Local dns + lb-l7

2025-11-03 03:38:35 +00:00 · 2021-12-25 22:10:04 +02:00
parent df9cddf2b1
commit 256f5a2426
7 changed files with 303 additions and 110 deletions
--- a/oracle/deployments/coredns-local.yaml
+++ b/oracle/deployments/coredns-local.yaml
@@ -0,0 +1,151 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: coredns-local
  namespace: kube-system
 data:
  empty.db: |
    @       60      IN      SOA     localnet. root.localnet. (
                    1       ; serial
                    60      ; refresh
                    60      ; retry
                    60      ; expiry
                    60 )    ; minimum
    ;
    @       IN      NS      localnet.
  hosts: |
    # static hosts
    169.254.2.53        dns.local
    fd00::169:254:2:53  dns.local
  Corefile.local: |
    (empty) {
        file /etc/coredns/empty.db
    }
    .:53 {
        errors
        bind 169.254.2.53 fd00::169:254:2:53
        health 127.0.0.1:8091 {
           lameduck 5s
        }
        hosts /etc/coredns/hosts {
            reload 60s
            fallthrough
        }
        kubernetes cluster.local in-addr.arpa ip6.arpa {
            endpoint https://api.cluster.local:6443
            kubeconfig /etc/coredns/kubeconfig.conf coredns
            pods insecure
            ttl 60
        }
        prometheus :9153
        forward . /etc/resolv.conf {
            policy sequential
            expire 30s
        }
        cache 300
        loop
        reload
        loadbalance
    }
  kubeconfig.conf: |-
    apiVersion: v1
    kind: Config
    clusters:
    - cluster:
        certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        server: https://api.cluster.local:6443
      name: default
    contexts:
    - context:
        cluster: default
        namespace: kube-system
        user: coredns
      name: coredns
    current-context: coredns
    users:
    - name: coredns
      user:
        tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
 ---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: coredns-local
  namespace: kube-system
  labels:
    k8s-app: kube-dns-local
    kubernetes.io/name: CoreDNS
 spec:
  updateStrategy:
    type: RollingUpdate
  minReadySeconds: 15
  selector:
    matchLabels:
      k8s-app: kube-dns-local
      kubernetes.io/name: CoreDNS
  template:
    metadata:
      labels:
        k8s-app: kube-dns-local
        kubernetes.io/name: CoreDNS
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "9153"
    spec:
      priorityClassName: system-node-critical
      serviceAccount: coredns
      serviceAccountName: coredns
      enableServiceLinks: false
      tolerations:
        - key: node.cloudprovider.kubernetes.io/uninitialized
          effect: NoSchedule
          value: "true"
      hostNetwork: true
      containers:
      - name: coredns
        image: coredns/coredns:1.8.6
        imagePullPolicy: IfNotPresent
        resources:
          limits:
            cpu: 100m
            memory: 128Mi
          requests:
            cpu: 50m
            memory: 64Mi
        args: [ "-conf", "/etc/coredns/Corefile.local" ]
        volumeMounts:
        - name: config-volume
          mountPath: /etc/coredns
          readOnly: true
        livenessProbe:
          httpGet:
            host: 127.0.0.1
            path: /health
            port: 8091
            scheme: HTTP
          initialDelaySeconds: 60
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 5
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - all
          readOnlyRootFilesystem: true
      dnsPolicy: Default
      volumes:
        - name: config-volume
          configMap:
            name: coredns-local
--- a/oracle/instances-controlplane.tf
+++ b/oracle/instances-controlplane.tf
@@ -57,7 +57,6 @@ resource "oci_core_instance" "contolplane" {
    are_all_plugins_disabled = true
    is_management_disabled   = true
    is_monitoring_disabled   = true
  }
  availability_config {
    is_live_migration_preferred = true
--- a/oracle/instances-web.tf
+++ b/oracle/instances-web.tf
@@ -12,6 +12,13 @@ resource "oci_core_instance_pool" "web" {
