05d2c83258
Enables per-host RFC2136 updates from puppet (puppet-prod #475 profiles::dns::updater) to the bind-authoritative zones, via the .9 write endpoint. ## Changes - add **client-update** BindTSIGKey (clusterRef bind-authoritative; operator generates the material into Secret client-update-tsig) - set `dynamicUpdate: true` + `updateKeyRef: client-update` on all **18** authoritative zones → the operator renders `allow-update { key "client-update"; }` ## Key bridge (manual, per the TSIG plan) The operator generates the client-update key value; it must reach puppet eyaml (`profiles::dns::updater::key_secret`) for clients to authenticate — until the planned Vault-sync/secret-reflection operator features exist. Get it with: `kubectl -n bind-internal get secret client-update-tsig -o jsonpath='{.data.secret}' | base64 -d` ## Validated kustomize build + kubeconform. Reviewed-on: #244 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
25 lines
807 B
YAML
25 lines
807 B
YAML
---
|
|
# Zone-transfer / catalog key. The operator generates the material into a
|
|
# Secret (transfer-key-tsig); nothing sensitive is committed to git.
|
|
apiVersion: bind.unkin.net/v1alpha1
|
|
kind: BindTSIGKey
|
|
metadata:
|
|
name: transfer-key
|
|
namespace: bind-internal
|
|
spec:
|
|
clusterRef: bind-authoritative
|
|
algorithm: hmac-sha256
|
|
---
|
|
# Client-update key: puppet clients (profiles::dns::updater) nsupdate their own
|
|
# records to the authoritative zones with this key. Operator generates the
|
|
# material into Secret client-update-tsig; the same value must reach puppet
|
|
# eyaml (or the planned Vault-sync bridge) for clients to authenticate.
|
|
apiVersion: bind.unkin.net/v1alpha1
|
|
kind: BindTSIGKey
|
|
metadata:
|
|
name: client-update
|
|
namespace: bind-internal
|
|
spec:
|
|
clusterRef: bind-authoritative
|
|
algorithm: hmac-sha256
|