rfc2136 provider expects TSIG key in base64 DEcoded format

What happened: Currently the provider secret for rfc2136 expects TSIGSecret to be set to the base64 decoded version of the TSIG key. While it base64 encodes the secret during runtime.

What you expected to happen: no decoding and reencoding.

How to reproduce it (as minimally and precisely as possible):

Generate a tsig Key. tsig-keygen -a HMAC-SHA256 mykey:

key "keyname" {
algorithm hmac-sha256;
secret "base64encodedkey==";
};

Configure it on the DNS server

Create the rfc2136 provider secret:

export SERVER="127.0.0.1"
export ZONE="example.com."
export TSIG_ID="keyname."
export TSIG_KEY="base64encodedkey=="
export TSIG_ALGO="hmac-sha256"

kubectl create secret -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
name: rfc2136-credentials
namespace: default
type: Opaque
data:
Server: $SERVER
TSIGKeyName: $TSIG_ID
TSIGSecret: $TSIG_KEY # this currently only works if set to $(echo $TSIG_KEY | base64 -d)
Zone: $ZONE
TSIGSecretAlgorithm: $TSIG_ALGO
EOF

Create DNSProvider and DNSEntry

Anything else we need to know:

Environment: external-dns-management v0.16.0 as well as on master. kubernetes 1.26

gardener / external-dns-management

rfc2136 provider expects TSIG key in base64 DEcoded format #346