DigitalOcean DNS-01 support #345
Conversation
jetstack-bot
added
do-not-merge/release-note-label-needed
jetstack-bot
added
release-note-none
|
/ok-to-test |
jetstack-bot
removed
the
needs-ok-to-test
Any idea how I can cause an error like that? That appears to be the root cause. |
|
That's a really unfortunate test flake that occasionally comes up. I've not had a chance to fix it yet 😬 /retest |
There's been some work by @euank here: #381 to document how to build/deploy a custom version of cert-manager if you're able to try this out on DigitialOcean! I've not got an account, nor anything set up over there so if you could test it and let me know, I'd be happy to merge this if all is okay! (I've taken a look, and there's nothing really to change! 😄 💯) |
| return nil, fmt.Errorf("No existing record found for %s", fqdn) | ||
| } | ||
|
|
||
| func (c *DNSProvider) makeRequest(method, uri string, body io.Reader) (json.RawMessage, error) { |
There was a problem hiding this comment.
Any reason for hand-writing the 50 lines of client code we need vs using the digital ocean godo library to make these calls?
There was a problem hiding this comment.
I am aware of the godo library. However, it is a library for the entire DO API, vs just 50 lines to make the 1 or 2 API calls needed. I was also observing the convention of the other DNS providers making similar choices.
There was a problem hiding this comment.
I think the other DNS providers all use the cloud-provider provided library, excepting cloudflare.
I'm personally in favour of using those libraries when possible since auth and retry logic can be a bit tricky otherwise.
I'll defer to @munnerz if he wishes to weigh in differently.
There was a problem hiding this comment.
+1 using the official go library reduces the amount of testing and maintenance for this area of code
There was a problem hiding this comment.
I'm open to doing this in future - so far, we've copied across all the DNS providers from xenolf/lego when implementing them here. There's nothing wrong with us changing/improving them, but I don't think it's a requirement in order to accept it initially.
| return nil, err | ||
| } | ||
|
|
||
| return nil, fmt.Errorf("DigitalOcean API Error \n%d: %s", r.Code, r.Message) |
There was a problem hiding this comment.
In general, it's preferable to not have newlines in error strings.
There was a problem hiding this comment.
I don't know go very well, I was just copying from the other DNS providers. Will fix if @munnerz agrees.
pkg/issuer/acme/dns/dns.go
Outdated
| case providerConfig.DigitalOcean != nil: | ||
| apiTokenSecret, err := s.secretLister.Secrets(s.resourceNamespace).Get(providerConfig.DigitalOcean.Token.Name) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("error getting digitalocean token: %s", err.Error()) |
There was a problem hiding this comment.
There's no need to call .Error here (I know other parts of this file do too, they should be fixed as well).
The %s format string will automatically call .Error for anything that implements error (with a higher priority than calling .String even, see playground)
|
I would really like to test this PR, what are the steps to run this branch locally ? I tried the |
|
@sylvainfilteau seems like what you have to do is run Your testing would really help out, since I have been too busy! I also still have to do a couple small corrections in the code as mentioned earlier anyway. Since munnerz has voiced support for using godo, I will probably add it. |
|
@dl00 if it's easy enough to switch to godo, I'm happy for it to happen, although would like to see some automated tests running to ensure it works if you do. Otherwise I'm happy to accept this as is given it's been verified in the upstream xenolf/lego repo. |
|
I opened an issue #401 because of my incapacity to build the code. |
jetstack-bot
added
the
needs-rebase
munnerz
added
area/acme
|
hi, i would really appreciate to see this code in cert-manager ... is anything that can be done to get this merged? |
|
I have some free time. I can do the rebase and updates tomorrow.Sorry for delays. On May 24, 2018 10:39 AM, Ulrich Schreiner <notifications@github.com> wrote:hi,
i would really appreciate to see this code in cert-manager ... is anything that can be done to get this merged?
—You are receiving this because you were mentioned.Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Nothing to add except I was looking at forking this myself, and then saw there was much progress. Commenting to subscribe to updates as this is something I'm interested in. |
jetstack-bot
removed
the
needs-rebase
|
@munnerz what is the appropriate way to run the E2E tests on my local machine? If I try to run I am nearly done with the switch to Godo, just testing. |
|
What’s the status on this PR? I’m interested in using digital ocean DNS-01 challenge later this year, and I hope this hasn’t dropped off the radar too far. If no one is working on it, I might be able to contribute in a couple months. |
|
i have made some changes, but I am unsure why the checks are failing. and then I forgot about this issue again because of life. I can take another look in a few days. |
|
I'm testing a little bit, I would love to se DO-DNS provider! @dl00 to fix the |
jetstack-bot
added
size/XXL
jetstack-bot
added
lgtm
|
@dl00 thanks! |
|
/retest |
|
/retest |
1 similar comment
|
/retest |
|
/lgtm cancel |
| context.Background(), | ||
| util.UnFqdn(zoneName), | ||
| createRequest, | ||
| ) |
There was a problem hiding this comment.
Will this return an error if the record already exists?
There was a problem hiding this comment.
(it should 'upsert', i.e. absorb errors if the record already exists)
There was a problem hiding this comment.
In my testing digital ocean will simply post a duplicate of the record without error even if the challenge is exactly the same. Later it deletes any matching records found during clean up.
This can be added to the tests explicitly if you prefer.
|
@dl00 I've resolved the issues with the e2e environment that have hit all PRs this evening. A domain used during e2e tests had expired..! I've just got that one Q, and if that's all okay then we can go ahead and apply lgtm again 😄 |
|
I've responded, thanks for your help! |
|
/retest |
|
Super excited for this PR! Being able to move over from kube-lego -> cert-manager with DigitalOcean DNS-01 will solve an issue I have been having with kube-lego for a while now. 🙌 If there is anything I can do to help please let me know! |
|
@munnerz ready to merge when you are |
jetstack-bot
added
the
needs-rebase
|
@dl00: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Hey - sorry there's been a few PRs merged today and this was obviously not merged beforehand! 😬 I'll drop a merge commit on top of your branch to bring this up to speed with the latest changes if you've got the 'Allow edits from maintainers' option enabled and get this merged to save you having to do more work! Again, sorry for all the hassle! |
|
@munnerz the setting you mentioned is enabled, thanks for your help. |
jetstack-bot
added
retest-not-required-docs-only
size/XS
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kragniz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
munnerz
removed
the
approved
|
Sorry, I pushed the wrong branch by mistake and closed this. I've continued in #821 since I can't push to this branch anymore. |
What this PR does / why we need it:
This PR adds DigitalOcean DNS-01 challenge support.
Which issue this PR fixes
No issue, I just wanted it.
Special notes for your reviewer:
DIGITALOCEAN_TOKENandDIGITALOCEAN_DOMAINenvironment variables to run live.Release note: