From fa857131c2c5a5c8b24dd9f74f5287beb69e1429 Mon Sep 17 00:00:00 2001
From: Brock Alberry <61976254+ba-work@users.noreply.github.com>
Date: Wed, 3 Mar 2021 21:28:11 +0000
Subject: [PATCH 1/4] add krb5 realm support

---
 .gitignore | 3 +++
 docs/tutorials/rfc2136.md | 3 ++-
 main.go | 2 +-
 pkg/apis/externaldns/types.go | 2 ++
 provider/rfc2136/rfc2136.go | 4 ++--
 provider/rfc2136/rfc2136_test.go | 2 +-
 6 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/.gitignore b/.gitignore
index 30adb371d6..db4b5e4c89 100644
--- a/.gitignore
+++ b/.gitignore
@@ -48,3 +48,6 @@
 external-dns
 vendor/
 profile.cov
+
+# github codespaces
+.venv/
\ No newline at end of file
diff --git a/docs/tutorials/rfc2136.md b/docs/tutorials/rfc2136.md
index 10210dd916..aba5c0053b 100644
--- a/docs/tutorials/rfc2136.md
+++ b/docs/tutorials/rfc2136.md
@@ -379,9 +379,10 @@ You'll want to configure `external-dns` similarly to the following:
 - --rfc2136-gss-tsig
 - --rfc2136-host=123.123.123.123
 - --rfc2136-port=53
-- --rfc2136-zone=your-domain.com
+- --rfc2136-zone=your-zone.com
 - --rfc2136-kerberos-username=your-domain-account
 - --rfc2136-kerberos-password=your-domain-password
+- --rfc2136-kerberos-realm=your-domain.com
 - --rfc2136-tsig-axfr # needed to enable zone transfers, which is required for deletion of records.
 ...
 ```
\ No newline at end of file
diff --git a/main.go b/main.go
index 09860c08d2..22613cf2fa 100644
--- a/main.go
+++ b/main.go
@@ -283,7 +283,7 @@ func main() {
 p, err = oci.NewOCIProvider(*config, domainFilter, zoneIDFilter, cfg.DryRun)
 }
 case "rfc2136":
-p, err = rfc2136.NewRfc2136Provider(cfg.RFC2136Host, cfg.RFC2136Port, cfg.RFC2136Zone, cfg.RFC2136Insecure, cfg.RFC2136TSIGKeyName, cfg.RFC2136TSIGSecret, cfg.RFC2136TSIGSecretAlg, cfg.RFC2136TAXFR, domainFilter, cfg.DryRun, cfg.RFC2136MinTTL, cfg.RFC2136GSSTSIG, cfg.RFC2136KerberosUsername, cfg.RFC2136KerberosPassword, nil)
+p, err = rfc2136.NewRfc2136Provider(cfg.RFC2136Host, cfg.RFC2136Port, cfg.RFC2136Zone, cfg.RFC2136Insecure, cfg.RFC2136TSIGKeyName, cfg.RFC2136TSIGSecret, cfg.RFC2136TSIGSecretAlg, cfg.RFC2136TAXFR, domainFilter, cfg.DryRun, cfg.RFC2136MinTTL, cfg.RFC2136GSSTSIG, cfg.RFC2136KerberosUsername, cfg.RFC2136KerberosPassword, cfg.RFC2136KerberosRealm, nil)
 case "ns1":
 p, err = ns1.NewNS1Provider(
 ns1.NS1Config{
diff --git a/pkg/apis/externaldns/types.go b/pkg/apis/externaldns/types.go
index b8d43f4620..9aba7355ce 100644
--- a/pkg/apis/externaldns/types.go
+++ b/pkg/apis/externaldns/types.go
@@ -144,6 +144,7 @@ type Config struct {
 RFC2136GSSTSIG bool
 RFC2136KerberosUsername string
 RFC2136KerberosPassword string
+RFC2136KerberosRealm string
 RFC2136TSIGKeyName string
 RFC2136TSIGSecret string `secure:"yes"`
 RFC2136TSIGSecretAlg string
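Review bot: The `case "rfc2136":` call now passes sixteen positional arguments, three of which are adjacent plain strings (krb5Username, krb5Password, krb5Realm), so a transposed argument compiles silently; the `case "ns1":` branch two lines below already passes a config struct (`ns1.NS1Config{`), and the same shape would suit rfc2136. Since this commit already changes the constructor signature, it is the cheapest moment to switch to a struct; otherwise a follow-up is fine. main() starts and ends outside the hunk.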
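Review bot: The new `RFC2136KerberosRealm string` field is not sensitive, so carrying no tag is right, but the neighbouring `RFC2136KerberosPassword string` context line lacks the `secure:"yes"` tag that `RFC2136TSIGSecret` carries. If that tag is what keeps a value out of config dumps and logs (not visible from this hunk), the Kerberos password is the field that needs it, and this block is being edited anyway. The Config struct continues outside the hunk.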
@@ -436,6 +437,7 @@ func (cfg *Config) ParseFlags(args []string) error {
 app.Flag("rfc2136-gss-tsig", "When using the RFC2136 provider, specify whether to use secure updates with GSS-TSIG using Kerberos (default: false, requires --rfc2136-kerberos-username and rfc2136-kerberos-password)").Default(strconv.FormatBool(defaultConfig.RFC2136GSSTSIG)).BoolVar(&cfg.RFC2136GSSTSIG)
 app.Flag("rfc2136-kerberos-username", "When using the RFC2136 provider with GSS-TSIG, specify the username of the user with permissions to update DNS records (required when --rfc2136-gss-tsig=true)").Default(defaultConfig.RFC2136KerberosUsername).StringVar(&cfg.RFC2136KerberosUsername)
 app.Flag("rfc2136-kerberos-password", "When using the RFC2136 provider with GSS-TSIG, specify the password of the user with permissions to update DNS records (required when --rfc2136-gss-tsig=true)").Default(defaultConfig.RFC2136KerberosPassword).StringVar(&cfg.RFC2136KerberosPassword)
+app.Flag("rfc2136-kerberos-realm", "When using the RFC2136 provider with GSS-TSIG, specify the realm of the user with permissions to update DNS records (required when --rfc2136-gss-tsig=true)").Default(defaultConfig.RFC2136KerberosRealm).StringVar(&cfg.RFC2136KerberosRealm)
 
 // Flags related to TransIP provider
 app.Flag("transip-account", "When using the TransIP provider, specify the account name (required when --provider=transip)").Default(defaultConfig.TransIPAccountName).StringVar(&cfg.TransIPAccountName)
diff --git a/provider/rfc2136/rfc2136.go b/provider/rfc2136/rfc2136.go
index 6112611606..643acab21b 100644
--- a/provider/rfc2136/rfc2136.go
+++ b/provider/rfc2136/rfc2136.go
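Review bot: The help text for the new `rfc2136-kerberos-realm` flag does not say that the value is upper-cased before use, which the provider does in this same patch (`strings.ToUpper(krb5Realm)` in provider/rfc2136/rfc2136.go), so an operator cannot tell whether `example.org` and `EXAMPLE.ORG` are equivalent. Suggest `"When using the RFC2136 provider with GSS-TSIG, specify the Kerberos realm of the user with permissions to update DNS records; the value is converted to upper case (required when --rfc2136-gss-tsig=true)"`. ParseFlags starts and ends outside the hunk.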
@@ -85,7 +85,7 @@ type rfc2136Actions interface {
 }
 
 // NewRfc2136Provider is a factory function for OpenStack rfc2136 providers
-func NewRfc2136Provider(host string, port int, zoneName string, insecure bool, keyName string, secret string, secretAlg string, axfr bool, domainFilter endpoint.DomainFilter, dryRun bool, minTTL time.Duration, gssTsig bool, krb5Username string, krb5Password string, actions rfc2136Actions) (provider.Provider, error) {
+func NewRfc2136Provider(host string, port int, zoneName string, insecure bool, keyName string, secret string, secretAlg string, axfr bool, domainFilter endpoint.DomainFilter, dryRun bool, minTTL time.Duration, gssTsig bool, krb5Username string, krb5Password string, krb5Realm string, actions rfc2136Actions) (provider.Provider, error) {
 secretAlgChecked, ok := tsigAlgs[secretAlg]
 if !ok && !insecure && !gssTsig {
 return nil, errors.Errorf("%s is not supported TSIG algorithm", secretAlg)
@@ -98,7 +98,7 @@ func NewRfc2136Provider(host string, port int, zoneName string, insecure bool, k
 gssTsig: gssTsig,
 krb5Username: krb5Username,
 krb5Password: krb5Password,
-krb5Realm: strings.ToUpper(zoneName),
+krb5Realm: strings.ToUpper(krb5Realm),
 domainFilter: domainFilter,
 dryRun: dryRun,
 axfr: axfr,
diff --git a/provider/rfc2136/rfc2136_test.go b/provider/rfc2136/rfc2136_test.go
index 1df3ea1c6c..59d3ea818d 100644
--- a/provider/rfc2136/rfc2136_test.go
+++ b/provider/rfc2136/rfc2136_test.go
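Review bot: The doc comment above the changed signature still reads `// NewRfc2136Provider is a factory function for OpenStack rfc2136 providers` and says nothing about the new krb5Realm parameter; with three adjacent string parameters (krb5Username, krb5Password, krb5Realm) a one-line statement of what krb5Realm is and how it is used is the minimum. Suggest `// NewRfc2136Provider is a factory function for rfc2136 providers. krb5Realm is the Kerberos realm used for GSS-TSIG; it is upper-cased before use.` ("OpenStack" appears to be a copy-paste leftover). NewRfc2136Provider's body continues outside the hunk.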
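Review bot: Swapping `strings.ToUpper(zoneName)` for `strings.ToUpper(krb5Realm)` silently changes existing GSS-TSIG deployments: a config that never set the new flag used to get the zone name as its realm and now gets an empty realm, and PATCH 2/4's check in validation.go turns that into a startup failure. If backward compatibility is wanted, keep the old behaviour as a fallback near the top of the constructor, `if krb5Realm == "" { krb5Realm = zoneName }`, with the PATCH 2/4 validation relaxed to match; otherwise the breaking change should be stated in the commit message and the tutorial. NewRfc2136Provider's body starts and continues outside the hunk.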
@@ -95,7 +95,7 @@ func (r *rfc2136Stub) IncomeTransfer(m *dns.Msg, a string) (env chan *dns.Envelo
 }
 
 func createRfc2136StubProvider(stub *rfc2136Stub) (provider.Provider, error) {
-return NewRfc2136Provider("", 0, "", false, "key", "secret", "hmac-sha512", true, endpoint.DomainFilter{}, false, 300*time.Second, false, "", "", stub)
+return NewRfc2136Provider("", 0, "", false, "key", "secret", "hmac-sha512", true, endpoint.DomainFilter{}, false, 300*time.Second, false, "", "", "", stub)
 }
 
 func extractAuthoritySectionFromMessage(msg fmt.Stringer) []string {
From d0472db86647a1226bbeabc27ab7ec27b0e69683 Mon Sep 17 00:00:00 2001
From: Brock Alberry <61976254+ba-work@users.noreply.github.com>
Date: Wed, 10 Mar 2021 14:41:02 +0000
Subject: [PATCH 2/4] add realm flag validation

---
 pkg/apis/externaldns/validation/validation.go | 4 +-
 .../externaldns/validation/validation_test.go | 45 +++++++++++++++++++
 2 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/pkg/apis/externaldns/validation/validation.go b/pkg/apis/externaldns/validation/validation.go
index 81f27a34a3..3251a7b09a 100644
--- a/pkg/apis/externaldns/validation/validation.go
+++ b/pkg/apis/externaldns/validation/validation.go
@@ -92,8 +92,8 @@ func ValidateConfig(cfg *externaldns.Config) error {
 }
 
 if cfg.RFC2136GSSTSIG {
-if cfg.RFC2136KerberosPassword == "" || cfg.RFC2136KerberosUsername == "" {
-return errors.New("--rfc2136-kerberos-username and --rfc2136-kerberos-password both required when specifying --rfc2136-gss-tsig option")
+if cfg.RFC2136KerberosPassword == "" || cfg.RFC2136KerberosUsername == "" || cfg.RFC2136KerberosRealm == "" {
+return errors.New("--rfc2136-kerberos-realm, --rfc2136-kerberos-username, and --rfc2136-kerberos-password are required when specifying --rfc2136-gss-tsig option")
 }
 }
 }
diff --git a/pkg/apis/externaldns/validation/validation_test.go b/pkg/apis/externaldns/validation/validation_test.go
index 98c5a50685..8bb6fdafa5 100644
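Review bot: The updated stub call passes `""` for the new realm argument, so nothing in this file exercises the parameter or the upper-casing NewRfc2136Provider applies to it. Since this test calls NewRfc2136Provider unqualified and therefore lives in the provider's own package, a small case that constructs the provider with a non-empty realm such as `"example.org"` and asserts that the resulting struct's `krb5Realm` field equals `"EXAMPLE.ORG"` would pin the behaviour (the concrete provider type name is not visible in this hunk).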
--- a/pkg/apis/externaldns/validation/validation_test.go
+++ b/pkg/apis/externaldns/validation/validation_test.go
@@ -158,6 +158,7 @@ func TestValidateBadRfc2136GssTsigConfig(t *testing.T) {
 Sources: []string{"test-source"},
 Provider: "rfc2136",
 RFC2136GSSTSIG: true,
+RFC2136KerberosRealm: "test-realm",
 RFC2136KerberosUsername: "test-user",
 RFC2136KerberosPassword: "",
 RFC2136MinTTL: 3600,
@@ -167,6 +168,7 @@ func TestValidateBadRfc2136GssTsigConfig(t *testing.T) {
 Sources: []string{"test-source"},
 Provider: "rfc2136",
 RFC2136GSSTSIG: true,
+RFC2136KerberosRealm: "test-realm",
 RFC2136KerberosUsername: "",
 RFC2136KerberosPassword: "test-pass",
 RFC2136MinTTL: 3600,
@@ -177,6 +179,48 @@ func TestValidateBadRfc2136GssTsigConfig(t *testing.T) {
 Provider: "rfc2136",
 RFC2136GSSTSIG: true,
 RFC2136Insecure: true,
+RFC2136KerberosRealm: "test-realm",
+RFC2136KerberosUsername: "test-user",
+RFC2136KerberosPassword: "test-pass",
+RFC2136MinTTL: 3600,
+},
+{
+LogFormat: "json",
+Sources: []string{"test-source"},
+Provider: "rfc2136",
+RFC2136GSSTSIG: true,
+RFC2136KerberosRealm: "",
+RFC2136KerberosUsername: "test-user",
+RFC2136KerberosPassword: "",
+RFC2136MinTTL: 3600,
+},
+{
+LogFormat: "json",
+Sources: []string{"test-source"},
+Provider: "rfc2136",
+RFC2136GSSTSIG: true,
+RFC2136KerberosRealm: "",
+RFC2136KerberosUsername: "",
+RFC2136KerberosPassword: "test-pass",
+RFC2136MinTTL: 3600,
+},
+{
+LogFormat: "json",
+Sources: []string{"test-source"},
+Provider: "rfc2136",
+RFC2136GSSTSIG: true,
+RFC2136Insecure: true,
+RFC2136KerberosRealm: "",
+RFC2136KerberosUsername: "test-user",
+RFC2136KerberosPassword: "test-pass",
+RFC2136MinTTL: 3600,
+},
+{
+LogFormat: "json",
+Sources: []string{"test-source"},
+Provider: "rfc2136",
+RFC2136GSSTSIG: true,
+RFC2136KerberosRealm: "",
 RFC2136KerberosUsername: "test-user",
 RFC2136KerberosPassword: "test-pass",
 RFC2136MinTTL: 3600,
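Review bot: Of the four cases added in the `@@ -177,6 +179,48 @@` hunk, only the last one (realm `""`, username and password set, Insecure unset) fails solely because of the new realm check; the other three also carry an empty password, an empty username, or `RFC2136Insecure: true` (which the pre-existing third case already relies on being rejected), so they would still pass if the realm check were removed and add no coverage of the change. Keeping the final case and dropping the other three, or giving each exactly one fault, makes the table say what it tests. The two earlier hunks in this file only add `RFC2136KerberosRealm: "test-realm"` to existing bad cases, which is correct. TestValidateBadRfc2136GssTsigConfig starts and ends outside the hunk.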
@@ -198,6 +242,7 @@ func TestValidateGoodRfc2136GssTsigConfig(t *testing.T) {
 Provider: "rfc2136",
 RFC2136GSSTSIG: true,
 RFC2136Insecure: false,
+RFC2136KerberosRealm: "test-realm",
 RFC2136KerberosUsername: "test-user",
 RFC2136KerberosPassword: "test-pass",
 RFC2136MinTTL: 3600,
From dad038b7f01e98b77b63b7412b2b689375f071e1 Mon Sep 17 00:00:00 2001
From: Brock Alberry <61976254+ba-work@users.noreply.github.com>
Date: Wed, 10 Mar 2021 16:19:57 +0000
Subject: [PATCH 3/4] corrected flag help output

---
 pkg/apis/externaldns/types.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/apis/externaldns/types.go b/pkg/apis/externaldns/types.go
index 9aba7355ce..210316f671 100644
--- a/pkg/apis/externaldns/types.go
+++ b/pkg/apis/externaldns/types.go
@@ -434,7 +434,7 @@ func (cfg *Config) ParseFlags(args []string) error {
 app.Flag("rfc2136-tsig-secret-alg", "When using the RFC2136 provider, specify the TSIG (base64) value to attached to DNS messages (required when --rfc2136-insecure=false)").Default(defaultConfig.RFC2136TSIGSecretAlg).StringVar(&cfg.RFC2136TSIGSecretAlg)
 app.Flag("rfc2136-tsig-axfr", "When using the RFC2136 provider, specify the TSIG (base64) value to attached to DNS messages (required when --rfc2136-insecure=false)").BoolVar(&cfg.RFC2136TAXFR)
 app.Flag("rfc2136-min-ttl", "When using the RFC2136 provider, specify minimal TTL (in duration format) for records. This value will be used if the provided TTL for a service/ingress is lower than this").Default(defaultConfig.RFC2136MinTTL.String()).DurationVar(&cfg.RFC2136MinTTL)
-app.Flag("rfc2136-gss-tsig", "When using the RFC2136 provider, specify whether to use secure updates with GSS-TSIG using Kerberos (default: false, requires --rfc2136-kerberos-username and rfc2136-kerberos-password)").Default(strconv.FormatBool(defaultConfig.RFC2136GSSTSIG)).BoolVar(&cfg.RFC2136GSSTSIG)
+app.Flag("rfc2136-gss-tsig", "When using the RFC2136 provider, specify whether to use secure updates with GSS-TSIG using Kerberos (default: false, requires --rfc2136-kerberos-realm, --rfc2136-kerberos-username, and rfc2136-kerberos-password)").Default(strconv.FormatBool(defaultConfig.RFC2136GSSTSIG)).BoolVar(&cfg.RFC2136GSSTSIG)
 app.Flag("rfc2136-kerberos-username", "When using the RFC2136 provider with GSS-TSIG, specify the username of the user with permissions to update DNS records (required when --rfc2136-gss-tsig=true)").Default(defaultConfig.RFC2136KerberosUsername).StringVar(&cfg.RFC2136KerberosUsername)
 app.Flag("rfc2136-kerberos-password", "When using the RFC2136 provider with GSS-TSIG, specify the password of the user with permissions to update DNS records (required when --rfc2136-gss-tsig=true)").Default(defaultConfig.RFC2136KerberosPassword).StringVar(&cfg.RFC2136KerberosPassword)
 app.Flag("rfc2136-kerberos-realm", "When using the RFC2136 provider with GSS-TSIG, specify the realm of the user with permissions to update DNS records (required when --rfc2136-gss-tsig=true)").Default(defaultConfig.RFC2136KerberosRealm).StringVar(&cfg.RFC2136KerberosRealm)
From ecbcf27e355b1b83b8abbe7f2cd528a0e66274b6 Mon Sep 17 00:00:00 2001
From: Brock Alberry <61976254+ba-work@users.noreply.github.com>
Date: Thu, 18 Mar 2021 18:12:53 +0000
Subject: [PATCH 4/4] remove double type definition

---
 pkg/apis/externaldns/types.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/pkg/apis/externaldns/types.go b/pkg/apis/externaldns/types.go
index d614154773..a179fc82a6 100644
--- a/pkg/apis/externaldns/types.go
+++ b/pkg/apis/externaldns/types.go
@@ -147,7 +147,6 @@ type Config struct {
 RFC2136KerberosRealm string
 RFC2136KerberosUsername string
 RFC2136KerberosPassword string
-RFC2136KerberosRealm string
 RFC2136TSIGKeyName string
 RFC2136TSIGSecret string `secure:"yes"`
 RFC2136TSIGSecretAlg string
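Review bot: The new `rfc2136-gss-tsig` help text lists `--rfc2136-kerberos-realm, --rfc2136-kerberos-username, and rfc2136-kerberos-password`; the last flag is missing its `--` prefix (carried over from the old text), so the string is inconsistent with itself and with the error message added to validation.go in PATCH 2/4. Suggest `requires --rfc2136-kerberos-realm, --rfc2136-kerberos-username, and --rfc2136-kerberos-password`. While here, the context lines for `rfc2136-tsig-secret-alg` and `rfc2136-tsig-axfr` repeat the TSIG-secret description word for word, which looks like a copy-paste leftover worth a separate fix. ParseFlags starts and ends outside the hunk.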