fix rfc2136 provider missing port error, plumb dnsNameserver01
Signed-off-by: splashx <splash@gmail.com>
This commit is contained in:
splashx
parent
fe9643340f
commit
4e9af51629
@ -57,7 +57,7 @@ type dnsProviderConstructors struct {
|
||||
route53 func(accessKey, secretKey, hostedZoneID, region string, ambient bool, dns01Nameservers []string) (*route53.DNSProvider, error)
|
||||
azureDNS func(clientID, clientSecret, subscriptionID, tenentID, resourceGroupName, hostedZoneName string, dns01Nameservers []string) (*azuredns.DNSProvider, error)
|
||||
acmeDNS func(host string, accountJson []byte, dns01Nameservers []string) (*acmedns.DNSProvider, error)
|
||||
rfc2136 func(nameserver, tsigAlgorithm, tsigKeyName, tsigSecret string) (*rfc2136.DNSProvider, error)
|
||||
rfc2136 func(nameserver, tsigAlgorithm, tsigKeyName, tsigSecret string, dns01Nameservers []string) (*rfc2136.DNSProvider, error)
|
||||
}
|
||||
|
||||
// Solver is a solver for the acme dns01 challenge.
|
||||
@ -301,6 +301,7 @@ func (s *Solver) solverForIssuerProvider(issuer v1alpha1.GenericIssuer, provider
|
||||
string(providerConfig.RFC2136.TSIGAlgorithm),
|
||||
providerConfig.RFC2136.TSIGKeyName,
|
||||
secret,
|
||||
s.DNS01Nameservers,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error instantiating rfc2136 challenge solver: %s", err.Error())
|
||||
|
||||
@ -16,6 +16,7 @@ go_test(
|
||||
srcs = ["rfc2136_test.go"],
|
||||
embed = [":go_default_library"],
|
||||
deps = [
|
||||
"//pkg/issuer/acme/dns/util:go_default_library",
|
||||
"//vendor/github.com/miekg/dns:go_default_library",
|
||||
"//vendor/github.com/stretchr/testify/assert:go_default_library",
|
||||
],
|
||||
|
||||
@ -34,6 +34,8 @@ import (
|
||||
"github.com/miekg/dns"
|
||||
)
|
||||
|
||||
var defaultPort = "53"
|
||||
|
||||
var supportedAlgorithms = map[string]string{
|
||||
"HMACMD5": dns.HmacMD5,
|
||||
"HMACSHA1": dns.HmacSHA1,
|
||||
@ -70,7 +72,7 @@ func ValidNameserver(nameserver string) (string, error) {
|
||||
// nameserver.com: "nameserver.com" "" <nil>
|
||||
// nameserver.com:53 "nameserver.com" 53 <nil>
|
||||
// :53 "" 53 <nil>
|
||||
host, port, err := net.SplitHostPort(nameserver)
|
||||
host, port, err := net.SplitHostPort(strings.TrimSpace(nameserver))
|
||||
|
||||
if err != nil {
|
||||
if strings.Contains(err.Error(), "missing port") {
|
||||
@ -79,7 +81,7 @@ func ValidNameserver(nameserver string) (string, error) {
|
||||
}
|
||||
|
||||
if port == "" {
|
||||
port = "53"
|
||||
port = defaultPort
|
||||
}
|
||||
|
||||
if host != "" {
|
||||
@ -89,16 +91,20 @@ func ValidNameserver(nameserver string) (string, error) {
|
||||
} else {
|
||||
return "", fmt.Errorf("RFC2136 nameserver has no IP Address defined, %v", nameserver)
|
||||
}
|
||||
|
||||
nameserver = host + ":" + port
|
||||
|
||||
return nameserver, nil
|
||||
}
|
||||
|
||||
// DNSProvider is an implementation of the acme.ChallengeProvider interface that
|
||||
// uses dynamic DNS updates (RFC 2136) to create TXT records on a nameserver.
