- Helm chart: Primary и Secondary Deployment, kube-vip LoadBalancer сервисы (UDP+TCP :53), ClusterIP для Web UI, PVC (ReadWriteOnce), Secret, Ingress
- CronJob sync (*/5 мин): Python sync.py опрашивает Technitium REST API, создаёт Secondary зоны на secondary и вызывает forceSyncZone для каждой зоны
- ExternalDNS (disabled по умолчанию): RFC 2136 DDNS для автоматических DNS-записей из Ingress
- Ansible role: validate, namespace, Helm deploy, cleanup secrets, summary с Keenetic-инструкцией
- Интеграция: Makefile, playbooks/addons.yml, group_vars/all/addons.yml, vault.yml.example
- README с архитектурой, Keenetic-конфигурацией и troubleshooting
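# Primary Technitium DNS server Deployment.
# Runs as a single replica with the Recreate strategy because its data PVC is
# ReadWriteOnce. A separate Deployment carries component label "secondary";
# the anti-affinity below refers to it so both servers avoid sharing a node.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "technitium-dns.name" . }}-primary
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "technitium-dns.labels" . | nindent 4 }}
    app.kubernetes.io/component: primary
spec:
  # Exactly one primary: zone data lives on a ReadWriteOnce PVC.
  replicas: 1
  # Recreate is required for ReadWriteOnce PVCs — ensures the old pod is fully
  # terminated before the new pod mounts the volume.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      {{- include "technitium-dns.selectorLabels" . | nindent 6 }}
      app.kubernetes.io/component: primary
  template:
    metadata:
      labels:
        {{- include "technitium-dns.selectorLabels" . | nindent 8 }}
        app.kubernetes.io/component: primary
    spec:
      {{- if .Values.primary.nodeName }}
      # Hard pin to a specific node.
      nodeSelector:
        kubernetes.io/hostname: {{ .Values.primary.nodeName | quote }}
      {{- else }}
      # Soft anti-affinity: prefer a different node than the secondary so a
      # single node failure does not take down both DNS servers at once.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    {{- include "technitium-dns.selectorLabels" . | nindent 20 }}
                    app.kubernetes.io/component: secondary
                topologyKey: kubernetes.io/hostname
      {{- end }}
      # NOTE(review): no securityContext is set. The container binds port 53,
      # so it presumably needs root or NET_BIND_SERVICE — confirm against the
      # image before adding runAsNonRoot / capability drops.
      containers:
        - name: dns
          # Quoted so the rendered image reference is always a string, even
          # when the tag renders to something number-like (e.g. "13.0").
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          ports:
            - name: dns-udp
              containerPort: 53
              protocol: UDP
            - name: dns-tcp
              containerPort: 53
              protocol: TCP
            - name: web-ui
              containerPort: 5380
              protocol: TCP
          env:
            # Set admin password on first boot (stored in config after that).
            # Read from the chart Secret, never from values.
            - name: DNS_SERVER_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ include "technitium-dns.name" . }}-secret
                  key: adminPassword
            - name: DNS_SERVER_DOMAIN
              value: {{ printf "dns1.%s" .Values.dns.domain | quote }}
            # Upstream forwarders for queries outside managed zones
            - name: DNS_SERVER_FORWARDERS
              value: {{ .Values.dns.forwarders | join "," | quote }}
            - name: DNS_SERVER_RECURSION
              value: {{ .Values.dns.recursion | quote }}
            # Listen on all IPv4 addresses, port 53.
            - name: DNS_SERVER_LOCAL_END_POINTS
              value: "0.0.0.0:53"
          volumeMounts:
            - name: data
              mountPath: /etc/dns
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          # Probes target the web UI by its named port so they cannot drift
          # from the containerPort declared above.
          readinessProbe:
            httpGet:
              path: /
              port: web-ui
            initialDelaySeconds: 20
            periodSeconds: 10
            failureThreshold: 3
          livenessProbe:
            httpGet:
              path: /
              port: web-ui
            initialDelaySeconds: 45
            periodSeconds: 20
            failureThreshold: 3
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: {{ include "technitium-dns.name" . }}-primary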