Files
argocd-apps/apps/base/bind-internal/authoritative/tsigkey.yaml
T
unkinben 43ba8b2356
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
Let authoritative zones accept puppet client updates
Enables per-host RFC2136 updates from puppet (profiles::dns::updater) to
the bind-authoritative zones.

- add client-update BindTSIGKey (operator-generated)
- set dynamicUpdate: true + updateKeyRef: client-update on all 18
  authoritative zones (allow-update { key client-update; })
2026-07-11 00:33:49 +10:00

25 lines
807 B
YAML

---
# Zone-transfer / catalog key. The operator generates the material into a
# Secret (transfer-key-tsig); nothing sensitive is committed to git.
apiVersion: bind.unkin.net/v1alpha1
kind: BindTSIGKey
metadata:
name: transfer-key
namespace: bind-internal
spec:
clusterRef: bind-authoritative
algorithm: hmac-sha256
---
# Client-update key: puppet clients (profiles::dns::updater) nsupdate their own
# records to the authoritative zones with this key. Operator generates the
# material into Secret client-update-tsig; the same value must reach puppet
# eyaml (or the planned Vault-sync bridge) for clients to authenticate.
apiVersion: bind.unkin.net/v1alpha1
kind: BindTSIGKey
metadata:
name: client-update
namespace: bind-internal
spec:
clusterRef: bind-authoritative
algorithm: hmac-sha256