argocd-apps/apps/base/bind-system/crds/bind.unkin.net_bindzones.yaml
unkinben d11c2900de Deploy bind-operator and three BIND DNS tiers
Adds the bind-operator and the three BindClusters that replace the
Puppet-managed BIND estate (authoritative / resolver / external-dns).

- add apps/base/bind-system: 9 CRDs, operator Deployment, RBAC (ns bind-system)
- add apps/base/binddns-auth: authoritative BindCluster + catalog zone + TSIG key
- add apps/base/binddns-resolver: recursive-resolver BindCluster with forwarders
- add apps/base/binddns-externaldns: dynamic (RFC2136) BindCluster + TSIG key
- add au-syd1 overlays for all four apps
- register the four apps in the platform ApplicationSet
- add binddns-* namespaces to the platform AppProject destinations
- add schemas/bind.unkin.net/*.json so kubeconform validates the new CRs

DNS Services are LoadBalancer via PureLB. TSIG key material is generated by
the operator into Secrets at runtime (no plain Secrets in git).
2026-07-03 17:48:45 +10:00

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.17.3
  name: bindzones.bind.unkin.net
spec:
  group: bind.unkin.net
  names:
    kind: BindZone
    listKind: BindZoneList
    plural: bindzones
    shortNames:
    - bz
    singular: bindzone
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.zoneName
      name: Zone
      type: string
    - jsonPath: .spec.type
      name: Type
      type: string
    - jsonPath: .spec.clusterRef
      name: Cluster
      type: string
    - jsonPath: .status.serial
      name: Serial
      type: integer
    - jsonPath: .status.phase
      name: Phase
      type: string
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: BindZone is a forward or reverse DNS zone.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: BindZoneSpec defines a DNS zone managed on a BindCluster's
              primary.
            properties:
              allowTransfer:
                description: |-
                  AllowTransfer is an address-match-list (inline entries and/or ACL/key
                  names) permitted to AXFR/IXFR this zone.
                items:
                  type: string
                type: array
              catalog:
                default: true
                description: |-
                  Catalog, when true, registers this zone as a member of the cluster's
                  catalog zone so secondaries auto-provision it.
                type: boolean
              clusterRef:
                description: ClusterRef names the owning BindCluster.
                type: string
              defaultTTL:
                default: 3600
                description: DefaultTTL for records that do not set their own TTL.
                  Defaults to 3600.
                format: int32
                type: integer
              dnssecPolicyRef:
                description: DNSSECPolicyRef names a BindDNSSECPolicy to sign this
                  zone with.
                type: string
              dynamicUpdate:
                description: |-
                  DynamicUpdate enables RFC2136 updates for this zone (external-dns style).
                  When true, UpdateKeyRef must reference a BindTSIGKey.
                type: boolean
              forwarders:
                description: Forwarders lists upstreams for a forward-type zone.
                items:
                  type: string
                type: array
              primaries:
                description: Primaries lists source servers for a secondary/stub-type
                  zone.
                items:
                  type: string
                type: array
              records:
                description: Records are static record sets seeded into a primary
                  zone.
                items:
                  description: |-
                    Record is a single resource record set seeded into a primary zone via
                    dynamic update (nsupdate). Ongoing changes may also arrive from DNSRecord
                    objects or external RFC2136 clients.
                  properties:
                    name:
                      default: '@'
                      description: |-
                        Name is the owner name, relative to the zone apex or fully qualified.
                        Use "@" for the apex.
                      type: string
                    ttl:
                      description: TTL for the record set in seconds. Falls back to
                        the zone default TTL.
                      format: int32
                      type: integer
                    type:
                      description: Type is the RR type, e.g. A, AAAA, CNAME, MX, TXT,
                        SRV, NS, PTR, CAA.
                      type: string
                    values:
                      description: |-
                        Values are the RDATA entries, e.g. ["10 mail.example.com."] for an MX or
                        ["192.0.2.1","192.0.2.2"] for an A round-robin.
                      items:
                        type: string
                      minItems: 1
                      type: array
                  required:
                  - type
                  - values
                  type: object
                type: array
              transferKeyRef:
                description: |-
                  TransferKeyRef names the BindTSIGKey used to authenticate transfers from
                  Primaries for a secondary zone.
                type: string
              type:
                default: primary
                description: Type is the zone type. Defaults to primary.
                enum:
                - primary
                - secondary
                - forward
                - stub
                type: string
              updateKeyRef:
                description: UpdateKeyRef names the BindTSIGKey permitted to send
                  dynamic updates.
                type: string
              viewRef:
                description: ViewRef optionally binds this zone to a BindView.
                type: string
              zoneName:
                description: ZoneName is the DNS origin, e.g. "example.com" or "2.0.192.in-addr.arpa".
                type: string
            required:
            - clusterRef
            - zoneName
            type: object
          status:
            description: BindZoneStatus reports observed zone state.
            properties:
              conditions:
                items:
                  description: Condition contains details for one aspect of the current
                    state of this API Resource.
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
                x-kubernetes-list-map-keys:
                - type
                x-kubernetes-list-type: map
              observedGeneration:
                format: int64
                type: integer
              phase:
                description: Phase is a coarse lifecycle summary (Pending/Ready/Error).
                type: string
              recordCount:
                description: RecordCount is the number of managed record sets applied.
                format: int32
                type: integer
              serial:
                description: Serial is the last observed SOA serial on the primary.
                format: int64
                type: integer
              signed:
                description: Signed reports whether DNSSEC signing is active.
                type: boolean
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
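The OpenAPI schema above enforces the required fields, the `spec.type` enum and the `records[]` shape, but the one rule with the most security weight lives only in a description: when `dynamicUpdate` is true, `updateKeyRef` must name a BindTSIGKey, otherwise there is no key for the operator to gate RFC2136 updates on. The following checker is an added example, not code from the bind-operator or this repository; it re-implements those CRD constraints in plain Python (standard library only), applies the CRD's `default:` values the way the API server would, and runs over two constructed BindZone manifests, one valid and one that breaks the enum, `minItems` and the dynamicUpdate rule. The manifest contents (names, namespaces, record data) are invented for the example.

```python
"""Check BindZone manifests against the bindzones.bind.unkin.net CRD above.

Added example, not bind-operator code. Encodes the constraints the CRD states
(required fields, spec.type enum, records[] shape, minItems, defaults) and the
rule its dynamicUpdate description gives but OpenAPI cannot express."""
from __future__ import annotations

import copy
from typing import Any

API_VERSION = "bind.unkin.net/v1alpha1"
ZONE_TYPES = ("primary", "secondary", "forward", "stub")  # spec.type enum
SPEC_DEFAULTS = {"catalog": True, "defaultTTL": 3600, "type": "primary"}
RECORD_DEFAULTS = {"name": "@"}


def apply_defaults(manifest: dict[str, Any]) -> dict[str, Any]:
    """Copy of manifest with the CRD's `default:` values filled in, as the
    API server does on admission."""
    obj = copy.deepcopy(manifest)
    spec = obj.setdefault("spec", {})
    for key, value in SPEC_DEFAULTS.items():
        spec.setdefault(key, value)
    for rec in spec.get("records") or []:
        for key, value in RECORD_DEFAULTS.items():
            rec.setdefault(key, value)
    return obj


def validate_bindzone(manifest: dict[str, Any]) -> list[str]:
    """Return the problems found; an empty list means every check passed."""
    problems: list[str] = []
    if manifest.get("apiVersion") != API_VERSION:
        problems.append(f"apiVersion must be {API_VERSION}")
    if manifest.get("kind") != "BindZone":
        problems.append("kind must be BindZone")
    spec = manifest.get("spec")
    if not isinstance(spec, dict):
        return problems + ["spec is required and must be a mapping"]

    # CRD: spec.required = [clusterRef, zoneName]
    for field in ("clusterRef", "zoneName"):
        if not isinstance(spec.get(field), str) or not spec[field]:
            problems.append(f"spec.{field} is required")

    # CRD: spec.type enum (defaults to primary)
    ztype = spec.get("type", SPEC_DEFAULTS["type"])
    if ztype not in ZONE_TYPES:
        problems.append(f"spec.type {ztype!r} is not one of {ZONE_TYPES}")

    # CRD: each record requires type and values, and values has minItems: 1
    for i, rec in enumerate(spec.get("records") or []):
        if not rec.get("type"):
            problems.append(f"spec.records[{i}].type is required")
        values = rec.get("values")
        if not isinstance(values, list) or not values:
            problems.append(f"spec.records[{i}].values needs at least one entry")
        elif not all(isinstance(v, str) for v in values):
            problems.append(f"spec.records[{i}].values entries must be strings")

    # Stated only in the dynamicUpdate description: RFC2136 updates must be
    # tied to a BindTSIGKey; without one the operator has no key to authorise.
    if spec.get("dynamicUpdate") is True and not spec.get("updateKeyRef"):
        problems.append("spec.dynamicUpdate=true requires spec.updateKeyRef")
    return problems


# Constructed sample manifests (not taken from the repository).
GOOD_ZONE = {
    "apiVersion": API_VERSION,
    "kind": "BindZone",
    "metadata": {"name": "example-com", "namespace": "binddns-auth"},
    "spec": {
        "clusterRef": "auth",
        "zoneName": "example.com",
        "allowTransfer": ["key xfer-secondaries"],
        "records": [
            {"type": "A", "values": ["192.0.2.1", "192.0.2.2"]},
            {"name": "mail", "type": "MX", "values": ["10 mail.example.com."]},
        ],
    },
}

BAD_ZONE = {
    "apiVersion": API_VERSION,
    "kind": "BindZone",
    "metadata": {"name": "dyn-example-com", "namespace": "binddns-externaldns"},
    "spec": {
        "clusterRef": "externaldns",
        "zoneName": "dyn.example.com",
        "type": "slave",  # not in the enum
        "dynamicUpdate": True,  # but no updateKeyRef
        "records": [{"type": "TXT", "values": []}],  # violates minItems: 1
    },
}

if __name__ == "__main__":
    for label, zone in (("GOOD_ZONE", GOOD_ZONE), ("BAD_ZONE", BAD_ZONE)):
        print(label, validate_bindzone(zone) or "ok")
```

A check like this sits naturally in the same CI step as the kubeconform run the commit message mentions: kubeconform validates the structural schema, and the extra function covers the cross-field rule the schema cannot carry, so a BindZone that would accept dynamic updates without a TSIG key never reaches Argo CD.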