Enabling RFC2136 for ExternalDNS
In order to enable the provider RFC2136 on ExternalDNS, the following rfc2136.*
parameters should be changed in the values.yaml of the K8GB helm chart:
-
One authentication method should be enabled on the values:
- Insecure
- This method doesn't use any authentication and anonymous updates to the DNS records can be executed
- TSIG
- This method uses TSIG authentication that relies on a token provided for the DNS records update.
- GSS-TSIG
- This method uses GSS-TSIG authentication, which is a variation of the TSIG method, but uses Kerberos for the generation of tokens for authentication and authorization
- Method used by Active Directory Windows DNS
- Insecure
-
GSS-TSIG
- kerberos-username
- this key should have the value of a Active Directory user account that has permissions for DNS updates
- kerberos-password
- password of the user account that will be used. Be aware that this isn't encrypted and so far ExternalDNS doesn't support adding a Secret reference for this value, so it will be stored in clear text
- kerberos-realm
- domain that will be used for authentication of the user
- kerberos-username
Sample for GSS-TSIG authentication
rfc2136:
enabled: true
rfc2136Opts:
- host: yourAcDc.k8gb.local
- port: 53
rfc2136auth:
insecure:
enabled: false
tsig:
enabled: false
tsigCreds:
- tsig-secret-alg: hmac-sha256
- tsig-keyname: externaldns-key
gssTsig:
enabled: true
gssTsigCreds:
- kerberos-username: someServiceAccount
- kerberos-password: insecurePlainTextPassword
- kerberos-realm: yourKerberosRealm.domain