
README.md

Powerdns, WebGui and dns-01 certs

Create the namespace

kubectl apply -f namespace.yaml

PowerDNS (mysql backend)

Create a persistent volume for the mysql database

kubectl apply -f mysql_pvc.yaml

Create the mysql database

kubectl apply -f mysql.yaml

Create the PowerDNS service. Note: here you want to change the externalIPs so that your DNS is reachable from the world wide web.

kubectl apply -f power.yaml

PowerDNS Admin (webgui)

This creates a PVC for the GUI's data and the service itself, listening on http://10.0.0.9:8053. You might want to change this IP as well.

kubectl apply -f admin.yaml
  • create one user, then disable new user creation

/settings/authentication/Allow users to sign up

  • enable SOA records (otherwise you get the default set, which is no good)

/settings/records/SOA Forward and Reverse Zone

Cert-Manager DNS-01 (Wildcard) Certs

Install cert-manager; by the time you read this you may need to look for a newer yaml.

kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.1/cert-manager.yaml

Prepare PowerDNS

  1. Run kubectl exec -it -n inhouse-dns powerpdns-xxxx -- bash to get a shell in any of the PowerDNS pods.
  2. Run pdnsutil generate-tsig-key master_key hmac-md5 to create a key named master_key and write it to the database (the command does both).
  3. Allow the key to update your domain (yes, this can only be done through direct SQL; expose the PowerDNS mysql database through an externalIP). Use the id returned by the select as the domain_id of the insert:
    select id from domains where name='example.org';
    > 1
    -- domain_id is the id returned above
    insert into domainmetadata (domain_id, kind, content) values (1, 'TSIG-ALLOW-DNSUPDATE', 'master_key');
    
  4. Base64-encode the key printed by pdnsutil generate-tsig-key master_key hmac-md5. Double encoding, I know, but sadly this is the only way Kubernetes stores secrets: every value in data is base64-decoded when the Secret is loaded, so if we do not encode it once more, ours will not come out readable.
    apiVersion: v1
    kind: Secret
    metadata:
      name: secret
      namespace: cert-manager
    data:
      key: base64_encoded_hmac-md5sum
    
  5. Run kubectl apply -f issuer.yaml; modify it first for your domain and the public IPv4 of your nameserver.
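
As an added example (not code from this repository), the shell functions below render the Secret from step 4 and an issuer using cert-manager's RFC2136 dns01 solver for step 5; the issuer name, ACME e-mail, zone and nameserver IP are placeholders you pass in, and tsigAlgorithm must match the algorithm given to pdnsutil.

```shell
#!/bin/sh
# Added example, not part of the repository. Builds the two cert-manager manifests
# for the TSIG key created with: pdnsutil generate-tsig-key master_key hmac-md5
set -eu

# Extra base64 layer required by the Secret "data" field (portable: no -w0 flag).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Secret in the cert-manager namespace, as in step 4.
# $1 = secret name, $2 = key as printed by pdnsutil (already base64)
tsig_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: cert-manager
data:
  key: $(b64 "$2")
EOF
}

# ClusterIssuer solving dns01 via RFC2136 dynamic updates against PowerDNS.
# $1 = zone, $2 = public IPv4 of the nameserver, $3 = TSIG key name,
# $4 = secret name from above, $5 = ACME account e-mail (all placeholders)
rfc2136_issuer_manifest() {
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: $5
    privateKeySecretRef:
      name: letsencrypt-dns01-account
    solvers:
    - selector:
        dnsZones:
        - "$1"
      dns01:
        rfc2136:
          nameserver: "$2:53"
          tsigKeyName: $3
          tsigAlgorithm: HMACMD5   # must match the key type created by pdnsutil
          tsigSecretSecretRef:
            name: $4
            key: key
EOF
}
```

Pipe the output of each function to kubectl apply -f - once the values are filled in.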

Useful Resources