diff --git a/gen/k8s/dns-cache/configmap.yml b/gen/k8s/dns-cache/configmap.yml
index e9e23ce6..61b41572 100644
--- a/gen/k8s/dns-cache/configmap.yml
+++ b/gen/k8s/dns-cache/configmap.yml
@@ -1,7 +1,7 @@ { "apiVersion": "v1", "data": { - "unbound.conf": "server:\n do-daemonize: no\n chroot: \"\"\n username: \"unbound\"\n logfile: \"\" # stderr\n verbosity: 1\n extended-statistics: yes\n log-servfail: yes\n val-log-level: 2\n\n interface: 0.0.0.0@10053\n interface: 0.0.0.0@10853\n interface: 0.0.0.0@10443\n port: 10053\n tls-port: 10853\n https-port: 10443\n access-control: 10.33.0.0/16 allow\n\n do-ip4: yes\n do-ip6: no\n\n tls-service-key: /secrets/tls-cert/tls.key\n tls-service-pem: /secrets/tls-cert/tls.crt\n\n root-hints: /usr/share/dns/root.hints\n trust-anchor-file: /var/lib/unbound/root.key\n\n prefetch: yes\n prefetch-key: yes\n\n # https://nlnetlabs.nl/documentation/unbound/howto-optimise/\n num-threads: 2\n num-queries-per-thread: 4096\n outgoing-range: 8192\n\n incoming-num-tcp: 1000\n outgoing-num-tcp: 1000\n\n msg-cache-slabs: 2\n rrset-cache-slabs: 2\n infra-cache-slabs: 2\n key-cache-slabs: 2\n\n rrset-cache-size: 400m\n msg-cache-size: 200m\n\n so-rcvbuf: 4m\n so-sndbuf: 4m\n so-reuseport: yes\n\n local-zone: 10.in-addr.arpa. nodefault\n local-zone: a.c.0.0.5.8.0.f.d.0.1.0.0.2.ip6.arpa. nodefault\n domain-insecure: 10.in-addr.arpa.\n domain-insecure: a.c.0.0.5.8.0.f.d.0.1.0.0.2.ip6.arpa.\n\n # https://datatracker.ietf.org/doc/rfc9461/\n local-zone: resolver.rubykaigi.net. typetransparent\n local-data: \"resolver.rubykaigi.net. 300 IN HTTPS 1 . alpn=h3,h2\"\n local-data: \"_dns.resolver.rubykaigi.net. 300 IN SVCB 1 resolver.rubykaigi.net. alpn=h3,h2 key7=/dns-query{?dns}\"\n local-data: \"_dns.resolver.rubykaigi.net. 300 IN SVCB 2 resolver.rubykaigi.net. alpn=dot\"\n local-data: \"_dns.resolver.rubykaigi.net. 300 IN SVCB 9 resolver.rubykaigi.net. alpn=http/1.1 key7=/dns-query{?dns}\"\n\n # https://datatracker.ietf.org/doc/rfc9462/\n local-zone: resolver.arpa. static\n local-data: \"_dns.resolver.arpa. 300 IN SVCB 1 resolver.rubykaigi.net. alpn=h3,h2 key7=/dns-query{?dns}\"\n local-data: \"_dns.resolver.arpa. 
300 IN SVCB 2 resolver.rubykaigi.net. alpn=dot\"\n local-data: \"_dns.resolver.arpa. 300 IN SVCB 9 resolver.rubykaigi.net. alpn=http/1.1 key7=/dns-query{?dns}\"\n domain-insecure: resolver.arpa.\n\n # https://datatracker.ietf.org/doc/rfc7050/\n local-zone: ipv4only.arpa. typetransparent # insecure zone\n local-data: \"ipv4only.arpa. 86400 IN AAAA 2001:df0:8500:ca64:a9:8200:192.0.0.170\"\n local-data: \"ipv4only.arpa. 86400 IN AAAA 2001:df0:8500:ca64:a9:8200:192.0.0.171\"\n\nforward-zone:\n name: 10.in-addr.arpa.\n forward-addr: 169.254.169.253\n\nforward-zone:\n name: a.c.0.0.5.8.0.f.d.0.1.0.0.2.ip6.arpa.\n forward-addr: 169.254.169.253\n\nforward-zone:\n name: rubykaigi.net.\n forward-addr: 169.254.169.253\n\nforward-zone:\n name: rubykaigi.org.\n forward-addr: 169.254.169.253\n\nremote-control:\n control-enable: yes\n control-interface: /run/unbound.ctl\n" + "unbound.conf": "server:\n do-daemonize: no\n chroot: \"\"\n username: \"unbound\"\n logfile: \"\" # stderr\n verbosity: 1\n extended-statistics: yes\n log-servfail: yes\n val-log-level: 2\n\n interface: 0.0.0.0@10053\n interface: 0.0.0.0@10853\n interface: 0.0.0.0@10443\n port: 10053\n tls-port: 10853\n https-port: 10443\n access-control: 10.33.0.0/16 allow\n\n do-ip4: yes\n do-ip6: no\n\n tls-service-key: /secrets/tls-cert/tls.key\n tls-service-pem: /secrets/tls-cert/tls.crt\n\n root-hints: /usr/share/dns/root.hints\n trust-anchor-file: /var/lib/unbound/root.key\n\n prefetch: yes\n prefetch-key: yes\n\n # https://nlnetlabs.nl/documentation/unbound/howto-optimise/\n num-threads: 2\n num-queries-per-thread: 4096\n outgoing-range: 8192\n\n incoming-num-tcp: 1000\n outgoing-num-tcp: 1000\n\n msg-cache-slabs: 2\n rrset-cache-slabs: 2\n infra-cache-slabs: 2\n key-cache-slabs: 2\n\n rrset-cache-size: 400m\n msg-cache-size: 200m\n\n so-rcvbuf: 4m\n so-sndbuf: 4m\n so-reuseport: yes\n\n local-zone: 10.in-addr.arpa. nodefault\n local-zone: a.c.0.0.5.8.0.f.d.0.1.0.0.2.ip6.arpa. 
nodefault\n domain-insecure: 10.in-addr.arpa.\n domain-insecure: a.c.0.0.5.8.0.f.d.0.1.0.0.2.ip6.arpa.\n\n # https://datatracker.ietf.org/doc/rfc9461/\n local-zone: resolver.rubykaigi.net. typetransparent\n local-data: \"resolver.rubykaigi.net. 300 IN HTTPS 1 . alpn=h3,h2\"\n local-data: \"_dns.resolver.rubykaigi.net. 300 IN SVCB 1 resolver.rubykaigi.net. alpn=h3,h2 key7=/dns-query{?dns}\"\n local-data: \"_dns.resolver.rubykaigi.net. 300 IN SVCB 2 resolver.rubykaigi.net. alpn=dot\"\n local-data: \"_dns.resolver.rubykaigi.net. 300 IN SVCB 9 resolver.rubykaigi.net. alpn=http/1.1 key7=/dns-query{?dns}\"\n\n # https://datatracker.ietf.org/doc/rfc9462/\n local-zone: resolver.arpa. static\n local-data: \"_dns.resolver.arpa. 300 IN SVCB 1 resolver.rubykaigi.net. alpn=h3,h2 key7=/dns-query{?dns}\"\n local-data: \"_dns.resolver.arpa. 300 IN SVCB 2 resolver.rubykaigi.net. alpn=dot\"\n local-data: \"_dns.resolver.arpa. 300 IN SVCB 9 resolver.rubykaigi.net. alpn=http/1.1 key7=/dns-query{?dns}\"\n domain-insecure: resolver.arpa.\n\n # https://datatracker.ietf.org/doc/rfc7050/\n local-zone: ipv4only.arpa. typetransparent # insecure zone\n local-data: \"ipv4only.arpa. 86400 IN AAAA 2001:df0:8500:ca64:a9:8200:192.0.0.170\"\n local-data: \"ipv4only.arpa. 86400 IN AAAA 2001:df0:8500:ca64:a9:8200:192.0.0.171\"\n\nforward-zone:\n name: 10.in-addr.arpa.\n forward-addr: 169.254.169.253\n\nforward-zone:\n name: a.c.0.0.5.8.0.f.d.0.1.0.0.2.ip6.arpa.\n forward-addr: 169.254.169.253\n\nforward-zone:\n name: rubykaigi.net.\n forward-addr: 169.254.169.253\n\nforward-zone:\n name: rubykaigi.org.\n forward-addr: 169.254.169.253\n\nremote-control:\n control-enable: yes\n control-interface: /run/unbound.ctl\n\ndnstap:\n dnstap-enable: yes\n dnstap-ip: 127.0.0.1@6000\n dnstap-tls: no\n dnstap-send-identity: yes\n dnstap-send-version: yes\n dnstap-log-resolver-response-messages: yes\n dnstap-log-client-query-messages: yes\n" }, "kind": "ConfigMap", "metadata": { 
@@ -20,3 +20,14 @@ } } --- +{ + "apiVersion": "v1", + "data": { + "config.yml": "{\n \"global\": {\n \"trace\": {\n \"verbose\": true\n }\n },\n \"multiplexer\": {\n \"collectors\": [\n {\n \"dnstap\": {\n \"listen-ip\": \"127.0.0.1\",\n \"listen-port\": 6000\n },\n \"name\": \"tap\"\n }\n ],\n \"loggers\": [\n {\n \"name\": \"prom\",\n \"prometheus\": {\n \"basic-auth-enable\": false,\n \"histogram-metrics-enabled\": true,\n \"listen-ip\": \"0.0.0.0\",\n \"listen-port\": 8081,\n \"requesters-metrics-enabled\": false,\n \"top-n\": 0\n }\n }\n ],\n \"routes\": [\n {\n \"from\": [\n \"tap\"\n ],\n \"to\": [\n \"prom\"\n ]\n }\n ]\n }\n}" + }, + "kind": "ConfigMap", + "metadata": { + "name": "dnscollector-config" + } +} +--- diff --git a/gen/k8s/dns-cache/deployment.yml b/gen/k8s/dns-cache/deployment.yml index 267b2060..7b1ebbfa 100644 --- a/gen/k8s/dns-cache/deployment.yml +++ b/gen/k8s/dns-cache/deployment.yml @@ -22,6 +22,52 @@ }, "spec": { "containers": [ + { + "args": [ + "-config", + "/etc/dnscollector/config.yml" + ], + "env": [ + + ], + "image": "005216166247.dkr.ecr.ap-northeast-1.amazonaws.com/dnscollector:e3ecd76868c1eb85e1eb6eb53badd01fb3f21e56", + "livenessProbe": { + "failureThreshold": 2, + "httpGet": { + "path": "/metrics", + "port": 8081, + "scheme": "HTTP" + }, + "periodSeconds": 3 + }, + "name": "dnscollector", + "ports": [ + { + "containerPort": 8081, + "name": "dnscollector" + } + ], + "readinessProbe": { + "httpGet": { + "path": "/metrics", + "port": 8081, + "scheme": "HTTP" + } + }, + "resources": { + "requests": { + "cpu": "5m", + "memory": "64M" + } + }, + "volumeMounts": [ + { + "mountPath": "/etc/dnscollector", + "name": "dnscollector-config", + "readOnly": true + } + ] + }, { "args": [ "-c", @@ -134,6 +180,12 @@ }, "name": "unbound-config" }, + { + "configMap": { + "name": "dnscollector-config" + }, + "name": "dnscollector-config" + }, { "name": "tls-cert", "secret": { 
diff --git a/gen/k8s/dns-cache/monitoring.yml b/gen/k8s/dns-cache/monitoring.yml index a244d731..aba574ef 100644 --- a/gen/k8s/dns-cache/monitoring.yml +++ b/gen/k8s/dns-cache/monitoring.yml @@ -11,6 +11,9 @@ "podMetricsEndpoints": [ { "port": "prom" + }, + { + "port": "dnscollector" } ], "selector": { diff --git a/k8s/dns-cache/config/dnscollector.libsonnet b/k8s/dns-cache/config/dnscollector.libsonnet new file mode 100644 index 00000000..bf046137 --- /dev/null +++ b/k8s/dns-cache/config/dnscollector.libsonnet @@ -0,0 +1,35 @@ +{ + global: { + trace: { + verbose: true, + }, + }, + + multiplexer: { + collectors: [ + { + name: 'tap', + dnstap: { + 'listen-ip': '127.0.0.1', + 'listen-port': 6000, + }, + }, + ], + loggers: [ + { + name: 'prom', + prometheus: { + 'listen-ip': '0.0.0.0', + 'listen-port': 8081, + 'basic-auth-enable': false, + 'top-n': 0, + 'histogram-metrics-enabled': true, + 'requesters-metrics-enabled': false, + }, + }, + ], + routes: [ + { from: ['tap'], to: ['prom'] }, + ], + }, +} diff --git a/k8s/dns-cache/config/unbound.conf b/k8s/dns-cache/config/unbound.conf index 6c596bc4..2fc4b341 100644 --- a/k8s/dns-cache/config/unbound.conf +++ b/k8s/dns-cache/config/unbound.conf @@ -91,3 +91,12 @@ forward-zone: remote-control: control-enable: yes control-interface: /run/unbound.ctl + +dnstap: + dnstap-enable: yes + dnstap-ip: 127.0.0.1@6000 + dnstap-tls: no + dnstap-send-identity: yes + dnstap-send-version: yes + dnstap-log-resolver-response-messages: yes + dnstap-log-client-query-messages: yes diff --git a/k8s/dns-cache/configmap.jsonnet b/k8s/dns-cache/configmap.jsonnet index b4ec362a..05bf2727 100644 --- a/k8s/dns-cache/configmap.jsonnet +++ b/k8s/dns-cache/configmap.jsonnet 
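Review bot: The Prometheus logger binds `'listen-ip': '0.0.0.0'` on 8081 with `'basic-auth-enable': false`, so the metrics endpoint is reachable in plaintext by anything that can route to the pod IP, whereas the resolver itself is limited by `access-control: 10.33.0.0/16 allow` in unbound.conf. With `'top-n': 0` and `'requesters-metrics-enabled': false` the exposed metrics appear to stay aggregate, which is the right choice for a public-facing resolver and is worth stating in the file, e.g. `// keep top-n/requesters off: per-client and per-qname stats would leak resolver users onto an unauthenticated endpoint`. Consider restricting 8081 with a NetworkPolicy to the Prometheus namespace rather than relying on the cluster's flat network. `trace.verbose: true` presumably makes the collector log each dnstap message it receives; if so, client IPs and query names end up in pod stdout, so confirm that before this runs in production or annotate why it is on.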
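Review bot: `dnstap-tls: no` is only acceptable because `dnstap-ip: 127.0.0.1@6000` stays inside the pod's network namespace, and the config should say so, e.g. `# plaintext is fine: 127.0.0.1 is shared only with the dnscollector sidecar in this pod`, so the setting is not copied into a config that ships dnstap off-host. `dnstap-log-client-query-messages: yes` sends client source addresses and qnames to the collector, which for a public resolver is personal data; note which consumer sees it (the collector config in this change enables `trace.verbose`, which may log it). `dnstap-send-identity`/`dnstap-send-version` add the hostname and version string to every frame, harmless on loopback but worth a one-line comment for the same reason. The `server:` clause and `forward-zone:` sections this block follows start outside the hunk.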
@@ -19,4 +19,14 @@ 'envoy.json': std.manifestJson(import './config/envoy.libsonnet'), }, }, + { + apiVersion: 'v1', + kind: 'ConfigMap', + metadata: { + name: 'dnscollector-config', + }, + data: { + 'config.yml': std.manifestJson(import './config/dnscollector.libsonnet'), + }, + }, ] diff --git a/k8s/dns-cache/deployment.jsonnet b/k8s/dns-cache/deployment.jsonnet index a2b4e575..5bd7cef3 100644 --- a/k8s/dns-cache/deployment.jsonnet +++ b/k8s/dns-cache/deployment.jsonnet @@ -1,4 +1,5 @@ -local commit = 'ae5a0d23fd293e7e1437519b816480cd01dba5f2'; +local unbound_commit = 'ae5a0d23fd293e7e1437519b816480cd01dba5f2'; +local dnscollector_commit = 'e3ecd76868c1eb85e1eb6eb53badd01fb3f21e56'; local tls_cert_secret = 'cert-resolver-rubykaigi-net'; @@ -42,6 +43,33 @@ local tls_cert_secret = 'cert-resolver-rubykaigi-net'; }, ], containers: [ + { + name: 'dnscollector', + resources: { + requests: { + cpu: '5m', + memory: '64M', + }, + }, + image: std.format('005216166247.dkr.ecr.ap-northeast-1.amazonaws.com/dnscollector:%s', dnscollector_commit), + args: ['-config', '/etc/dnscollector/config.yml'], + ports: [ + { name: 'dnscollector', containerPort: 8081 }, + ], + env: [ + ], + volumeMounts: [ + { name: 'dnscollector-config', mountPath: '/etc/dnscollector', readOnly: true }, + ], + readinessProbe: { + httpGet: { path: '/metrics', port: 8081, scheme: 'HTTP' }, + }, + livenessProbe: { + httpGet: { path: '/metrics', port: 8081, scheme: 'HTTP' }, + failureThreshold: 2, + periodSeconds: 3, + }, + }, { name: 'unbound', resources: { @@ -50,7 +78,7 @@ local tls_cert_secret = 'cert-resolver-rubykaigi-net'; memory: '128M', }, }, - image: std.format('005216166247.dkr.ecr.ap-northeast-1.amazonaws.com/unbound:%s', commit), + image: std.format('005216166247.dkr.ecr.ap-northeast-1.amazonaws.com/unbound:%s', unbound_commit), args: ['-c', '/etc/unbound/unbound.conf', '-dd'], ports: [ { name: 'dns', containerPort: 10053, protocol: 'UDP' }, 
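Review bot: The `readinessProbe` on the new dnscollector sidecar gates readiness of the whole pod, so a failing metrics collector (or the aggressive `failureThreshold: 2`/`periodSeconds: 3` liveness restarts) pulls the resolver out of Service endpoints even though unbound is healthy; drop the readiness probe for the sidecar or document the coupling with `// NOTE: sidecar readiness gates pod readiness — a broken collector takes DNS offline`. The image is pinned by a mutable commit tag, matching the unbound container, but an ECR tag can be re-pushed; pinning by `@sha256:` digest (or enforcing tag immutability on the repository) closes that supply-chain gap. No `securityContext` (runAsNonRoot, readOnlyRootFilesystem, dropped capabilities) is set on the container; it may be set at pod level outside this hunk, so confirm, since the collector only needs to bind 127.0.0.1:6000 and 0.0.0.0:8081. The container also has only `requests`, so a memory `limits` entry would keep a misbehaving collector from starving unbound on the same node.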
@@ -85,6 +113,12 @@ local tls_cert_secret = 'cert-resolver-rubykaigi-net'; name: 'unbound-config', }, }, + { + name: 'dnscollector-config', + configMap: { + name: 'dnscollector-config', + }, + }, { name: 'tls-cert', secret: { diff --git a/k8s/dns-cache/monitoring.jsonnet b/k8s/dns-cache/monitoring.jsonnet index 23d87b6b..c9cd0f3c 100644 --- a/k8s/dns-cache/monitoring.jsonnet +++ b/k8s/dns-cache/monitoring.jsonnet @@ -70,6 +70,9 @@ local dnsProbes(domain) = [ { port: 'prom', }, + { + port: 'dnscollector', + }, ], }, },