code review

.dockerignore

@@ -0,0 +1,3 @@
+**/.*
+**/*.md
+**/*.yml

.gitignore

@@ -1 +1,2 @@
 *secret*
+node.yml

Readme.md

@@ -7,7 +7,6 @@ kubectl create -f cloudflare-secret.yml
 # kubectl get secrets
 # kubectl get secret cloudflare -o yaml
 
-
 kubectl create -f acme-init-job.yml
 kubectl create -f kube/dnscrypt-init-job.yml
 ```
@@ -29,3 +28,42 @@ kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/master/
 # or
 minikube dashboard
 ```
+
+Debugging
+
+```sh
+kubectl get nodes
+kubectl get jobs
+kubectl get deployments
+kubectl get services
+kubectl get pods -o wide
+kubectl get all -l app=dns-server
+
+## SSH into the container/pod
+export POD_NAME=$(kubectl get pods -o go-template --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}')
+kubectl exec -ti $POD_NAME sh
+
+## SSH into a new neighbouring container/pod
+kubectl run busybox -it --image=busybox --restart=Never --rm
+kubectl run alpine -it --image=alpine --restart=Never --rm
+
+minikube ssh
+
+kubectl logs deployment/nsd
+kubectl describe deployment/nsd
+```
+
+Build docker images
+
+```sh
+docker build -t publicarray/nsd nsd/
+docker build -t publicarray/unbound unbound/
+docker build -t publicarray/doh-proxy doh-proxy/
+docker build -t publicarray/haproxy haproxy/
+docker build -t publicarray/dnscrypt-wrapper dnscrypt-wrapper/
+docker images
+docker push publicarray/unbound
+
+docker run --rm --name myunbound -it publicarray/unbound sh
+docker run -p 5300:53/udp -v (pwd)/unbound/unbound.conf:/etc/unbound/unbound.conf:ro --name myunbound publicarray/unbound
+```

doh-proxy/Dockerfile

@@ -30,6 +30,6 @@ EXPOSE 3000/udp 3000/tcp
 
 RUN doh-proxy --version
 
-CMD ["/sbin/runsvdir -P /etc/service"]
+CMD ["-u 9.9.9.9:53"]
 
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["/usr/local/bin/doh-proxy"]

doh-proxy/doh-proxy-deployment.yml

@@ -17,6 +17,6 @@ spec:
       containers:
         - env:
           image: publicarray/doh-proxy
-          name: ssl-keys
+          name: doh-proxy
           command: ["/entrypoint.sh"]
       restartPolicy: Always

haproxy/Dockerfile

@@ -29,7 +29,7 @@ RUN set -x && \
 #------------------------------------------------------------------------------#
 FROM alpine:latest
 
-ENV HAPROXY_RUN_DEPS openssl runit shadow
+ENV HAPROXY_RUN_DEPS openssl shadow
 
 RUN apk add --no-cache $HAPROXY_RUN_DEPS
 
@@ -50,6 +50,6 @@ EXPOSE 443/udp 443/tcp
 
 RUN haproxy -v
 
-CMD ["/sbin/runsvdir -P /etc/service"]
+CMD ["-f /etc/haproxy.conf"]
 
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["/usr/local/sbin/haproxy"]

haproxy/haproxy-deployment.yml

@@ -12,20 +12,21 @@ spec:
   template:
     metadata:
       labels:
-        component: dns-server
+        app: dns-server
+        component: haproxy
         service: haproxy
     spec:
       containers:
         - env:
           image: publicarray/haproxy
-          name: ssl-keys
+          name: haproxy
           volumeMounts:
             - name: ssl-keys
               mountPath: /opt/ssl-keys
           command: ["/entrypoint.sh"]
-          resources:
-            requests:
-              memory: "1Gi"
+          # resources:
+          #   requests:
+          #     memory: "1Gi"
       restartPolicy: Always
       volumes:
         - name: ssl-keys

haproxy/haproxy-srv.yml

@@ -9,6 +9,7 @@ spec:
       port: 453
       targetPort: 453
   selector:
+    application: dns-server
     service: haproxy
   type: LoadBalancer
   loadBalancerIP: 0.0.0.0
@@ -24,6 +25,7 @@ spec:
       port: 453
       targetPort: 453
   selector:
+    application: dns-server
     service: haproxy
   type: LoadBalancer
   loadBalancerIP: 0.0.0.0

namespace.yml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespce
+metadata:
+   name: dns

nsd/Dockerfile

@@ -25,7 +25,7 @@ RUN set -x && \
 #------------------------------------------------------------------------------#
 FROM alpine:latest
 
