dkim-manager

module
v1.0.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 26, 2022 License: MIT

README

GitHub release main PkgGoDev Go Report Card

dkim-manager

dkim-manager is a Kubernetes controller for creating DKIM keys.

Motivation

When sending mail from inside a Kubernetes cluster, you might want to sign outgoing emails with a DKIM signature. Setting up DKIM involves placing a private key for the DKIM signer to consume, and registering a DNS record containing the public key. Doing so manually can be a chore, and in some environments it is not acceptable to create private keys locally. dkim-manager aims to facilitate this process.

Features

dkim-manager is used in combination with external-dns. When a DKIM key is requested via the DKIMKey custom resource, dkim-manager creates a key pair, and creates two resources:

  • a Secret containing the private key, that the mailer pod can mount and consume
  • a DNSEndpoint containing the public key and other necessary information for external-dns to create the DNS record
  • RSA (1024-bit, 2048-bit, 4096-bit) and ed25519 keys are supported
    • 2048-bit RSA is selected as a sensible default

It is recommended to create a delegated subdomain for the sole purpose of storing DKIM records (eg: dkim.example.com) and grant external-dns only permission on that subdomain. See this blog for more details why.

Usage

DKIM keys can be requested by creating a DKIMKey resource.

apiVersion: dkim-manager.atelierhsn.com/v1
kind: DKIMKey
metadata:
    name: selector1-example-com
    namespace: example
spec:
    secretName: selector1-example-com
    selector: selector1
    domain: dkim.example.com

This will create the following resources:

# Secret
apiVersion: v1
kind: Secret
metadata:
    name: selector1-example-com
data:
    dkim.example.com.selector1.key: |
        "..."
---
### DNSEndpoint
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
    name: selector1-example-com
spec:
    endpoints:
    - dnsName: selector1._domainkey.dkim.example.com
      recordTTL: 86400
      recordType: TXT
      targets:
      - "v=DKIM1; h=sha256; k=rsa; p=...."

Future Considerations

Currently, DKIM private keys are stored as a Secret resource. While ubiquitous, this makes the keys visible to any priviledged users inside the cluster. In a future release support for writing private keys to HashiCorp Vault may be considered.

Directories

Path Synopsis
api
v1
Package v1 contains API Schema definitions for the dkim-manager v1 API group +kubebuilder:object:generate=true +groupName=dkim-manager.atelierhsn.com
 Package v1 contains API Schema definitions for the dkim-manager v1 API group +kubebuilder:object:generate=true +groupName=dkim-manager.atelierhsn.com
cmd
dkim-manager
pkg
client
dkim
externaldns

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.