|
||||
type DNSProvider struct {
|
||||
nameserver string
|
||||
tsigAlgorithm string
|
||||
tsigKeyName string
|
||||
tsigSecret string
|
||||
nameserver string
|
||||
tsigAlgorithm string
|
||||
tsigKeyName string
|
||||
tsigSecret string
|
||||
dns01Nameservers []string
|
||||
}
|
||||
|
||||
// NewDNSProvider returns a DNSProvider instance configured for rfc2136
|
||||
@ -109,19 +115,19 @@ type DNSProvider struct {
|
||||
// RFC2136_TSIG_KEY: Name of the secret key as defined in DNS server configuration.
|
||||
// RFC2136_TSIG_SECRET: Secret key payload.
|
||||
// To disable TSIG authentication, leave the RFC2136_TSIG* variables unset.
|
||||
func NewDNSProvider() (*DNSProvider, error) {
|
||||
func NewDNSProvider(dns01Nameservers []string) (*DNSProvider, error) {
|
||||
nameserver := os.Getenv("RFC2136_NAMESERVER")
|
||||
tsigAlgorithm := os.Getenv("RFC2136_TSIG_ALGORITHM")
|
||||
tsigKeyName := os.Getenv("RFC2136_TSIG_KEY_NAME")
|
||||
tsigSecret := os.Getenv("RFC2136_TSIG_SECRET")
|
||||
return NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKeyName, tsigSecret)
|
||||
return NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKeyName, tsigSecret, dns01Nameservers)
|
||||
}
|
||||
|
||||
// NewDNSProviderCredentials uses the supplied credentials to return a
|
||||
// DNSProvider instance configured for rfc2136 dynamic update. To disable TSIG
|
||||
// authentication, leave the TSIG parameters as empty strings.
|
||||
// nameserver must be a network address in the form "IP" or "IP:port".
|
||||
func NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKeyName, tsigSecret string) (*DNSProvider, error) {
|
||||
func NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKeyName, tsigSecret string, dns01Nameservers []string) (*DNSProvider, error) {
|
||||
|
||||
d := &DNSProvider{}
|
||||
|
||||
@ -148,6 +154,7 @@ func NewDNSProviderCredentials(nameserver, tsigAlgorithm, tsigKeyName, tsigSecre
|
||||
}
|
||||
d.tsigAlgorithm = tsigAlgorithm
|
||||
|
||||
d.dns01Nameservers = dns01Nameservers
|
||||
return d, nil
|
||||
}
|
||||
|
||||
@ -159,7 +166,7 @@ func (r *DNSProvider) Timeout() (timeout, interval time.Duration) {
|
||||
|
||||
// Present creates a TXT record using the specified parameters
|
||||
func (r *DNSProvider) Present(domain, token, keyAuth string) error {
|
||||
fqdn, value, ttl, err := util.DNS01Record(domain, keyAuth, strings.Fields(r.nameserver))
|
||||
fqdn, value, ttl, err := util.DNS01Record(domain, keyAuth, r.dns01Nameservers)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -168,7 +175,7 @@ func (r *DNSProvider) Present(domain, token, keyAuth string) error {
|
||||
|
||||
// CleanUp removes the TXT record matching the specified parameters
|
||||
func (r *DNSProvider) CleanUp(domain, token, keyAuth string) error {
|
||||
fqdn, value, ttl, err := util.DNS01Record(domain, keyAuth, strings.Fields(r.nameserver))
|
||||
fqdn, value, ttl, err := util.DNS01Record(domain, keyAuth, r.dns01Nameservers)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -177,7 +184,7 @@ func (r *DNSProvider) CleanUp(domain, token, keyAuth string) error {
|
||||
|
||||
func (r *DNSProvider) changeRecord(action, fqdn, value string, ttl int) error {
|
||||
// Find the zone for the given fqdn
|
||||
zone, err := util.FindZoneByFqdn(fqdn, []string{r.nameserver})
|
||||
zone, err := util.FindZoneByFqdn(fqdn, r.dns01Nameservers)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
@ -29,6 +29,7 @@ import (
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/jetstack/cert-manager/pkg/issuer/acme/dns/util"
|
||||
"github.com/miekg/dns"
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
@ -80,7 +81,7 @@ func TestRFC2136ServerSuccess(t *testing.T) {
