Deploy bind-operator and three BIND DNS tiers

Adds the bind-operator and the three BindClusters that replace the
Puppet-managed BIND estate (authoritative / resolver / external-dns).

- add apps/base/bind-system: 9 CRDs, operator Deployment, RBAC (ns bind-system)
- add apps/base/binddns-auth: authoritative BindCluster + catalog zone + TSIG key
- add apps/base/binddns-resolver: recursive-resolver BindCluster with forwarders
- add apps/base/binddns-externaldns: dynamic (RFC2136) BindCluster + TSIG key
- add au-syd1 overlays for all four apps
- register the four apps in the platform ApplicationSet
- add binddns-* namespaces to the platform AppProject destinations
- add schemas/bind.unkin.net/*.json so kubeconform validates the new CRs

DNS Services are LoadBalancer via PureLB. TSIG key material is generated by
the operator into Secrets at runtime (no plain Secrets in git).
2026-07-03 17:48:45 +10:00
parent 15225433e9
commit d11c2900de
39 changed files with 4990 additions and 0 deletions
@@ -0,0 +1,145 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.3
name: bindacls.bind.unkin.net
spec:
group: bind.unkin.net
names:
kind: BindACL
listKind: BindACLList
plural: bindacls
shortNames:
- bacl
singular: bindacl
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.clusterRef
name: Cluster
type: string
- jsonPath: .spec.entries[*]
name: Entries
type: integer
- jsonPath: .status.ready
name: Ready
type: boolean
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
BindACL is a named address-match-list referenced by views, zones and
policies for match-clients / allow-query / allow-transfer / allow-update.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: BindACLSpec defines a reusable named address_match_list.
properties:
clusterRef:
description: |-
ClusterRef names the BindCluster whose named.conf this ACL is rendered
into. When empty the ACL is available to every cluster in the namespace.
type: string
entries:
description: |-
Entries are raw BIND address-match-list elements, e.g. "10.0.0.0/8",
"!192.168.1.5", "key transfer-key", "localhost", "any", or the name of
another ACL.
items:
type: string
minItems: 1
type: array
required:
- entries
type: object
status:
description: BindACLStatus reports observed ACL state.
properties:
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
observedGeneration:
format: int64
type: integer
ready:
type: boolean
type: object
type: object
served: true
storage: true
subresources:
status: {}
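Review bot: the `Entries` printer column (`jsonPath: .spec.entries[*]`, `type: integer`) will not show a count: that JSONPath expands to the list elements themselves, which are strings, and additionalPrinterColumns cannot compute an array length, so `kubectl get bacl` will render the column empty or mangled. Either drop the column, change it to `type: string` so the joined entries are shown, or expose a count from `.status`. While here, `entries` are documented as raw address-match-list elements (`"!192.168.1.5"`, `"key transfer-key"`) with no `pattern`, so a malformed element is only caught when named reloads; the status `conditions` should surface that render/reload failure rather than leaving `ready` unset.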
@@ -0,0 +1,159 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.3
name: bindcatalogzones.bind.unkin.net
spec:
group: bind.unkin.net
names:
kind: BindCatalogZone
listKind: BindCatalogZoneList
plural: bindcatalogzones
shortNames:
- bcz
singular: bindcatalogzone
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.clusterRef
name: Cluster
type: string
- jsonPath: .spec.zoneName
name: Zone
type: string
- jsonPath: .status.memberCount
name: Members
type: integer
- jsonPath: .status.ready
name: Ready
type: boolean
name: v1alpha1
schema:
openAPIV3Schema:
description: BindCatalogZone auto-provisions member zones onto cluster secondaries.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
BindCatalogZoneSpec defines a BIND9 catalog zone. The primary publishes it
and secondaries consume it, so member zones are provisioned onto every
secondary automatically without per-zone reconfiguration.
properties:
clusterRef:
description: ClusterRef names the owning BindCluster.
type: string
defaultPrimaries:
description: |-
DefaultPrimaries are the addresses member zones point at on secondaries.
Defaults to the cluster primary Service.
items:
type: string
type: array
transferKeyRef:
description: |-
TransferKeyRef names the BindTSIGKey authenticating catalog + member zone
transfers to secondaries.
type: string
zoneName:
description: ZoneName is the catalog zone's own origin, e.g. "catalog.internal".
type: string
required:
- clusterRef
- zoneName
type: object
status:
description: BindCatalogZoneStatus reports observed catalog state.
properties:
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
memberCount:
description: MemberCount is the number of member zones registered
in the catalog.
format: int32
type: integer
observedGeneration:
format: int64
type: integer
ready:
type: boolean
type: object
type: object
served: true
storage: true
subresources:
status: {}
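Review bot: `transferKeyRef` is optional while `clusterRef` and `zoneName` are required, so a BindCatalogZone created without a key has secondaries pull the catalog and every auto-provisioned member zone with no TSIG authentication on the transfer. Given the commit message states all transfer key material is operator-managed, either add `transferKeyRef` to `required`, or state in its description what the operator does when it is empty (refuse to render the catalog, or fall back to an unauthenticated transfer) so reviewers of a CR can tell which it is.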
File diff suppressed because it is too large
@@ -0,0 +1,219 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.3
name: binddnssecpolicies.bind.unkin.net
spec:
group: bind.unkin.net
names:
kind: BindDNSSECPolicy
listKind: BindDNSSECPolicyList
plural: binddnssecpolicies
shortNames:
- bdp
singular: binddnssecpolicy
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.clusterRef
name: Cluster
type: string
- jsonPath: .spec.algorithm
name: Algorithm
type: string
- jsonPath: .status.zoneCount
name: Zones
type: integer
- jsonPath: .status.ready
name: Ready
type: boolean
name: v1alpha1
schema:
openAPIV3Schema:
description: BindDNSSECPolicy is a reusable DNSSEC signing policy.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
BindDNSSECPolicySpec mirrors a BIND9 dnssec-policy. Zones referencing it are
signed with inline-signing and automated key management.
properties:
algorithm:
default: ecdsap256sha256
description: Algorithm for signing. Defaults to ecdsap256sha256.
type: string
clusterRef:
description: ClusterRef names the owning BindCluster.
type: string
csk:
description: CSK, when set, uses a Combined Signing Key instead of
split KSK/ZSK.
properties:
algorithm:
description: Algorithm overrides the policy algorithm for this
key.
type: string
keySize:
description: KeySize in bits for RSA algorithms (ignored for ECDSA/EdDSA).
format: int32
type: integer
lifetime:
description: |-
Lifetime is how long the key is used before rollover, e.g. "P30D" or
"unlimited". Empty means unlimited.
type: string
type: object
extraOptions:
description: ExtraOptions are raw named.conf lines appended inside
the policy block.
items:
type: string
type: array
ksk:
description: KSK is the Key Signing Key configuration (ignored when
CSK is set).
properties:
algorithm:
description: Algorithm overrides the policy algorithm for this
key.
type: string
keySize:
description: KeySize in bits for RSA algorithms (ignored for ECDSA/EdDSA).
format: int32
type: integer
lifetime:
description: |-
Lifetime is how long the key is used before rollover, e.g. "P30D" or
"unlimited". Empty means unlimited.
type: string
type: object
maxZoneTTL:
description: MaxZoneTTL, e.g. "P1D".
type: string
nsec3:
description: NSEC3 enables NSEC3 hashing instead of NSEC.
type: boolean
policyName:
description: |-
PolicyName is the dnssec-policy name in named.conf. Defaults to the object
name.
type: string
signaturesValidity:
description: SignaturesValidity, e.g. "P14D".
type: string
zsk:
description: ZSK is the Zone Signing Key configuration (ignored when
CSK is set).
properties:
algorithm:
description: Algorithm overrides the policy algorithm for this
key.
type: string
keySize:
description: KeySize in bits for RSA algorithms (ignored for ECDSA/EdDSA).
format: int32
type: integer
lifetime:
description: |-
Lifetime is how long the key is used before rollover, e.g. "P30D" or
"unlimited". Empty means unlimited.
type: string
type: object
required:
- clusterRef
type: object
status:
description: BindDNSSECPolicyStatus reports observed policy state.
properties:
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
observedGeneration:
format: int64
type: integer
ready:
type: boolean
zoneCount:
description: ZoneCount is the number of zones signed with this policy.
format: int32
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
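Review bot: `spec.algorithm` and the per-key `algorithm` overrides under `csk`, `ksk` and `zsk` are free-form strings, unlike BindTSIGKey which enumerates its algorithms, so a misspelt algorithm passes admission and only fails when named loads the dnssec-policy; an `enum` of the algorithm names the operator supports would catch that at apply time. The `lifetime`, `maxZoneTTL` and `signaturesValidity` fields likewise accept any string although the descriptions show ISO 8601 durations (`"P30D"`, `"P1D"`, `"P14D"`); a `pattern` or a CEL rule would help. Also worth a sentence in the `extraOptions` description that those lines are inserted verbatim inside the policy block, so anyone allowed to create a BindDNSSECPolicy can alter the rendered named.conf beyond the typed fields; the RBAC added in this commit should treat this CRD accordingly.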
@@ -0,0 +1,203 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.3
name: bindpolicies.bind.unkin.net
spec:
group: bind.unkin.net
names:
kind: BindPolicy
listKind: BindPolicyList
plural: bindpolicies
shortNames:
- bp
singular: bindpolicy
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.clusterRef
name: Cluster
type: string
- jsonPath: .spec.zoneName
name: Zone
type: string
- jsonPath: .status.ruleCount
name: Rules
type: integer
- jsonPath: .status.ready
name: Ready
type: boolean
name: v1alpha1
schema:
openAPIV3Schema:
description: BindPolicy is a Response Policy Zone (RPZ) applied to a cluster.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
BindPolicySpec defines a Response Policy Zone (RPZ) — a DNS firewall applied
to a resolver cluster.
properties:
clusterRef:
description: ClusterRef names the owning BindCluster (typically a
resolver).
type: string
order:
default: 100
description: Order controls this policy's position in the response-policy
clause.
format: int32
type: integer
primaries:
description: |-
Primaries lets the RPZ zone be transferred from an external feed instead
of being locally populated.
items:
type: string
type: array
rules:
description: Rules are the inline policy triggers.
items:
description: RPZRule is a single response-policy rule.
properties:
action:
default: nxdomain
description: Action taken when the rule matches.
enum:
- nxdomain
- nodata
- passthru
- drop
- tcp-only
- cname
type: string
match:
description: Match is the trigger value, e.g. a domain "bad.example."
or CIDR.
type: string
target:
description: Target is the rewrite target when Action is cname.
type: string
trigger:
default: qname
description: Trigger selects what the Match is compared against.
enum:
- qname
- client-ip
- ip
- nsdname
- nsip
type: string
required:
- match
type: object
type: array
transferKeyRef:
description: TransferKeyRef names the BindTSIGKey used to pull from
Primaries.
type: string
viewRef:
description: ViewRef optionally scopes the policy to a single view.
type: string
zoneName:
description: ZoneName is the RPZ zone origin, e.g. "rpz.internal".
type: string
required:
- clusterRef
- zoneName
type: object
status:
description: BindPolicyStatus reports observed policy state.
properties:
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
observedGeneration:
format: int64
type: integer
ready:
type: boolean
ruleCount:
description: RuleCount is the number of active rules.
format: int32
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
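Review bot: the `cname` action needs `target` (per the `target` description), but the rule object only requires `match`, so a rule with `action: cname` and no `target` is admitted and then fails in the rendered RPZ zone. A CEL validation on the rule items closes that, for example:
`x-kubernetes-validations:`
`- rule: "self.action != 'cname' || has(self.target)"`
`  message: "target is required when action is cname"`
(`action` has a default, so it is always present when the rule runs). The same gap exists between `primaries` and `transferKeyRef`: an RPZ fed from an external primary with no key transfers unauthenticated, and the descriptions do not say whether the operator refuses that combination. Since this is a DNS firewall on the resolver tier, a silently unauthenticated feed is the case most worth rejecting at admission.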
@@ -0,0 +1,165 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.3
name: bindtsigkeys.bind.unkin.net
spec:
group: bind.unkin.net
names:
kind: BindTSIGKey
listKind: BindTSIGKeyList
plural: bindtsigkeys
shortNames:
- btk
singular: bindtsigkey
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.algorithm
name: Algorithm
type: string
- jsonPath: .status.secretName
name: Secret
type: string
- jsonPath: .status.ready
name: Ready
type: boolean
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
BindTSIGKey is a TSIG key backing zone transfers, dynamic updates and view
matching. The key material lives in a Kubernetes Secret, never in the CR.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
BindTSIGKeySpec defines a TSIG key. If no existing key material is imported,
the operator generates a random key and stores it in a Secret.
properties:
algorithm:
default: hmac-sha256
description: Algorithm is the HMAC algorithm. Defaults to hmac-sha256.
enum:
- hmac-sha256
- hmac-sha512
- hmac-sha384
- hmac-sha224
- hmac-sha1
- hmac-md5
type: string
importExisting:
description: |-
ImportExisting, when true, means the referenced Secret already contains a
`secret` key and the operator will not generate new material.
type: boolean
keyName:
description: |-
KeyName is the TSIG key name emitted into named.conf. Defaults to the
object name.
type: string
secretName:
description: |-
SecretName is the Secret the key material is written to (or read from when
ImportExisting is set). Defaults to "<name>-tsig".
type: string
type: object
status:
description: BindTSIGKeyStatus reports observed TSIG key state.
properties:
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
keyName:
description: KeyName as used in named.conf.
type: string
observedGeneration:
description: ObservedGeneration is the last reconciled generation.
format: int64
type: integer
ready:
description: Ready is true once the key Secret exists.
type: boolean
secretName:
description: SecretName holds the generated/managed key material.
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
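Review bot: the `algorithm` enum admits `hmac-md5` and `hmac-sha1` alongside the SHA-2 variants. Because the operator generates fresh key material whenever `importExisting` is false, there is no compatibility reason to let a new key be generated with MD5 or SHA-1; suggest removing them from the enum, or at minimum noting in the description that they are for imported legacy keys only. Separately, with `importExisting: true` the operator reads the `secret` key from the Secret named by `secretName` (default `<name>-tsig`), and the description does not say whether the operator checks ownership or labels before adopting a pre-existing Secret of that name in the namespace; a line stating that behaviour would help, as would `minLength: 1` on `keyName` since it is emitted verbatim into named.conf.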
@@ -0,0 +1,177 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.3
name: bindviews.bind.unkin.net
spec:
group: bind.unkin.net
names:
kind: BindView
listKind: BindViewList
plural: bindviews
shortNames:
- bv
singular: bindview
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.clusterRef
name: Cluster
type: string
- jsonPath: .spec.order
name: Order
type: integer
- jsonPath: .status.zoneCount
name: Zones
type: integer
- jsonPath: .status.ready
name: Ready
type: boolean
name: v1alpha1
schema:
openAPIV3Schema:
description: BindView is a split-horizon view on a BindCluster.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
BindViewSpec defines a split-horizon view. View ordering is significant in
BIND; use Order to control the sequence in named.conf.
properties:
allowQuery:
description: AllowQuery is an address-match-list restricting queries
into this view.
items:
type: string
type: array
clusterRef:
description: ClusterRef names the owning BindCluster.
type: string
extraOptions:
description: ExtraOptions are raw named.conf lines appended inside
the view block.
items:
type: string
type: array
matchClients:
description: |-
MatchClients is an address-match-list (inline entries and/or ACL names)
selecting which clients this view answers. Defaults to "any".
items:
type: string
type: array
matchDestinations:
description: MatchDestinations is an optional destination address-match-list.
items:
type: string
type: array
order:
default: 100
description: |-
Order controls the position of this view in named.conf (ascending). The
first view whose match-clients matches a query wins.
format: int32
type: integer
recursion:
description: Recursion overrides the cluster recursion setting for
this view.
type: boolean
required:
- clusterRef
type: object
status:
description: BindViewStatus reports observed view state.
properties:
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
observedGeneration:
format: int64
type: integer
ready:
type: boolean
zoneCount:
description: ZoneCount is the number of zones currently bound to this
view.
format: int32
type: integer
type: object
type: object
served: true
storage: true
subresources:
status: {}
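Review bot: `matchClients` defaults to `any` and `recursion` can be overridden to true per view, but nothing ties the two together: a BindView with `recursion: true` and neither `matchClients` nor `allowQuery` set renders as an open recursive view, and the commit message says these Services are exposed through a PureLB LoadBalancer. Suggest a CEL validation requiring `matchClients` or `allowQuery` when `recursion` is true (remember `recursion` has no default, so guard with `has(self.recursion)` first), or at least a sentence in the `recursion` description. Also, `order` defaults to 100 for every view and the description says the first view whose match-clients matches wins, so the tie-break between views with equal `order` should be documented, otherwise view precedence depends on an unstated sort.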
@@ -0,0 +1,252 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.3
name: bindzones.bind.unkin.net
spec:
group: bind.unkin.net
names:
kind: BindZone
listKind: BindZoneList
plural: bindzones
shortNames:
- bz
singular: bindzone
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.zoneName
name: Zone
type: string
- jsonPath: .spec.type
name: Type
type: string
- jsonPath: .spec.clusterRef
name: Cluster
type: string
- jsonPath: .status.serial
name: Serial
type: integer
- jsonPath: .status.phase
name: Phase
type: string
name: v1alpha1
schema:
openAPIV3Schema:
description: BindZone is a forward or reverse DNS zone.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: BindZoneSpec defines a DNS zone managed on a BindCluster's
primary.
properties:
allowTransfer:
description: |-
AllowTransfer is an address-match-list (inline entries and/or ACL/key
names) permitted to AXFR/IXFR this zone.
items:
type: string
type: array
catalog:
default: true
description: |-
Catalog, when true, registers this zone as a member of the cluster's
catalog zone so secondaries auto-provision it.
type: boolean
clusterRef:
description: ClusterRef names the owning BindCluster.
type: string
defaultTTL:
default: 3600
description: DefaultTTL for records that do not set their own TTL.
Defaults to 3600.
format: int32
type: integer
dnssecPolicyRef:
description: DNSSECPolicyRef names a BindDNSSECPolicy to sign this
zone with.
type: string
dynamicUpdate:
description: |-
DynamicUpdate enables RFC2136 updates for this zone (external-dns style).
When true, UpdateKeyRef must reference a BindTSIGKey.
type: boolean
forwarders:
description: Forwarders lists upstreams for a forward-type zone.
items:
type: string
type: array
primaries:
description: Primaries lists source servers for a secondary/stub-type
zone.
items:
type: string
type: array
records:
description: Records are static record sets seeded into a primary
zone.
items:
description: |-
Record is a single resource record set seeded into a primary zone via
dynamic update (nsupdate). Ongoing changes may also arrive from DNSRecord
objects or external RFC2136 clients.
properties:
name:
default: '@'
description: |-
Name is the owner name, relative to the zone apex or fully qualified.
Use "@" for the apex.
type: string
ttl:
description: TTL for the record set in seconds. Falls back to
the zone default TTL.
format: int32
type: integer
type:
description: Type is the RR type, e.g. A, AAAA, CNAME, MX, TXT,
SRV, NS, PTR, CAA.
type: string
values:
description: |-
Values are the RDATA entries, e.g. ["10 mail.example.com."] for an MX or
["192.0.2.1","192.0.2.2"] for an A round-robin.
items:
type: string
minItems: 1
type: array
required:
- type
- values
type: object
type: array
transferKeyRef:
description: |-
TransferKeyRef names the BindTSIGKey used to authenticate transfers from
Primaries for a secondary zone.
type: string
type:
default: primary
description: Type is the zone type. Defaults to primary.
enum:
- primary
- secondary
- forward
- stub
type: string
updateKeyRef:
description: UpdateKeyRef names the BindTSIGKey permitted to send
dynamic updates.
type: string
viewRef:
description: ViewRef optionally binds this zone to a BindView.
type: string
zoneName:
description: ZoneName is the DNS origin, e.g. "example.com" or "2.0.192.in-addr.arpa".
type: string
required:
- clusterRef
- zoneName
type: object
status:
description: BindZoneStatus reports observed zone state.
properties:
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
observedGeneration:
format: int64
type: integer
phase:
description: Phase is a coarse lifecycle summary (Pending/Ready/Error).
type: string
recordCount:
description: RecordCount is the number of managed record sets applied.
format: int32
type: integer
serial:
description: Serial is the last observed SOA serial on the primary.
format: int64
type: integer
signed:
description: Signed reports whether DNSSEC signing is active.
type: boolean
type: object
type: object
served: true
storage: true
subresources:
status: {}
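Review bot: the cross-field constraints stated in the descriptions of this BindZoneSpec are not enforced by the schema. `dynamicUpdate` says "When true, UpdateKeyRef must reference a BindTSIGKey", yet `updateKeyRef` is optional and nothing ties the two together, and likewise `type: secondary`/`stub` implies `primaries` and `type: forward` implies `forwarders`. Add `x-kubernetes-validations` CEL rules on the spec object, for example `!has(self.dynamicUpdate) || !self.dynamicUpdate || has(self.updateKeyRef)` and `self.type != 'forward' || has(self.forwarders)`, so a misconfigured zone is rejected at admission instead of surfacing later as `phase: Error`. The `allowTransfer` description should also state what an absent list means (whether the operator renders no `allow-transfer` clause and inherits the server default, or renders `none`), since that decides whether an unset field leaves AXFR open; and `zoneName` and `records[].type` are free strings where a hostname pattern and an RR-type enum would catch typos before they reach nsupdate.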
@@ -0,0 +1,165 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.3
name: dnsrecords.bind.unkin.net
spec:
group: bind.unkin.net
names:
kind: DNSRecord
listKind: DNSRecordList
plural: dnsrecords
shortNames:
- dnsr
singular: dnsrecord
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.zoneRef
name: Zone
type: string
- jsonPath: .spec.name
name: Name
type: string
- jsonPath: .spec.type
name: Type
type: string
- jsonPath: .status.phase
name: Phase
type: string
name: v1alpha1
schema:
openAPIV3Schema:
description: DNSRecord is an individually-managed record set applied to a
BindZone.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
DNSRecordSpec defines a single record set applied to a zone via TSIG dynamic
update (nsupdate) — the external-dns write path expressed as a CRD.
properties:
name:
default: '@'
description: Name is the owner name, relative to the zone apex or
fully qualified.
type: string
ttl:
description: TTL for the record set in seconds. Falls back to the
zone default TTL.
format: int32
type: integer
type:
description: Type is the RR type, e.g. A, AAAA, CNAME, TXT, SRV, MX.
type: string
values:
description: Values are the RDATA entries.
items:
type: string
minItems: 1
type: array
zoneRef:
description: |-
ZoneRef names the BindZone this record belongs to. The cluster, view and
update key are derived from the referenced zone.
type: string
required:
- type
- values
- zoneRef
type: object
status:
description: DNSRecordStatus reports observed record state.
properties:
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
fqdn:
description: FQDN is the fully-qualified owner name that was applied.
type: string
observedGeneration:
format: int64
type: integer
phase:
description: Phase is a coarse lifecycle summary (Pending/Applied/Error).
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
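Review bot: `zoneRef` in this DNSRecordSpec does not say whether the referenced BindZone must live in the same namespace as the DNSRecord. Because the description states that "the cluster, view and update key are derived from the referenced zone", creating a DNSRecord is effectively the authorization to write into that zone with its TSIG key, so if the operator resolves the reference across namespaces, any tenant allowed to create DNSRecords can update any zone in the cluster. Document the scope in the `zoneRef` description and, if cross-namespace references are not intended, have the controller look the zone up in `metadata.namespace` of the DNSRecord only. In the same spirit, `name` accepts a fully qualified owner name without any check that it falls under the zone origin; a CEL rule cannot see the zone here, so the controller should reject (and surface in `status.conditions`) an FQDN outside the zone rather than forwarding it to the server.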