feat: tsigkey implementation

Makefile

@@ -412,10 +412,15 @@ chainsaw: ## Find or download chainsaw
 	$(call go-install-tool,$(CHAINSAW),github.com/kyverno/chainsaw,$(CHAINSAW_VERSION))
 
 .PHONY: chainsaw-test
-chainsaw-test: chainsaw chainsaw-prepare-kubeconfigs ## Run Chainsaw tests (requires dev/kind.*.kubeconfig to exist)
+CHAINSAW_TEST_DIR ?= .
+CHAINSAW_DEFAULT_ARGS ?=
+CHAINSAW_ARGS ?=
+
+.PHONY: chainsaw-test
+chainsaw-test: chainsaw chainsaw-prepare-kubeconfigs ## Run Chainsaw tests (set CHAINSAW_TEST_DIR=./tsig and/or CHAINSAW_ARGS="--include-test-regex <name>")
 	@test -f dev/kind.upstream.kubeconfig || { echo "Missing dev/kind.upstream.kubeconfig. Bootstrap clusters first."; exit 1; }
 	@test -f dev/kind.downstream.kubeconfig || { echo "Missing dev/kind.downstream.kubeconfig. Bootstrap clusters first."; exit 1; }
-	cd test/e2e && $(CHAINSAW) test .
+	cd test/e2e && $(CHAINSAW) test $(CHAINSAW_DEFAULT_ARGS) $(CHAINSAW_ARGS) $(CHAINSAW_TEST_DIR)
 
 .PHONY: chainsaw-prepare-kubeconfigs
 chainsaw-prepare-kubeconfigs: ## Copy dev kind kubeconfigs into test/e2e for stable relative resolution

cmd/main.go

@@ -231,6 +231,13 @@ func main() {
 			setupLog.Error(err, "unable to create controller", "controller", "DNSRecordSetPowerDNS")
 			os.Exit(1)
 		}
+		if err := (&controller.DNSZoneTSIGKeyPowerDNSReconciler{
+			Client: mgr.GetClient(),
+			Scheme: mgr.GetScheme(),
+		}).SetupWithManager(mgr); err != nil {
+			setupLog.Error(err, "unable to create controller", "controller", "DNSZoneTSIGKeyPowerDNS")
+			os.Exit(1)
+		}
 
 		if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
 			setupLog.Error(err, "unable to set up health check")
@@ -306,6 +313,12 @@ func main() {
 			setupLog.Error(err, "unable to create controller", "controller", "DNSZoneDiscoveryReplicator")
 			os.Exit(1)
 		}
+		if err := (&controller.DNSZoneTSIGKeyReplicator{
+			DownstreamClient: downstreamCluster.GetClient(),
+		}).SetupWithManager(mcmgr, downstreamCluster); err != nil {
+			setupLog.Error(err, "unable to create controller", "controller", "DNSZoneTSIGKeyReplicator")
+			os.Exit(1)
+		}
 
 		if err := mcmgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
 			setupLog.Error(err, "unable to set up health check")

config/crd/kustomization.yaml

@@ -9,7 +9,8 @@ resources:
 - bases/dns.networking.miloapis.com_dnszonetsigkeys.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
 
-patches:
+# kustomize expects this to be an array; keep empty by default.
+patches: []
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
 # +kubebuilder:scaffold:crdkustomizewebhookpatch

config/rbac/role.yaml

@@ -8,6 +8,7 @@ rules:
   - ""
   resources:
   - configmaps
+  - secrets
   verbs:
   - create
   - delete
@@ -44,6 +45,7 @@ rules:
   - dns.networking.miloapis.com
   resources:
   - dnsrecordsets/finalizers
+  - dnszonetsigkeys/finalizers
   verbs:
   - update
 - apiGroups:
@@ -52,6 +54,7 @@ rules:
   - dnsrecordsets/status
   - dnszonediscoveries/status
   - dnszones/status
+  - dnszonetsigkeys/status
   verbs:
   - get
   - patch
@@ -68,6 +71,7 @@ rules:
   - dns.networking.miloapis.com
   resources:
   - dnszonediscoveries
+  - dnszonetsigkeys
   verbs:
   - get
   - list

config/samples/dns_v1alpha1_dnszonetsigkey.yaml

@@ -10,5 +10,5 @@ spec:
   # algorithm: hmac-sha256
   # Optional (BYO secret):
   # secretRef:
-  #   name: existing-upstream-tsig
+  #   name: existing-upstream
 

internal/controller/conditions.go

@@ -8,6 +8,7 @@ const (
 	ReasonAccepted            = "Accepted"
 	ReasonPending             = "Pending"
 	ReasonInvalidDNSRecordSet = "InvalidDNSRecordSet"
+	ReasonInvalidSecret       = "InvalidSecret"
 	ReasonProgrammed          = "Programmed"
 	ReasonDiscovered          = "Discovered"
 	ReasonDNSZoneInUse        = "DNSZoneInUse"