To simplify OpenShift / Kubernetes integration, FreeIPA should provide URI records in addition to SRV records. As of today Kubernetes does not support SRV records with the same name but different protocols, e.g. the _kerberos._tcp and _kerberos._udp entries (Kubernetes issue #97149).
URI discovery support was added in MIT KRB5 1.15. Kerberos clients prefer _kerberos and _kpasswd URI records over SRV records. URI records have priority and weight just like SRV records. Beyond what an SRV record carries, they can encode different transport types (tcp, udp, kkdcp) and carry flags.
Example:
_kerberos.EXAMPLE.COM URI 10 1 krb5srv:m:tcp:kdc1.example.com
                      URI 20 1 krb5srv:m:udp:kdc2.example.com:89
                      URI 40 1 krb5srv::udp:10.10.0.23
                      URI 30 1 krb5srv::kkdcp:https://proxy:89/auth
Benefits:
Upstream documentation: https://web.mit.edu/kerberos/krb5-latest/doc/admin/realm_config.html#kdc-discovery
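As an added example (not FreeIPA's or MIT krb5's own code), here is a small Python parser for the krb5srv URI record format shown above: it splits each record into priority, weight, flags, transport and target, applies the priority/weight ordering a client would use, and rejects records with unknown transports or malformed targets. The sample RDATA strings are constructed from the ticket's example; the default port of 88, the https-only check for kkdcp targets, the bracketed-IPv6 handling and the deterministic (non-random) ordering are this example's own choices, not something the ticket or the upstream documentation prescribes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the four URI RDATA strings from the ticket's example for the
# owner name _kerberos.EXAMPLE.COM, as they would come back from a DNS lookup.
SAMPLE_RDATA = [
    "10 1 krb5srv:m:tcp:kdc1.example.com",
    "20 1 krb5srv:m:udp:kdc2.example.com:89",
    "40 1 krb5srv::udp:10.10.0.23",
    "30 1 krb5srv::kkdcp:https://proxy:89/auth",
]

DEFAULT_KDC_PORT = 88                       # IANA-registered Kerberos port (assumed default)
VALID_TRANSPORTS = {"tcp", "udp", "kkdcp"}  # transports MIT krb5 understands in URI records

# host[:port]; host is a DNS name, an IPv4 address, or a bracketed IPv6 address
_HOST_PORT = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[^:\[\]]+)(?::(\d{1,5}))?$")


@dataclass(frozen=True)
class KdcUri:
    priority: int        # lower is tried first (RFC 2782 semantics)
    weight: int          # tie-breaker among equal priorities
    primary: bool        # 'm' flag set: record points at the primary (master) KDC
    transport: str       # "tcp", "udp" or "kkdcp"
    target: str          # host for tcp/udp, proxy URL for kkdcp
    port: Optional[int]  # explicit or default port for tcp/udp; None for kkdcp


def parse_kdc_uri(rdata: str) -> KdcUri:
    """Parse one URI RDATA string: '<prio> <weight> krb5srv:<flags>:<transport>:<residual>'."""
    try:
        prio_s, weight_s, target = rdata.split(maxsplit=2)
    except ValueError:
        raise ValueError(f"malformed URI RDATA: {rdata!r}") from None
    target = target.strip('"')    # zone files usually quote the target field
    parts = target.split(":", 3)  # the residual may itself contain colons (URL, port)
    if len(parts) != 4 or parts[0] != "krb5srv":
        raise ValueError(f"not a krb5srv URI: {target!r}")
    _, flags, transport, residual = parts
    if transport not in VALID_TRANSPORTS:
        raise ValueError(f"unknown transport {transport!r} in {target!r}")
    if not residual:
        raise ValueError(f"empty target in {target!r}")

    if transport == "kkdcp":
        # The residual is the KDC proxy URL; a port, if any, lives inside the URL.
        # Added check: MS-KKDCP runs over HTTPS, so plaintext proxy URLs are rejected here.
        if not residual.startswith("https://"):
            raise ValueError(f"kkdcp target must be an https URL: {residual!r}")
        host, port = residual, None
    else:
        m = _HOST_PORT.match(residual)
        if m is None:
            raise ValueError(f"bad host[:port] in {target!r}")
        host = m.group(1)
        port = int(m.group(2)) if m.group(2) else DEFAULT_KDC_PORT
        if not 0 < port < 65536:
            raise ValueError(f"port out of range in {target!r}")

    return KdcUri(int(prio_s), int(weight_s), "m" in flags, transport, host, port)


def parse_records(rdata_list: List[str]) -> List[KdcUri]:
    return [parse_kdc_uri(r) for r in rdata_list]


def order_kdcs(records: List[KdcUri]) -> List[KdcUri]:
    """Deterministic client-side ordering: lowest priority first, then highest weight.
    A real resolver picks randomly among equal priorities in proportion to weight."""
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def by_transport(records: List[KdcUri], transport: str) -> List[KdcUri]:
    """Records usable by a client that only speaks the given transport, in try order."""
    return [r for r in order_kdcs(records) if r.transport == transport]


if __name__ == "__main__":
    for r in order_kdcs(parse_records(SAMPLE_RDATA)):
        where = r.target if r.port is None else f"{r.target}:{r.port}"
        print(f"prio={r.priority:<3} weight={r.weight} primary={r.primary!s:<5} {r.transport:<5} {where}")
```

Run stand-alone it prints the four records in the order a client would try them (kdc1 over TCP, kdc2 over UDP on port 89, the KKDCP proxy, then the bare-IP UDP KDC); a UDP-only client sees only the second and fourth. The strict validation is where the defensive value lies: a record with an unknown transport or a non-HTTPS proxy URL is an error rather than something silently tried.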
Metadata Update from @cheimes: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5990
master:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @abbra: - Custom field changelog adjusted to FreeIPA DNS integration now provides URI records for dynamic discovery of Kerberos KDCs. This allows automatic discovery and use of MS-KKDCP proxies. URI records are also Kubernetes-friendly as Kubernetes does not support SRV records with the same name and different protocols.