Authoritative zones: accept puppet client dynamic updates #244
Reference in New Issue
Block a user
Delete Branch "benvin/auth-dynamic-update"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Enables per-host RFC2136 updates from puppet (puppet-prod #475 profiles::dns::updater) to the bind-authoritative zones, via the .9 write endpoint.
Changes
dynamicUpdate: true+updateKeyRef: client-updateon all 18 authoritative zones → the operator rendersallow-update { key "client-update"; }Key bridge (manual, per the TSIG plan)
The operator generates the client-update key value; it must reach puppet eyaml (
profiles::dns::updater::key_secret) for clients to authenticate — until the planned Vault-sync/secret-reflection operator features exist. Get it with:kubectl -n bind-internal get secret client-update-tsig -o jsonpath='{.data.secret}' | base64 -dValidated
kustomize build + kubeconform.
Enables per-host RFC2136 updates from puppet (profiles::dns::updater) to the bind-authoritative zones. - add client-update BindTSIGKey (operator-generated) - set dynamicUpdate: true + updateKeyRef: client-update on all 18 authoritative zones (allow-update { key client-update; })