diff --git a/ansible/k8s-nodes.yaml b/ansible/k8s-nodes.yaml
index 0b7017af6..2a3cfa61e 100644
--- a/ansible/k8s-nodes.yaml
+++ b/ansible/k8s-nodes.yaml
@@ -13,4 +13,4 @@
 - containerd
 - kube_common
 - kubelet_config
- - role: prometheus/node_exporter
+# - role: prometheus/node_exporter
diff --git a/ansible/roles/bind/tasks/debian.yml b/ansible/roles/bind/tasks/debian.yml
index d2cbd648f..e1a89b191 100644
--- a/ansible/roles/bind/tasks/debian.yml
+++ b/ansible/roles/bind/tasks/debian.yml
@@ -16,6 +16,11 @@
 loop: "{{ debian_packages }}"
 tags: bind
 
+- name: Include secrets
+ include_vars: key.enc.yml
+ no_log: true
+ tags: bind
+
 - name: Update /etc/bind/named.conf.options file
 ansible.builtin.template:
 src: named.conf.options.j2
@@ -27,6 +32,40 @@
 notify: restart bind
 tags: bind
 
+- name: Copy /etc/bind/named.conf.internal file
+ ansible.builtin.template:
+ src: named.conf.internal.j2
+ dest: /etc/bind/named.conf.internal
+ owner: "{{ bind_user }}"
+ group: "{{ bind_group }}"
+ mode: 0644
+ validate: /usr/bin/named-checkconf %s
+ notify: restart bind
+ tags: bind
+
+- name: Create zone file /etc/bind/db.internal
+ ansible.builtin.template:
+ src: db.internal.j2
+ dest: /etc/bind/db.internal
+ owner: "{{ bind_user }}"
+ group: "{{ bind_group }}"
+ mode: 0644
+ validate: /usr/bin/named-checkzone internal %s
+ notify: restart bind
+ tags: bind
+
+- name: Update /etc/bind/named.conf
+ ansible.builtin.lineinfile:
+ path: /etc/bind/named.conf
+ line: 'include "/etc/bind/named.conf.internal";'
+ create: true
+ mode: 0644
+ owner: "{{ bind_user }}"
+ group: "{{ bind_group }}"
+ validate: /usr/bin/named-checkconf %s
+ notify: restart bind
+ tags: bind
+
 - name: Start bind service
 ansible.builtin.service:
 name: named
diff --git a/ansible/roles/bind/templates/db.internal.j2 b/ansible/roles/bind/templates/db.internal.j2
new file mode 100644
index 000000000..6ecc51348
--- /dev/null
+++ b/ansible/roles/bind/templates/db.internal.j2
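Review bot: Commenting out `- role: prometheus/node_exporter` drops the role from the play but does not remove node_exporter from nodes that already received it, so those hosts keep an exporter that Ansible no longer manages or updates. If the intent is to stop collecting node metrics, a removal task or a role variable that disables the service would leave the fleet in a known state; if it is temporary, a `# TODO(<ticket>): re-enable node_exporter` comment with the reason would tell the next reader why. Deleting the line outright is cleaner than leaving a commented-out entry in the role list.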
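Review bot: `no_log: true` on `Include secrets` hides the load of `key_internal`, but the value is then rendered by the `Update /etc/bind/named.conf.options file` task just below, which carries no `no_log`, so a run with `--diff` or at higher verbosity prints the TSIG secret in the template diff; add `diff: false` (or `no_log: true`) to that template task. `include_vars: key.enc.yml` resolves against the role's `vars/` directory, and git records that file as binary in this commit, which suggests it is not a plain ansible-vault text file — whatever encrypts it must be unlocked on the controller that runs this play, or the include fails. The template task's body continues outside this hunk.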
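Review bot: The `Create zone file /etc/bind/db.internal` task re-templates a zone that `named.conf.internal` opens for dynamic updates, so every later playbook run overwrites the records external-dns has added and can leave BIND's journal for the zone out of step with the file; add `force: false` so the template only seeds a missing zone file, or freeze and thaw the zone around the copy. The three `mode: 0644` values are unquoted octal literals that PyYAML reads as the integer 420 — quote them as `mode: "0644"`, as ansible-lint's risky-octal rule asks, for all three tasks. `validate: /usr/bin/named-checkconf %s` on `named.conf.internal` checks the fragment in isolation while the fragment references `key kube-cluster.internal.`, which is only defined in `named.conf.options`, so the check may reject the file; worth confirming on a host before relying on it.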
@@ -0,0 +1,32 @@
+$ORIGIN .
+$TTL 60 ; 1 minute
+internal IN SOA ns1.internal. admin.internal. (
+ 2014 ; serial
+ 604800 ; refresh (1 week)
+ 86400 ; retry (1 day)
+ 2419200 ; expire (4 weeks)
+ 604800 ; minimum (1 week)
+ )
+ NS ns1.internal.
+ NS ns2.internal.
+$ORIGIN internal.
+$TTL 60 ; 1 minute
+ns1 A 10.0.2.26
+ns2 A 10.0.2.26
+server A 10.0.2.26
+jenkins CNAME server
+registry CNAME server
+kube-cluster CNAME server
+ingress CNAME kube-cluster
+jenkins-agent A 10.0.2.37
+registry CNAME server
+vault CNAME server
+prometheus A 10.0.2.14
+grafana CNAME prometheus
+master-node1 A 10.0.2.34
+worker-node1 A 10.0.2.32
+worker-node2 A 10.0.2.33
+kube-state-metrics A 10.0.2.32
+ A 10.0.2.33
+hello-kubernetes A 10.0.2.32
+ A 10.0.2.33
diff --git a/ansible/roles/bind/templates/named.conf.internal.j2 b/ansible/roles/bind/templates/named.conf.internal.j2
new file mode 100644
index 000000000..095d94a9b
--- /dev/null
+++ b/ansible/roles/bind/templates/named.conf.internal.j2
@@ -0,0 +1,14 @@
+// DNS zone internal
+
+zone "internal" IN {
+ type master;
+ file "/etc/bind/db.internal"; // path to zone file
+
+ allow-transfer {
+ key kube-cluster.internal.;
+ };
+
+ update-policy {
+ grant kube-cluster.internal. zonesub ANY;
+ };
+};
diff --git a/ansible/roles/bind/templates/named.conf.options.j2 b/ansible/roles/bind/templates/named.conf.options.j2
index a156e14b7..424a63343 100644
--- a/ansible/roles/bind/templates/named.conf.options.j2
+++ b/ansible/roles/bind/templates/named.conf.options.j2
@@ -1,3 +1,8 @@
+controls {
+ inet {{ ansible_default_ipv4.address }} port 953 allow { 10.0.0.0/8; } keys { "kube-cluster.internal."; };
+// inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
+};
+
 acl "trusted" {
 localhost;
 10.0.0.0/8;
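Review bot: `registry CNAME server` appears twice in the zone (once after `jenkins`, again after `jenkins-agent`), and `ns1` and `ns2` both point at 10.0.2.26, so the second NS record advertises redundancy that does not exist; drop the duplicate CNAME and either give `ns2` a real second host or remove it. The file is a `.j2` template with no template expressions, so every address is hard-coded here while the same 10.0.2.26 is also written into resolv.conf, the CoreDNS ConfigMap and the test script in this commit — a role variable rendered here would keep them in step. Because `named.conf.internal` opens this zone for dynamic updates, BIND rewrites the file and manages the serial itself; a comment such as `; seed file only - BIND rewrites this zone after dynamic updates` at the top would stop the next maintainer from editing it by hand.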
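Review bot: `grant kube-cluster.internal. zonesub ANY;` lets the holder of the external-dns TSIG key add or replace any record type under `internal` — on my reading of the zonesub rule that includes the apex NS set — which is far more than external-dns writes; external-dns needs A, AAAA, CNAME and TXT, so `grant kube-cluster.internal. zonesub A AAAA CNAME TXT;` keeps the grant to what the client uses. The key is referenced here but defined in `named.conf.options.j2`, so this fragment only parses after that file has been read; a comment `// key kube-cluster.internal. is defined in named.conf.options` would make the dependency visible. The zone-level `allow-transfer { key kube-cluster.internal.; }` is the tighter of the two transfer ACLs in this commit and overrides the global `10.0.0.0/8` one for this zone, which is worth stating in the `// DNS zone internal` header.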
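Review bot: The `controls` block binds rndc to the host's default IPv4 address for the whole of 10.0.0.0/8 and authenticates it with `kube-cluster.internal.` — the same TSIG key external-dns holds inside the cluster — so anyone who can read that Kubernetes secret can also stop, flush or reload the server, not just update the `internal` zone. Keep the commented-out loopback line with a dedicated `rndc-key` as the active control channel and reserve the kube-cluster key for updates; the local `rndc` on the host presumably reads its own key file, so confirm that `rndc` (and the service stop path) still works after this change. If remote rndc is genuinely needed, a separate key and an `allow` list narrower than 10.0.0.0/8 limit what a leaked update key can do.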
@@ -5,20 +10,29 @@ acl "trusted" {
 192.168.0.0/16;
 };
+// For external-dns
+key kube-cluster.internal. {
+ algorithm hmac-sha256;
+ secret "{{ key_internal }}";
+};
+
 options {
 directory "/var/cache/bind";
+ listen-on port 53 { 127.0.0.1; {% for ip in ansible_all_ipv4_addresses %}{{ ip }}; {% endfor %}};
+
 recursion yes;
 auth-nxdomain yes;
 allow-query { trusted; };
 forwarders {
- 192.168.0.1; 8.8.8.8;
+ 192.168.1.254; 8.8.8.8;
 };
 allow-transfer { 10.0.0.0/8; }; // Used by external-dns in Kubernetes
 dnssec-validation auto;
+ dnssec-must-be-secure internal no;
 listen-on-v6 { any; };
 };
diff --git a/ansible/roles/bind/vars/key.enc.yml b/ansible/roles/bind/vars/key.enc.yml
new file mode 100644
index 000000000..bd40efc94
Binary files /dev/null and b/ansible/roles/bind/vars/key.enc.yml differ
diff --git a/ansible/roles/jenkins_agent/defaults/main.yml b/ansible/roles/jenkins_agent/defaults/main.yml
index 3144c1eae..1e5bdfa92 100644
--- a/ansible/roles/jenkins_agent/defaults/main.yml
+++ b/ansible/roles/jenkins_agent/defaults/main.yml
@@ -11,7 +11,7 @@ jenkins_service_name: jenkins-agent.service
 jenkins_master_host: jenkins.internal
 jenkins_master_port: 8443
 jenkins_master_scheme: https
-jenkins_remoting_version: 3198.v03a_401881f3e
+jenkins_remoting_version: 3256.v88a_f6e922152
 jenkins_remoting_package: remoting-{{ jenkins_remoting_version }}.jar
 jenkins_remoting_url: https://repo.jenkins-ci.org/public/org/jenkins-ci/main/remoting/{{ jenkins_remoting_version }}/{{ jenkins_remoting_package }}
diff --git a/ansible/roles/resolv/files/resolv.conf b/ansible/roles/resolv/files/resolv.conf
index 5cb9b6eec..0291604cc 100644
--- a/ansible/roles/resolv/files/resolv.conf
+++ b/ansible/roles/resolv/files/resolv.conf
@@ -1,2 +1,2 @@
 search internal
-nameserver 10.0.2.4
+nameserver 10.0.2.26
diff --git a/ansible/roles/trivy/defaults/main.yml b/ansible/roles/trivy/defaults/main.yml
index 3c22cba79..518effb88 100644
--- a/ansible/roles/trivy/defaults/main.yml
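Review bot: The `key kube-cluster.internal.` stanza embeds the TSIG secret in named.conf.options, a file the `Update /etc/bind/named.conf.options file` task renders with a mode that is outside the visible hunks; BIND's usual practice is to keep key material in a separate file `include`d from here and deployed `0640` root:bind, which also keeps the secret out of any `--diff` output for the options template. `listen-on port 53 { 127.0.0.1; {% for ip in ansible_all_ipv4_addresses %}{{ ip }}; {% endfor %}};` enumerates every IPv4 address on the host, which is what `listen-on port 53 { any; };` already expresses without a template that changes whenever an address is added. `dnssec-must-be-secure` has, to my recollection, been marked deprecated in recent BIND 9 releases — worth checking the installed version before relying on it.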
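Review bot: The file still lists a single `nameserver 10.0.2.26`, so every host that gets this resolv.conf loses all name resolution — external names as well as `search internal` lookups — whenever that one server is down or being restarted by the bind role's `restart bind` handler. A second `nameserver` line gives glibc a fallback at least for external names (a second BIND instance, if `ns2` is ever given its own host, would cover `internal` too), and `options timeout:1 attempts:2` keeps the failover quick.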
+++ b/ansible/roles/trivy/defaults/main.yml
@@ -1,3 +1,3 @@
 ---
-trivy_version: 0.53.0
+trivy_version: 0.54.1
diff --git a/pipelines/dockerfiles/consul-template/Makefile b/pipelines/dockerfiles/consul-template/Makefile
index ee7da0058..c37c53064 100644
--- a/pipelines/dockerfiles/consul-template/Makefile
+++ b/pipelines/dockerfiles/consul-template/Makefile
@@ -5,7 +5,7 @@ EXECUTABLES = docker
 K := $(foreach exec,$(EXECUTABLES),\
 $(if $(shell command -v $(exec) 2> /dev/null),some string,$(error "No $(exec) in PATH")))
-VERSION=0.39.0
+VERSION=0.39.1
 .PHONY: all login build scan tag push clean
 default: build tag push
diff --git a/pipelines/kubernetes/bootstrap/1.0_update_coredns/Makefile b/pipelines/kubernetes/bootstrap/1.0_update_coredns/Makefile
index 9019d8dda..3fd7d3724 100644
--- a/pipelines/kubernetes/bootstrap/1.0_update_coredns/Makefile
+++ b/pipelines/kubernetes/bootstrap/1.0_update_coredns/Makefile
@@ -8,7 +8,8 @@ EXECUTABLES = kubeconform kubectl
 K := $(foreach exec,$(EXECUTABLES),\
 $(if $(shell command -v $(exec) 2> /dev/null),some string,$(error "No $(exec) in PATH")))
-.PHONY: validate apply diff
+.PHONY: all validate apply diff
+all: validate apply test
 validate:
 mkdir -p /tmp/kubeconform
diff --git a/pipelines/kubernetes/bootstrap/1.0_update_coredns/coredns_cm.yaml b/pipelines/kubernetes/bootstrap/1.0_update_coredns/coredns_cm.yaml
index f97cad3b8..5832e0372 100644
--- a/pipelines/kubernetes/bootstrap/1.0_update_coredns/coredns_cm.yaml
+++ b/pipelines/kubernetes/bootstrap/1.0_update_coredns/coredns_cm.yaml
@@ -10,7 +10,7 @@ data:
 internal:53 {
 errors
 cache 10
- forward . 10.0.2.4:53 {
+ forward . 10.0.2.26:53 {
 prefer_udp
 }
 }
diff --git a/pipelines/kubernetes/bootstrap/1.0_update_coredns/coredns_tests.sh b/pipelines/kubernetes/bootstrap/1.0_update_coredns/coredns_tests.sh
index 85e6b44b6..3880d4cfa 100755
--- a/pipelines/kubernetes/bootstrap/1.0_update_coredns/coredns_tests.sh
+++ b/pipelines/kubernetes/bootstrap/1.0_update_coredns/coredns_tests.sh
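Review bot: `all: validate apply test` depends on a `test` target that is missing from the updated `.PHONY: all validate apply diff` line and is not defined within this hunk; if `test` is a phony rule (presumably it runs coredns_tests.sh), a file or directory named `test` in this directory would silently satisfy it and skip the checks, so list it: `.PHONY: all validate apply diff test`. `all` also runs `apply` before `test`, so a failing test leaves the new ConfigMap already applied to the cluster; that ordering may be intended for a post-deploy smoke test, but a comment on the `all` line saying so would help the next reader.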
@@ -22,9 +22,9 @@ test_CoreDnsCheckLocalDomainConfigured() {
 }
 test_CoreDnsCanResolveInternal() {
- local HOST='centos7.internal'
+ local HOST='server.internal'
 result=`kubectl exec busybox -- nslookup -type=a ${HOST} | tail -n +2 | grep Address | awk '{print $2}'`
- assertContains "CoreDNS can resolve ${HOST}" "${result}" '10.0.2.4'
+ assertContains "CoreDNS can resolve ${HOST}" "${result}" '10.0.2.26'
 }
 test_CoreDnsCanResolveVault() {
diff --git a/pipelines/kubernetes/bootstrap/3.3_external_dns/helmfile.yaml b/pipelines/kubernetes/bootstrap/3.3_external_dns/helmfile.yaml
index c723191e7..502e9fd4a 100644
--- a/pipelines/kubernetes/bootstrap/3.3_external_dns/helmfile.yaml
+++ b/pipelines/kubernetes/bootstrap/3.3_external_dns/helmfile.yaml
@@ -22,7 +22,7 @@ releases:
 - ingress
 provider: rfc2136
 extraArgs:
- - --rfc2136-host=centos7.internal
+ - --rfc2136-host=server.internal
 - --rfc2136-port=53
 - --rfc2136-zone=internal
 - --rfc2136-tsig-keyname=kube-cluster.internal.
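Review bot: The test now hard-codes `10.0.2.26` for `server.internal`, the same address this commit also writes into the zone file, resolv.conf and the CoreDNS ConfigMap, so the next address change is four edits with nothing to flag a missed one; reading the expected value from an environment variable with a default, e.g. `local EXPECTED_IP="${INTERNAL_DNS_IP:-10.0.2.26}"` (name constructed here), keeps the test and the pipeline in step. The `result=` line between the changed lines assigns a global from a backtick substitution; `local result=$(kubectl exec busybox -- nslookup -type=a "${HOST}" | tail -n +2 | grep Address | awk '{print $2}')` keeps it function-scoped and quotes `${HOST}`. The new `assertContains` line also only checks that the address appears somewhere in the output, so a stale record returned alongside the new one would still pass.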