diff --git a/.gitignore b/.gitignore index 30adb371d6..db4b5e4c89 100644 --- a/.gitignore +++ b/.gitignore @@ -48,3 +48,6 @@ external-dns vendor/ profile.cov + +# github codespaces +.venv/ \ No newline at end of file diff --git a/docs/tutorials/rfc2136.md b/docs/tutorials/rfc2136.md index 843e8030ff..05d06d4a5a 100644 --- a/docs/tutorials/rfc2136.md +++ b/docs/tutorials/rfc2136.md @@ -382,11 +382,10 @@ You'll want to configure `external-dns` similarly to the following: - --provider=rfc2136 - --rfc2136-host=dns-host.yourdomain.com - --rfc2136-port=53 - - --rfc2136-zone=your-domain.com - - --rfc2136-gss-tsig - - --rfc2136-kerberos-realm=YOUR-REALM.COM # optional; use if your realm's name differs from the DNS zone + - --rfc2136-zone=your-zone.com - --rfc2136-kerberos-username=your-domain-account - --rfc2136-kerberos-password=your-domain-password + - --rfc2136-kerberos-realm=your-domain.com - --rfc2136-tsig-axfr # needed to enable zone transfers, which is required for deletion of records. ... ``` diff --git a/main.go b/main.go index 7cd5cad842..1a6f7cf658 100644 --- a/main.go +++ b/main.go @@ -293,7 +293,7 @@ func main() { p, err = oci.NewOCIProvider(*config, domainFilter, zoneIDFilter, cfg.DryRun) } case "rfc2136": - p, err = rfc2136.NewRfc2136Provider(cfg.RFC2136Host, cfg.RFC2136Port, cfg.RFC2136Zone, cfg.RFC2136Insecure, cfg.RFC2136TSIGKeyName, cfg.RFC2136TSIGSecret, cfg.RFC2136TSIGSecretAlg, cfg.RFC2136TAXFR, domainFilter, cfg.DryRun, cfg.RFC2136MinTTL, cfg.RFC2136GSSTSIG, cfg.RFC2136KerberosRealm, cfg.RFC2136KerberosUsername, cfg.RFC2136KerberosPassword, nil) + p, err = rfc2136.NewRfc2136Provider(cfg.RFC2136Host, cfg.RFC2136Port, cfg.RFC2136Zone, cfg.RFC2136Insecure, cfg.RFC2136TSIGKeyName, cfg.RFC2136TSIGSecret, cfg.RFC2136TSIGSecretAlg, cfg.RFC2136TAXFR, domainFilter, cfg.DryRun, cfg.RFC2136MinTTL, cfg.RFC2136GSSTSIG, cfg.RFC2136KerberosUsername, cfg.RFC2136KerberosPassword, cfg.RFC2136KerberosRealm, nil) case "ns1": p, err = ns1.NewNS1Provider( ns1.NS1Config{ 
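Review bot: The reordered call on the new side hands `cfg.RFC2136KerberosUsername, cfg.RFC2136KerberosPassword, cfg.RFC2136KerberosRealm` to the constructor as three adjacent positional strings, so any future drift between this call and the parameter order of `NewRfc2136Provider` compiles cleanly and silently sends, for example, the password where the realm belongs — this commit itself had to re-order main.go by hand to track the signature change. A constructor that takes the RFC2136 settings as a small options struct with named fields (or the `Config` itself) would make the call self-describing; short of that, a unit test that builds the provider through this branch and checks the stored realm and username would catch a silent swap. The `switch` on the provider name and `main` itself continue outside the hunk.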
diff --git a/pkg/apis/externaldns/types.go b/pkg/apis/externaldns/types.go
index 6ddb23904c..8655dc480c 100644
--- a/pkg/apis/externaldns/types.go
+++ b/pkg/apis/externaldns/types.go
@@ -451,10 +451,10 @@ func (cfg *Config) ParseFlags(args []string) error { app.Flag("rfc2136-tsig-secret-alg", "When using the RFC2136 provider, specify the TSIG (base64) value to attached to DNS messages (required when --rfc2136-insecure=false)").Default(defaultConfig.RFC2136TSIGSecretAlg).StringVar(&cfg.RFC2136TSIGSecretAlg) app.Flag("rfc2136-tsig-axfr", "When using the RFC2136 provider, specify the TSIG (base64) value to attached to DNS messages (required when --rfc2136-insecure=false)").BoolVar(&cfg.RFC2136TAXFR) app.Flag("rfc2136-min-ttl", "When using the RFC2136 provider, specify minimal TTL (in duration format) for records. This value will be used if the provided TTL for a service/ingress is lower than this").Default(defaultConfig.RFC2136MinTTL.String()).DurationVar(&cfg.RFC2136MinTTL) - app.Flag("rfc2136-gss-tsig", "When using the RFC2136 provider, specify whether to use secure updates with GSS-TSIG using Kerberos (default: false, requires --rfc2136-kerberos-username and rfc2136-kerberos-password)").Default(strconv.FormatBool(defaultConfig.RFC2136GSSTSIG)).BoolVar(&cfg.RFC2136GSSTSIG) - app.Flag("rfc2136-kerberos-realm", "When using the RFC2136 provider with GSS-TSIG, specify the Kerberos realm used for authentication (default: the value of --rfc2316-zone converted to uppercase)").Default(defaultConfig.RFC2136KerberosRealm).StringVar(&cfg.RFC2136KerberosRealm) + app.Flag("rfc2136-gss-tsig", "When using the RFC2136 provider, specify whether to use secure updates with GSS-TSIG using Kerberos (default: false, requires --rfc2136-kerberos-realm, --rfc2136-kerberos-username, and rfc2136-kerberos-password)").Default(strconv.FormatBool(defaultConfig.RFC2136GSSTSIG)).BoolVar(&cfg.RFC2136GSSTSIG) app.Flag("rfc2136-kerberos-username", "When using the RFC2136 provider with GSS-TSIG, specify the username of the user with permissions to update DNS records (required when 
--rfc2136-gss-tsig=true)").Default(defaultConfig.RFC2136KerberosUsername).StringVar(&cfg.RFC2136KerberosUsername) app.Flag("rfc2136-kerberos-password", "When using the RFC2136 provider with GSS-TSIG, specify the password of the user with permissions to update DNS records (required when --rfc2136-gss-tsig=true)").Default(defaultConfig.RFC2136KerberosPassword).StringVar(&cfg.RFC2136KerberosPassword) + app.Flag("rfc2136-kerberos-realm", "When using the RFC2136 provider with GSS-TSIG, specify the realm of the user with permissions to update DNS records (required when --rfc2136-gss-tsig=true)").Default(defaultConfig.RFC2136KerberosRealm).StringVar(&cfg.RFC2136KerberosRealm) // Flags related to TransIP provider app.Flag("transip-account", "When using the TransIP provider, specify the account name (required when --provider=transip)").Default(defaultConfig.TransIPAccountName).StringVar(&cfg.TransIPAccountName) diff --git a/pkg/apis/externaldns/validation/validation.go b/pkg/apis/externaldns/validation/validation.go index 81f27a34a3..3251a7b09a 100644 --- a/pkg/apis/externaldns/validation/validation.go +++ b/pkg/apis/externaldns/validation/validation.go @@ -92,8 +92,8 @@ func ValidateConfig(cfg *externaldns.Config) error { } if cfg.RFC2136GSSTSIG { - if cfg.RFC2136KerberosPassword == "" || cfg.RFC2136KerberosUsername == "" { - return errors.New("--rfc2136-kerberos-username and --rfc2136-kerberos-password both required when specifying --rfc2136-gss-tsig option") + if cfg.RFC2136KerberosPassword == "" || cfg.RFC2136KerberosUsername == "" || cfg.RFC2136KerberosRealm == "" { + return errors.New("--rfc2136-kerberos-realm, --rfc2136-kerberos-username, and --rfc2136-kerberos-password are required when specifying --rfc2136-gss-tsig option") } } } diff --git a/pkg/apis/externaldns/validation/validation_test.go b/pkg/apis/externaldns/validation/validation_test.go index 98c5a50685..8bb6fdafa5 100644 --- a/pkg/apis/externaldns/validation/validation_test.go 
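Review bot: The new `rfc2136-kerberos-realm` help text does not tell the operator that the value is upper-cased before use, although the provider change in this same commit applies `strings.ToUpper` to it and the updated tutorial example passes a lower-case domain; the old text at least described the realm's relation to the zone. Proposed help string: `"When using the RFC2136 provider with GSS-TSIG, specify the Kerberos realm of the user with permissions to update DNS records; the value is upper-cased before use (required when --rfc2136-gss-tsig=true)"`. In the rewritten `rfc2136-gss-tsig` help text, `rfc2136-kerberos-password` is the only flag listed without its `--` prefix. Separately, the password is still accepted only as a command-line value, which is visible in process listings and pod specs; if the flag library supports an environment-variable source, wiring one for `rfc2136-kerberos-password` would be a worthwhile follow-up. `ParseFlags` starts and ends outside this hunk.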
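Review bot: The tightened check only runs when `cfg.RFC2136GSSTSIG` is set, so a configuration that supplies `--rfc2136-kerberos-realm`, `--rfc2136-kerberos-username` and `--rfc2136-kerberos-password` but omits `--rfc2136-gss-tsig` — which is exactly what the updated tutorial example on this page now shows, since the hunk there drops the `--rfc2136-gss-tsig` line — passes validation, and the credentials are presumably never used, leaving the operator believing updates are Kerberos-authenticated when they are not. An inverse guard next to this block closes that gap: `if !cfg.RFC2136GSSTSIG && (cfg.RFC2136KerberosRealm != "" || cfg.RFC2136KerberosUsername != "" || cfg.RFC2136KerberosPassword != "") {` / `return errors.New("--rfc2136-kerberos-realm, --rfc2136-kerberos-username and --rfc2136-kerberos-password require --rfc2136-gss-tsig")` / `}`. `ValidateConfig` starts outside this hunk.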
+++ b/pkg/apis/externaldns/validation/validation_test.go
@@ -158,6 +158,7 @@ func TestValidateBadRfc2136GssTsigConfig(t *testing.T) {
 Sources: []string{"test-source"},
 Provider: "rfc2136",
 RFC2136GSSTSIG: true,
+ RFC2136KerberosRealm: "test-realm",
 RFC2136KerberosUsername: "test-user",
 RFC2136KerberosPassword: "",
 RFC2136MinTTL: 3600,
@@ -167,6 +168,7 @@ func TestValidateBadRfc2136GssTsigConfig(t *testing.T) {
 Sources: []string{"test-source"},
 Provider: "rfc2136",
 RFC2136GSSTSIG: true,
+ RFC2136KerberosRealm: "test-realm",
 RFC2136KerberosUsername: "",
 RFC2136KerberosPassword: "test-pass",
 RFC2136MinTTL: 3600,
@@ -177,6 +179,48 @@ func TestValidateBadRfc2136GssTsigConfig(t *testing.T) {
 Provider: "rfc2136",
 RFC2136GSSTSIG: true,
 RFC2136Insecure: true,
+ RFC2136KerberosRealm: "test-realm",
+ RFC2136KerberosUsername: "test-user",
+ RFC2136KerberosPassword: "test-pass",
+ RFC2136MinTTL: 3600,
+ },
+ {
+ LogFormat: "json",
+ Sources: []string{"test-source"},
+ Provider: "rfc2136",
+ RFC2136GSSTSIG: true,
+ RFC2136KerberosRealm: "",
+ RFC2136KerberosUsername: "test-user",
+ RFC2136KerberosPassword: "",
+ RFC2136MinTTL: 3600,
+ },
+ {
+ LogFormat: "json",
+ Sources: []string{"test-source"},
+ Provider: "rfc2136",
+ RFC2136GSSTSIG: true,
+ RFC2136KerberosRealm: "",
+ RFC2136KerberosUsername: "",
+ RFC2136KerberosPassword: "test-pass",
+ RFC2136MinTTL: 3600,
+ },
+ {
+ LogFormat: "json",
+ Sources: []string{"test-source"},
+ Provider: "rfc2136",
+ RFC2136GSSTSIG: true,
+ RFC2136Insecure: true,
+ RFC2136KerberosRealm: "",
+ RFC2136KerberosUsername: "test-user",
+ RFC2136KerberosPassword: "test-pass",
+ RFC2136MinTTL: 3600,
+ },
+ {
+ LogFormat: "json",
+ Sources: []string{"test-source"},
+ Provider: "rfc2136",
+ RFC2136GSSTSIG: true,
+ RFC2136KerberosRealm: "",
 RFC2136KerberosUsername: "test-user",
 RFC2136KerberosPassword: "test-pass",
 RFC2136MinTTL: 3600,
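Review bot: Of the four bad-config cases added in the third hunk, only the last one (realm empty, username and password both set, `RFC2136Insecure` unset) isolates the new realm requirement; the other three also leave the password or username empty or set `RFC2136Insecure: true`, so they would be rejected even if the realm check were reverted and prove nothing about it. Keeping just the isolating case, or giving each table entry a name and the expected error substring such as `--rfc2136-kerberos-realm`, would make a regression in the realm check visible rather than masked by an earlier failure. The table appears to assert only that some error is returned, though the assertion loop is not in view. `TestValidateBadRfc2136GssTsigConfig` starts before and continues past this hunk.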
@@ -198,6 +242,7 @@ func TestValidateGoodRfc2136GssTsigConfig(t *testing.T) { Provider: "rfc2136", RFC2136GSSTSIG: true, RFC2136Insecure: false, + RFC2136KerberosRealm: "test-realm", RFC2136KerberosUsername: "test-user", RFC2136KerberosPassword: "test-pass", RFC2136MinTTL: 3600, diff --git a/provider/rfc2136/rfc2136.go b/provider/rfc2136/rfc2136.go index 893c98be13..0ce9b8cc53 100644 --- a/provider/rfc2136/rfc2136.go +++ b/provider/rfc2136/rfc2136.go @@ -85,7 +85,7 @@ type rfc2136Actions interface { } // NewRfc2136Provider is a factory function for OpenStack rfc2136 providers -func NewRfc2136Provider(host string, port int, zoneName string, insecure bool, keyName string, secret string, secretAlg string, axfr bool, domainFilter endpoint.DomainFilter, dryRun bool, minTTL time.Duration, gssTsig bool, krb5Realm string, krb5Username string, krb5Password string, actions rfc2136Actions) (provider.Provider, error) { +func NewRfc2136Provider(host string, port int, zoneName string, insecure bool, keyName string, secret string, secretAlg string, axfr bool, domainFilter endpoint.DomainFilter, dryRun bool, minTTL time.Duration, gssTsig bool, krb5Username string, krb5Password string, krb5Realm string, actions rfc2136Actions) (provider.Provider, error) { secretAlgChecked, ok := tsigAlgs[secretAlg] if !ok && !insecure && !gssTsig { return nil, errors.Errorf("%s is not supported TSIG algorithm", secretAlg) @@ -102,7 +102,7 @@ func NewRfc2136Provider(host string, port int, zoneName string, insecure bool, k gssTsig: gssTsig, krb5Username: krb5Username, krb5Password: krb5Password, - krb5Realm: krb5Realm, + krb5Realm: strings.ToUpper(krb5Realm), domainFilter: domainFilter, dryRun: dryRun, axfr: axfr,
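Review bot: The new signature still relies entirely on `ValidateConfig` for the rule that GSS-TSIG needs a realm, username and password, yet `NewRfc2136Provider` is callable directly (the tests that pass `nil` for `actions` show such a path exists), so a caller that skips config validation gets a provider that will attempt GSS-TSIG with empty credentials. Keeping the invariant local, next to the existing TSIG-algorithm check, is three lines: `if gssTsig && (krb5Realm == "" || krb5Username == "" || krb5Password == "") {` / `return nil, errors.New("GSS-TSIG requires a Kerberos realm, username and password")` / `}`. While touching the signature, the context doc comment `// NewRfc2136Provider is a factory function for OpenStack rfc2136 providers` is misleading — nothing here is OpenStack-specific — and should read along the lines of `// NewRfc2136Provider builds a provider that applies changes through RFC 2136 dynamic updates, signed with TSIG or GSS-TSIG unless insecure is set.` The function body continues outside the hunk.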
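Review bot: `strings.ToUpper(krb5Realm)` silently rewrites the operator's input, and Kerberos realm names are case-sensitive — upper case is convention, not a rule — so a deliberately mixed-case realm can no longer be configured and a case typo is masked instead of surfacing as a Kerberos failure that points at the flag. If the normalisation is intended (the tutorial passes a lower-case domain, so it evidently is), say so where the value is stored, `krb5Realm: strings.ToUpper(krb5Realm), // realm names are conventionally upper case; normalise so the flag may be given in any case`, and consider emitting a debug-level log line whenever the stored value differs from what was passed, using whatever logger this file already has, so the effective realm is visible when authentication fails. The struct literal and the function continue outside the hunk.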