update bind role

Constantin07 · Aug 1, 2024 · 6af814c · 6af814c
1 parent 625d354
commit 6af814c
Show file tree

Hide file tree

Showing 14 changed files with 111 additions and 11 deletions.
diff --git a/ansible/k8s-nodes.yaml b/ansible/k8s-nodes.yaml
@@ -13,4 +13,4 @@
    - containerd
    - kube_common
    - kubelet_config
-   - role: prometheus/node_exporter
+#   - role: prometheus/node_exporter
diff --git a/ansible/roles/bind/tasks/debian.yml b/ansible/roles/bind/tasks/debian.yml
@@ -16,6 +16,11 @@
   loop: "{{ debian_packages }}"
   tags: bind
 
+- name: Include secrets
+  include_vars: key.enc.yml
+  no_log: true
+  tags: bind
+
 - name: Update /etc/bind/named.conf.options file
   ansible.builtin.template:
     src: named.conf.options.j2
@@ -27,6 +32,40 @@
   notify: restart bind
   tags: bind
 
+- name: Copy /etc/bind/named.conf.internal file
+  ansible.builtin.template:
+    src: named.conf.internal.j2
+    dest: /etc/bind/named.conf.internal
+    owner: "{{ bind_user }}"
+    group: "{{ bind_group }}"
+    mode: 0644
+    validate: /usr/bin/named-checkconf %s
+  notify: restart bind
+  tags: bind
+
+- name: Create zone file /etc/bind/db.internal
+  ansible.builtin.template:
+    src: db.internal.j2
+    dest: /etc/bind/db.internal
+    owner: "{{ bind_user }}"
+    group: "{{ bind_group }}"
+    mode: 0644
+    validate: /usr/bin/named-checkzone internal %s
+  notify: restart bind
+  tags: bind
+
+- name: Update /etc/bind/named.conf
+  ansible.builtin.lineinfile:
+    path: /etc/bind/named.conf
+    line: 'include "/etc/bind/named.conf.internal";'
+    create: true
+    mode: 0644
+    owner: "{{ bind_user }}"
+    group: "{{ bind_group }}"
+    validate: /usr/bin/named-checkconf %s
+  notify: restart bind
+  tags: bind
+
 - name: Start bind service
   ansible.builtin.service:
     name: named

diff --git a/ansible/roles/bind/templates/db.internal.j2 b/ansible/roles/bind/templates/db.internal.j2
@@ -0,0 +1,32 @@
+$ORIGIN .
+$TTL 60 ; 1 minute
+internal                IN SOA  ns1.internal. admin.internal. (
+                                2014       ; serial
+                                604800     ; refresh (1 week)
+                                86400      ; retry (1 day)
+                                2419200    ; expire (4 weeks)
+                                604800     ; minimum (1 week)
+                                )
+                        NS      ns1.internal.
+                        NS      ns2.internal.
+$ORIGIN internal.
+$TTL 60 ; 1 minute
+ns1                     A       10.0.2.26
+ns2                     A       10.0.2.26
+server                  A       10.0.2.26
+jenkins                 CNAME   server
+registry                CNAME   server
+kube-cluster            CNAME   server
+ingress                 CNAME   kube-cluster
+jenkins-agent           A       10.0.2.37
+registry                CNAME   server
+vault                   CNAME   server
+prometheus              A       10.0.2.14
+grafana                 CNAME   prometheus
+master-node1            A       10.0.2.34
+worker-node1            A       10.0.2.32
+worker-node2            A       10.0.2.33
+kube-state-metrics      A       10.0.2.32
+                        A       10.0.2.33
+hello-kubernetes        A       10.0.2.32
+                        A       10.0.2.33
diff --git a/ansible/roles/bind/templates/named.conf.internal.j2 b/ansible/roles/bind/templates/named.conf.internal.j2
@@ -0,0 +1,14 @@
+// DNS zone internal
+
+zone "internal" IN {
+    type master;
+    file "/etc/bind/db.internal"; // path to zone file
+
+    allow-transfer {
+      key kube-cluster.internal.;
+    };
+
+    update-policy {
+      grant kube-cluster.internal. zonesub ANY;
+    };
+};
diff --git a/ansible/roles/bind/templates/named.conf.options.j2 b/ansible/roles/bind/templates/named.conf.options.j2
@@ -1,24 +1,38 @@
+controls {
+  inet {{ ansible_default_ipv4.address }} port 953 allow { 10.0.0.0/8; } keys { "kube-cluster.internal."; };
+//    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
+};
+
 acl "trusted" {
     localhost;
     10.0.0.0/8;
     172.16.0.0/12;
     192.168.0.0/16;
 };
 
+// For external-dns
+key kube-cluster.internal. {
+  algorithm hmac-sha256;
+  secret "{{ key_internal }}";
+};
+
 options {
     directory "/var/cache/bind";
 
