
README.md

Powerdns, WebGui and dns-01 certs

Create the namespace

kubectl apply -f namespace.yaml

PowerDNS (mysql backend)

Create a persistent volume for the mysql database

kubectl apply -f mysql_pvc.yaml

Create the mysql database

kubectl apply -f mysql.yaml

Create the PowerDNS service. Note: here you want to change the externalIPs to the address on which your DNS server will be reachable from the internet.

kubectl apply -f power.yaml

PowerDNS Admin (webgui)

This will create a PVC for the GUI's data, and the service itself, listening on http://10.0.0.9:8053. You might want to change this IP as well.

kubectl apply -f admin.yaml
  • create one user, then disable new user creation

/settings/authentication/Allow users to sign up

  • enable SOA records (otherwise the default is used, which is no good)

/settings/records/SOA Forward and Reverse Zone

Cert-Manager DNS-01 (Wildcard) Certs

Install cert-manager. By the time you read this you might need to look for a newer yaml.

kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.1/cert-manager.yaml

Prepare PowerDNS

  1. kubectl exec -it -n inhouse-dns powerpdns-xxxx -- bash into any of the PowerDNS pods.
  2. pdnsutil generate-tsig-key master_key hmac-md5 creates a key named master_key and writes it to the database (the command does both).
  3. Allow the key to edit your domain (yes, this can only be done through direct SQL; expose the PowerDNS mysql database through an externalIP). Use the id returned by the select in the insert:
    select id from domains where name='example.org';
    > 1
    insert into domainmetadata (domain_id, kind, content) values (1, 'TSIG-ALLOW-DNSUPDATE', 'master_key');
    
  4. base64 encode the key generated by pdnsutil generate-tsig-key master_key hmac-md5. Double encoding (the key is already base64), I know, but sadly this is the only way Kubernetes stores secrets: every value under data is base64-decoded when the Secret is loaded, so if we don't encode it, the value cert-manager reads won't be the key.
    apiVersion: v1
    kind: Secret
    metadata:
      name: secret
      namespace: cert-manager
    data:
      key: base64_encoded_hmac-md5sum
    
  5. kubectl apply -f issuer.yaml; you want to modify it to your domain and the public ipv4 of your nameserver.
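Steps 3 to 5 above as one helper script. This is an added example, not code from this repository: it renders the metadata INSERT as a single statement that looks up the domain id itself (so the id cannot be copied wrongly between a SELECT and an INSERT), base64-wraps the pdnsutil key after checking that it is valid base64, and emits the Secret from step 4 plus a cert-manager rfc2136 ClusterIssuer. Assumptions: the Secret name/namespace are the ones shown in step 4; issuer.yaml is not shown on this page, so the issuer layout here is cert-manager's documented rfc2136 DNS-01 solver (nameserver, tsigKeyName, tsigAlgorithm, tsigSecretSecretRef), with the solver restricted to the one zone; 203.0.113.10, admin@example.org and the key string in the demo are constructed placeholders. The rendered SQL can also be piped into the mysql client inside the database pod with kubectl exec (an assumption about your mysql.yaml), which avoids putting the database on an externalIP.

```shell
#!/bin/sh
# Added example, not the repository's own code. Helpers for steps 3-5 of
# "Prepare PowerDNS". Assumed: the key string is what pdnsutil generate-tsig-key
# prints (base64), the Secret is the one shown in step 4, and the issuer uses
# cert-manager's rfc2136 DNS-01 solver (issuer.yaml itself is not on the page).
set -eu

# Zone and key names end up inside SQL string literals, so accept only plain
# DNS labels / identifier characters and refuse everything else.
is_safe_zone() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}
is_safe_keyname() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.-]+$'
}

# Step 3 as a single statement: the INSERT looks up the domain id itself, so
# the id cannot be copied wrongly from an earlier SELECT.
render_allow_update_sql() {
  zone="$1"; keyname="$2"
  is_safe_zone "$zone" || { echo "refusing unsafe zone name: $zone" >&2; return 1; }
  is_safe_keyname "$keyname" || { echo "refusing unsafe key name: $keyname" >&2; return 1; }
  printf "INSERT INTO domainmetadata (domain_id, kind, content) SELECT id, 'TSIG-ALLOW-DNSUPDATE', '%s' FROM domains WHERE name='%s';\n" "$keyname" "$zone"
}

# Step 4: pdnsutil already prints the key as base64; Kubernetes decodes the
# data field once on load, so the stored value must be base64 of that string.
# Strip whitespace a copy/paste may have added and refuse anything that is not
# valid base64, otherwise TSIG signatures will silently never verify.
encode_tsig_secret() {
  raw=$(printf '%s' "$1" | tr -d '\n\r\t ')
  printf '%s' "$raw" | grep -Eq '^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$' \
    || { echo "key is not valid base64" >&2; return 1; }
  printf '%s' "$raw" | base64 | tr -d '\n'
}

render_secret_yaml() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: secret
  namespace: cert-manager
data:
  key: $1
EOF
}

# Step 5: rfc2136 solver referencing the Secret above, limited to one zone.
# The nameserver is given as ip:port (the public IPv4 of your PowerDNS).
render_issuer_yaml() {
  zone="$1"; ns_ip="$2"; keyname="$3"; email="$4"
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: $email
    privateKeySecretRef:
      name: letsencrypt-dns01-account
    solvers:
    - selector:
        dnsZones:
        - "$zone"
      dns01:
        rfc2136:
          nameserver: $ns_ip:53
          tsigKeyName: $keyname
          tsigAlgorithm: HMACMD5
          tsigSecretSecretRef:
            name: secret
            key: key
EOF
}

# Demo with constructed values (203.0.113.10 is a documentation address, the
# key is a made-up base64 string): sh prepare_pdns.sh demo
if [ "${1:-}" = "demo" ]; then
  render_allow_update_sql example.org master_key
  render_secret_yaml "$(encode_tsig_secret 'c2FtcGxlLWtleQ==')"
  render_issuer_yaml example.org 203.0.113.10 master_key admin@example.org
fi
```

Run it with the demo argument to see the three artefacts, then replace the placeholders with the real key from pdnsutil, your zone and your nameserver's public address before piping the YAML into kubectl apply -f -.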

Useful Resources