    primary_subnet_id   = local.network_public[local.zone].id
  }
  load_balancers {
    backend_set_name = oci_load_balancer_backend_set.web.name
    load_balancer_id = oci_load_balancer.web.id
    port             = 80
    vnic_selection   = "primaryvnic"
  }
  lifecycle {
    ignore_changes = [
      state,
@@ -70,8 +77,9 @@ resource "oci_core_instance_configuration" "web" {
      }
      agent_config {
-        is_management_disabled = false
+        are_all_plugins_disabled = true
-        is_monitoring_disabled = false
+        is_management_disabled   = true
        is_monitoring_disabled   = true
      }
      launch_options {
        network_type = "PARAVIRTUALIZED"
@@ -90,10 +98,10 @@ resource "oci_core_instance_configuration" "web" {
  }
 }
-data "oci_core_instance_pool_instances" "web" {
+# data "oci_core_instance_pool_instances" "web" {
-  compartment_id   = var.compartment_ocid
+#   compartment_id   = var.compartment_ocid
-  instance_pool_id = oci_core_instance_pool.web.id
+#   instance_pool_id = oci_core_instance_pool.web.id
-}
+# }
 # locals {
 #   lbv4_web_instances = local.lbv4_web_enable && length(data.oci_core_instance_pool_instances.web.instances) > 0
@@ -104,32 +112,32 @@ data "oci_core_instance_pool_instances" "web" {
 #   vnic_id  = data.oci_core_vnic_attachments.contolplane[count.index].vnic_attachments[0]["vnic_id"]
 # }
-resource "oci_network_load_balancer_backend" "web_http" {
+# resource "oci_network_load_balancer_backend" "web_http" {
-  for_each = local.lbv4_web_enable ? { for instances in data.oci_core_instance_pool_instances.web.instances.* : instances.display_name => instances.id } : {}
+#   for_each = local.lbv4_web_enable ? { for instances in data.oci_core_instance_pool_instances.web.instances.* : instances.display_name => instances.id } : {}
-  backend_set_name         = oci_network_load_balancer_backend_set.web_http[0].name
+#   backend_set_name         = oci_network_load_balancer_backend_set.web_http[0].name
-  network_load_balancer_id = oci_network_load_balancer_network_load_balancer.web[0].id
+#   network_load_balancer_id = oci_network_load_balancer_network_load_balancer.web[0].id
-  port                     = 80
+#   port                     = 80
-  name      = "web-http-lb"
+#   name      = "web-http-lb"
-  target_id = each.value
+#   target_id = each.value
-  depends_on = [
+#   depends_on = [
-    oci_core_instance_pool.web
+#     oci_core_instance_pool.web
-  ]
+#   ]
-}
+# }
-resource "oci_network_load_balancer_backend" "web_https" {
+# resource "oci_network_load_balancer_backend" "web_https" {
-  for_each = local.lbv4_web_enable ? { for instances in data.oci_core_instance_pool_instances.web.instances.* : instances.display_name => instances.id } : {}
+#   for_each = local.lbv4_web_enable ? { for instances in data.oci_core_instance_pool_instances.web.instances.* : instances.display_name => instances.id } : {}
-  backend_set_name         = oci_network_load_balancer_backend_set.web_https[0].name
+#   backend_set_name         = oci_network_load_balancer_backend_set.web_https[0].name
-  network_load_balancer_id = oci_network_load_balancer_network_load_balancer.web[0].id
+#   network_load_balancer_id = oci_network_load_balancer_network_load_balancer.web[0].id
-  port                     = 443
+#   port                     = 443
-  name      = "web-https-lb"
+#   name      = "web-https-lb"
-  target_id = each.value
+#   target_id = each.value
-  depends_on = [
+#   depends_on = [
-    oci_core_instance_pool.web
+#     oci_core_instance_pool.web
-  ]
+#   ]
-}
+# }
--- a/oracle/instances-workers.tf
+++ b/oracle/instances-workers.tf
@@ -1,90 +1,90 @@
-resource "oci_core_instance_pool" "worker" {
+# resource "oci_core_instance_pool" "worker" {
-  compartment_id            = var.compartment_ocid
+#   compartment_id            = var.compartment_ocid
-  instance_configuration_id = oci_core_instance_configuration.worker.id
+#   instance_configuration_id = oci_core_instance_configuration.worker.id
-  size                      = lookup(var.instances[local.zone], "worker_count", 0)
