Authoritative zones: accept puppet client dynamic updates #244

Merged
benvin merged 1 commits from benvin/auth-dynamic-update into main 2026-07-11 00:57:52 +10:00
Owner

Enables per-host RFC2136 updates from puppet (puppet-prod #475 profiles::dns::updater) to the bind-authoritative zones, via the .9 write endpoint.

Changes

  • add client-update BindTSIGKey (clusterRef bind-authoritative; operator generates the material into Secret client-update-tsig)
  • set dynamicUpdate: true + updateKeyRef: client-update on all 18 authoritative zones → the operator renders allow-update { key "client-update"; }

Key bridge (manual, per the TSIG plan)

The operator generates the client-update key value; it must reach puppet eyaml (profiles::dns::updater::key_secret) for clients to authenticate — until the planned Vault-sync/secret-reflection operator features exist. Get it with:
kubectl -n bind-internal get secret client-update-tsig -o jsonpath='{.data.secret}' | base64 -d

Validated

kustomize build + kubeconform.

Enables per-host RFC2136 updates from puppet (puppet-prod #475 profiles::dns::updater) to the bind-authoritative zones, via the .9 write endpoint. ## Changes - add **client-update** BindTSIGKey (clusterRef bind-authoritative; operator generates the material into Secret client-update-tsig) - set `dynamicUpdate: true` + `updateKeyRef: client-update` on all **18** authoritative zones → the operator renders `allow-update { key "client-update"; }` ## Key bridge (manual, per the TSIG plan) The operator generates the client-update key value; it must reach puppet eyaml (`profiles::dns::updater::key_secret`) for clients to authenticate — until the planned Vault-sync/secret-reflection operator features exist. Get it with: `kubectl -n bind-internal get secret client-update-tsig -o jsonpath='{.data.secret}' | base64 -d` ## Validated kustomize build + kubeconform.
unkinben added 1 commit 2026-07-11 00:33:52 +10:00
Let authoritative zones accept puppet client updates
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
43ba8b2356
Enables per-host RFC2136 updates from puppet (profiles::dns::updater) to
the bind-authoritative zones.

- add client-update BindTSIGKey (operator-generated)
- set dynamicUpdate: true + updateKeyRef: client-update on all 18
  authoritative zones (allow-update { key client-update; })
benvin merged commit 05d2c83258 into main 2026-07-11 00:57:52 +10:00
benvin deleted branch benvin/auth-dynamic-update 2026-07-11 00:57:52 +10:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: unkin/argocd-apps#244