From bc8b77dd968a498c3b4d98b746df314877981425 Mon Sep 17 00:00:00 2001
From: wesleysu <59680532+River-sh@users.noreply.github.com>
Date: Wed, 29 Nov 2023 23:58:02 +0800
Subject: [PATCH] add raven proxy dns (#1827)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: 珩轩 <hengxuan.sh@alibaba-inc.com>
---
 config/setup/raven-proxy-dns.yaml | 213 ++++++++++++++++++++++++++++++
 1 file changed, 213 insertions(+)
 create mode 100644 config/setup/raven-proxy-dns.yaml

diff --git a/config/setup/raven-proxy-dns.yaml b/config/setup/raven-proxy-dns.yaml
new file mode 100644
index 00000000000..a5ec5b272e9
--- /dev/null
+++ b/config/setup/raven-proxy-dns.yaml
@@ -0,0 +1,213 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: raven-proxy-dns
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+  name: system:raven-proxy-dns
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+      - services
+      - pods
+      - namespaces
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+  name: system:raven-proxy-dns
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:raven-proxy-dns
+subjects:
+  - kind: ServiceAccount
+    name: raven-proxy-dns
+    namespace: kube-system
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: raven-proxy-dns
+  namespace: kube-system
+data:
+  Corefile: |
+    .:53 {
+        errors
+        health {
+          lameduck 5s
+        }
+        ready
+        hosts /etc/edge/tunnel-nodes {
+            reload 300ms
+            fallthrough
+        }
+        kubernetes cluster.local in-addr.arpa ip6.arpa {
+           pods insecure
+           fallthrough in-addr.arpa ip6.arpa
+           ttl 30
+        }
+        prometheus :9153
+        forward . /etc/resolv.conf {
+          max_concurrent 1000
+        }
+        cache 30
+        loop
+        reload
+        loadbalance
+    }
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: edge-tunnel-nodes
+  namespace: kube-system
+data:
+  tunnel-nodes: |
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: raven-proxy-dns
+  namespace: kube-system
+  labels:
+    k8s-app: raven-proxy-dns
+    kubernetes.io/name: "CoreDNS"
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+  selector:
+    matchLabels:
+      k8s-app: raven-proxy-dns
+  template:
+    metadata:
+      labels:
+        k8s-app: raven-proxy-dns
+    spec:
+      serviceAccountName: raven-proxy-dns
+      priorityClassName: system-cluster-critical
+      tolerations:
+        - operator: "Exists"
+      nodeSelector:
+        kubernetes.io/os: linux
+        openyurt.io/is-edge-worker: "false"
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchExpressions:
+                  - key: k8s-app
+                    operator: In
+                    values: ["raven-proxy-dns"]
+              topologyKey: kubernetes.io/hostname
+      containers:
+        - name: raven-proxy-dns
+          image: coredns/coredns:1.9.3
+          imagePullPolicy: IfNotPresent
+          resources:
+            limits:
+              memory: 170Mi
+            requests:
+              cpu: 100m
+              memory: 70Mi
+          args: [ "-conf", "/etc/raven-proxy-dns/Corefile" ]
+          volumeMounts:
+            - name: config-volume
+              mountPath: /etc/raven-proxy-dns
+              readOnly: true
+            - name: hosts
+              mountPath: /etc/edge
+              readOnly: true
+          ports:
+            - containerPort: 53
+              name: dns
+              protocol: UDP
+            - containerPort: 53
+              name: dns-tcp
+              protocol: TCP
+            - containerPort: 9153
+              name: metrics
+              protocol: TCP
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              add:
+                - NET_BIND_SERVICE
+              drop:
+                - all
+            readOnlyRootFilesystem: true
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 8080
+              scheme: HTTP
+            initialDelaySeconds: 60
+            timeoutSeconds: 5
+            successThreshold: 1
+            failureThreshold: 5
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 8181
+              scheme: HTTP
+      dnsPolicy: Default
+      volumes:
+        - name: config-volume
+          configMap:
+            name: raven-proxy-dns
+            items:
+              - key: Corefile
+                path: Corefile
+        - name: hosts
+          configMap:
+            name: edge-tunnel-nodes
+            defaultMode: 420
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: raven-proxy-dns
+  namespace: kube-system
+  annotations:
+    prometheus.io/port: "9153"
+    prometheus.io/scrape: "true"
+  labels:
+    k8s-app: raven-proxy-dns
+spec:
+  selector:
+    k8s-app: raven-proxy-dns
+  type: ClusterIP
+  ports:
+    - name: dns
+      port: 53
+      protocol: UDP
+    - name: dns-tcp
+      port: 53
+      protocol: TCP
+    - name: metrics
+      port: 9153
+      protocol: TCP