /health + port: 8080 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /ready + port: 8181 + scheme: HTTP + initialDelaySeconds: 
0 + periodSeconds: 2 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + dnsPolicy: Default + volumes: + - name: config-volume + configMap: + name: coredns + items: + - key: Corefile + path: Corefile + - key: NodeHosts + path: NodeHosts + - name: custom-config-volume + configMap: + name: coredns-custom + optional: true +--- +apiVersion: v1 +kind: Service +metadata: + name: kube-dns + namespace: kube-system + annotations: + prometheus.io/port: "9153" + prometheus.io/scrape: "true" + labels: + k8s-app: kube-dns + kubernetes.io/cluster-service: "true" + kubernetes.io/name: "CoreDNS" +spec: + selector: + k8s-app: kube-dns + clusterIP: 10.43.0.10 + ports: + - name: dns + port: 53 + protocol: UDP + - name: dns-tcp + port: 53 + protocol: TCP + - name: metrics + port: 9153 + protocol: TCP
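Review bot: The Deployment's `config-volume` projects `key: NodeHosts` from the `coredns` ConfigMap without `optional: true`, but the ConfigMap declared earlier in this file carries only `Corefile`; unless the k3s node-hosts controller has already written `NodeHosts` into the live ConfigMap by the time the pod is scheduled (and that key survives the addon controller re-applying this manifest), kubelet will refuse to set up the volume over the missing key and the pod will sit in ContainerCreating. Seeding `NodeHosts: |` in the ConfigMap, as the sibling `coredns-map.yaml` does, or marking that item optional, removes the ordering dependency. Separately, the Corefile newly enables the `log` plugin, which writes every query to the pod's stdout; that is handy while debugging the forwarder but is a persistent record of every name resolved in the cluster, so add `# log: every query to stdout; remove once forwarding is verified` or drop it before this settles. `pods insecure` is carried over from the k3s default and answers pod reverse lookups without checking the pod exists; `pods verified` is the stricter setting if the extra API watch is acceptable.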