Struct RndcSecretRef 

pub struct RndcSecretRef {
    pub name: String,
    pub algorithm: RndcAlgorithm,
    pub key_name_key: String,
    pub secret_key: String,
}

Reference to a Kubernetes Secret containing RNDC/TSIG credentials.

This allows you to use an existing external Secret for RNDC authentication instead of having the operator auto-generate one. The Secret is mounted as a directory at /etc/bind/keys/ in the BIND9 container, and BIND9 uses the rndc.key file.

External (User-Managed) Secrets

For external secrets, you ONLY need to provide the rndc.key field containing the complete BIND9 key file content. The other fields (key-name, algorithm, secret) are optional metadata used by operator-generated secrets.

Minimal External Secret Example

apiVersion: v1
kind: Secret
metadata:
  name: my-rndc-key
  namespace: dns-system
type: Opaque
stringData:
  rndc.key: |
    key "bindy-operator" {
        algorithm hmac-sha256;
        secret "base64EncodedSecretKeyMaterial==";
    };

Auto-Generated (Operator-Managed) Secrets

When the operator auto-generates a Secret (no rndcSecretRef specified), it creates a Secret with all 4 fields for internal metadata tracking:

apiVersion: v1
kind: Secret
metadata:
  name: bind9-instance-rndc
  namespace: dns-system
type: Opaque
stringData:
  key-name: "bindy-operator"     # Operator metadata
  algorithm: "hmac-sha256"       # Operator metadata
  secret: "randomBase64Key=="    # Operator metadata
  rndc.key: |                    # Used by BIND9
    key "bindy-operator" {
        algorithm hmac-sha256;
        secret "randomBase64Key==";
    };

Using with Bind9Instance

apiVersion: bindy.firestoned.io/v1beta1
kind: Bind9Instance
metadata:
  name: production-dns-primary-0
spec:
  clusterRef: production-dns
  role: primary
  rndcSecretRef:
    name: my-rndc-key
    algorithm: hmac-sha256

How It Works

When the Secret is mounted at /etc/bind/keys/, Kubernetes creates individual files for each Secret key:

• /etc/bind/keys/rndc.key (the BIND9 key file) ← This is what BIND9 uses
• /etc/bind/keys/key-name (optional metadata for operator-generated secrets)
• /etc/bind/keys/algorithm (optional metadata for operator-generated secrets)
• /etc/bind/keys/secret (optional metadata for operator-generated secrets)

The rndc.conf file includes /etc/bind/keys/rndc.key, so BIND9 only needs that one file to exist

Fields

name: String

Name of the Kubernetes Secret containing RNDC credentials

algorithm: RndcAlgorithm

HMAC algorithm for this key

key_name_key: String

Key within the secret for the key name (default: “key-name”)

secret_key: String

Key within the secret for the secret value (default: “secret”)

Trait Implementations

impl Clone for RndcSecretRef

fn clone(&self) -> RndcSecretRef

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for RndcSecretRef

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for RndcSecretRef

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl JsonSchema for RndcSecretRef

fn schema_name() -> Cow<'static, str>

The name of the generated JSON Schema.

fn schema_id() -> Cow<'static, str>

Returns a string that uniquely identifies the schema produced by this type.

fn json_schema(generator: &mut SchemaGenerator) -> Schema

Generates a JSON Schema for this type.

fn inline_schema() -> bool

Whether JSON Schemas generated for this type should be included directly in parent schemas, rather than being re-used where possible using the $ref keyword.

impl Serialize for RndcSecretRef

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.