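# backends — the two "different IPs" the GSLB picks between.
#
# backend-a / backend-b are Services that each keep a stable ClusterIP
# (= stable IP1 / IP2) and each answer over TLS (:443) with their own identity
# ("backend-a" / "backend-b"). When lab-dns's A record is flipped so it points at
# one of them (or both), the client observes "the same domain hands out a
# different IP each time" — i.e. GSLB behaviour.
#
# Notes:
# - sidecar.istio.io/inject: "false" → these pods imitate "servers outside the
#   mesh" (the client sidecar does TLS origination towards them). If a sidecar
#   were attached to the backends, mTLS would get in the way and blur the
#   origination test.
# - The server certificate (secret gslb-tls, SAN=gslb.lab.internal) is generated
#   with openssl and injected by scripts/dns-lab-setup.sh. The DR uses
#   insecureSkipVerify=true, so the certificate is not verified and the test
#   tells the two backends apart by the response body only — but nginx still
#   needs a certificate to speak TLS at all.
# - Least-privilege settings applied below: the config mount is read-only (nginx
#   only reads it) and the pods do not mount a ServiceAccount token, since a
#   static web server has no reason to talk to the API server.
# - default.conf is mounted with subPath, so a running pod does NOT pick up
#   ConfigMap edits; roll the Deployment after changing it.
---
apiVersion: v1
kind: ConfigMap
metadata: { name: backend-a-conf, namespace: dns-lab }
data:
  default.conf: |
    server {
      listen 443 ssl;
      server_name gslb.lab.internal;
      ssl_certificate     /etc/nginx/tls/tls.crt;
      ssl_certificate_key /etc/nginx/tls/tls.key;
      default_type text/plain;
      location / { return 200 "backend-a\n"; }
    }
---
apiVersion: v1
kind: ConfigMap
metadata: { name: backend-b-conf, namespace: dns-lab }
data:
  default.conf: |
    server {
      listen 443 ssl;
      server_name gslb.lab.internal;
      ssl_certificate     /etc/nginx/tls/tls.crt;
      ssl_certificate_key /etc/nginx/tls/tls.key;
      default_type text/plain;
      location / { return 200 "backend-b\n"; }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata: { name: backend-a, namespace: dns-lab, labels: { app: backend-a } }
spec:
  replicas: 1
  selector: { matchLabels: { app: backend-a } }
  template:
    metadata:
      labels: { app: backend-a }
      # Keep this pod out of the mesh so the client sidecar's TLS origination is
      # what gets exercised, not backend mTLS.
      annotations: { sidecar.istio.io/inject: "false" }
    spec:
      # No API access needed by nginx — do not hand the pod a token.
      automountServiceAccountToken: false
      containers:
        - name: nginx
          image: nginx:1.27-alpine
          ports: [{ containerPort: 443 }]
          volumeMounts:
            # subPath mount: ConfigMap updates are not propagated live.
            - { name: conf, mountPath: /etc/nginx/conf.d/default.conf, subPath: default.conf, readOnly: true }
            # Server cert/key from secret gslb-tls (see header note).
            - { name: tls, mountPath: /etc/nginx/tls, readOnly: true }
          readinessProbe:
            # Only checks that the TLS port is open; it does not perform a handshake.
            tcpSocket: { port: 443 }
            initialDelaySeconds: 2
      volumes:
        - name: conf
          configMap: { name: backend-a-conf }
        - name: tls
          secret: { secretName: gslb-tls }
---
apiVersion: apps/v1
kind: Deployment
metadata: { name: backend-b, namespace: dns-lab, labels: { app: backend-b } }
spec:
  replicas: 1
  selector: { matchLabels: { app: backend-b } }
  template:
    metadata:
      labels: { app: backend-b }
      # Keep this pod out of the mesh so the client sidecar's TLS origination is
      # what gets exercised, not backend mTLS.
      annotations: { sidecar.istio.io/inject: "false" }
    spec:
      # No API access needed by nginx — do not hand the pod a token.
      automountServiceAccountToken: false
      containers:
        - name: nginx
          image: nginx:1.27-alpine
          ports: [{ containerPort: 443 }]
          volumeMounts:
            # subPath mount: ConfigMap updates are not propagated live.
            - { name: conf, mountPath: /etc/nginx/conf.d/default.conf, subPath: default.conf, readOnly: true }
            # Server cert/key from secret gslb-tls (see header note).
            - { name: tls, mountPath: /etc/nginx/tls, readOnly: true }
          readinessProbe:
            # Only checks that the TLS port is open; it does not perform a handshake.
            tcpSocket: { port: 443 }
            initialDelaySeconds: 2
      volumes:
        - name: conf
          configMap: { name: backend-b-conf }
        - name: tls
          secret: { secretName: gslb-tls }
---
# The ClusterIP is allocated by the cluster and stays fixed for the lifetime of
# the Service object; re-creating the Service may yield a different IP, in which
# case the lab-dns A records must be refreshed.
apiVersion: v1
kind: Service
metadata: { name: backend-a, namespace: dns-lab }
spec:
  selector: { app: backend-a }
  ports: [{ name: https, port: 443, targetPort: 443 }]
---
# Same caveat as backend-a: the ClusterIP is stable only while this Service
# object exists.
apiVersion: v1
kind: Service
metadata: { name: backend-b, namespace: dns-lab }
spec:
  selector: { app: backend-b }
  ports: [{ name: https, port: 443, targetPort: 443 }]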