+#   size                      = lookup(var.instances[local.zone], "worker_count", 0)
-  state                     = "RUNNING"
+#   state                     = "RUNNING"
-  display_name              = "${var.project}-worker"
+#   display_name              = "${var.project}-worker"
-  placement_configurations {
+#   placement_configurations {
-    availability_domain = local.network_private[local.zone].availability_domain
+#     availability_domain = local.network_private[local.zone].availability_domain
-    fault_domains       = data.oci_identity_fault_domains.domains.fault_domains.*.name
+#     fault_domains       = data.oci_identity_fault_domains.domains.fault_domains.*.name
-    primary_subnet_id   = local.network_private[local.zone].id
+#     primary_subnet_id   = local.network_private[local.zone].id
-  }
+#   }
-  lifecycle {
+#   lifecycle {
-    ignore_changes = [
+#     ignore_changes = [
-      state,
+#       state,
-      defined_tags
+#       defined_tags
-    ]
+#     ]
-  }
+#   }
-}
+# }
-locals {
+# locals {
-  worker_labels = "topology.kubernetes.io/region=${var.region},topology.kubernetes.io/zone=${local.zone_label},project.io/node-pool=worker"
+#   worker_labels = "topology.kubernetes.io/region=${var.region},topology.kubernetes.io/zone=${local.zone_label},project.io/node-pool=worker"
-}
+# }
-resource "oci_core_instance_configuration" "worker" {
+# resource "oci_core_instance_configuration" "worker" {
-  compartment_id = var.compartment_ocid
+#   compartment_id = var.compartment_ocid
-  display_name   = "${var.project}-worker"
+#   display_name   = "${var.project}-worker"
-  instance_details {
+#   instance_details {
-    instance_type = "compute"
+#     instance_type = "compute"
-    launch_details {
+#     launch_details {
-      compartment_id                      = var.compartment_ocid
+#       compartment_id                      = var.compartment_ocid
-      display_name                        = "${var.project}-worker"
+#       display_name                        = "${var.project}-worker"
-      is_pv_encryption_in_transit_enabled = true
+#       is_pv_encryption_in_transit_enabled = true
-      preferred_maintenance_action        = "LIVE_MIGRATE"
+#       preferred_maintenance_action        = "LIVE_MIGRATE"
-      launch_mode                         = "NATIVE"
+#       launch_mode                         = "NATIVE"
-      shape = lookup(var.instances[local.zone], "worker_instance_shape", "VM.Standard.E2.1.Micro")
+#       shape = lookup(var.instances[local.zone], "worker_instance_shape", "VM.Standard.E2.1.Micro")
-      shape_config {
+#       shape_config {
-        ocpus         = lookup(var.instances[local.zone], "worker_instance_ocpus", 1)
+#         ocpus         = lookup(var.instances[local.zone], "worker_instance_ocpus", 1)
-        memory_in_gbs = lookup(var.instances[local.zone], "worker_instance_memgb", 1)
+#         memory_in_gbs = lookup(var.instances[local.zone], "worker_instance_memgb", 1)
-      }
+#       }
-      metadata = {
+#       metadata = {
-        user_data = base64encode(templatefile("${path.module}/templates/worker.yaml.tpl",
+#         user_data = base64encode(templatefile("${path.module}/templates/worker.yaml.tpl",
-          merge(var.kubernetes, {
+#           merge(var.kubernetes, {
-            lbv4        = local.lbv4_local
+#             lbv4        = local.lbv4_local
-            clusterDns  = cidrhost(split(",", var.kubernetes["serviceSubnets"])[0], 10)
+#             clusterDns  = cidrhost(split(",", var.kubernetes["serviceSubnets"])[0], 10)
-            nodeSubnets = local.network_private[local.zone].cidr_block
+#             nodeSubnets = local.network_private[local.zone].cidr_block
-            labels      = local.worker_labels
+#             labels      = local.worker_labels
-          })
+#           })
-        ))
+#         ))
-      }
+#       }
-      source_details {
+#       source_details {
-        source_type             = "image"
+#         source_type             = "image"
-        image_id                = data.oci_core_images.talos_x64.images[0].id
