Add flag for setting nameservers for DNS01 check #710
Conversation
jetstack-bot
added
the
release-note
jetstack-bot
added
the
size/M
|
|
||
| Cert-manager will check the correct DNS records exist before attempting a DNS01 | ||
| challenge. By default, the DNS servers for this check will be taken from | ||
| ``/etc/resolv.conf``. If this is not desired, the cert-manager controller |
There was a problem hiding this comment.
Can you expand If this is not desired, to give some examples of where this may not be desired (i.e. if you have two authoritative nameservers for the same zone/are using split-brain/split-horizon DNS)?
There was a problem hiding this comment.
I've added a little extra, let me know if some larger examples would be needed
| @@ -120,6 +126,8 @@ func (s *ControllerOptions) AddFlags(fs *pflag.FlagSet) { | |||
| fs.StringVar(&s.DefaultACMEIssuerDNS01ProviderName, "default-acme-issuer-dns01-provider-name", defaultACMEIssuerDNS01ProviderName, ""+ | |||
| "Required if --default-acme-issuer-challenge-type is set to dns01. The DNS01 provider to use for ingresses using ACME dns01 "+ | |||
| "validation that do not explicitly state a dns provider.") | |||
| fs.StringVar(&s.DNS01Nameservers, "dns01-nameservers", defaultDNS01Nameservers, ""+ | |||
There was a problem hiding this comment.
dns01-self-check-nameservers maybe? Not sure if it's such an important differentiation
There was a problem hiding this comment.
It'd also be good to provide some examples of this flags usage. As it stands, the user will need to guess that they should specify 8.8.8.8:53 here. I imagine many users will specify 8.8.8.8.
Let's add a (e.g. 8.8.8.8:53,8.8.4.4:53) to the help message, and also perform validation in the options Validate function to ensure that the NS's entered are validated and checked on start-up (we don't need to actually query the NS, just ensure that the values inputted are all sensible, e.g. is a valid IPv4/IPv6 address followed by a port number.
cmd/controller/app/controller.go
Outdated
| @@ -95,6 +97,15 @@ func buildControllerContext(opts *options.ControllerOptions) (*controller.Contex | |||
| return nil, nil, fmt.Errorf("error creating kubernetes client: %s", err.Error()) | |||
| } | |||
|
|
|||
| nameservers := []string{} | |||
| if opts.DNS01Nameservers != "" { | |||
| nameservers = strings.Split(opts.DNS01Nameservers, ",") | |||
There was a problem hiding this comment.
Don't need to split manually - pflag supports slices natively: https://godoc.org/github.com/spf13/pflag#StringSlice
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: munnerz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jetstack-bot
added
the
approved
This adds a new flag,
--dns01-nameservers, which allows setting a list of custom nameservers for the DNS01 check.Fixes #506.