Add new infra architecture 8

2026-01-19 22:28:53 +01:00
parent 012aca0d6a
commit 52b8abdc0e
18 changed files with 810 additions and 148 deletions
--- a/infrastructure/platform/networking/dns/unbound-helm/dev/values.yaml
+++ b/infrastructure/platform/networking/dns/unbound-helm/dev/values.yaml
@@ -33,4 +33,32 @@ probes:
  liveness:
    initialDelaySeconds: 30
    periodSeconds: 60
-    command: "drill @127.0.0.1 -p 53 example.org || echo 'DNS query test'"
+    command: "drill @127.0.0.1 -p 53 example.org || echo 'DNS query test'"
+
+# Custom Unbound forward records for Kubernetes DNS
+config:
+  enabled: true
+  # The mvance/unbound image includes forward-records.conf
+  # We need to add Kubernetes-specific forwarding zones
+  forwardRecords: |
+    # Forward all queries to Cloudflare with DNSSEC (catch-all)
+    forward-zone:
+        name: "."
+        forward-tls-upstream: yes
+        forward-addr: 1.1.1.1@853#cloudflare-dns.com
+        forward-addr: 1.0.0.1@853#cloudflare-dns.com
+
+  # Additional server config to mark cluster.local as insecure (no DNSSEC)
+  # and use stub zones for Kubernetes internal DNS (more reliable than forward)
+  serverConfig: |
+    domain-insecure: "cluster.local."
+    private-domain: "cluster.local."
+    local-zone: "10.in-addr.arpa." nodefault
+
+    stub-zone:
+        name: "cluster.local."
+        stub-addr: 10.96.0.10
+
+    stub-zone:
+        name: "10.in-addr.arpa."
+        stub-addr: 10.96.0.10
--- a/infrastructure/platform/networking/dns/unbound-helm/templates/configmap.yaml
+++ b/infrastructure/platform/networking/dns/unbound-helm/templates/configmap.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.config.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "unbound.fullname" . }}-config
+  namespace: {{ .Values.global.namespace }}
+  labels:
+    {{- include "unbound.labels" . | nindent 4 }}
+data:
+  {{- if .Values.config.forwardRecords }}
+  forward-records.conf: |
+{{ .Values.config.forwardRecords | indent 4 }}
+  {{- end }}
+  {{- if .Values.config.serverConfig }}
+  a-records.conf: |
+{{ .Values.config.serverConfig | indent 4 }}
+  {{- end }}
+  {{- if .Values.config.content }}
+  unbound.conf: |
+{{ .Values.config.content | indent 4 }}
+  {{- end }}
+{{- end }}
--- a/infrastructure/platform/networking/dns/unbound-helm/templates/deployment.yaml
+++ b/infrastructure/platform/networking/dns/unbound-helm/templates/deployment.yaml
@@ -61,18 +61,40 @@ spec:
          {{- end }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
-          {{- with .Values.volumeMounts }}
          volumeMounts:
+            {{- if .Values.config.enabled }}
+            {{- if .Values.config.forwardRecords }}
+            - name: unbound-config
+              mountPath: /opt/unbound/etc/unbound/forward-records.conf
+              subPath: forward-records.conf
+            {{- end }}
+            {{- if .Values.config.serverConfig }}
+            - name: unbound-config
+              mountPath: /opt/unbound/etc/unbound/a-records.conf
+              subPath: a-records.conf
+            {{- end }}
+            {{- if .Values.config.content }}
+            - name: unbound-config
+              mountPath: /opt/unbound/etc/unbound/unbound.conf
+              subPath: unbound.conf
+            {{- end }}
+            {{- end }}
+            {{- with .Values.volumeMounts }}
            {{- toYaml . | nindent 12 }}
-          {{- end }}
+            {{- end }}
          {{- with .Values.env }}
          env:
            {{- toYaml . | nindent 12 }}
          {{- end }}
-      {{- with .Values.volumes }}
      volumes:
+        {{- if .Values.config.enabled }}
+        - name: unbound-config
+          configMap:
