New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add flag for setting nameservers for DNS01 check #710
Conversation
|
||
Cert-manager will check the correct DNS records exist before attempting a DNS01 | ||
challenge. By default, the DNS servers for this check will be taken from | ||
``/etc/resolv.conf``. If this is not desired, the cert-manager controller |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you expand If this is not desired,
to give some examples of where this may not be desired (i.e. if you have two authoritative nameservers for the same zone/are using split-brain/split-horizon DNS)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added a little extra, let me know if some larger examples would be needed
@@ -120,6 +126,8 @@ func (s *ControllerOptions) AddFlags(fs *pflag.FlagSet) { | |||
fs.StringVar(&s.DefaultACMEIssuerDNS01ProviderName, "default-acme-issuer-dns01-provider-name", defaultACMEIssuerDNS01ProviderName, ""+ | |||
"Required if --default-acme-issuer-challenge-type is set to dns01. The DNS01 provider to use for ingresses using ACME dns01 "+ | |||
"validation that do not explicitly state a dns provider.") | |||
fs.StringVar(&s.DNS01Nameservers, "dns01-nameservers", defaultDNS01Nameservers, ""+ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
dns01-self-check-nameservers
maybe? Not sure if it's such an important differentiation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It'd also be good to provide some examples of this flags usage. As it stands, the user will need to guess that they should specify 8.8.8.8:53
here. I imagine many users will specify 8.8.8.8
.
Let's add a (e.g. 8.8.8.8:53,8.8.4.4:53)
to the help message, and also perform validation in the options Validate function to ensure that the NS's entered are validated and checked on start-up (we don't need to actually query the NS, just ensure that the values inputted are all sensible, e.g. is a valid IPv4/IPv6 address followed by a port number.
cmd/controller/app/controller.go
Outdated
@@ -95,6 +97,15 @@ func buildControllerContext(opts *options.ControllerOptions) (*controller.Contex | |||
return nil, nil, fmt.Errorf("error creating kubernetes client: %s", err.Error()) | |||
} | |||
|
|||
nameservers := []string{} | |||
if opts.DNS01Nameservers != "" { | |||
nameservers = strings.Split(opts.DNS01Nameservers, ",") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't need to split manually - pflag supports slices natively: https://godoc.org/github.com/spf13/pflag#StringSlice
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: munnerz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This adds a new flag,
--dns01-nameservers
, which allows setting a list of custom nameservers for the DNS01 check.Fixes #506.