# Production-specific values for unbound DNS resolver
# Overrides for the production environment
#
# ARCHITECTURE NOTE:
# Unbound provides the DNSSEC validation required by Mailu (rspamd for DKIM/SPF/DMARC).
# CoreDNS does NOT perform DNSSEC validation, so we need Unbound as a dedicated resolver.
#
# Two deployment options:
# 1. Mailu-only: only Mailu pods use Unbound (via dnsPolicy: None)
#    - CoreDNS forwards to public DNS (8.8.8.8, 1.1.1.1)
#    - Lower resource usage, simpler architecture
#
# 2. Cluster-wide: CoreDNS forwards ALL external queries to Unbound
#    - All pods get DNSSEC validation
#    - Higher resource usage, single point of failure for DNS

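# Use official image for production
# NOTE(review): "latest" is a moving tag - what runs in production changes
# whenever upstream pushes, with no change to this file, and rollbacks are not
# reproducible. Combined with pullPolicy IfNotPresent, different nodes can also
# end up running different "latest" images. Pin to a release tag (or an image
# digest, if the chart exposes one) before relying on this resolver for mail.
image:
  repository: "mvance/unbound"
  tag: "latest"
  pullPolicy: "IfNotPresent"
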
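# Production resource settings - MINIMAL for single-node clusters
# Unbound is very lightweight - DNS queries use minimal CPU
# NOTE(review): the memory limit has to cover the caches configured in
# config.content (msg-cache-size + rrset-cache-size = 96m here); Unbound's
# resident footprint is typically well above the configured cache sizes, so
# watch for OOMKilled restarts before raising those cache values.
resources:
  requests:
    cpu: "50m"
    memory: "64Mi"
  limits:
    cpu: "200m"
    memory: "256Mi"
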
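# Single replica for single-node clusters (saves resources)
# Increase to 2 for multi-node HA deployments (together with the anti-affinity
# stanza below). With one replica every pod restart - including a failed
# liveness probe - interrupts DNS for everything that points at this resolver.
replicaCount: 1

# Production annotations
# Values are quoted on purpose: annotation values must be strings, and a bare
# true would be read as a boolean by generic YAML tooling.
podAnnotations:
  environment: "production"
  critical: "true"
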
# Anti-affinity disabled for single-node clusters
# Uncomment for multi-node HA deployments
# affinity:
#   podAntiAffinity:
#     preferredDuringSchedulingIgnoredDuringExecution:
#       - weight: 100
#         podAffinityTerm:
#           labelSelector:
#             matchExpressions:
#               - key: app.kubernetes.io/name
#                 operator: In
#                 values:
#                   - unbound
#           topologyKey: "kubernetes.io/hostname"

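# Production probe settings (more conservative)
# NOTE: mvance/unbound image does NOT have 'nc' (netcat), use 'drill' instead
# Both probes resolve "localhost" against the local listener only, so they
# check that unbound is up and answering - not that upstream/DoT forwarding
# works. That is the right scope for liveness: an upstream outage must not
# restart the resolver pod.
# NOTE(review): `|| exit 1` only takes effect if the chart runs `command`
# through a shell (sh -c); passed as a plain exec argv the probe fails
# outright. Confirm against the chart's probe template.
probes:
  readiness:
    initialDelaySeconds: 10
    periodSeconds: 30
    command: "drill @127.0.0.1 localhost || exit 1"
  liveness:
    initialDelaySeconds: 30
    periodSeconds: 60
    command: "drill @127.0.0.1 localhost || exit 1"
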
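# Custom unbound configuration to forward internal Kubernetes zones to CoreDNS
# NOTE(review): presumably this content replaces the image's own unbound.conf
# rather than being appended to it - confirm in the chart template, because
# defaults that only live in the image config (TLS CA bundle, hardening
# options) are lost if so.
config:
  enabled: true
  content: |
    server:
      interface: 0.0.0.0
      port: 53
      do-ip4: yes
      do-ip6: no
      do-udp: yes
      do-tcp: yes

      # Access control - allow all private networks
      # Anything not listed is refused by default. Never widen this to
      # 0.0.0.0/0: the listener binds every interface and must not become
      # an open resolver.
      access-control: 10.0.0.0/8 allow
      access-control: 172.16.0.0/12 allow
      access-control: 192.168.0.0/16 allow
      access-control: 127.0.0.0/8 allow

      # DNSSEC validation (required for Mailu)
      auto-trust-anchor-file: "/opt/unbound/etc/unbound/root.key"

      # Performance tuning
      # cache-min-ttl overrides shorter upstream TTLs; 60s is a modest floor.
      num-threads: 2
      msg-cache-size: 32m
      rrset-cache-size: 64m
      cache-min-ttl: 60
      cache-max-ttl: 86400

      # Logging
      verbosity: 1
      log-queries: no
      log-replies: no

      # Private addresses - strip RFC1918 answers from upstream responses
      # (DNS rebinding protection). This is a response filter, not a routing
      # rule: it does not stop queries from being sent upstream.
      private-address: 10.0.0.0/8
      private-address: 172.16.0.0/12
      private-address: 192.168.0.0/16

      # The forwarded cluster zones legitimately answer with cluster-internal
      # (10.x) addresses. Without this exemption the private-address filter
      # above removes those records and cluster.local lookups come back empty.
      # Covers svc.cluster.local. and bakery-ia.svc.cluster.local. as well.
      private-domain: "cluster.local."

      # Unbound ships a built-in static (NXDOMAIN) local-zone for
      # 10.in-addr.arpa., which is more specific than the in-addr.arpa.
      # forward below, so reverse lookups for cluster addresses would never
      # reach CoreDNS. Add the same for other ranges if the pod CIDR is not
      # in 10/8 - TODO confirm the pod CIDR.
      local-zone: "10.in-addr.arpa." nodefault

    # Forward Kubernetes internal zones to CoreDNS (10.152.183.10 for MicroK8s)
    # The two more specific zones below are already inside cluster.local.;
    # they are kept to match the original intent.
    forward-zone:
      name: "cluster.local."
      forward-addr: 10.152.183.10

    forward-zone:
      name: "svc.cluster.local."
      forward-addr: 10.152.183.10

    forward-zone:
      name: "bakery-ia.svc.cluster.local."
      forward-addr: 10.152.183.10

    # Forward in-addr.arpa for reverse DNS lookups within cluster
    # NOTE(review): this sends ALL reverse lookups - including PTR lookups
    # rspamd does for external sender IPs - to CoreDNS and its unvalidated
    # upstream instead of the DoT path below. Narrowing this to the cluster
    # ranges (e.g. 10.in-addr.arpa.) keeps public reverse lookups validated.
    forward-zone:
      name: "in-addr.arpa."
      forward-addr: 10.152.183.10

    # Forward all other queries to upstream DNS with DNSSEC
    # NOTE(review): the "#hostname" suffix is only checked against the
    # server certificate when a CA bundle is loaded (tls-cert-bundle or
    # tls-system-cert in the server: section). If this content replaces the
    # image's base config and no bundle is set here, the DoT session is
    # encrypted but the upstream is not authenticated - confirm and add one.
    forward-zone:
      name: "."
      forward-tls-upstream: yes
      forward-addr: 1.1.1.1@853#cloudflare-dns.com
      forward-addr: 8.8.8.8@853#dns.google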