+#         image_id                = data.oci_core_images.talos_x64.images[0].id
-        boot_volume_size_in_gbs = "50"
+#         boot_volume_size_in_gbs = "50"
-      }
+#       }
-      create_vnic_details {
+#       create_vnic_details {
-        display_name              = "${var.project}-worker"
+#         display_name              = "${var.project}-worker"
-        assign_private_dns_record = false
+#         assign_private_dns_record = false
-        assign_public_ip          = false
+#         assign_public_ip          = false
-        nsg_ids                   = [local.nsg_talos, local.nsg_cilium, local.nsg_worker]
+#         nsg_ids                   = [local.nsg_talos, local.nsg_cilium, local.nsg_worker]
-        subnet_id                 = local.network_private[local.zone].id
+#         subnet_id                 = local.network_private[local.zone].id
-      }
+#       }
-      agent_config {
+#       agent_config {
-        is_management_disabled = false
+#         is_management_disabled = false
-        is_monitoring_disabled = false
+#         is_monitoring_disabled = false
-      }
+#       }
-      launch_options {
+#       launch_options {
-        network_type = "PARAVIRTUALIZED"
+#         network_type = "PARAVIRTUALIZED"
-      }
+#       }
-      instance_options {
+#       instance_options {
-        are_legacy_imds_endpoints_disabled = true
+#         are_legacy_imds_endpoints_disabled = true
-      }
+#       }
-      availability_config {
+#       availability_config {
-        recovery_action = "RESTORE_INSTANCE"
+#         recovery_action = "RESTORE_INSTANCE"
-      }
+#       }
-    }
+#     }
-  }
+#   }
-  lifecycle {
+#   lifecycle {
-    create_before_destroy = "true"
+#     create_before_destroy = "true"
-  }
+#   }
-}
+# }
--- a/oracle/network-lb-l7.tf
+++ b/oracle/network-lb-l7.tf
@@ -0,0 +1,35 @@
 resource "oci_load_balancer" "web" {
  compartment_id = var.compartment_ocid
  display_name   = "${local.project}-web-lb-l7"
  shape          = "flexible"
  shape_details {
    maximum_bandwidth_in_mbps = 10
    minimum_bandwidth_in_mbps = 10
  }
  subnet_ids                 = [local.network_lb.id]
  network_security_group_ids = [local.nsg_web]
 }
 resource "oci_load_balancer_listener" "web_http" {
  load_balancer_id         = oci_load_balancer.web.id
  name                     = "${local.project}-web-http"
  default_backend_set_name = oci_load_balancer_backend_set.web.name
  port                     = 80
  protocol                 = "HTTP"
 }
 resource "oci_load_balancer_backend_set" "web" {
  name             = "${local.project}-web-lb-l7"
  load_balancer_id = oci_load_balancer.web.id
  policy           = "ROUND_ROBIN"
  health_checker {
    retries     = 2
    protocol    = "HTTP"
    port        = 80
    url_path    = "/healthz"
    return_code = 200
  }
 }
--- a/oracle/network-lb.tf
+++ b/oracle/network-lb.tf
@@ -1,11 +1,11 @@
 locals {
-  lbv4_enable = false
+  lbv4_enable = true
  lbv4        = local.lbv4_enable ? [for ip in oci_network_load_balancer_network_load_balancer.contolplane[0].ip_addresses : ip.ip_address if ip.is_public][0] : "127.0.0.1"
  lbv4_local  = local.lbv4_enable ? [for ip in oci_network_load_balancer_network_load_balancer.contolplane[0].ip_addresses : ip.ip_address if !ip.is_public][0] : cidrhost(local.network_public[local.zone].cidr_block, 11)
  lbv4_web_enable = false
-  lbv4_web        = local.lbv4_web_enable ? [for ip in oci_network_load_balancer_network_load_balancer.web[0].ip_addresses : ip.ip_address if ip.is_public][0] : "127.0.0.1"
+  lbv4_web        = local.lbv4_web_enable ? [for ip in oci_network_load_balancer_network_load_balancer.web[0].ip_addresses : ip.ip_address if ip.is_public][0] : oci_load_balancer.web.ip_addresses[0]
 }
 resource "oci_dns_rrset" "lbv4_local" {
--- a/oracle/templates/worker.yaml.tpl
+++ b/oracle/templates/worker.yaml.tpl
@@ -14,7 +14,7 @@ machine:
      node-labels: ${labels}
    clusterDNS:
      - 169.254.2.53
-      - 10.200.16.10
+      - ${clusterDns}
    nodeIP:
      validSubnets: ${format("%#v",split(",",nodeSubnets))}
  network: