From 4e6a0b310559b8a695f9c4b44c5d9f7709bafcb6 Mon Sep 17 00:00:00 2001
From: Lumpiasty
Date: Tue, 4 Feb 2025 04:41:59 +0100
Subject: [PATCH] Separate dns deployment for world-facing dns

---
 infra/dns/Makefile | 2 +-
 infra/dns/proxy.yml | 158 ++++++++++++++++++++++++++++++++++++++++++++
 infra/dns/svc.yml | 6 +-
 3 files changed, 161 insertions(+), 5 deletions(-)
 create mode 100644 infra/dns/proxy.yml

diff --git a/infra/dns/Makefile b/infra/dns/Makefile
index f79eb57..8533b5a 100644
--- a/infra/dns/Makefile
+++ b/infra/dns/Makefile
@@ -1,2 +1,2 @@
 install:
- kubectl apply -f svc.yml
\ No newline at end of file
+ kubectl apply -f proxy.yml -f svc.yml
\ No newline at end of file
diff --git a/infra/dns/proxy.yml b/infra/dns/proxy.yml
new file mode 100644
index 0000000..3750ed6
--- /dev/null
+++ b/infra/dns/proxy.yml
@@ -0,0 +1,158 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: coredns-external
+ namespace: kube-system
+data:
+ Corefile: |-
+ .:53 {
+ # Filter out anything IPv4 related
+ view external {
+ expr type() in ['AAAA', 'SRV', 'PTR']
+ expr not hasSuffix(name(), '.in-addr.arpa.')
+ }
+ errors
+ health {
+ lameduck 5s
+ }
+ ready
+ log . {
+ class error
+ }
+ # Exposes kubernetes domain names under homelab.lumpiasty.xyz
+ # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
+ kubernetes homelab.lumpiasty.xyz ip6.arpa {
+ pods insecure
+ endpoint_pod_names
+ ttl 30
+ }
+ # Exposes loadbalancer domain names under lb.homelab.lumpiasty.xyz
+ k8s_external lb.homelab.lumpiasty.xyz {
+ ttl 30
+ }
+ # Cache results to reduce stress on apiserver
+ cache 30 {
+ disable success homelab.lumpiasty.xyz
+ disable denial homelab.lumpiasty.xyz
+ }
+ reload
+ loadbalance
+ }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ k8s-app: kube-dns-external
+ kubernetes.io/name: CoreDNS
+ name: coredns-external
+ namespace: kube-system
+spec:
+ progressDeadlineSeconds: 600
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ k8s-app: kube-dns-external
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 1
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ k8s-app: kube-dns-external
+ spec:
+ subdomain: kube-dns-external
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: k8s-app
+ operator: In
+ values:
+ - kube-dns
+ topologyKey: kubernetes.io/hostname
+ weight: 100
+ containers:
+ - args:
+ - -conf
+ - /etc/coredns/Corefile
+ env:
+ - name: GOMEMLIMIT
+ value: 161MiB
+ image: registry.k8s.io/coredns/coredns:v1.12.0
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 5
+ httpGet:
+ path: /health
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 60
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ name: coredns
+ ports:
+ - containerPort: 53
+ name: dns
+ protocol: UDP
+ - containerPort: 53
+ name: dns-tcp
+ protocol: TCP
+ - containerPort: 9153
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ready
+ port: 8181
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ memory: 170Mi
+ requests:
+ cpu: 100m
+ memory: 70Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /etc/coredns
+ name: config-volume
+ readOnly: true
+ dnsPolicy: Default
+ nodeSelector:
+ kubernetes.io/os: linux
+ priorityClassName: system-cluster-critical
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ serviceAccount: coredns
+ tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ - effect: NoSchedule
+ key: node.cloudprovider.kubernetes.io/uninitialized
+ operator: Exists
+ volumes:
+ - configMap:
+ defaultMode: 420
+ items:
+ - key: Corefile
+ path: Corefile
+ name: coredns-external
+ name: config-volume
diff --git a/infra/dns/svc.yml b/infra/dns/svc.yml
index a2d8ebc..b60e86e 100644
--- a/infra/dns/svc.yml
+++ b/infra/dns/svc.yml
@@ -6,11 +6,9 @@ metadata:
 spec:
 type: LoadBalancer
 externalTrafficPolicy: Local
- ipFamilyPolicy: SingleStack
- ipFamilies:
- - IPv6
+ ipFamilyPolicy: RequireDualStack
 selector:
- k8s-app: kube-dns
+ k8s-app: kube-dns-external
 ports:
 - name: dns
 port: 53
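Review bot: The `kubernetes homelab.lumpiasty.xyz ip6.arpa { pods insecure ... endpoint_pod_names ... }` stanza in the new Corefile publishes pod-level records on the server this commit describes as world-facing: per the CoreDNS kubernetes plugin docs, `pods insecure` synthesizes an address record for any IP-shaped pod name without checking that the pod exists, `endpoint_pod_names` places pod names in endpoint records, and claiming all of `ip6.arpa` lets any outside client walk reverse lookups for every pod and service address the plugin knows. If only service names need to be resolvable from outside, `pods disabled` (or simply dropping the line, since `disabled` is the plugin default) and removing `endpoint_pod_names` closes that off, and the reverse zone could be narrowed to the cluster's actual IPv6 prefix instead of the whole `ip6.arpa` tree. Whichever way it is decided, a comment above the stanza such as `# Pod records are deliberately served to the public; see <ticket>` or `# Service records only: pod enumeration is not exposed` would record that it was a choice rather than a default left in. Separately, the container declares a `metrics` port 9153 but the Corefile has no `prometheus` plugin, so nothing listens there; either add `prometheus :9153` to the server block or drop that port entry.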
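Review bot: Replacing `ipFamilies: [IPv6]` with `ipFamilyPolicy: RequireDualStack` makes the Service fail admission on a cluster that is not dual-stack enabled, where the previous spec was accepted; if the intent is "IPv6 always, IPv4 where the cluster offers it", `ipFamilyPolicy: PreferDualStack` degrades gracefully instead of rejecting. It also opens the public listener to IPv4 clients, while the proxy.yml `view` only drops queries by record type, so the `# Filter out anything IPv4 related` comment there is easy to misread as a transport restriction; a line here such as `# Dual-stack LB: IPv4 clients are accepted, only A/in-addr.arpa queries are refused by the Corefile view` would make the actual exposure explicit. The Service's metadata (including its namespace) lies outside this hunk, and the new selector `k8s-app: kube-dns-external` only matches pods in the Service's own namespace, so the Service has to be in kube-system alongside the coredns-external Deployment for this to select anything.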