From 4fdeef3f2fecec6a0a33ae3c5fa01320a5dc39d2 Mon Sep 17 00:00:00 2001
From: mburtless
Date: Mon, 8 Apr 2019 15:15:02 -0400
Subject: [PATCH 1/2] Add flags for configuring custom NS1 endpoint and ignoring SSL verification for PrivateDNS support

---
 main.go | 2 ++
 pkg/apis/externaldns/types.go | 6 ++++++
 pkg/apis/externaldns/types_test.go | 6 ++++++
 provider/ns1.go | 25 ++++++++++++++++++++++++-
 4 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/main.go b/main.go
index 174e03bba..e1bc7161d 100644
--- a/main.go
+++ b/main.go
@@ -206,6 +206,8 @@ func main() {
 provider.NS1Config{
 DomainFilter: domainFilter,
 ZoneIDFilter: zoneIDFilter,
+ NS1Endpoint: cfg.NS1Endpoint,
+ NS1IgnoreSSL: cfg.NS1IgnoreSSL,
 DryRun: cfg.DryRun,
 },
 )
diff --git a/pkg/apis/externaldns/types.go b/pkg/apis/externaldns/types.go
index 18ba6e00e..77db9ffc6 100644
--- a/pkg/apis/externaldns/types.go
+++ b/pkg/apis/externaldns/types.go
@@ -113,6 +113,8 @@ type Config struct {
 RFC2136TSIGSecret string `secure:"yes"`
 RFC2136TSIGSecretAlg string
 RFC2136TAXFR bool
+ NS1Endpoint string
+ NS1IgnoreSSL bool
 }

 var defaultConfig = &Config{
@@ -186,6 +188,8 @@ var defaultConfig = &Config{
 RFC2136TSIGSecret: "",
 RFC2136TSIGSecretAlg: "",
 RFC2136TAXFR: true,
+ NS1Endpoint: "",
+ NS1IgnoreSSL: false,
 }

 // NewConfig returns new Config object
@@ -288,6 +292,8 @@ func (cfg *Config) ParseFlags(args []string) error {
 app.Flag("pdns-server", "When using the PowerDNS/PDNS provider, specify the URL to the pdns server (required when --provider=pdns)").Default(defaultConfig.PDNSServer).StringVar(&cfg.PDNSServer)
 app.Flag("pdns-api-key", "When using the PowerDNS/PDNS provider, specify the API key to use to authorize requests (required when --provider=pdns)").Default(defaultConfig.PDNSAPIKey).StringVar(&cfg.PDNSAPIKey)
 app.Flag("pdns-tls-enabled", "When using the PowerDNS/PDNS provider, specify whether to use TLS (default: false, requires --tls-ca, optionally specify --tls-client-cert and --tls-client-cert-key)").Default(strconv.FormatBool(defaultConfig.PDNSTLSEnabled)).BoolVar(&cfg.PDNSTLSEnabled)
+ app.Flag("ns1-endpoint", "When using the NS1 provider, specify the endpoint to target if not using Managed DNS (optional)").Default(defaultConfig.NS1Endpoint).StringVar(&cfg.NS1Endpoint)
+ app.Flag("ns1-ignoressl", "When using the NS1 provider, specify whether to verify the SSL certificate (default: false)").Default(strconv.FormatBool(defaultConfig.NS1IgnoreSSL)).BoolVar(&cfg.NS1IgnoreSSL)

 // Flags related to TLS communication
 app.Flag("tls-ca", "When using TLS communication, the path to the certificate authority to verify server communications (optionally specify --tls-client-cert for two-way TLS)").Default(defaultConfig.TLSCA).StringVar(&cfg.TLSCA)
diff --git a/pkg/apis/externaldns/types_test.go b/pkg/apis/externaldns/types_test.go
index ab474b498..ae802f49d 100644
--- a/pkg/apis/externaldns/types_test.go
+++ b/pkg/apis/externaldns/types_test.go
@@ -143,6 +143,8 @@ var (
 CRDSourceAPIVersion: "test.k8s.io/v1alpha1",
 CRDSourceKind: "Endpoint",
 RcodezeroTXTEncrypt: true,
+ NS1Endpoint: "https://api.example.com/v1",
+ NS1IgnoreSSL: true,
 }

 // minimal config with istio gateway source and multiple ingressgateway load balancer services
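Review bot: The help text for `ns1-ignoressl` in this hunk is inverted: it says the flag specifies "whether to verify the SSL certificate", but the provider change in this same patch sets `InsecureSkipVerify: true` when the flag is set, so turning it on disables verification and an operator reading the help would expect the opposite. Suggest `app.Flag("ns1-ignoressl", "When using the NS1 provider, skip verification of the API endpoint's TLS certificate (insecure: any on-path host can read the NS1 API key; default: false)")`. The `ns1-endpoint` help should also say the value is expected to be an https URL, since the API key presumably travels in every request to whatever endpoint is configured — confirm against the NS1 client library. ParseFlags starts and ends outside the hunk.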
@@ -284,6 +286,8 @@ func TestParseFlags(t *testing.T) {
 "--crd-source-apiversion=test.k8s.io/v1alpha1",
 "--crd-source-kind=Endpoint",
 "--rcodezero-txt-encrypt",
+ "--ns1-endpoint=https://api.example.com/v1",
+ "--ns1-ignoressl",
 },
 envVars: map[string]string{},
 expected: overriddenConfig,
@@ -349,6 +353,8 @@ func TestParseFlags(t *testing.T) {
 "EXTERNAL_DNS_CRD_SOURCE_APIVERSION": "test.k8s.io/v1alpha1",
 "EXTERNAL_DNS_CRD_SOURCE_KIND": "Endpoint",
 "EXTERNAL_DNS_RCODEZERO_TXT_ENCRYPT": "1",
+ "EXTERNAL_DNS_NS1_ENDPOINT": "https://api.example.com/v1",
+ "EXTERNAL_DNS_NS1_IGNORESSL": "1",
 },
 expected: overriddenConfig,
 },
diff --git a/provider/ns1.go b/provider/ns1.go
index 31341f0d9..9ac7e2200 100644
--- a/provider/ns1.go
+++ b/provider/ns1.go
@@ -17,6 +17,7 @@ limitations under the License.
 package provider

 import (
+ "crypto/tls"
 "fmt"
 "net/http"
 "os"
@@ -85,6 +86,8 @@ func (n NS1DomainService) ListZones() ([]*dns.Zone, *http.Response, error) {
 type NS1Config struct {
 DomainFilter DomainFilter
 ZoneIDFilter ZoneIDFilter
+ NS1Endpoint string
+ NS1IgnoreSSL bool
 DryRun bool
 }

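Review bot: The two new `NS1Config` fields in the ns1.go struct hunk carry no doc comment, and `NS1IgnoreSSL` is the one field in this struct whose misuse has a security consequence; a reader of the struct cannot tell from the name alone that it disables certificate and hostname checks for the API connection. Suggest `// NS1IgnoreSSL disables TLS certificate verification for the NS1 API endpoint; insecure, intended only for private endpoints whose CA cannot be supplied.` and `// NS1Endpoint overrides the NS1 API base URL (empty means the client library's default).` As a point of style, the `NS1` prefix stutters inside `NS1Config` (`config.NS1Endpoint`), matching the existing `DomainFilter`/`DryRun` fields would read as `Endpoint`/`IgnoreSSL` — cosmetic, and it would ripple into main.go.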
@@ -106,8 +109,28 @@ func newNS1ProviderWithHTTPClient(config NS1Config, client *http.Client) (*NS1Pr
 if !ok {
 return nil, fmt.Errorf("NS1_APIKEY environment variable is not set")
 }
+ clientArgs := []func(*api.Client){api.SetAPIKey(token)}
+ if config.NS1Endpoint != "" {
+ log.Infof("ns1-endpoint flag is set, targeting endpoint at %s", config.NS1Endpoint)
+ clientArgs = append(clientArgs, api.SetEndpoint(config.NS1Endpoint))
+ }
- apiClient := api.NewClient(client, api.SetAPIKey(token))
+ if config.NS1IgnoreSSL == true {
+ log.Info("ns1-ignoressl flag is True, skipping SSL verification")
+ defaultTransport := http.DefaultTransport.(*http.Transport)
+ tr := &http.Transport{
+ Proxy: defaultTransport.Proxy,
+ DialContext: defaultTransport.DialContext,
+ MaxIdleConns: defaultTransport.MaxIdleConns,
+ IdleConnTimeout: defaultTransport.IdleConnTimeout,
+ ExpectContinueTimeout: defaultTransport.ExpectContinueTimeout,
+ TLSHandshakeTimeout: defaultTransport.TLSHandshakeTimeout,
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ }
+ client.Transport = tr
+ }
+
+ apiClient := api.NewClient(client, clientArgs...)

 provider := &NS1Provider{
 client: NS1DomainService{apiClient},
From 171e87d9ec9b44a7d06fde20ba249751f6ce62cd Mon Sep 17 00:00:00 2001
From: mburtless
Date: Fri, 26 Apr 2019 11:12:26 -0400
Subject: [PATCH 2/2] Fix wording on flag description

---
 pkg/apis/externaldns/types.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/apis/externaldns/types.go b/pkg/apis/externaldns/types.go
index 77db9ffc6..9bd8a9c51 100644
--- a/pkg/apis/externaldns/types.go
+++ b/pkg/apis/externaldns/types.go
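Review bot: `TLSClientConfig: &tls.Config{InsecureSkipVerify: true}` switches off both chain and hostname verification for the connection that carries the NS1 API key, so with `ns1-ignoressl` set any host on the path can impersonate the endpoint and harvest the key, and the `log.Info` line above it underplays that; the file already exposes a `--tls-ca` flag (visible as context in the types.go hunk), so the private-CA case this patch targets would be better served by loading that bundle into `RootCAs` and keeping `InsecureSkipVerify` as an explicitly warned last resort. Two smaller problems in the same block: `http.DefaultTransport.(*http.Transport)` is an unchecked assertion that panics if anything has replaced `DefaultTransport`, and `client.Transport = tr` mutates the caller-supplied `*http.Client` rather than a copy, which presumably matters only if that client is shared — worth a comment either way. `if config.NS1IgnoreSSL == true` should read `if config.NS1IgnoreSSL`. newNS1ProviderWithHTTPClient starts and ends outside the hunk.
```go
	if config.NS1IgnoreSSL {
		log.Warn("ns1-ignoressl flag is True, skipping SSL verification: the NS1 API key can be read by any on-path host")
		defaultTransport, ok := http.DefaultTransport.(*http.Transport)
		if !ok {
			return nil, fmt.Errorf("http.DefaultTransport is not an *http.Transport, cannot disable SSL verification")
		}
		tr := &http.Transport{
			// … unchanged: Proxy, DialContext, MaxIdleConns, IdleConnTimeout, ExpectContinueTimeout, TLSHandshakeTimeout …
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // explicit operator opt-in, see warning above
		}
		// Swap the transport on a copy so the caller's client is left untouched.
		c := *client
		c.Transport = tr
		client = &c
	}
```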
@@ -292,7 +292,7 @@ func (cfg *Config) ParseFlags(args []string) error {
 app.Flag("pdns-server", "When using the PowerDNS/PDNS provider, specify the URL to the pdns server (required when --provider=pdns)").Default(defaultConfig.PDNSServer).StringVar(&cfg.PDNSServer)
 app.Flag("pdns-api-key", "When using the PowerDNS/PDNS provider, specify the API key to use to authorize requests (required when --provider=pdns)").Default(defaultConfig.PDNSAPIKey).StringVar(&cfg.PDNSAPIKey)
 app.Flag("pdns-tls-enabled", "When using the PowerDNS/PDNS provider, specify whether to use TLS (default: false, requires --tls-ca, optionally specify --tls-client-cert and --tls-client-cert-key)").Default(strconv.FormatBool(defaultConfig.PDNSTLSEnabled)).BoolVar(&cfg.PDNSTLSEnabled)
- app.Flag("ns1-endpoint", "When using the NS1 provider, specify the endpoint to target if not using Managed DNS (optional)").Default(defaultConfig.NS1Endpoint).StringVar(&cfg.NS1Endpoint)
+ app.Flag("ns1-endpoint", "When using the NS1 provider, specify the URL of the API endpoint to target (default: https://api.nsone.net/v1/)").Default(defaultConfig.NS1Endpoint).StringVar(&cfg.NS1Endpoint)
 app.Flag("ns1-ignoressl", "When using the NS1 provider, specify whether to verify the SSL certificate (default: false)").Default(strconv.FormatBool(defaultConfig.NS1IgnoreSSL)).BoolVar(&cfg.NS1IgnoreSSL)

 // Flags related to TLS communication
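Review bot: The reworded `ns1-endpoint` help states `default: https://api.nsone.net/v1/`, but the flag's `.Default(defaultConfig.NS1Endpoint)` is the empty string set in the first patch, so the quoted URL is whatever the NS1 client library falls back to when no endpoint is passed, not something this code controls, and the help will silently go stale if that library default moves. Either set `NS1Endpoint` in `defaultConfig` to that URL so help and behaviour agree, or phrase it as `"(optional; when empty the NS1 client library's default API endpoint is used)"`. ParseFlags starts and ends outside the hunk.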