DigitalOcean DNS-01 support #345
Conversation
/ok-to-test
Any idea how I can cause an error like that? That appears to be the root cause.
That's a really unfortunate test flake that occasionally comes up. I've not had a chance to fix it yet 😬 /retest
There's been some work by @euank here: #381 to document how to build/deploy a custom version of cert-manager if you're able to try this out on DigitalOcean! I've not got an account, nor anything set up over there so if you could test it and let me know, I'd be happy to merge this if all is okay! (I've taken a look, and there's nothing really to change! 😄 💯)
return nil, fmt.Errorf("No existing record found for %s", fqdn)
}

func (c *DNSProvider) makeRequest(method, uri string, body io.Reader) (json.RawMessage, error) {
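Review bot: the error string at the top of this hunk, "No existing record found for %s", is capitalized; Go convention is for error strings to start lowercase and carry no trailing punctuation, because callers usually wrap them into a longer message ("error presenting challenge: no existing record found for ..."). Suggest `fmt.Errorf("no existing record found for %s", fqdn)` here and the same treatment for the "DigitalOcean API Error" message in the later hunk of this file.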
Any reason for hand-writing the 50 lines of client code we need vs using the digital ocean godo library to make these calls?
I am aware of the godo library. However, it is a library for the entire DO API, vs just 50 lines to make the 1 or 2 API calls needed. I was also observing the convention of the other DNS providers making similar choices.
I think the other DNS providers all use the cloud-provider provided library, excepting cloudflare.
I'm personally in favour of using those libraries when possible since auth and retry logic can be a bit tricky otherwise.
I'll defer to @munnerz if he wishes to weigh in differently.
+1 using the official go library reduces the amount of testing and maintenance for this area of code
I'm open to doing this in future - so far, we've copied across all the DNS providers from xenolf/lego when implementing them here. There's nothing wrong with us changing/improving them, but I don't think it's a requirement in order to accept it initially.
return nil, err
}

return nil, fmt.Errorf("DigitalOcean API Error \n%d: %s", r.Code, r.Message)
In general, it's preferable to not have newlines in error strings.
I don't know go very well, I was just copying from the other DNS providers. Will fix if @munnerz agrees.
yep could you remove the \n 😄
pkg/issuer/acme/dns/dns.go (outdated)
case providerConfig.DigitalOcean != nil:
apiTokenSecret, err := s.secretLister.Secrets(s.resourceNamespace).Get(providerConfig.DigitalOcean.Token.Name)
if err != nil {
return nil, fmt.Errorf("error getting digitalocean token: %s", err.Error())
There's no need to call .Error() here (I know other parts of this file do too, they should be fixed as well). The %s format string will automatically call .Error() for anything that implements error (with a higher priority than calling .String() even, see playground).
I would really like to test this PR, what are the steps to run this branch locally? I tried the
@sylvainfilteau seems like what you have to do is run Your testing would really help out, since I have been too busy! I also still have to do a couple small corrections in the code as mentioned earlier anyway. Since munnerz has voiced support for using godo, I will probably add it.
@dl00 if it's easy enough to switch to godo, I'm happy for it to happen, although would like to see some automated tests running to ensure it works if you do. Otherwise I'm happy to accept this as is given it's been verified in the upstream xenolf/lego repo.
I opened an issue #401 because of my incapacity to build the code.
hi, i would really appreciate to see this code in cert-manager ... is anything that can be done to get this merged?
I have some free time. I can do the rebase and updates tomorrow. Sorry for delays.
Nothing to add except I was looking at forking this myself, and then saw there was much progress. Commenting to subscribe to updates as this is something I'm interested in.
@munnerz what is the appropriate way to run the E2E tests on my local machine? If I try to run I am nearly done with the switch to Godo, just testing.
What's the status on this PR? I'm interested in using digital ocean DNS-01 challenge later this year, and I hope this hasn't dropped off the radar too far. If no one is working on it, I might be able to contribute in a couple months.
i have made some changes, but I am unsure why the checks are failing. and then I forgot about this issue again because of life. I can take another look in a few days.
I'm testing a little bit, I would love to see DO-DNS provider! @dl00 to fix the
@dl00 thanks!
/retest
/retest
/retest
/lgtm cancel
context.Background(),
util.UnFqdn(zoneName),
createRequest,
)
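Review bot: the call in this hunk passes context.Background(), which never expires, so a stalled DigitalOcean API request would block the challenge worker indefinitely. Derive a bounded context (for example with context.WithTimeout) from the caller's context and pass it here and to the provider's other API calls, so a hung request fails and gets retried instead of hanging the solver.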
Will this return an error if the record already exists?
(it should 'upsert', i.e. absorb errors if the record already exists)
In my testing digital ocean will simply post a duplicate of the record without error even if the challenge is exactly the same. Later it deletes any matching records found during clean up.
This can be added to the tests explicitly if you prefer.
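An added example, not code from this PR or from cert-manager, illustrating the behaviour dl00 describes above (the API stores an exact duplicate without error, and clean-up removes every matching record) and how a solver can stay idempotent on top of it. The RecordAPI interface, the in-memory fakeAPI and the zone, name and token inputs are all assumed or constructed for illustration; the interface stands in for the godo client discussed earlier in the thread, and zone names are expected without a trailing dot, as after util.UnFqdn.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

// Record holds the fields of a DNS record a DNS-01 solver cares about; Name is
// relative to the zone, e.g. "_acme-challenge".
type Record struct {
	ID               int
	Type, Name, Data string
}

// RecordAPI is the narrow slice of a DNS API the solver needs. Its shape is
// assumed for this example; a real provider would adapt a client such as godo.
type RecordAPI interface {
	List(ctx context.Context, zone string) ([]Record, error)
	Create(ctx context.Context, zone string, r Record) (Record, error)
	Delete(ctx context.Context, zone string, id int) error
}

// fakeAPI is a constructed in-memory stand-in that, like the live API as
// described in the thread, stores duplicate records without complaint.
type fakeAPI struct {
	nextID  int
	records map[string][]Record
}

func newFakeAPI() *fakeAPI { return &fakeAPI{nextID: 1, records: map[string][]Record{}} }

func (f *fakeAPI) List(_ context.Context, zone string) ([]Record, error) {
	return append([]Record(nil), f.records[zone]...), nil
}

func (f *fakeAPI) Create(_ context.Context, zone string, r Record) (Record, error) {
	r.ID, f.nextID = f.nextID, f.nextID+1
	f.records[zone] = append(f.records[zone], r)
	return r, nil
}

func (f *fakeAPI) Delete(_ context.Context, zone string, id int) error {
	for i, r := range f.records[zone] {
		if r.ID == id {
			f.records[zone] = append(f.records[zone][:i:i], f.records[zone][i+1:]...)
			return nil
		}
	}
	return fmt.Errorf("record %d not found", id)
}

// DNSProvider implements the Present and CleanUp halves of a DNS-01 solver.
type DNSProvider struct{ api RecordAPI }

// lookup turns the FQDN into a zone-relative name (so "_acme-challenge.example.com."
// in "example.com" becomes "_acme-challenge") and lists every TXT record that
// already carries the challenge value under that name.
func (p *DNSProvider) lookup(ctx context.Context, fqdn, zone, value string) (string, []Record, error) {
	fqdn = strings.TrimSuffix(fqdn, ".")
	if !strings.HasSuffix(fqdn, "."+zone) {
		return "", nil, fmt.Errorf("%s is not within zone %s", fqdn, zone)
	}
	name := strings.TrimSuffix(fqdn, "."+zone)
	recs, err := p.api.List(ctx, zone)
	if err != nil {
		return "", nil, fmt.Errorf("listing records in %s: %w", zone, err)
	}
	var matches []Record
	for _, r := range recs {
		if r.Type == "TXT" && r.Name == name && r.Data == value {
			matches = append(matches, r)
		}
	}
	return name, matches, nil
}

// Present creates the challenge record unless an identical one already exists,
// so a retried call is a no-op even though the API would accept a duplicate.
func (p *DNSProvider) Present(ctx context.Context, fqdn, zone, value string) error {
	name, existing, err := p.lookup(ctx, fqdn, zone, value)
	if err != nil || len(existing) > 0 {
		return err
	}
	_, err = p.api.Create(ctx, zone, Record{Type: "TXT", Name: name, Data: value})
	return err
}

// CleanUp deletes every matching record, not only the first, so duplicates left
// by earlier attempts are removed as well; unrelated records are untouched.
func (p *DNSProvider) CleanUp(ctx context.Context, fqdn, zone, value string) error {
	_, matches, err := p.lookup(ctx, fqdn, zone, value)
	if err != nil {
		return err
	}
	for _, r := range matches {
		if err := p.api.Delete(ctx, zone, r.ID); err != nil {
			return fmt.Errorf("deleting record %d: %w", r.ID, err)
		}
	}
	return nil
}
```

Checking for an existing record before creating keeps a retried Present from piling up duplicates, while CleanUp still sweeps every matching record so anything left by an earlier, unchecked attempt is removed; a TXT record with a different value under the same name is deliberately left alone, since another in-flight challenge for the same domain may own it.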
@dl00 I've resolved the issues with the e2e environment that have hit all PRs this evening. A domain used during e2e tests had expired..! I've just got that one Q, and if that's all okay then we can go ahead and apply lgtm again 😄
I've responded, thanks for your help!
/retest
Super excited for this PR! Being able to move over from kube-lego -> cert-manager with DigitalOcean DNS-01 will solve an issue I have been having with kube-lego for a while now. 🙌 If there is anything I can do to help please let me know!
@munnerz ready to merge when you are
@dl00: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Hey - sorry there's been a few PRs merged today and this was obviously not merged beforehand! 😬 I'll drop a merge commit on top of your branch to bring this up to speed with the latest changes if you've got the 'Allow edits from maintainers' option enabled and get this merged to save you having to do more work! Again, sorry for all the hassle!
@munnerz the setting you mentioned is enabled, thanks for your help.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: kragniz. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Sorry, I pushed the wrong branch by mistake and closed this. I've continued in #821 since I can't push to this branch anymore.
What this PR does / why we need it:
This PR adds DigitalOcean DNS-01 challenge support.
Which issue this PR fixes
No issue, I just wanted it.
Special notes for your reviewer:
DIGITALOCEAN_TOKEN and DIGITALOCEAN_DOMAIN environment variables to run live.
Release note: