PowerDNS, WebGUI and DNS-01 certs

Create the namespace

kubectl apply -f namespace.yaml

PowerDNS (mysql backend)

Create a persistent volume for the mysql database

kubectl apply -f mysql_pvc.yaml

Create the mysql database

kubectl apply -f mysql.yaml

Create the PowerDNS service. Before applying, change the externalIPs in power.yaml to the public address(es) on which your DNS server should be reachable from the Internet.

kubectl apply -f power.yaml

PowerDNS Admin (webgui)

This creates a PVC for the GUI's data and the service itself, listening on http://10.0.0.9:8053. You will probably want to change this IP as well.

kubectl apply -f admin.yaml
  • Create one user, then disable new user creation:

/settings/authentication/Allow users to sign up

  • Enable SOA records (otherwise the default SOA is used, which is no good):

/settings/records/SOA Forward and Reverse Zone

Cert-Manager DNS-01 (Wildcard) Certs

Install cert-manager. The manifest below pins release v1.0.1; by the time you read this there may be a newer one, so check the cert-manager releases page. It installs CRDs and cluster-wide RBAC, so read it before applying it.

kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.1/cert-manager.yaml

Prepare PowerDNS

  1. Run kubectl exec -it -n inhouse-dns powerpdns-xxxx -- bash to get a shell in any of the PowerDNS pods.
  2. pdnsutil generate-tsig-key master_key hmac-md5 creates a key named master_key and writes it to the database (the command does both). hmac-md5 is what cert-manager's rfc2136 solver calls HMACMD5; both pdnsutil and cert-manager also support hmac-sha256, which is the better choice for a new key.
  3. Allow the key to update your zone. This does not require direct SQL: pdnsutil set-meta example.org TSIG-ALLOW-DNSUPDATE master_key writes the same domainmetadata row. If you do want to use SQL, run it from inside the mysql pod (kubectl exec) or over kubectl port-forward rather than exposing the PowerDNS MySQL database through an externalIP; the id returned by the first query is the one to use in the insert:
    select id from domains where name='example.org';
    > 1
    insert into domainmetadata (domain_id, kind, content) values (1, 'TSIG-ALLOW-DNSUPDATE', 'master_key');
    
    PowerDNS also needs dnsupdate=yes in its configuration, and the source address of the cert-manager pods must be covered by allow-dnsupdate-from (or the zone's ALLOW-DNSUPDATE-FROM metadata); otherwise the update is refused regardless of the key.
    
  4. base64-encode the key printed by pdnsutil generate-tsig-key master_key hmac-md5. The key is already base64 text, so it ends up encoded twice: the data field of a Kubernetes Secret must hold base64 values, which are decoded when the Secret is consumed, so an unencoded key would come out mangled. (The stringData field, or kubectl create secret generic ... --from-literal=key=..., takes the key as-is and does the encoding for you.) The Secret must live in the cert-manager namespace, because that is where a ClusterIssuer looks for it.
    apiVersion: v1
    kind: Secret
    metadata:
      name: secret
      namespace: cert-manager
    data:
      key: base64_encoded_hmac-md5sum
    
  5. kubectl apply -f issuer.yaml, after modifying it for your domain and the public IPv4 of your nameserver.
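The five steps above as one script. This is an added example and not code from this repository; it uses pdnsutil set-meta instead of raw SQL and builds the Secret and ClusterIssuer manifests itself rather than editing issuer.yaml. Everything not stated on this page is an assumption: the PowerDNS deployment name (deploy/powerdns), the zone (example.org), the nameserver's public IPv4 (203.0.113.10), the source range of the cert-manager pods (10.0.0.0/8), the ACME contact address, the issuer name, and the output format of pdnsutil generate-tsig-key (the secret is taken as the last field of its output line).

```shell
#!/bin/sh
# Added example, not part of this repository: wires a PowerDNS TSIG key into a
# cert-manager RFC2136 ClusterIssuer, covering steps 1-5 of the README in one go.
# Assumed (hypothetical) values: PowerDNS runs as deploy/powerdns in namespace
# inhouse-dns, the zone is example.org, the nameserver's public IPv4 is
# 203.0.113.10, and cert-manager pods reach PowerDNS from 10.0.0.0/8.
set -eu

ZONE="${ZONE:-example.org}"
KEY_NAME="${KEY_NAME:-master_key}"
ALGO="${ALGO:-hmac-sha256}"               # README uses hmac-md5; SHA-256 is preferable for a new key
NS_IP="${NS_IP:-203.0.113.10}"            # assumed public address of the nameserver
POD_CIDR="${POD_CIDR:-10.0.0.0/8}"        # assumed source range of the cert-manager pods
PDNS_DEPLOY="${PDNS_DEPLOY:-deploy/powerdns}"   # assumed name of the PowerDNS deployment
PDNS_NS="inhouse-dns"
SECRET_NAME="secret"                      # same name the README's issuer.yaml expects
ACME_EMAIL="${ACME_EMAIL:-hostmaster@example.org}"   # assumed contact address

# pdnsutil generate-tsig-key prints a line ending in the base64 TSIG secret
# (assumed format: "Create new TSIG key <name> <algo> <secret>"); keep the last field.
tsig_secret_from_output() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# Secret .data values must be base64, and the TSIG secret is already base64 text,
# so it is encoded a second time here. base64 -w0 is GNU-only; strip the newline
# with tr instead so this also works on BSD/busybox base64.
encode_for_secret() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# pdnsutil names algorithms hmac-md5, hmac-sha256, ...; cert-manager wants HMACMD5, HMACSHA256, ...
cm_algo() {
    printf '%s' "$1" | sed 's/-//g' | tr '[:lower:]' '[:upper:]'
}

# Secret in the cert-manager namespace, which is where a ClusterIssuer looks for it.
secret_manifest() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $SECRET_NAME
  namespace: cert-manager
type: Opaque
data:
  key: $(encode_for_secret "$1")
EOF
}

issuer_manifest() {
    cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: $ACME_EMAIL
    privateKeySecretRef:
      name: letsencrypt-dns01-account
    solvers:
    - dns01:
        rfc2136:
          nameserver: ${NS_IP}:53
          tsigKeyName: $KEY_NAME
          tsigAlgorithm: $(cm_algo "$ALGO")
          tsigSecretSecretRef:
            name: $SECRET_NAME
            key: key
EOF
}

# Same grant as the README's SQL, but keyed on the zone name so no id can be copied wrong.
meta_sql() {
    printf "INSERT INTO domainmetadata (domain_id, kind, content) SELECT id, 'TSIG-ALLOW-DNSUPDATE', '%s' FROM domains WHERE name='%s';\n" "$2" "$1"
}

# Runs the procedure end to end; needs kubectl access and a PowerDNS pod with pdnsutil.
apply_all() {
    pdnsutil_in_pod() { kubectl exec -n "$PDNS_NS" "$PDNS_DEPLOY" -- pdnsutil "$@"; }
    out=$(pdnsutil_in_pod generate-tsig-key "$KEY_NAME" "$ALGO")
    secret=$(tsig_secret_from_output "$out")
    # Zone metadata via pdnsutil instead of raw SQL: which key may update the zone,
    # and which source addresses may send updates (PowerDNS checks both).
    pdnsutil_in_pod set-meta "$ZONE" TSIG-ALLOW-DNSUPDATE "$KEY_NAME"
    pdnsutil_in_pod set-meta "$ZONE" ALLOW-DNSUPDATE-FROM "$POD_CIDR"
    secret_manifest "$secret" | kubectl apply -f -
    issuer_manifest | kubectl apply -f -
}

if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Run it as `sh setup-dns01.sh apply` once dnsupdate=yes is set in the PowerDNS configuration (that setting cannot be changed through pdnsutil). Without the argument the script only defines the functions, so you can source it and call issuer_manifest to inspect the YAML before anything is applied.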

Useful Resources