Private DNS

2025-10-30 17:58:32 +00:00 · 2021-12-20 21:51:46 +02:00
parent 2a98f8c7b5
commit 73ef6b9a42
6 changed files with 45 additions and 3 deletions
--- a/oracle/init/policy.tf
+++ b/oracle/init/policy.tf
@@ -7,6 +7,7 @@ resource "oci_identity_policy" "terraform" {
  statements = [
    "Allow group ${oci_identity_group.terraform.name} to manage virtual-network-family in compartment ${oci_identity_compartment.project.name}",
    "Allow group ${oci_identity_group.terraform.name} to manage load-balancers in compartment ${oci_identity_compartment.project.name}",
+    "Allow group ${oci_identity_group.terraform.name} to manage dns in compartment ${oci_identity_compartment.project.name}",
    "Allow group ${oci_identity_group.terraform.name} to manage compute-management-family in compartment ${oci_identity_compartment.project.name}",
    "Allow group ${oci_identity_group.terraform.name} to manage instances in compartment ${oci_identity_compartment.project.name}",
    "Allow group ${oci_identity_group.terraform.name} to manage instance-family in compartment ${oci_identity_compartment.project.name}",
--- a/oracle/network-lb.tf
+++ b/oracle/network-lb.tf
@@ -2,12 +2,25 @@
 locals {
  lbv4_enable = false
  lbv4        = local.lbv4_enable ? [for ip in oci_network_load_balancer_network_load_balancer.contolplane[0].ip_addresses : ip.ip_address if ip.is_public][0] : "127.0.0.1"
-  lbv4_local  = local.lbv4_enable ? [for ip in oci_network_load_balancer_network_load_balancer.contolplane[0].ip_addresses : ip.ip_address if !ip.is_public][0] : "127.0.0.1"
+  lbv4_local  = local.lbv4_enable ? [for ip in oci_network_load_balancer_network_load_balancer.contolplane[0].ip_addresses : ip.ip_address if !ip.is_public][0] : cidrhost(local.network_public[local.zone].cidr_block, 11)

  lbv4_web_enable = false
  lbv4_web        = local.lbv4_web_enable ? [for ip in oci_network_load_balancer_network_load_balancer.web[0].ip_addresses : ip.ip_address if ip.is_public][0] : "127.0.0.1"
 }

+resource "oci_dns_rrset" "lbv4_local" {
+  zone_name_or_id = local.dns_zone_id
+  domain          = var.kubernetes["apiDomain"]
+  rtype           = "A"
+
+  items {
+    domain = var.kubernetes["apiDomain"]
+    rdata  = local.lbv4_local
+    rtype  = "A"
+    ttl    = 3600
+  }
+}
+
 resource "oci_network_load_balancer_network_load_balancer" "contolplane" {
  count                      = local.lbv4_enable ? 1 : 0
  compartment_id             = var.compartment_ocid
--- a/oracle/prepare/network-dns.tf
+++ b/oracle/prepare/network-dns.tf
@@ -0,0 +1,17 @@
+
+data "oci_core_vcn_dns_resolver_association" "main" {
+  vcn_id = oci_core_vcn.main.id
+}
+
+data "oci_dns_resolver" "main" {
+  resolver_id = data.oci_core_vcn_dns_resolver_association.main.dns_resolver_id
+  scope       = "PRIVATE"
+}
+
+resource "oci_dns_zone" "cluster" {
+  compartment_id = var.compartment_ocid
+  name           = var.kubernetes["domain"]
+  zone_type      = "PRIMARY"
+  scope          = "PRIVATE"
+  view_id        = data.oci_dns_resolver.main.default_view_id
+}
--- a/oracle/prepare/network.tf
+++ b/oracle/prepare/network.tf
@@ -4,6 +4,7 @@ resource "oci_core_vcn" "main" {
  display_name   = var.project
  cidr_blocks    = [var.vpc_main_cidr]
  is_ipv6enabled = true
+  dns_label      = var.project
 }

 resource "oci_core_internet_gateway" "main" {
@@ -50,6 +51,7 @@ resource "oci_core_subnet" "regional_lb" {
  prohibit_public_ip_on_vnic = false

  display_name = "${oci_core_vcn.main.display_name}-regional-lb"
+  dns_label    = "lb"
 }
 resource "oci_core_subnet" "regional" {
  cidr_block                 = cidrsubnet(oci_core_vcn.main.cidr_block, 10, 1)
@@ -61,6 +63,7 @@ resource "oci_core_subnet" "regional" {
  prohibit_public_ip_on_vnic = false

  display_name = "${oci_core_vcn.main.display_name}-regional"
+  dns_label    = "regional"
 }

 resource "oci_core_subnet" "public" {
@@ -76,6 +79,7 @@ resource "oci_core_subnet" "public" {
  availability_domain        = each.key

  display_name = "${oci_core_vcn.main.display_name}-public-zone-${each.value}"
+  dns_label    = "public${each.value}"
 }

 resource "oci_core_subnet" "private" {
@@ -90,4 +94,5 @@ resource "oci_core_subnet" "private" {
  availability_domain        = each.key

  display_name = "${oci_core_vcn.main.display_name}-private-zone-${each.value}"
+  dns_label    = "private${each.value}"
 }
--- a/oracle/prepare/output.tf
+++ b/oracle/prepare/output.tf
@@ -14,6 +14,11 @@ output "zones" {
  value       = local.zones
 }

+output "dns_zone_id" {
+  description = "DNS zones id"
+  value       = oci_dns_zone.cluster.id
+}
+
 output "network_nat" {
  description = "The nat IP"
  value       = oci_core_public_ip.nat.ip_address
--- a/oracle/variables.tf
+++ b/oracle/variables.tf
@@ -26,8 +26,9 @@ data "terraform_remote_state" "prepare" {
 }

 locals {
-  project = data.terraform_remote_state.prepare.outputs.project
-  zone    = data.terraform_remote_state.prepare.outputs.zones[0]
+  project     = data.terraform_remote_state.prepare.outputs.project
+  zone        = data.terraform_remote_state.prepare.outputs.zones[0]
+  dns_zone_id = data.terraform_remote_state.prepare.outputs.dns_zone_id

  network_lb      = data.terraform_remote_state.prepare.outputs.network_lb
  network_public  = data.terraform_remote_state.prepare.outputs.network_public