-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ACME] Add RFC2136 DNS Provider #245
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Assign the PR to them by writing The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this! Absolutely will accept if we can get a few things cleaned up.
It looks like this code was also taken from the xenolf lego package? That's the source I've used for other provides 😄
pkg/issuer/acme/dns/dns.go
Outdated
tsigSecret, err := s.secretLister.Secrets(s.resourceNamespace).Get(providerConfig.RFC2136.TSIGSecret.Name) | ||
if err != nil { | ||
return nil, fmt.Errorf("error getting rfc2136 service account: %s", err.Error()) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like if this is left blank, authentication can be disabled. If the secret specified doesn't exist we should attempt without auth.
TSIGKey string `json:"TSIGKey"` | ||
TSIGAlgorithm string `json:"TSIGAlgorithm"` | ||
Timeout string `json:"timeout"` | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You'll need to run ./hack/update-codegen.sh
as you've updated API types.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi munnerz,
I have been able to execute this command successfully.
Great. Can you add and Issuer example config to the docs, so people will know it is available. |
c2694a6
to
6d7aa84
Compare
f59a549
to
593edb5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The referenced secret is now also optional.
Documentation (Issuer and ClusterIssuer) enhanced with RFC2136 Provider.
Anything else missing?
TSIGKey string `json:"TSIGKey"` | ||
TSIGAlgorithm string `json:"TSIGAlgorithm"` | ||
Timeout string `json:"timeout"` | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi munnerz,
I have been able to execute this command successfully.
/ok-to-test |
/test e2e |
311bad3
to
3594882
Compare
@simonfuhrer PR needs rebase |
@munnerz when do you plan to accept this pull request? Is there anything else I can do? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for the delay here - i've had a pending review sitting for a few days!
With the addition of the Azure provider #246, I mentioned potentially moving the providers configuration into a single secret (with fixed value keys, e.g. tsigKey
needs to be set as a value in the Secret) to save having so many fields that a user need configure on these manifests.
I'd like to hold this PR until we can decide what is best to do, and merge both this and #246 together after potentially adjusting for this new convention. What are your thoughts? I'm not sure if there's somewhere else in Kubernetes we can use as a reference for this perhaps.
docs/api-types/issuer/spec.md
Outdated
rfc2136: | ||
nameserver: 192.168.0.1 | ||
TSIGKey: tsig-key | ||
TSIGSecretSecretRef: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please camelCase this, so tsigSecretSecretRef
and tsigKey
docs/api-types/issuer/spec.md
Outdated
name: tsig-secret | ||
key: secret | ||
TSIGAlgorithm: HmacMD5 | ||
timeout: 60 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably makes sense to just have the one example of this, explaining each field? If some fields are optional, add a comment to it to indicate so.
Nameserver string `json:"nameserver"` | ||
TSIGSecret SecretKeySelector `json:"TSIGSecretSecretRef"` | ||
TSIGKey string `json:"TSIGKey"` | ||
TSIGAlgorithm string `json:"TSIGAlgorithm"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How many algorithm types are there in the spec? Can we pull this into its own type?
type TSIGAlgorithm string
const (
HmacMD5Algorithm TSIGAlgorithm = "HmacMD5"
)
docs/examples/acme-issuer.yaml
Outdated
@@ -46,3 +46,20 @@ spec: | |||
# This field is optional for overriding the Route53 hosted zone ID | |||
# It is required to use it if the cert-manager cannot disambiguate between two different hosted zones for the same zone name | |||
hostedZoneID: DIKER8JPL21PSA | |||
- name: rfc2136 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
dns providers can have friendly names here, e.g. 'corp-dns'. It might be better to use that kind of name here, so that users can realise this? rfc2136
is explicitly called out below in the struct configuration.
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Assign the PR to them by writing The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
956da58
to
6dd9689
Compare
/retest |
@simonfuhrer: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
In my opinion we should avoid any secrets and use environment variables instead. What are your though? |
If environment variables were used, it would not be possible to talk to two
different RFC2136 servers for different issuers, effectively breaking the
multi tenant use case for DNS providers.
By having this configuration (somehow) referenced/associated with each
Issuer, we're able to support a wide variety of certificate issuing sources
without having to deploy multiple instances of cert-manager.
…On Sun, 28 Jan 2018 at 16:47, Simon Fuhrer ***@***.***> wrote:
In my opinion we should avoid any secrets and use environment variables
instead.
These can then also be made available in the pods via secrets.
However, we leave this choice to the users. This would simplify the entire
deployment process.
What are your though?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#245 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAMbP_2fbAVSryuK8WUIWM5pi4ppuImRks5tPKSQgaJpZM4RdZYH>
.
|
I agree Secrets should be used in this case because:
|
you convinced me. I see the benefits. So it would be best to put the whole provider configuration in a secret with predefined keys. The Issuer object then only refers to the corresponding secret. |
@simonfuhrer that's a far less clear-cut question or more matter of taste or convention. I would suggest consistency is the aim here, ie. use the same approach other parts of Looking around the configuration is usually to put only the actual secrets in the Secret, and refer to the secret values (or whole config file) by name and key name. Which is exactly what you already did in your PR spec and sample issuer for the tsig secret I think? @munnerz talks above about having fixed keys to keep the Issuer manifest smaller. But I would personally prefer not to so that, as the correct fixed, and case-specific key in these cases is not obvious for users to guess, and the key would then become 'magic' value for each protocol that users can only find in the documentation. You'd get confused new users trying to create Secrets to match the implicit 'magic' key value. Having the key specified explicitly in the Issuer takes away all doubt for the user or trouble-shooter. It also give the user more flexibility, e.g. to stack all their tsig keys in one Secret under different keys. So I prefer to keep consistent with the current approach used by the clouddns/cloudflare examples below. What do you and @munnerz think?
|
@simonfuhrer PR needs rebase |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks once again for this, and I'm sorry its taken so long to get merged. There's just the one comment now about removing the timeout
field, and then I'll add a lgtm ready for the 0.3 release! 😄
TSIGSecret SecretKeySelector `json:"tsigSecretSecretRef"` | ||
TSIGKey string `json:"tsigKey"` | ||
TSIGAlgorithm TSIGAlgorithm `json:"tsigAlgorithm"` | ||
Timeout string `json:"timeout"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The 'timeout' field isn't actually used within the provider, in favour of a static global timeout.
None of the other DNS providers have this field, so for now I think we're best to remove it from our API surface. In future, we may add it back in (potentially as a top-level timeout field on the issuer).
Corresponding docs need updating too to reflect this!
/unassign |
Closing in favour of #661 |
What this PR does / why we need it:
In our datacenter we do not use any of the currently supported DNS providers. With this pull request I added support for the DNS RFC2136 provider. An example configuration is also included.
Special notes for your reviewer:
What do you think of that? Is there anything missing? It would be great if this could be merged.
Release note: