
rewrite readme, better doc

tobi 1 year ago
2 changed files with 61 additions and 11 deletions

+60 -8

@@ -1,8 +1,35 @@
## Powerdns, WebGui and dns-01 certs
# Powerdns, WebGui and dns-01 certs

## [Cert-Manager Setup](
Create the namespace
kubectl apply -f namespace.yaml

### [Webgui (admin)](
## PowerDNS (mysql backend)

Create a [persistent volume]( for the mysql database
kubectl apply -f mysql_pvc.yaml

Create the mysql database

kubectl apply -f mysql.yaml

Create the PowerDNS service. ! Here you want to change the externalIPs that your DNS will be accessible to the world wide web
kubectl apply -f power.yaml

## PowerDNS Admin (webgui)

This will create a PVC for the GUIs data, and the service itself, listening on You might want to change this IP again
kubectl apply -f admin.yaml

* create one user, then disable new user creation
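Review bot: the PowerDNS Admin sentence ("listening on You might want to change this IP again") has lost the address it refers to, and the section as written leaves the admin web UI on an externalIP next to the public DNS service with "create one user, then disable new user creation" as the only safeguard; state the intended address and say whether the GUI is meant to be reachable from outside the cluster or only from inside it. The `kubectl apply` commands should also be fenced, and the link targets (`[Cert-Manager Setup](`, `[Webgui (admin)](`, `[persistent volume](`) are incomplete as rendered here and need their URLs.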

@@ -12,12 +39,37 @@

`/settings/records/SOA Forward and Reverse Zone`

### dns-01 certs
## Cert-Manger DNS-01 (Wildcard) Certs

Install cert-manager, when you read this you might need to look for a newer yaml.
kubectl apply --validate=false -f

### Prepare PowerDNS

kubernetes job that start a go-acme/lego container, performing a dns-01 challenge for a wildcard cert.
1. `kubectl exec -it -n inhouse-dns powerpdns-xxxx -- bash` into any of the PowerDNS Pods.
2. `pdnsutil generate-tsig-key master_key hmac-md5` create a key named `master_key` and write it to the database (the command will do both)
3. Allow key to edit your domain (yes this can only be done through direct SQL - expose the PowerDNS mysql database through an externalIP)
select id from domains where name='';
> 1
insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-DNSUPDATE', 'master_key');
4. base64 encode the key generated by `pdnsutil generate-tsig-key master_key hmac-md5`, double encryption i know, but sadly
this is the only way kubernetes stores secrets/all secrets will be decoded upon being loaded, so if we dont encode it
ours wont be readable
apiVersion: v1
kind: Secret
name: secret
key: base64_encoded_hmac-md5sum
5. `kubectl apply -f issuer.yaml`, you want to modify it to your domain and the public ipv4 of you nameserver

the cert is available for further use through the persistent volume, in the same namespace.
### Useful Resources

that means you have to create a job for every cert in that specific namespace,
* [DNS Settings at your Zone provider](

see lego.yaml for an example
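Review bot: step 3 tells the reader to expose the PowerDNS MySQL database through an externalIP just to run two SQL statements; that puts the zone database on the public interface, so suggest `kubectl exec` into the mysql pod (or `kubectl port-forward`) and running the `select`/`insert` there instead. The same step is internally inconsistent: the `select id from domains` result is shown as `1` but the `insert into domainmetadata` uses `domain_id` `5`, so one of them should change. In step 4, base64 is encoding rather than encryption, and the Secret fragment needs `metadata:` and `data:` (with the key under `data`) before it can be applied as shown; in step 2, `pdnsutil generate-tsig-key` also accepts `hmac-sha256`, which is preferable to `hmac-md5` for a key that is allowed to update the zone.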

+1 -3 power.yaml

@@ -38,7 +38,7 @@ spec:
- name: PDNS_master
value: "yes"
# api settings
# api settings needed for dns-01 certs
- name: PDNS_api
value: "yes"
- name: PDNS_api_key
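Review bot: now that the comment documents `PDNS_api` as required for dns-01, the `PDNS_api_key` env var directly below it should not carry a literal value in power.yaml; if it does, load it with `valueFrom: secretKeyRef` from a Secret so the API key that can modify zones is not committed next to the Service that the README exposes via externalIPs. The hunk ends before the value, so this applies only if the value is inline.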
@@ -100,9 +100,7 @@ spec:
targetPort: 53
app: powerdns


# expose internally for the admin ui
apiVersion: v1
kind: Service
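Review bot: the second `apiVersion: v1` / `kind: Service` block (`# expose internally for the admin ui`) follows the first Service with only blank lines between them; without a `---` document separator the two objects are parsed as one YAML document with duplicate keys rather than two resources, so add `---` before the comment. It is also worth confirming that this internal service uses `type: ClusterIP` and no `externalIPs`, so it is not reachable the same way as the port-53 service above it.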