|
||||
}
|
||||
defer server.Shutdown()
|
||||
|
||||
provider, err := NewDNSProviderCredentials(addrstr, "", "", "")
|
||||
provider, err := NewDNSProviderCredentials(addrstr, "", "", "", util.RecursiveNameservers)
|
||||
if err != nil {
|
||||
t.Fatalf("Expected NewDNSProviderCredentials() to return no error but the error was -> %v", err)
|
||||
}
|
||||
@ -99,7 +100,7 @@ func TestRFC2136ServerError(t *testing.T) {
|
||||
}
|
||||
defer server.Shutdown()
|
||||
|
||||
provider, err := NewDNSProviderCredentials(addrstr, "", "", "")
|
||||
provider, err := NewDNSProviderCredentials(addrstr, "", "", "", util.RecursiveNameservers)
|
||||
if err != nil {
|
||||
t.Fatalf("Expected NewDNSProviderCredentials() to return no error but the error was -> %v", err)
|
||||
}
|
||||
@ -120,7 +121,7 @@ func TestRFC2136TsigClient(t *testing.T) {
|
||||
}
|
||||
defer server.Shutdown()
|
||||
|
||||
provider, err := NewDNSProviderCredentials(addrstr, "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret)
|
||||
provider, err := NewDNSProviderCredentials(addrstr, "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers)
|
||||
if err != nil {
|
||||
t.Fatalf("Expected NewDNSProviderCredentials() to return no error but the error was -> %v", err)
|
||||
}
|
||||
@ -130,63 +131,79 @@ func TestRFC2136TsigClient(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestRFC2136InvalidNameserverFQDN(t *testing.T) {
|
||||
_, err := NewDNSProviderCredentials("nameserver.com", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret)
|
||||
_, err := NewDNSProviderCredentials("nameserver.com", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers)
|
||||
assert.Error(t, err)
|
||||
}
|
||||
|
||||
func TestRFC2136InvalidNameserverFQDNWithPort(t *testing.T) {
|
||||
_, err := NewDNSProviderCredentials("nameserver.com:53", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret)
|
||||
_, err := NewDNSProviderCredentials("nameserver.com:53", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers)
|
||||
assert.Error(t, err)
|
||||
}
|
||||
|
||||
func TestRFC2136InvalidNameserverFQDNWithPort2(t *testing.T) {
|
||||
_, err := NewDNSProviderCredentials("nameserver.com:", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret)
|
||||
_, err := NewDNSProviderCredentials("nameserver.com:", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers)
|
||||
assert.Error(t, err)
|
||||
}
|
||||
|
||||
func TestRFC2136NamserverWithoutPort(t *testing.T) {
|
||||
_, err := NewDNSProviderCredentials("127.0.0.1", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret)
|
||||
nameserver := "127.0.0.1"
|
||||
dnsProvider, err := NewDNSProviderCredentials(nameserver, "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers)
|
||||
assert.NoError(t, err)
|
||||
|
||||
if dnsProvider.nameserver != nameserver+":"+defaultPort {
|
||||
t.Errorf("dnsProvider.namserver to be %v:%v, but it is %v", nameserver, defaultPort, dnsProvider.nameserver)
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
func TestRFC2136NamserverWithoutPort2(t *testing.T) {
|
||||
_, err := NewDNSProviderCredentials("127.0.0.1:", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret)
|
||||
nameserver := "127.0.0.1:"
|
||||
dnsProvider, err := NewDNSProviderCredentials(nameserver, "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers)
|
||||
assert.NoError(t, err)
|
||||
|
||||
if dnsProvider.nameserver != nameserver+defaultPort {
|
||||
t.Errorf("dnsProvider.namserver to be %v%v, but it is %v", nameserver, defaultPort, dnsProvider.nameserver)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRFC2136NamserverWithPort(t *testing.T) {
|
||||