+            name: {{ include "unbound.fullname" . }}-config
+        {{- end }}
+        {{- with .Values.volumes }}
        {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
--- a/infrastructure/platform/networking/ingress/base/ingress.yaml
+++ b/infrastructure/platform/networking/ingress/base/ingress.yaml
@@ -33,6 +33,7 @@ spec:
  - hosts:
    - DOMAIN_PLACEHOLDER  # To be replaced by kustomize
    - gitea.DOMAIN_PLACEHOLDER  # To be replaced by kustomize
+    - registry.DOMAIN_PLACEHOLDER  # To be replaced by kustomize
    - mail.DOMAIN_PLACEHOLDER  # To be replaced by kustomize
    secretName: TLS_SECRET_PLACEHOLDER  # To be replaced by kustomize
  rules:
@@ -65,6 +66,19 @@ spec:
            name: gitea-http
            port:
              number: 3000
+  # Gitea Container Registry route
+  # NOTE: Gitea's container registry is served on the same HTTP port (3000) under /v2/
+  # It does NOT run on a separate port - the registry.PORT config is not used for external access
+  - host: registry.DOMAIN_PLACEHOLDER  # To be replaced by kustomize
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: gitea-http  # Service created by Gitea Helm chart
+            port:
+              number: 3000  # Same as HTTP port - registry is at /v2/ path
  # Mail server web interface (webmail and admin)
  - host: mail.DOMAIN_PLACEHOLDER  # To be replaced by kustomize
    http:
--- a/infrastructure/platform/networking/ingress/overlays/dev/gitea-service.yaml
+++ b/infrastructure/platform/networking/ingress/overlays/dev/gitea-service.yaml
@@ -1,3 +1,8 @@
+---
+# Service to route traffic from bakery-ia namespace to Gitea in gitea namespace
+# Using ExternalName pointing to the headless service FQDN
+# The ingress controller can resolve headless services via DNS (returns pod IPs)
+# NOTE: Gitea's container registry is served on port 3000 (same as HTTP) at /v2/ path
 apiVersion: v1
 kind: Service
 metadata:
@@ -5,7 +10,9 @@ metadata:
  namespace: bakery-ia
 spec:
  type: ExternalName
+  # Use the headless service DNS name - nginx ingress resolves this to pod IPs
  externalName: gitea-http.gitea.svc.cluster.local
  ports:
-    - port: 3000
+    - name: http
+      port: 3000
      targetPort: 3000
--- a/infrastructure/platform/networking/ingress/overlays/dev/kustomization.yaml
+++ b/infrastructure/platform/networking/ingress/overlays/dev/kustomization.yaml
@@ -20,7 +20,10 @@ patches:
        value: gitea.bakery-ia.local
      - op: replace
        path: /spec/tls/0/hosts/2
-        value: mail.bakery-ia.local
+        value: registry.bakery-ia.local
+      - op: replace
+        path: /spec/tls/0/hosts/3
+        value: mail.bakery-ia.dev
      - op: replace
        path: /spec/tls/0/secretName
        value: bakery-dev-tls-cert
@@ -32,7 +35,10 @@ patches:
        value: gitea.bakery-ia.local
      - op: replace
        path: /spec/rules/2/host
-        value: mail.bakery-ia.local
+        value: registry.bakery-ia.local
+      - op: replace
+        path: /spec/rules/3/host
+        value: mail.bakery-ia.dev
      - op: replace
        path: /metadata/annotations/nginx.ingress.kubernetes.io~1cors-allow-origin
-        value: "https://localhost,https://localhost:3000,https://localhost:3001,https://127.0.0.1,https://127.0.0.1:3000,https://127.0.0.1:3001,https://bakery-ia.local,http://localhost,http://localhost:3000,http://localhost:3001,http://127.0.0.1,http://127.0.0.1:3000"
+        value: "https://localhost,https://localhost:3000,https://localhost:3001,https://127.0.0.1,https://127.0.0.1:3000,https://127.0.0.1:3001,https://bakery-ia.local,https://registry.bakery-ia.local,https://gitea.bakery-ia.local,http://localhost,http://localhost:3000,http://localhost:3001,http://127.0.0.1,http://127.0.0.1:3000"