RndcKeyConfig

Struct RndcKeyConfig 

pub struct RndcKeyConfig {
    pub auto_rotate: bool,
    pub rotate_after: String,
    pub secret_ref: Option<RndcSecretRef>,
    pub secret: Option<SecretSpec>,
    pub algorithm: RndcAlgorithm,
}

RNDC key lifecycle configuration with automatic rotation support.

Provides three configuration modes:

  1. Auto-generated with optional rotation (default) - Operator creates and manages keys
  2. Reference to existing Secret - Use pre-existing Kubernetes Secret (no rotation)
  3. Inline Secret specification - Define Secret inline with optional rotation

When auto_rotate is enabled, the operator automatically rotates keys after the rotate_after duration has elapsed. Rotation timestamps are tracked in Secret annotations.

§Examples

# Auto-generated with 30-day rotation
rndcKeys:
  autoRotate: true
  rotateAfter: 720h
  algorithm: hmac-sha256

# Reference existing Secret (no rotation)
rndcKeys:
  secretRef:
    name: my-rndc-key
    algorithm: hmac-sha256

# Inline Secret with rotation
rndcKeys:
  autoRotate: true
  rotateAfter: 2160h  # 90 days
  secret:
    metadata:
      name: custom-rndc-key
      labels:
        app: bindy

Fields§

§auto_rotate: bool

Enable automatic key rotation (default: false for backward compatibility).

When true, the operator automatically rotates the RNDC key after the rotate_after interval. When false, keys are generated once and never rotated.

Important: Rotation only applies to operator-managed Secrets. If you specify secret_ref, that Secret will NOT be rotated automatically.

Default: false

§rotate_after: String

Duration after which to rotate the key, given as a Go-style duration string (“720h”, “30d”).

Supported units:

  • h (hours): “720h” = 30 days
  • d (days): “30d” = 30 days
  • w (weeks): “4w” = 28 days

Constraints:

  • Minimum: 1h (1 hour)
  • Maximum: 8760h (365 days / 1 year)

Only applies when auto_rotate is true.

Default: "720h" (30 days)

§secret_ref: Option<RndcSecretRef>

Reference to an existing Kubernetes Secret containing RNDC credentials.

When specified, the operator uses this existing Secret instead of auto-generating one. The Secret must contain the rndc.key field with BIND9 key file content.

Mutually exclusive with secret - if both are specified, secret_ref takes precedence and secret is ignored.

Rotation note: User-managed Secrets (via secret_ref) are NOT automatically rotated even if auto_rotate is true. You must rotate these manually.

Default: None (auto-generate key)

§secret: Option<SecretSpec>

Inline Secret specification for operator-managed Secret with optional rotation.

Embeds a full Kubernetes Secret specification. The operator will create and manage this Secret, and rotate it if auto_rotate is true.

Mutually exclusive with secret_ref - if both are specified, secret_ref takes precedence and this field is ignored.

Default: None (auto-generate key)

§algorithm: RndcAlgorithm

HMAC algorithm for the RNDC key.

Only used when auto-generating keys (when neither secret_ref nor secret is specified). If using secret_ref, the algorithm is specified in that reference.

Default: hmac-sha256
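
The field rules above interact: secret_ref overrides secret, rotation is skipped for user-managed Secrets, and rotate_after must fall within 1h to 8760h. The following is an added example, not code from this crate, that resolves a configuration into its effective mode and rotation interval and flags settings that are silently ignored. The names `KeyMode`, `Plan`, `parse_rotate_after` and `plan` are hypothetical, and it assumes whole-number values and that rotate_after is not validated when auto_rotate is false.

```rust
// Added example: models the documented rules only; not the operator's code.
#[derive(Debug, PartialEq)]
enum KeyMode { AutoGenerated, SecretRef, InlineSecret }

#[derive(Debug, PartialEq)]
struct Plan { mode: KeyMode, rotate_every_hours: Option<u64>, warnings: Vec<&'static str> }

/// Parse "<n>h", "<n>d" or "<n>w" into hours and enforce the 1h..=8760h bounds.
fn parse_rotate_after(s: &str) -> Result<u64, String> {
    let (digits, per_unit) = if let Some(d) = s.strip_suffix('h') { (d, 1) }
        else if let Some(d) = s.strip_suffix('d') { (d, 24) }
        else if let Some(d) = s.strip_suffix('w') { (d, 168) }
        else { return Err(format!("unsupported unit in {:?}", s)) };
    // Digits only: rejects "", "+5", "-1", "1.5" and embedded whitespace.
    if digits.is_empty() || !digits.bytes().all(|b| b.is_ascii_digit()) {
        return Err(format!("invalid number in {:?}", s));
    }
    let hours = digits.parse::<u64>().ok().and_then(|n| n.checked_mul(per_unit))
        .ok_or_else(|| format!("value too large in {:?}", s))?;
    if !(1..=8760).contains(&hours) {
        return Err(format!("{:?} is outside 1h..=8760h", s));
    }
    Ok(hours)
}

/// Resolve which mode wins and whether rotation will actually happen.
fn plan(auto_rotate: bool, rotate_after: &str, has_secret_ref: bool, has_secret: bool)
    -> Result<Plan, String> {
    let mut warnings = Vec::new();
    let mode = if has_secret_ref {
        if has_secret { warnings.push("secret is ignored: secret_ref takes precedence"); }
        KeyMode::SecretRef
    } else if has_secret { KeyMode::InlineSecret } else { KeyMode::AutoGenerated };
    let rotate_every_hours = match (auto_rotate, &mode) {
        (false, _) => None, // rotate_after only applies when auto_rotate is true
        (true, KeyMode::SecretRef) => {
            warnings.push("auto_rotate has no effect with secret_ref: rotate manually");
            None
        }
        (true, _) => Some(parse_rotate_after(rotate_after)?),
    };
    Ok(Plan { mode, rotate_every_hours, warnings })
}

fn main() {
    println!("{:?}", plan(true, "2160h", false, true)); // inline Secret, 90 days
    println!("{:?}", plan(true, "30d", true, true));    // secret_ref wins, no rotation
    println!("{:?}", plan(true, "2y", false, false));   // unsupported unit
}
```

A non-empty `warnings` list marks a configuration where a field is accepted but has no effect, such as autoRotate: true combined with secretRef, which leaves the key unrotated until it is replaced manually.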

Trait Implementations§

Source§

impl Clone for RndcKeyConfig

Source§

fn clone(&self) -> RndcKeyConfig

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for RndcKeyConfig

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Default for RndcKeyConfig

Source§

fn default() -> RndcKeyConfig

Returns the “default value” for a type. Read more
Source§

impl<'de> Deserialize<'de> for RndcKeyConfig

Source§

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer. Read more
Source§

impl JsonSchema for RndcKeyConfig

Source§

fn schema_name() -> Cow<'static, str>

The name of the generated JSON Schema. Read more
Source§

fn schema_id() -> Cow<'static, str>

Returns a string that uniquely identifies the schema produced by this type. Read more
Source§

fn json_schema(generator: &mut SchemaGenerator) -> Schema

Generates a JSON Schema for this type. Read more
Source§

fn inline_schema() -> bool

Whether JSON Schemas generated for this type should be included directly in parent schemas, rather than being re-used where possible using the $ref keyword. Read more
Source§

impl PartialEq for RndcKeyConfig

Source§

fn eq(&self, other: &RndcKeyConfig) -> bool

Tests for self and other values to be equal, and is used by ==.
1.0.0 · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl Serialize for RndcKeyConfig

Source§

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer. Read more
Source§

impl StructuralPartialEq for RndcKeyConfig

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> DynClone for T
where T: Clone,

Source§

fn __clone_box(&self, _: Private) -> *mut ()

Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

§

impl<T> FromRef<T> for T
where T: Clone,

§

fn from_ref(input: &T) -> T

Converts to this type from a reference to the input type.
§

impl<T> Instrument for T

§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided [Span], returning an Instrumented wrapper. Read more
§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> IntoEither for T

Source§

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
§

impl<T> IntoRequest<T> for T

§

fn into_request(self) -> Request<T>

Wrap the input message T in a tonic::Request
§

impl<L> LayerExt<L> for L

§

fn named_layer<S>(&self, service: S) -> Layered<<L as Layer<S>>::Service, S>
where L: Layer<S>,

Applies the layer to a service and wraps it in [Layered].
§

impl<T> PolicyExt for T
where T: ?Sized,

§

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns [Action::Follow] only if self and other return Action::Follow. Read more
§

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns [Action::Follow] if either self or other returns Action::Follow. Read more
Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
§

impl<T> ServiceExt for T

§

fn map_response_body<F>(self, f: F) -> MapResponseBody<Self, F>
where Self: Sized,

Apply a transformation to the response body. Read more
§

fn trace_for_http(self) -> Trace<Self, SharedClassifier<ServerErrorsAsFailures>>
where Self: Sized,

High level tracing that classifies responses using HTTP status codes. Read more
§

fn trace_for_grpc(self) -> Trace<Self, SharedClassifier<GrpcErrorsAsFailures>>
where Self: Sized,

High level tracing that classifies responses using gRPC headers. Read more
§

fn follow_redirects(self) -> FollowRedirect<Self>
where Self: Sized,

Follow redirect responses using the Standard policy. Read more
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

§

fn vzip(self) -> V

§

impl<T> WithSubscriber for T

§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a [WithDispatch] wrapper. Read more
§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a [WithDispatch] wrapper. Read more
Source§

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,