_, err := NewDNSProviderCredentials("127.0.0.1:53", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret)
|
||||
nameserver := "127.0.0.1:12345"
|
||||
dnsProvider, err := NewDNSProviderCredentials(nameserver, "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers)
|
||||
assert.NoError(t, err)
|
||||
|
||||
if dnsProvider.nameserver != nameserver {
|
||||
t.Errorf("dnsProvider.namserver to be %v, but it is %v", nameserver, dnsProvider.nameserver)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRFC2136NamserverWithPortNoIP(t *testing.T) {
|
||||
_, err := NewDNSProviderCredentials(":53", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret)
|
||||
_, err := NewDNSProviderCredentials(":53", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers)
|
||||
assert.Error(t, err)
|
||||
}
|
||||
|
||||
func TestRFC2136NamserverEmpty(t *testing.T) {
|
||||
_, err := NewDNSProviderCredentials("", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret)
|
||||
_, err := NewDNSProviderCredentials("", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers)
|
||||
assert.Error(t, err)
|
||||
}
|
||||
|
||||
func TestRFC2136NamserverIPInvalid(t *testing.T) {
|
||||
_, err := NewDNSProviderCredentials("900.65.3.64", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret)
|
||||
_, err := NewDNSProviderCredentials("900.65.3.64", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers)
|
||||
assert.Error(t, err)
|
||||
}
|
||||
|
||||
func TestRFC2136NamserverIPInvalid2(t *testing.T) {
|
||||
_, err := NewDNSProviderCredentials(":", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret)
|
||||
_, err := NewDNSProviderCredentials(":", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers)
|
||||
assert.Error(t, err)
|
||||
}
|
||||
func TestRFC2136DefaultTSIGAlgorithm(t *testing.T) {
|
||||
provider, err := NewDNSProviderCredentials("127.0.0.1:0", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret)
|
||||
provider, err := NewDNSProviderCredentials("127.0.0.1:0", "", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers)
|
||||
if err != nil {
|
||||
assert.Equal(t, provider.tsigAlgorithm, dns.HmacMD5, "Default TSIG must match")
|
||||
}
|
||||
}
|
||||
|
||||
func TestRFC2136InvalidTSIGAlgorithm(t *testing.T) {
|
||||
_, err := NewDNSProviderCredentials("127.0.0.1:0", "HAMMOCK", rfc2136TestTsigKeyName, rfc2136TestTsigSecret)
|
||||
_, err := NewDNSProviderCredentials("127.0.0.1:0", "HAMMOCK", rfc2136TestTsigKeyName, rfc2136TestTsigSecret, util.RecursiveNameservers)
|
||||
assert.Error(t, err)
|
||||
}
|
||||
|
||||
@ -212,7 +229,7 @@ func TestRFC2136ValidUpdatePacket(t *testing.T) {
|
||||
t.Fatalf("Error packing expect msg: %v", err)
|
||||
}
|
||||
|
||||
provider, err := NewDNSProviderCredentials(addrstr, "", "", "")
|
||||
provider, err := NewDNSProviderCredentials(addrstr, "", "", "", util.RecursiveNameservers)
|
||||
if err != nil {
|
||||
t.Fatalf("Expected NewDNSProviderCredentials() to return no error but the error was -> %v", err)
|
||||
}
|
||||
|
||||
@ -160,8 +160,8 @@ func newFakeDNSProviders() *fakeDNSProviders {
|
||||
f.call("acmedns", host, accountJson, dns01Nameservers)
|
||||
return nil, nil
|
||||
},
|
||||
rfc2136: func(nameserver, tsigAlgorithm, tsigKeyName, tsigSecret string) (*rfc2136.DNSProvider, error) {
|
||||
f.call("rfc2136", nameserver, tsigAlgorithm, tsigKeyName, tsigSecret)
|
||||
rfc2136: func(nameserver, tsigAlgorithm, tsigKeyName, tsigSecret string, dns01Nameservers []string) (*rfc2136.DNSProvider, error) {
|
||||
f.call("rfc2136", nameserver, tsigAlgorithm, tsigKeyName, tsigSecret, util.RecursiveNameservers)
|
||||
return nil, nil
|
||||
},
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user