
init

master
tobi 1 year ago
commit
86101ba666
7 changed files with 305 additions and 0 deletions
  1. +21
    -0
      README.md
  2. +70
    -0
      admin.yaml
  3. +20
    -0
      issuer.yaml
  4. +55
    -0
      mysql.yaml
  5. +16
    -0
      mysql_pvc.yaml
  6. +4
    -0
      namespace.yaml
  7. +119
    -0
      power.yaml

+ 21
- 0
README.md View File

@@ -0,0 +1,21 @@
## Powerdns, WebGui and dns-01 certs

### [Webgui (admin)](http://10.0.0.12:8053)

* create one user, then disable new user creation

`/settings/authentication/Allow users to sign up`

* enable SOA records (otherwise you get set the default, wich is no good)

`/settings/records/SOA Forward and Reverse Zone`

### dns-01 certs

kubernetes job that start a go-acme/lego container, performing a dns-01 challenge for a wildcard cert.

the cert is available for further use through the persistent volume, in the same namespace.

that means you have to create a job for every cert in that specific namespace,

see lego.yaml for an example

+ 70
- 0
admin.yaml View File

@@ -0,0 +1,70 @@
# the powerdns admin keeps login information stored, hook that up to a shared volume
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: admin
namespace: inhouse-dns
annotations:
volume.beta.kubernetes.io/storage-class: 3-rep-storage
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---

apiVersion: apps/v1
kind: Deployment
metadata:
name: admin
namespace: inhouse-dns
spec:
replicas: 1
selector:
matchLabels:
app: admin
template:
metadata:
labels:
app: admin
spec:
# tried all other settings (security context etc), nothing else seems to work to set the
# access rights for the pda user (from the powerdns admin image) for the shared volume
initContainers:
- name: chown
image: busybox
command: ["sh", "-c", "chown -R 100:100 /data"]
volumeMounts:
- name: data
mountPath: /data
containers:
- name: admin
image: ngoduykhanh/powerdns-admin:latest
ports:
- containerPort: 80
volumeMounts:
- name: data
mountPath: /data
volumes:
- name: data
persistentVolumeClaim:
claimName: admin
---
# access the powerdns admin webgui from within the network
apiVersion: v1
kind: Service
metadata:
name: admin
namespace: inhouse-dns
spec:
# private floating ip
externalIPs:
- 10.0.0.9
ports:
- name: tcp
protocol: TCP
port: 8053
targetPort: 80
selector:
app: admin
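Review bot: The Deployment pulls `ngoduykhanh/powerdns-admin:latest` and the init container pulls an untagged `busybox`, so any pod restart can silently roll the component that stores the PowerDNS API key and user logins onto a different build; pin both, e.g. `image: ngoduykhanh/powerdns-admin:<pinned-tag>`. The PVC uses the pre-GA `volume.beta.kubernetes.io/storage-class` annotation; the current field is `spec.storageClassName: 3-rep-storage`, and the same applies to the PVC in mysql_pvc.yaml. The Service exposes the login UI as plain HTTP on `externalIPs` 10.0.0.9 port 8053 to the whole network, while the README links 10.0.0.12:8053, so one of the two addresses looks stale; a comment stating which address is the floating IP and that there is no TLS in front of it would help the next maintainer.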

+ 20
- 0
issuer.yaml View File

@@ -0,0 +1,20 @@
# will ignore namespace, cluster wide issuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: issuer
spec:
acme:
email: tobi_h@outlook.com
privateKeySecretRef:
name: tobi-outlook-acc-key
server: https://acme-v02.api.letsencrypt.org/directory
solvers:
- dns01:
rfc2136:
nameserver: 90.187.215.61
tsigKeyName: master_key
tsigAlgorithm: HMACMD5
tsigSecretSecretRef:
name: master-pdns-key
key: key
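Review bot: `tsigAlgorithm: HMACMD5` picks an algorithm that is no longer recommended for TSIG (RFC 8945 makes HMAC-SHA256 the mandatory one), and the key only protects the dynamic updates that issue wildcard certificates; generate the PowerDNS key as hmac-sha256 and set `tsigAlgorithm: HMACSHA256` here, since the algorithm must match on both sides. `nameserver: 90.187.215.61` carries no port; cert-manager falls back to 53, but `nameserver: "90.187.215.61:53"` makes that explicit. Updates are sent to a public address, whereas power.yaml only allows dynamic updates from 10.1.0.0/16, so this presumably relies on the cluster's egress being seen from that range — worth a comment next to `nameserver`.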

+ 55
- 0
mysql.yaml View File

@@ -0,0 +1,55 @@

apiVersion: apps/v1
kind: Deployment
metadata:
name: mysql
namespace: inhouse-dns
spec:
selector:
matchLabels:
app: mysql
# when rolling new udpdate dont ever have 2 pods at the same time, this would fuck up the db data
strategy:
type: Recreate
template:
metadata:
labels:
app: mysql
spec:
containers:
- image: mysql:5.7.31
name: mysql
env:
# passwords can be dead simple because the database is only accessible from within the cluster
- name: MYSQL_ROOT_PASSWORD
value: "powerdns"
- name: MYSQL_DATABASE
value: "powerdns"
ports:
- containerPort: 3306
name: mysql
volumeMounts:
- name: db-vol
mountPath: /var/lib/mysql
volumes:
- name: db-vol
persistentVolumeClaim:
claimName: db-data

---
# for the powerdns servers
apiVersion: v1
kind: Service
metadata:
name: mysql
namespace: inhouse-dns
spec:
externalIPs:
- 10.0.0.9
ports:
- port: 3306
targetPort: 3306
selector:
app: mysql
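Review bot: The comment on line 188 justifies a trivial root password by saying the database is reachable only inside the cluster, but the Service on lines 211-213 sets `externalIPs: - 10.0.0.9`, which publishes port 3306 to the whole 10.0.0.0 network; the PowerDNS pods reach it through the cluster name `mysql` (power.yaml), so the two `externalIPs` lines can be dropped. The root credential is also repeated as a literal in power.yaml; keeping it in a Secret and referencing it via `valueFrom.secretKeyRef` in both manifests keeps it out of git and out of `kubectl get deploy -o yaml`, as sketched below. The Recreate strategy comment is correct and, with a ReadWriteMany volume, is the only thing preventing two mysqld processes on one datadir.
```yaml
# … unchanged: container image, name …
- name: MYSQL_ROOT_PASSWORD
  valueFrom:
    secretKeyRef:
      name: mysql-root      # constructed Secret name; create it before applying
      key: password
# … unchanged: MYSQL_DATABASE, ports, volumeMounts …
```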



+ 16
- 0
mysql_pvc.yaml View File

@@ -0,0 +1,16 @@
# so that in an emergency the mysql server can be booted up from another node
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: db-data
namespace: inhouse-dns
annotations:
volume.beta.kubernetes.io/storage-class: 3-rep-storage
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
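Review bot: `accessModes: ReadWriteMany` lets a second pod mount the MySQL datadir concurrently, which mysqld does not tolerate, so the safety of this volume rests entirely on the Recreate strategy in mysql.yaml. The failover goal in the header comment is also met by `ReadWriteOnce`, which a different node can attach once the previous pod has released the volume — assuming the `3-rep-storage` class supports it, which is not visible here. If RWX is required by that storage class, a comment saying so would stop a reader from "fixing" it.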



+ 4
- 0
namespace.yaml View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: inhouse-dns

+ 119
- 0
power.yaml View File

@@ -0,0 +1,119 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: powerdns
namespace: inhouse-dns
spec:
# high availability
replicas: 2
selector:
matchLabels:
app: powerdns
template:
metadata:
labels:
app: powerdns
spec:
topologySpreadConstraints:
- maxSkew: 1
topologyKey: zone
whenUnsatisfiable: DoNotSchedule
containers:
- name: powerdns
image: pschiffe/pdns-mysql
ports:
- containerPort: 53
env:
# mysql
- name: PDNS_gmysql_host
value: "mysql"
- name: PDNS_gmysql_port
value: "3306"
- name: PDNS_gmysql_user
value: "root"
- name: PDNS_gmysql_password
value: "powerdns"
- name: PDNS_gmysql_dbname
value: "powerdns"
- name: PDNS_master
value: "yes"
# api settings
- name: PDNS_api
value: "yes"
- name: PDNS_api_key
value: "password"
- name: PDNS_webserver
value: "yes"
- name: PDNS_webserver_address
value: "0.0.0.0"
- name: PDNS_webserver_password
value: "password"
- name: PDNS_webserver_allow_from
value: "10.0.0.0/16 10.1.0.0/16"
- name: PDNS_dnsupdate
value: "yes"
- name: PDNS_allow_dnsupdate_from
value: "10.1.0.0/16"
---
# for linking with the global nameservers
apiVersion: v1
kind: Service
metadata:
name: public-v6
namespace: inhouse-dns
spec:
ipFamily: IPv6
externalIPs:
- 2a02:8106:33:3300::53
- 2a02:8106:33:3300::54
ports:
- name: udp
protocol: UDP
port: 53
targetPort: 53
- name: tcp
protocol: TCP
port: 53
targetPort: 53
selector:
app: powerdns
---
# for linking with the global nameservers
apiVersion: v1
kind: Service
metadata:
name: public-v4
namespace: inhouse-dns
spec:
# forwarded floating ip
externalIPs:
- 10.0.0.80
ports:
- name: udp
protocol: UDP
port: 53
targetPort: 53
- name: tcp
protocol: TCP
port: 53
targetPort: 53
selector:
app: powerdns

---

# expose internally for the admin ui
apiVersion: v1
kind: Service
metadata:
name: api
namespace: inhouse-dns
spec:
ports:
- name: api
protocol: TCP
port: 8081
targetPort: 8081
selector:
app: powerdns
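Review bot: `PDNS_api_key` and `PDNS_webserver_password` are the literal `password` (lines 302 and 308); the API key is what authorizes zone changes through the api Service, and the webserver is bound to `0.0.0.0` and allowed from two /16s, so this is a shared network credential committed to git. Move both, together with `PDNS_gmysql_password`, into a Secret referenced via `valueFrom.secretKeyRef`, as sketched below. `image: pschiffe/pdns-mysql` has no tag, so the two replicas can drift apart after one node pulls a newer build; pin a tag. With `replicas: 2` and no readinessProbe, the public Services will route queries to a pod before it has connected to MySQL; a `tcpSocket` probe on port 53 is enough, and `ipFamily: IPv6` on line 323 is worth checking against the cluster version, as newer API servers use `ipFamilies: [IPv6]`.
```yaml
# … unchanged: PDNS_gmysql_* entries, PDNS_master, PDNS_api …
- name: PDNS_api_key
  valueFrom:
    secretKeyRef:
      name: pdns-secrets      # constructed Secret name; create it before applying
      key: api-key
# … unchanged: PDNS_webserver, PDNS_webserver_address …
- name: PDNS_webserver_password
  valueFrom:
    secretKeyRef:
      name: pdns-secrets
      key: webserver-password
# … unchanged: PDNS_webserver_allow_from, PDNS_dnsupdate, PDNS_allow_dnsupdate_from …
```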
