
rewrite readme, better doc

master
tobi 1 year ago
parent
commit
40377184a4
2 changed files with 61 additions and 11 deletions
  1. +60
    -8
      README.md
  2. +1
    -3
      power.yaml

+ 60
- 8
README.md

@@ -1,8 +1,35 @@
## Powerdns, WebGui and dns-01 certs
# Powerdns, WebGui and dns-01 certs

## [Cert-Manager Setup](https://wiki.tobias-huebner.org/index.php/Cert_Manager_DNS-01)
Create the namespace
```
kubectl apply -f namespace.yaml
```

### [Webgui (admin)](http://10.0.0.12:8053)
## PowerDNS (mysql backend)

Create a [persistent volume](https://gitea.tobias-huebner.org/tobi/GlusterFS_Heketi) for the mysql database
```
kubectl apply -f mysql_pvc.yaml
```

Create the mysql database

```
kubectl apply -f mysql.yaml
```

Create the PowerDNS service. ! Here you want to change the externalIPs that your DNS will be accessible to the world wide web
```
kubectl apply -f power.yaml
```

## PowerDNS Admin (webgui)


This will create a PVC for the GUIs data, and the service itself, listening on http://10.0.0.9:8053. You might want to change this IP again
```
kubectl apply -f admin.yaml
```

* create one user, then disable new user creation
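Review bot: the two admin GUI addresses in this hunk disagree: the heading link points at http://10.0.0.12:8053 while the "PowerDNS Admin (webgui)" section says the service listens on http://10.0.0.9:8053; use one address, or state that it is an example internal IP the reader replaces. Since the externalIPs comment on power.yaml says the DNS Service is meant to be reachable from the public internet, add one sentence making clear that the admin GUI in admin.yaml is plain HTTP and should stay on the internal address, not on that externalIP. The bullet "create one user, then disable new user creation" is the right advice; say where in the GUI that setting lives so the step is reproducible.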

@@ -12,12 +39,37 @@

`/settings/records/SOA Forward and Reverse Zone`

### dns-01 certs
## Cert-Manger DNS-01 (Wildcard) Certs

Install cert-manager, when you read this you might need to look for a newer yaml.
```
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.1/cert-manager.yaml
```

### Prepare PowerDNS

kubernetes job that start a go-acme/lego container, performing a dns-01 challenge for a wildcard cert.
1. `kubectl exec -it -n inhouse-dns powerpdns-xxxx -- bash` into any of the PowerDNS Pods.
2. `pdnsutil generate-tsig-key master_key hmac-md5` create a key named `master_key` and write it to the database (the command will do both)
3. Allow key to edit your domain (yes this can only be done through direct SQL - expose the PowerDNS mysql database through an externalIP)
```
select id from domains where name='example.org';
> 1
insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-DNSUPDATE', 'master_key');
```
4. base64 encode the key generated by `pdnsutil generate-tsig-key master_key hmac-md5`, double encryption i know, but sadly
this is the only way kubernetes stores secrets/all secrets will be decoded upon being loaded, so if we dont encode it
ours wont be readable
```
apiVersion: v1
kind: Secret
metadata:
name: secret
data:
key: base64_encoded_hmac-md5sum
```
5. `kubectl apply -f issuer.yaml`, you want to modify it to your domain and the public ipv4 of you nameserver

the cert is available for further use through the persistent volume, in the same namespace.
### Useful Resources

that means you have to create a job for every cert in that specific namespace,
* [DNS Settings at your Zone provider](https://wiki.tobias-huebner.org/index.php/Zone_Provider_DNS)

see lego.yaml for an example
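Review bot: the SQL example in step 3 is internally inconsistent: `select id from domains where name='example.org';` is shown returning `1`, but the insert then uses `values (5, 'TSIG-ALLOW-DNSUPDATE', 'master_key');`; the insert should use the id the select actually returned, otherwise the key is granted on the wrong zone. Step 3 also tells the reader to expose the PowerDNS mysql database through an externalIP just to run two statements; a `kubectl exec` into the mysql pod (the same approach step 1 already uses for the PowerDNS pod) avoids putting the database on a public address. In step 4 the "double encryption" explanation is misleading: Secret `data` values are base64-encoded, not encrypted, and a `stringData:` field accepts the key verbatim without manual encoding; the placeholder `base64_encoded_hmac-md5sum` should also say plainly that it is the base64 of the key `pdnsutil` printed. Consider generating the key with `hmac-sha256` instead of `hmac-md5`, which `pdnsutil generate-tsig-key` also supports. Minor: the heading reads "Cert-Manger".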

+ 1
- 3
power.yaml

@@ -38,7 +38,7 @@ spec:
- name: PDNS_master
value: "yes"
# api settings
# api settings needed for dns-01 certs
- name: PDNS_api
value: "yes"
- name: PDNS_api_key
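Review bot: the new comment says the API settings are needed for dns-01 certs, but the README procedure in this same commit uses a TSIG key and DNS updates, not the PowerDNS HTTP API; either document which component actually consumes `PDNS_api` / `PDNS_api_key`, or leave the API disabled if nothing does, since enabling it widens the exposed surface of a pod whose Service is published via externalIPs. If `PDNS_api_key` is a literal in this file, supply it with `valueFrom: secretKeyRef:` from a Secret instead so the key does not live in the manifest.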
@@ -100,9 +100,7 @@ spec:
targetPort: 53
selector:
app: powerdns

---

# expose internally for the admin ui
apiVersion: v1
kind: Service