+    listen-on port 53 { 127.0.0.1; {% for ip in ansible_all_ipv4_addresses %}{{ ip }}; {% endfor %}};
+
     recursion yes;
     auth-nxdomain yes;
 
     allow-query { trusted; };
     forwarders {
-	192.168.0.1; 8.8.8.8;
+	192.168.1.254; 8.8.8.8;
     };
 
     allow-transfer { 10.0.0.0/8; }; // Used by external-dns in Kubernetes
 
     dnssec-validation auto;
+    dnssec-must-be-secure internal no;
 
     listen-on-v6 { any; };
 };
diff --git a/ansible/roles/bind/vars/key.enc.yml b/ansible/roles/bind/vars/key.enc.yml
diff --git a/ansible/roles/jenkins_agent/defaults/main.yml b/ansible/roles/jenkins_agent/defaults/main.yml
@@ -11,7 +11,7 @@ jenkins_service_name: jenkins-agent.service
 jenkins_master_host: jenkins.internal
 jenkins_master_port: 8443
 jenkins_master_scheme: https
-jenkins_remoting_version: 3198.v03a_401881f3e
+jenkins_remoting_version: 3256.v88a_f6e922152
 jenkins_remoting_package: remoting-{{ jenkins_remoting_version }}.jar
 jenkins_remoting_url: https://repo.jenkins-ci.org/public/org/jenkins-ci/main/remoting/{{ jenkins_remoting_version }}/{{ jenkins_remoting_package }}
 

diff --git a/ansible/roles/resolv/files/resolv.conf b/ansible/roles/resolv/files/resolv.conf
@@ -1,2 +1,2 @@
 search internal
-nameserver 10.0.2.4
+nameserver 10.0.2.26
diff --git a/ansible/roles/trivy/defaults/main.yml b/ansible/roles/trivy/defaults/main.yml
@@ -1,3 +1,3 @@
 ---
 
-trivy_version: 0.53.0
+trivy_version: 0.54.1
diff --git a/pipelines/dockerfiles/consul-template/Makefile b/pipelines/dockerfiles/consul-template/Makefile
@@ -5,7 +5,7 @@ EXECUTABLES = docker
 K := $(foreach exec,$(EXECUTABLES),\
   $(if $(shell command -v $(exec) 2> /dev/null),some string,$(error "No $(exec) in PATH")))
 
-VERSION=0.39.0
+VERSION=0.39.1
 
 .PHONY: all login build scan tag push clean
 default: build tag push

diff --git a/pipelines/kubernetes/bootstrap/1.0_update_coredns/Makefile b/pipelines/kubernetes/bootstrap/1.0_update_coredns/Makefile
@@ -8,7 +8,8 @@ EXECUTABLES = kubeconform kubectl
 K := $(foreach exec,$(EXECUTABLES),\
   $(if $(shell command -v $(exec) 2> /dev/null),some string,$(error "No $(exec) in PATH")))
 
-.PHONY: validate apply diff
+.PHONY: all validate apply diff
+all: validate apply test
 
 validate:
 	mkdir -p /tmp/kubeconform

diff --git a/pipelines/kubernetes/bootstrap/1.0_update_coredns/coredns_cm.yaml b/pipelines/kubernetes/bootstrap/1.0_update_coredns/coredns_cm.yaml
@@ -10,7 +10,7 @@ data:
     internal:53 {
         errors
         cache 10
-        forward . 10.0.2.4:53 {
+        forward . 10.0.2.26:53 {
             prefer_udp
         }
     }

diff --git a/pipelines/kubernetes/bootstrap/1.0_update_coredns/coredns_tests.sh b/pipelines/kubernetes/bootstrap/1.0_update_coredns/coredns_tests.sh
@@ -22,9 +22,9 @@ test_CoreDnsCheckLocalDomainConfigured() {
 }
 
 test_CoreDnsCanResolveInternal() {
-  local HOST='centos7.internal'
+  local HOST='server.internal'
   result=`kubectl exec busybox -- nslookup -type=a ${HOST} | tail -n +2 | grep Address | awk '{print $2}'`
-  assertContains "CoreDNS can resolve ${HOST}" "${result}" '10.0.2.4'
+  assertContains "CoreDNS can resolve ${HOST}" "${result}" '10.0.2.26'
 }
 
 test_CoreDnsCanResolveVault() {

diff --git a/pipelines/kubernetes/bootstrap/3.3_external_dns/helmfile.yaml b/pipelines/kubernetes/bootstrap/3.3_external_dns/helmfile.yaml
@@ -22,7 +22,7 @@ releases:
           - ingress
         provider: rfc2136
         extraArgs:
-          - --rfc2136-host=centos7.internal
+          - --rfc2136-host=server.internal
           - --rfc2136-port=53
           - --rfc2136-zone=internal
           - --rfc2136-tsig-keyname=kube-cluster.internal.