You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
tobi 7a4cf64f6c idk 2 years ago
mysql static pv, fix 2 years ago idk 2 years ago
admin.yaml static pv, fix 2 years ago
issuer.yaml static pv, fix 2 years ago
namespace.yaml init 2 years ago
power.yaml rewrite readme, better doc 2 years ago

Powerdns, WebGui and dns-01 certs

Create the namespace

kubectl apply -f namespace.yaml

PowerDNS (mysql backend)

Create a persistent volume for the mysql database

kubectl apply -f mysql_pvc.yaml

Create the mysql database

kubectl apply -f mysql.yaml

Create the PowerDNS service. ! Here you want to change the externalIPs that your DNS will be accessible to the world wide web

kubectl apply -f power.yaml

PowerDNS Admin (webgui)

This will create a PVC for the GUIs data, and the service itself, listening on You might want to change this IP again

kubectl apply -f admin.yaml
  • create one user, then disable new user creation

/settings/authentication/Allow users to sign up

  • enable SOA records (otherwise you get set the default, wich is no good)

/settings/records/SOA Forward and Reverse Zone

Cert-Manger DNS-01 (Wildcard) Certs

Install cert-manager, when you read this you might need to look for a newer yaml.

kubectl apply --validate=false -f

Prepare PowerDNS

  1. kubectl exec -it -n inhouse-dns powerpdns-xxxx -- bash into any of the PowerDNS Pods.
  2. pdnsutil generate-tsig-key master_key hmac-md5 create a key named master_key and write it to the database (the command will do both)
  3. Allow key to edit your domain (yes this can only be done through direct SQL - expose the PowerDNS mysql database through an externalIP)
    select id from domains where name='';
    > 1
    insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-DNSUPDATE', 'master_key');
  4. base64 encode the key generated by pdnsutil generate-tsig-key master_key hmac-md5, double encryption i know, but sadly this is the only way kubernetes stores secrets/all secrets will be decoded upon being loaded, so if we dont encode it ours wont be readable
    apiVersion: v1
    kind: Secret
      name: secret
      namespace: cert-manager
      key: base64_encoded_hmac-md5sum
  5. kubectl apply -f issuer.yaml, you want to modify it to your domain and the public ipv4 of you nameserver

Useful Resources