[ACME] Add RFC2136 DNS Provider

[simonfuhrer]

What this PR does / why we need it:
In our datacenter we do not use any of the currently supported DNS providers. With this pull request I added support for the DNS RFC2136 provider. An example configuration is also included.

Special notes for your reviewer:
What do you think of that? Is there anything missing? It would be great if this could be merged.

Release note:

Add RFC2136 DNS Provider

[jetstack-ci-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
We suggest the following additional approver: munnerz

Assign the PR to them by writing /assign @munnerz in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• OWNERS

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[munnerz]

Thanks for this! Absolutely will accept if we can get a few things cleaned up.

It looks like this code was also taken from the xenolf lego package? That's the source I've used for other provides 😄

[munnerz]

It looks like if this is left blank, authentication can be disabled. If the secret specified doesn't exist we should attempt without auth.

[munnerz]

You'll need to run ./hack/update-codegen.sh as you've updated API types.

[simonfuhrer]

Hi munnerz,
I have been able to execute this command successfully.

[whereisaaron]

Great. Can you add and Issuer example config to the docs, so people will know it is available.

[simonfuhrer]

The referenced secret is now also optional.
Documentation (Issuer and ClusterIssuer) enhanced with RFC2136 Provider.

Anything else missing?

[simonfuhrer]

Hi munnerz,
I have been able to execute this command successfully.

[munnerz]

/ok-to-test

[munnerz]

/test e2e

[jetstack-ci-bot]

@simonfuhrer PR needs rebase

[simonfuhrer]

@munnerz when do you plan to accept this pull request? Is there anything else I can do?

[munnerz]

Sorry for the delay here - i've had a pending review sitting for a few days!

With the addition of the Azure provider #246, I mentioned potentially moving the providers configuration into a single secret (with fixed value keys, e.g. tsigKey needs to be set as a value in the Secret) to save having so many fields that a user need configure on these manifests.

I'd like to hold this PR until we can decide what is best to do, and merge both this and #246 together after potentially adjusting for this new convention. What are your thoughts? I'm not sure if there's somewhere else in Kubernetes we can use as a reference for this perhaps.

[munnerz]

Please camelCase this, so tsigSecretSecretRef and tsigKey

[munnerz]

Probably makes sense to just have the one example of this, explaining each field? If some fields are optional, add a comment to it to indicate so.

[munnerz]

How many algorithm types are there in the spec? Can we pull this into its own type?

type TSIGAlgorithm string
const (
    HmacMD5Algorithm TSIGAlgorithm = "HmacMD5"
)

[munnerz]

dns providers can have friendly names here, e.g. 'corp-dns'. It might be better to use that kind of name here, so that users can realise this? rfc2136 is explicitly called out below in the struct configuration.

[jetstack-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
We suggest the following additional approver: munnerz

Assign the PR to them by writing /assign @munnerz in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• OWNERS

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[simonfuhrer]

/retest

[jetstack-bot]

@simonfuhrer: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
cert-manager-quick-verify	4552188	link	/test verify

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[simonfuhrer]

In my opinion we should avoid any secrets and use environment variables instead.
These can then also be made available in the pods via secrets.
However, we leave this choice to the users. This would simplify the entire deployment process.

What are your though?

[munnerz]

If environment variables were used, it would not be possible to talk to two different RFC2136 servers for different issuers, effectively breaking the multi tenant use case for DNS providers. By having this configuration (somehow) referenced/associated with each Issuer, we're able to support a wide variety of certificate issuing sources without having to deploy multiple instances of cert-manager.

…

On Sun, 28 Jan 2018 at 16:47, Simon Fuhrer ***@***.***> wrote: In my opinion we should avoid any secrets and use environment variables instead. These can then also be made available in the pods via secrets. However, we leave this choice to the users. This would simplify the entire deployment process. What are your though? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#245 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAMbP_2fbAVSryuK8WUIWM5pi4ppuImRks5tPKSQgaJpZM4RdZYH> .

[whereisaaron]

I agree Secrets should be used in this case because:

1. It enables support for multiple RFC2136 servers, whether just because you have more that one RFC2136 DNS Issuer/ClusterIssuer or for multi-tenant clusters - as @munnerz noted. Using environment variables has been a big limitation on previous implementations like kube-lego and kube-cert-manager, where you have to run separate instances of the controller for every DNS provider for a given protocol. We have this issue, and cert-manager use of Secrets over environment variables is a fantastic improvement for operations.
2. It secures credentials in the a multi-tenant situation. If environment variables are used then one tenant's RFC2136 credentials become available other tenants to use.
3. It enables run-time updates to RFC2136 settings and credentials. Environment variable in k8s can only be set at Pod creation. They are not updated when the Secret is updated. Using environment variables necessitates redeploying the cert-manager application because the credentials for one Issuer/ClusterIssuer, of potentially a large number, has changed.

[simonfuhrer]

you convinced me. I see the benefits.

So it would be best to put the whole provider configuration in a secret with predefined keys. The Issuer object then only refers to the corresponding secret.

[whereisaaron]

@simonfuhrer that's a far less clear-cut question or more matter of taste or convention. I would suggest consistency is the aim here, ie. use the same approach other parts of cert-manager.

Looking around the configuration is usually to put only the actual secrets in the Secret, and refer to the secret values (or whole config file) by name and key name. Which is exactly what you already did in your PR spec and sample issuer for the tsig secret I think?

@munnerz talks above about having fixed keys to keep the Issuer manifest smaller. But I would personally prefer not to so that, as the correct fixed, and case-specific key in these cases is not obvious for users to guess, and the key would then become 'magic' value for each protocol that users can only find in the documentation. You'd get confused new users trying to create Secrets to match the implicit 'magic' key value. Having the key specified explicitly in the Issuer takes away all doubt for the user or trouble-shooter. It also give the user more flexibility, e.g. to stack all their tsig keys in one Secret under different keys. So I prefer to keep consistent with the current approach used by the clouddns/cloudflare examples below. What do you and @munnerz think?

      providers:
      - name: prod-dns
        clouddns:
          # A secretKeyRef to a google cloud json service account
          serviceAccountSecretRef:
            name: clouddns-service-account
            key: service-account.json
          # The project in which to update the DNS zone
          project: gcloud-prod-project
      - name: cf-dns
        cloudflare:
          email: user@example.com
          # A secretKeyRef to a cloudflare api key
          apiKeySecretRef:
            name: cloudflare-api-key
            key: api-key.txt

[jetstack-ci-bot]

@simonfuhrer PR needs rebase

[munnerz]

Thanks once again for this, and I'm sorry its taken so long to get merged. There's just the one comment now about removing the timeout field, and then I'll add a lgtm ready for the 0.3 release! 😄

[munnerz]

The 'timeout' field isn't actually used within the provider, in favour of a static global timeout.

None of the other DNS providers have this field, so for now I think we're best to remove it from our API surface. In future, we may add it back in (potentially as a top-level timeout field on the issuer).

Corresponding docs need updating too to reflect this!

[dippynark]

/unassign

[munnerz]

Closing in favour of #661