# Deploy a per-cluster CoreDNS
local kube = import "../../../kube/kube.libsonnet";
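{
    // A per-cluster CoreDNS instance: ServiceAccount, cluster-wide read-only
    // RBAC for the `kubernetes` plugin, the Corefile as a ConfigMap, a
    // two-replica Deployment and the ClusterIP Service that pods get as
    // their resolver.
    //
    // Everything tunable lives in `cfg`; per-cluster overrides are applied
    // with `Environment { cfg+:: { ... } }`. Defaults below reproduce the
    // previous hard-coded values, so existing call sites render the same
    // Corefile.
    Environment: {
        local env = self,
        local cfg = env.cfg,

        cfg:: {
            // Pinned by tag only. Pinning by digest (`coredns/coredns@sha256:...`)
            // makes sure a re-pushed tag cannot swap the cluster resolver's
            // binary; pick the digest for this version and replace the tag.
            image: "coredns/coredns:1.3.0",
            namespace: "kube-system",
            // Recursive resolver that every name outside the cluster domains
            // is proxied to. The 1.3.0 `proxy` plugin speaks plain DNS (no
            // TLS), so this must be reachable over a trusted network path.
            upstream_server: "185.236.240.1",
            // List form consumed by the Corefile; override to add fallbacks.
            // Defaults to the single `upstream_server` above (late-bound, so
            // overriding `upstream_server` alone still works).
            upstream_servers: [self.upstream_server],
            cluster_domains: [
                "cluster.local",
            ],
            // Reverse zones served by the kubernetes plugin. The same list is
            // used for its `fallthrough`, so PTR queries it cannot answer
            // reach the upstream instead of being answered NXDOMAIN.
            reverse_cidrs: ["in-addr.arpa", "ip6.arpa"],
            clusterIP: "10.10.12.254",
            // Cluster-specific alias: a query for `<svc>.<ns>.svc.k0.hswaw.net`
            // is answered as the in-cluster `<svc>.<ns>.svc.cluster.local`
            // record. Was hard-coded in the Corefile before; per-cluster now.
            rewrite_suffix_from: ".svc.k0.hswaw.net",
            rewrite_suffix_to: ".svc.cluster.local",
            // `pods` mode of the kubernetes plugin. `insecure` (kube-dns
            // compatible, the historical value here) answers
            // `<a>-<b>-<c>-<d>.<ns>.pod.<domain>` with that IP without
            // checking that such a pod exists in that namespace; the plugin's
            // own documentation warns this is abusable together with wildcard
            // TLS certificates. `verified` only answers for existing pods and
            // is what the pods list/watch RBAC below exists for -- prefer it
            // unless kube-dns compatibility is required (it keeps a pod cache,
            // so revisit the memory limit when switching).
            pod_mode: "insecure",
        },

        sa: kube.ServiceAccount("coredns") {
            metadata+: {
                namespace: cfg.namespace,
            },
        },

        // Read-only, cluster-wide view of the objects the `kubernetes` plugin
        // serves records for. `pods` list/watch is only exercised in
        // `pods verified` mode. `nodes get` is not used by any directive in
        // this Corefile as far as this file shows -- candidate for removal
        // after confirming against the plugin version in use.
        cr: kube.ClusterRole("system:coredns") {
            metadata+: {
                labels: {
                    "kubernetes.io/bootstrapping": "rbac-defaults",
                },
            },
            rules: [
                {
                    apiGroups: [""],
                    resources: ["endpoints", "services", "pods", "namespaces"],
                    verbs: ["list", "watch"],
                },
                {
                    apiGroups: [""],
                    resources: ["nodes"],
                    verbs: ["get"],
                },
            ],
        },

        crb: kube.ClusterRoleBinding("system:coredns") {
            metadata+: {
                labels: {
                    "kubernetes.io/bootstrapping": "rbac-defaults",
                },
                // Mirrors the upstream CoreDNS manifest. As far as I can tell
                // the autoupdate annotation only matters for roles the
                // apiserver bootstraps itself, so it is informational here.
                annotations+: {
                    "rbac.authorization.kubernetes.io/autoupdate": "true",
                },
            },
            roleRef: {
                apiGroup: "rbac.authorization.k8s.io",
                kind: "ClusterRole",
                name: env.cr.metadata.name,
            },
            subjects: [
                {
                    kind: "ServiceAccount",
                    name: env.sa.metadata.name,
                    namespace: env.sa.metadata.namespace,
                },
            ],
        },

        // The Corefile, rendered from cfg with named placeholders so every
        // tunable appears exactly once. Keep comments out of the text block:
        // it is the literal file CoreDNS loads.
        //
        // Plugin notes:
        //  - `log` writes every query to stdout; that is a privacy and volume
        //    concern on a busy cluster -- drop it if nobody reads it.
        //  - `health` without an address listens on :8080, which the
        //    Deployment's liveness probe depends on.
        //  - `fallthrough` takes the reverse zones from cfg so unmatched PTR
        //    queries reach the upstream.
        //  - `prometheus :9153` binds on all interfaces and is also exposed
        //    through the Service below.
        //  - `cache 30` caps answer TTLs at 30s, so stale records after a
        //    service change are short-lived.
        //  - `loop` halts CoreDNS if it detects a forwarding loop back to
        //    itself.
        cm: kube.ConfigMap("coredns") {
            local map = self,

            upstream_server:: cfg.upstream_server,
            upstream_servers:: std.join(" ", cfg.upstream_servers),
            cluster_domains:: std.join(" ", cfg.cluster_domains),
            reverse_cidrs:: std.join(" ", cfg.reverse_cidrs),

            metadata+: {
                namespace: cfg.namespace,
            },
            data: {
                Corefile: |||
                    .:53 {
                        log
                        errors
                        health
                        kubernetes %(cluster_domains)s %(reverse_cidrs)s {
                            pods %(pod_mode)s
                            upstream
                            fallthrough %(reverse_cidrs)s
                        }
                        rewrite name suffix %(rewrite_from)s %(rewrite_to)s
                        prometheus :9153
                        proxy . %(upstream_servers)s
                        cache 30
                        loop
                        reload
                        loadbalance
                    }
                ||| % {
                    cluster_domains: map.cluster_domains,
                    reverse_cidrs: map.reverse_cidrs,
                    pod_mode: cfg.pod_mode,
                    rewrite_from: cfg.rewrite_suffix_from,
                    rewrite_to: cfg.rewrite_suffix_to,
                    upstream_servers: map.upstream_servers,
                },
            },
        },

        deployment: kube.Deployment("coredns") {
            metadata+: {
                namespace: cfg.namespace,
                labels+: {
                    "k8s-app": "coredns",
                },
            },
            spec+: {
                // Two replicas, rolled one at a time so a resolver is always
                // serving. Nothing spreads them across nodes; add
                // podAntiAffinity if one node failure taking out both is a
                // concern.
                replicas: 2,
                strategy: {
                    type: "RollingUpdate",
                    rollingUpdate: { maxUnavailable: 1 },
                },
                template+: {
                    spec+: {
                        serviceAccountName: env.sa.metadata.name,
                        tolerations: [
                            { key: "CriticalAddonsOnly", operator: "Exists" },
                        ],
                        // The pod's own lookups use the node's resolv.conf
                        // rather than the cluster DNS, which would be this
                        // very Service.
                        dnsPolicy: "Default",
                        volumes_: {
                            config: {
                                configMap: {
                                    name: env.cm.metadata.name,
                                    // Only the Corefile is projected; any other
                                    // key added to the ConfigMap stays off disk.
                                    items: [ { key: "Corefile", path: "Corefile" } ],
                                },
                            },
                        },
                        containers_: {
                            coredns: kube.Container("coredns") {
                                local container = self,

                                image: cfg.image,
                                // Look the mount up by name instead of
                                // volumeMounts[0]: the order of the generated
                                // list is a kube.libsonnet detail, and index 0
                                // silently points at the wrong mount once a
                                // second one is declared.
                                args: [
                                    "-conf", "%s/Corefile" % container.volumeMounts_.config.mountPath,
                                ],
                                // With a mutable tag a node keeps whatever it
                                // pulled first; pin by digest (see cfg.image)
                                // before relying on this.
                                imagePullPolicy: "IfNotPresent",
                                resources: {
                                    limits: { memory: "170Mi" },
                                    requests: { memory: "70Mi", cpu: "100m" },
                                },
                                volumeMounts_: {
                                    config: {
                                        mountPath: "/etc/coredns",
                                    },
                                },
                                ports_: {
                                    dns: {
                                        containerPort: 53,
                                        protocol: "UDP",
                                    },
                                    "dns-tcp": {
                                        containerPort: 53,
                                        protocol: "TCP",
                                    },
                                    metrics: {
                                        containerPort: 9153,
                                        protocol: "TCP",
                                    },
                                },
                                // Hardened container: no privilege escalation,
                                // read-only root filesystem, and only
                                // NET_BIND_SERVICE (for :53) on top of an empty
                                // capability set. Capability names are
                                // upper-case in the Kubernetes API; the
                                // lower-case "all" used previously is reportedly
                                // not honoured by every CRI runtime, which would
                                // leave the full default set in place.
                                // Not set: runAsNonRoot / runAsUser. The image
                                // does not appear to set a user (TODO confirm);
                                // switching needs a uid plus a binary with file
                                // or ambient capabilities so NET_BIND_SERVICE
                                // survives the uid change.
                                securityContext: {
                                    allowPrivilegeEscalation: false,
                                    capabilities: {
                                        add: ["NET_BIND_SERVICE"],
                                        drop: ["ALL"],
                                    },
                                    readOnlyRootFilesystem: true,
                                },
                                // Port 8080 is the `health` plugin's default
                                // listener (see the Corefile). No readiness
                                // probe: CoreDNS gained a `ready` endpoint only
                                // in a later release.
                                livenessProbe: {
                                    httpGet: {
                                        path: "/health",
                                        port: 8080,
                                        scheme: "HTTP",
                                    },
                                    initialDelaySeconds: 60,
                                    timeoutSeconds: 5,
                                    successThreshold: 1,
                                    failureThreshold: 5,
                                },
                            },
                        },
                    },
                },
            },
        },

        // kube-dns-style ClusterIP Service. Every container port is exposed,
        // including metrics on 9153, so Prometheus can scrape through the
        // Service; filter it out of the comprehension if the metrics endpoint
        // should stay pod-local.
        svc: kube.Service("coredns") {
            local svc = self,
            metadata+: {
                namespace: cfg.namespace,
            },
            target_pod: env.deployment.spec.template,
            spec+: {
                ports: [
                    { name: p.name, port: p.containerPort, protocol: p.protocol }
                    for p in svc.target_pod.spec.containers[0].ports
                ],
                clusterIP: cfg.clusterIP,
            },
        },
    },
}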