Let authoritative zones accept puppet client updates
Enables per-host RFC2136 updates from puppet (profiles::dns::updater) to
the bind-authoritative zones.
- add client-update BindTSIGKey (operator-generated)
- set dynamicUpdate: true + updateKeyRef: client-update on all 18
authoritative zones (allow-update { key client-update; })
This commit is contained in:
@@ -9,3 +9,16 @@ metadata:
|
||||
spec:
|
||||
clusterRef: bind-authoritative
|
||||
algorithm: hmac-sha256
|
||||
---
|
||||
# Client-update key: puppet clients (profiles::dns::updater) nsupdate their own
|
||||
# records to the authoritative zones with this key. Operator generates the
|
||||
# material into Secret client-update-tsig; the same value must reach puppet
|
||||
# eyaml (or the planned Vault-sync bridge) for clients to authenticate.
|
||||
apiVersion: bind.unkin.net/v1alpha1
|
||||
kind: BindTSIGKey
|
||||
metadata:
|
||||
name: client-update
|
||||
namespace: bind-internal
|
||||
spec:
|
||||
clusterRef: bind-authoritative
|
||||
algorithm: hmac-sha256
|
||||
|
||||
Reference in New Issue
Block a user