DNSCrypt / dnscrypt-server-docker

A Docker image for a non-censoring, non-logging, DNSSEC-capable, DNSCrypt-enabled DNS resolver
https://dnscrypt.info
ISC License

Kube Deployment #87

Closed ianbashford closed 3 years ago

ianbashford commented 4 years ago

Hi, I've been trying to get a k8s cluster going (on google's GKE).

I ended up straying quite a way from the scripts in the kube directory (I have my scripts to share back if they're of interest). The main issue I ran into however was the generated encrypted-dns.toml file not being in the persisted storage.
Each pod just creates its own instance, so the service wouldn't start - the keys directory is there, but without the config file.

So to the question(s)... Is this just me missing something? And do/did the scripts work without placing the encrypted-dns.toml file into the persisted storage? I suspect they might work on a local microk8s or something similar...

Finally, is there any consequence I've not considered by having multiple instances of encrypted-dns all accessing the same ../etc/keys/state directory, or should they each use their own?

I can get a PR together for anything you'd like to expand upon (or equally just update the wiki...). I've dropped my scripts here (it's still WIP). (There are a few other tweaks in there too, e.g. getting the storage writable by multiple pods.)

jedisct1 commented 3 years ago

Hi Ian,

Did you end up sorting this out?

I don’t know much about Kubernetes and never had the opportunity to test these scripts.

Ideally, each instance should have its own state directory. Having a shared directory is fine until a server restarts: if its in-memory certificates were different than the on-disk ones, on restart, the in-memory ones will not be accepted any more.

That being said, if a Pod always terminates when the server stops (or to put it differently, if the server never restarts within a Pod), this may not be an issue.

ianbashford commented 3 years ago

That's great input, thanks -- I might make some tweaks based on that info. So if I understand this right, we'd want these files shared:

encrypted-dns.toml
provider-info.txt
provider_name

but the state folder specific to each server instance.
I had a feeling that #94 might have been related...

I did get this all up and working on GKE, and then I saw how much google were charging for the load balancer. The charges went through the roof and it was all the LB. I can't find any other provider (yet) who'll do a full service load balancer at a reasonable price - many are http(s) only or tcp only (or cost a fortune). I'll close this and open a more specific question.
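As an added illustration of the layout the thread settles on (shared config files, per-instance state directory), not code from the repository's kube/ scripts or from either commenter: a StatefulSet that mounts one ReadWriteMany claim for the generated config files and gives every pod its own state volume. The image name, listening port, in-container paths under /opt/encrypted-dns/etc/keys and the pre-created claim name are assumptions, and the nested mount relies on the shared claim already holding the generated files.

```yaml
# Added example (not part of the project's kube/ directory). Assumptions:
# image name, port 443, key paths under /opt/encrypted-dns/etc/keys, and an
# existing ReadWriteMany PVC named encrypted-dns-shared that already contains
# encrypted-dns.toml, provider-info.txt and provider_name.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: encrypted-dns
spec:
  serviceName: encrypted-dns
  replicas: 2
  selector:
    matchLabels:
      app: encrypted-dns
  template:
    metadata:
      labels:
        app: encrypted-dns
    spec:
      containers:
        - name: encrypted-dns
          image: jedisct1/dnscrypt-server   # assumed image name
          ports:
            - containerPort: 443            # assumed listening port
              protocol: UDP
            - containerPort: 443
              protocol: TCP
          volumeMounts:
            # Shared between all replicas: the generated config files.
            - name: shared-keys
              mountPath: /opt/encrypted-dns/etc/keys
            # Per-pod: each instance keeps its own state directory, so a
            # restarted server never reads certificates written by a sibling.
            - name: state
              mountPath: /opt/encrypted-dns/etc/keys/state
      volumes:
        - name: shared-keys
          persistentVolumeClaim:
            claimName: encrypted-dns-shared   # ReadWriteMany claim, created separately
  # One claim per ordinal pod (encrypted-dns-0, encrypted-dns-1, ...), kept
  # across pod restarts and rescheduling.
  volumeClaimTemplates:
    - metadata:
        name: state
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi
```

Because the state mount is nested inside the shared mount, kubelet orders the two mounts by path; check with `kubectl exec encrypted-dns-0 -- ls /opt/encrypted-dns/etc/keys/state` on each pod that the directories really are distinct.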