PowerDNS, WebGUI and DNS-01 certs
Create the namespace
kubectl apply -f namespace.yaml
PowerDNS (mysql backend)
Create a persistent volume claim (PVC) for the mysql database
kubectl apply -f mysql_pvc.yaml
Create the mysql database
kubectl apply -f mysql.yaml
Create the PowerDNS service. Here you want to change the externalIPs so that your DNS server is reachable from the Internet. Only the DNS ports (53/udp and 53/tcp) belong on that public address; keep the admin GUI and the mysql database off it.
kubectl apply -f power.yaml
PowerDNS Admin (webgui)
This creates a PVC for the GUI's data and the service itself, listening on http://10.0.0.9:8053. Change this IP too if it does not fit your network, and note that the GUI speaks plain HTTP, so keep it on an internal address (or behind a TLS-terminating proxy) rather than on the externalIP used for DNS.
kubectl apply -f admin.yaml
- Create one user, then disable new user creation under /settings/authentication/Allow users to sign up
- Enable SOA records under /settings/records/SOA Forward and Reverse Zone (otherwise the default SOA is used, which is no good)
Cert-Manager DNS-01 (Wildcard) Certs
Install cert-manager. By the time you read this there is probably a newer release, so check for a newer manifest than the one below.
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.1/cert-manager.yaml
Prepare PowerDNS
- Exec into any of the PowerDNS pods:
kubectl exec -it -n inhouse-dns powerpdns-xxxx -- bash
- Generate a TSIG key named master_key; the command both creates the key and writes it to the database:
pdnsutil generate-tsig-key master_key hmac-md5
- Allow the key to update your domain. The original setup does this through direct SQL and exposes the PowerDNS mysql database through an externalIP for that purpose. You can avoid exposing the database by running the mysql client from inside the mysql pod (kubectl exec) instead, and on PowerDNS 4.x the same metadata row can be written without SQL at all with pdnsutil set-meta example.org TSIG-ALLOW-DNSUPDATE master_key. If you do use SQL, use the id the select returns (1 in this example) in the insert:
select id from domains where name='example.org';
insert into domainmetadata (domain_id, kind, content) values (1, 'TSIG-ALLOW-DNSUPDATE', 'master_key');
- The TSIG key alone is not enough: PowerDNS only accepts dynamic updates when dnsupdate=yes is set in pdns.conf, and the update source must be permitted by allow-dnsupdate-from (or the domain's ALLOW-DNSUPDATE-FROM metadata), which by default only allows localhost.
- Base64-encode the key printed by
pdnsutil generate-tsig-key master_key hmac-md5
a second time before putting it in the Secret. The key is already base64, but the data field of a Kubernetes Secret must itself be base64 (it is decoded when the Secret is loaded), so without the extra encoding cert-manager would receive raw bytes instead of the key string. Alternatively, put the key unchanged into stringData, which Kubernetes encodes for you. HMAC-MD5 is the page's choice; cert-manager's RFC 2136 solver also accepts HMACSHA256 and HMACSHA512 (tsigAlgorithm in the issuer), and pdnsutil can generate those with hmac-sha256 or hmac-sha512, which is preferable for new setups.
apiVersion: v1
kind: Secret
metadata:
  name: secret
  namespace: cert-manager
data:
  key: base64_encoded_hmac-md5sum
Apply the issuer; edit issuer.yaml first so it uses your domain and the public IPv4 address of your nameserver:
kubectl apply -f issuer.yaml
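The TSIG secret and issuer steps above are easy to get wrong by hand (the double base64 encoding, the domain id in the insert, the nameserver and key names that have to agree between PowerDNS and the issuer). The following script is an added example, not code from this repository, that renders the SQL, the Secret, a cert-manager ClusterIssuer and a wildcard Certificate from the single line pdnsutil prints. It assumes the cert-manager.io/v1 API, the Secret name "secret" with data key "key" in namespace cert-manager as on the page, Let's Encrypt as the ACME server, and placeholder values (example.org, 203.0.113.10, 10.0.0.0/8, the sample pdnsutil line) that are mine and must be replaced; the issuer and certificate names are also my choices.

```shell
#!/bin/sh
# Added example, not code from the original repository: render the
# Kubernetes Secret, cert-manager ClusterIssuer and wildcard Certificate
# that the DNS-01 (RFC 2136) solver needs, starting from the line that
# `pdnsutil generate-tsig-key` prints.
# Assumptions (mine, not the page's): cert-manager.io/v1 API, Secret
# "secret" with data key "key" in namespace cert-manager as on the page,
# Let's Encrypt as ACME server, placeholder zone/IP values.

# The key material is the last whitespace-separated field of the
# generate-tsig-key output line, whichever wording the pdnsutil version uses.
tsig_key_from_pdnsutil() {
  printf '%s\n' "$1" | awk '{print $NF}'
}

# The SQL the page runs by hand, but with the domain id taken from a
# subquery so the insert cannot use a stale id, plus the ALLOW-DNSUPDATE-FROM
# row that restricts which source addresses may send updates.
allow_update_sql() {
  zone=$1; keyname=$2; cidr=${3:-10.0.0.0/8}   # 10.0.0.0/8 is a placeholder
  cat <<EOF
insert into domainmetadata (domain_id, kind, content)
  values ((select id from domains where name='${zone}'), 'TSIG-ALLOW-DNSUPDATE', '${keyname}');
insert into domainmetadata (domain_id, kind, content)
  values ((select id from domains where name='${zone}'), 'ALLOW-DNSUPDATE-FROM', '${cidr}');
EOF
}

# Secret.data holds base64 of the bytes cert-manager will read, and those
# bytes must be the (already base64) TSIG key string, hence encoding it again.
secret_manifest() {
  key_b64=$1; name=${2:-secret}; ns=${3:-cert-manager}
  enc=$(printf '%s' "$key_b64" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: Opaque
data:
  key: ${enc}
EOF
}

# What cert-manager sees at runtime: the Secret value decoded once.
decode_secret_value() {
  printf '%s' "$1" | base64 -d
}

# ClusterIssuer using the RFC 2136 solver against the PowerDNS externalIP.
# tsigKeyName must match the name given to pdnsutil; HMACMD5 matches the
# page, HMACSHA256/HMACSHA512 are the stronger alternatives cert-manager accepts.
issuer_manifest() {
  email=$1; ns_ip=$2; algo=${3:-HMACMD5}; secret_name=${4:-secret}
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ${email}
    privateKeySecretRef:
      name: letsencrypt-dns01-account
    solvers:
    - dns01:
        rfc2136:
          nameserver: ${ns_ip}:53
          tsigKeyName: master_key
          tsigAlgorithm: ${algo}
          tsigSecretSecretRef:
            name: ${secret_name}
            key: key
EOF
}

# Wildcard certificate for the zone; DNS-01 is the only ACME challenge
# type that can validate a wildcard name.
certificate_manifest() {
  domain=$1; ns=${2:-default}
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-${domain}
  namespace: ${ns}
spec:
  secretName: wildcard-${domain}-tls
  issuerRef:
    name: letsencrypt-dns01
    kind: ClusterIssuer
  dnsNames:
  - "${domain}"
  - "*.${domain}"
EOF
}
```

Typical use is to paste the line pdnsutil printed into tsig_key_from_pdnsutil, feed the result to secret_manifest and pipe it into kubectl apply -f -, then do the same with issuer_manifest and certificate_manifest; the SQL from allow_update_sql goes into the mysql client run inside the mysql pod. Round-tripping the rendered Secret through decode_secret_value is a cheap way to confirm the double encoding is right before cert-manager tries to sign with the key.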