-ENV NSD_RUN_DEPS libressl libevent runit shadow
+ENV NSD_RUN_DEPS libressl libevent shadow
 
 RUN apk add --no-cache $NSD_RUN_DEPS
 
@@ -52,6 +52,6 @@ EXPOSE 552/udp 552/tcp
 
 RUN nsd -v
 
-CMD ["/sbin/runsvdir -P /etc/service"]
+CMD ["-d"]
 
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["/usr/local/sbin/nsd"]

nsd/nsd-deployment.yml

@@ -0,0 +1,27 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  namespace: default
+  labels:
+    service: nsd
+  name: nsd
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: dns-server
+        component: nsd
+        service: nsd
+    spec:
+      containers:
+        - env:
+          image: publicarray/nsd
+          name: nsd
+          command: ["/entrypoint.sh"]
+          resources:
+            requests:
+              memory: "1Gi"
+      restartPolicy: Always

nsd/nsd-srv.yml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nsd-tcp
+  namespace: default
+spec:
+  ports:
+    - protocol: TCP
+      port: 552
+      targetPort: 53
+  selector:
+    application: dns-server
+    service: nsd
+  type: ClusterIP
+  # clusterIP: 192.168.99.100
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nsd-udp
+  namespace: default
+spec:
+  ports:
+    - protocol: UDP
+      port: 552
+      targetPort: 53
+  selector:
+    application: dns-server
+    service: nsd
+  type: ClusterIP
+  # clusterIP: 192.168.99.100

nsd/nsd.conf

@@ -18,7 +18,8 @@ server:
     # ip-address: 1.2.3.4
     # ip-address: 1.2.3.4@5678
     # ip-address: 12fe::8ef0
-    ip-address: 127.0.0.1
+    # ip-address: 127.0.0.1
+    ip-address: 0.0.0.0
 
     # listen on IPv4 connections
     do-ip4: yes
@@ -27,7 +28,7 @@ server:
     do-ip6: yes
 
     # port to answer queries on. default is 53.
-    port: 552
+    port: 53
 
     # Verbosity level.
     verbosity: 0

unbound/Dockerfile

@@ -1,5 +1,12 @@
 FROM alpine:latest
-MAINTAINER Frank Denis
+MAINTAINER publicarray
+# LABEL org.label-schema.name="unbound"
+# LABEL org.label-schema.vendor="publicarray"
+# LABEL org.label-schema.description=""
+# LABEL org.label-schema.vcs-url="https://github.com/publicarray/dns-resolver-infra"
+# LABEL org.label-schema.version="3.7"
+# LABEL org.label-schema.license="MIT"
+
 ENV SERIAL 7
 
 ENV UNBOUND_BUILD_DEPS make gcc musl-dev libressl-dev libevent-dev expat-dev
@@ -58,7 +65,7 @@ EXPOSE 53/udp 53/tcp
 
 RUN unbound -h || true
 
-CMD ["/sbin/runsvdir -P /etc/service"]
+# CMD [""] --munin
 
 ENTRYPOINT ["/entrypoint.sh"]
 

unbound/entrypoint.sh

@@ -1,8 +1,9 @@
 #!/bin/sh
 # Borrowed from: https://github.com/faisyl/alpine-runit/blob/master/start_runit
-
 set -e
 
+# export > /etc/envvars
+
 if [ $# -eq 0 ]; then
     exec /sbin/runsvdir -P /etc/service
 fi

unbound/unbound-deployment.yml

@@ -0,0 +1,27 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  namespace: default
+  labels:
+    service: unbound
+  name: unbound
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: dns-server
+        component: unbound
+        service: unbound
+    spec:
+      containers:
+        - env:
+          image: publicarray/unbound
+          name: unbound
+          command: ["/entrypoint.sh"]
+          resources:
+            requests:
+              memory: "1Gi"
+      restartPolicy: Always

unbound/unbound.sh

@@ -1,4 +1,5 @@
 #!/bin/sh
 set -e
-
-/usr/local/sbin/unbound -d
+exec 2>&1
+# . /etc/envvars
+exec /usr/local/sbin/unbound -d