Merge pull request #1993 from ba-work/master

add krb5 realm support
2025-08-06 09:36:58 +02:00 · 2021-04-15 08:41:50 -07:00 · 2021-04-15 08:41:50 -07:00 · a5baad26d7
commit a5baad26d7
parent 43d29f8032 ecbcf27e35
7 changed files with 57 additions and 10 deletions
--- a/.gitignore
+++ b/.gitignore
@ -48,3 +48,6 @@ external-dns
 vendor/

 profile.cov
+
+# github codespaces
+.venv/
--- a/docs/tutorials/rfc2136.md
+++ b/docs/tutorials/rfc2136.md
@ -382,11 +382,10 @@ You'll want to configure `external-dns` similarly to the following:
        - --provider=rfc2136
        - --rfc2136-host=dns-host.yourdomain.com
        - --rfc2136-port=53
-        - --rfc2136-zone=your-domain.com
-        - --rfc2136-gss-tsig
-        - --rfc2136-kerberos-realm=YOUR-REALM.COM # optional; use if your realm's name differs from the DNS zone
+        - --rfc2136-zone=your-zone.com
        - --rfc2136-kerberos-username=your-domain-account
        - --rfc2136-kerberos-password=your-domain-password
+        - --rfc2136-kerberos-realm=your-domain.com
        - --rfc2136-tsig-axfr # needed to enable zone transfers, which is required for deletion of records.
 ...
 ```
--- a/main.go
+++ b/main.go
@ -293,7 +293,7 @@ func main() {
 			p, err = oci.NewOCIProvider(*config, domainFilter, zoneIDFilter, cfg.DryRun)
 		}
 	case "rfc2136":
-		p, err = rfc2136.NewRfc2136Provider(cfg.RFC2136Host, cfg.RFC2136Port, cfg.RFC2136Zone, cfg.RFC2136Insecure, cfg.RFC2136TSIGKeyName, cfg.RFC2136TSIGSecret, cfg.RFC2136TSIGSecretAlg, cfg.RFC2136TAXFR, domainFilter, cfg.DryRun, cfg.RFC2136MinTTL, cfg.RFC2136GSSTSIG, cfg.RFC2136KerberosRealm, cfg.RFC2136KerberosUsername, cfg.RFC2136KerberosPassword, nil)
+		p, err = rfc2136.NewRfc2136Provider(cfg.RFC2136Host, cfg.RFC2136Port, cfg.RFC2136Zone, cfg.RFC2136Insecure, cfg.RFC2136TSIGKeyName, cfg.RFC2136TSIGSecret, cfg.RFC2136TSIGSecretAlg, cfg.RFC2136TAXFR, domainFilter, cfg.DryRun, cfg.RFC2136MinTTL, cfg.RFC2136GSSTSIG, cfg.RFC2136KerberosUsername, cfg.RFC2136KerberosPassword, cfg.RFC2136KerberosRealm, nil)
 	case "ns1":
 		p, err = ns1.NewNS1Provider(
 			ns1.NS1Config{
--- a/pkg/apis/externaldns/types.go
+++ b/pkg/apis/externaldns/types.go
@ -451,10 +451,10 @@ func (cfg *Config) ParseFlags(args []string) error {
 	app.Flag("rfc2136-tsig-secret-alg", "When using the RFC2136 provider, specify the TSIG (base64) value to attached to DNS messages (required when --rfc2136-insecure=false)").Default(defaultConfig.RFC2136TSIGSecretAlg).StringVar(&cfg.RFC2136TSIGSecretAlg)
 	app.Flag("rfc2136-tsig-axfr", "When using the RFC2136 provider, specify the TSIG (base64) value to attached to DNS messages (required when --rfc2136-insecure=false)").BoolVar(&cfg.RFC2136TAXFR)
 	app.Flag("rfc2136-min-ttl", "When using the RFC2136 provider, specify minimal TTL (in duration format) for records. This value will be used if the provided TTL for a service/ingress is lower than this").Default(defaultConfig.RFC2136MinTTL.String()).DurationVar(&cfg.RFC2136MinTTL)
-	app.Flag("rfc2136-gss-tsig", "When using the RFC2136 provider, specify whether to use secure updates with GSS-TSIG using Kerberos (default: false, requires --rfc2136-kerberos-username and rfc2136-kerberos-password)").Default(strconv.FormatBool(defaultConfig.RFC2136GSSTSIG)).BoolVar(&cfg.RFC2136GSSTSIG)
-	app.Flag("rfc2136-kerberos-realm", "When using the RFC2136 provider with GSS-TSIG, specify the Kerberos realm used for authentication (default: the value of --rfc2316-zone converted to uppercase)").Default(defaultConfig.RFC2136KerberosRealm).StringVar(&cfg.RFC2136KerberosRealm)
+	app.Flag("rfc2136-gss-tsig", "When using the RFC2136 provider, specify whether to use secure updates with GSS-TSIG using Kerberos (default: false, requires --rfc2136-kerberos-realm, --rfc2136-kerberos-username, and rfc2136-kerberos-password)").Default(strconv.FormatBool(defaultConfig.RFC2136GSSTSIG)).BoolVar(&cfg.RFC2136GSSTSIG)
 	app.Flag("rfc2136-kerberos-username", "When using the RFC2136 provider with GSS-TSIG, specify the username of the user with permissions to update DNS records (required when --rfc2136-gss-tsig=true)").Default(defaultConfig.RFC2136KerberosUsername).StringVar(&cfg.RFC2136KerberosUsername)
 	app.Flag("rfc2136-kerberos-password", "When using the RFC2136 provider with GSS-TSIG, specify the password of the user with permissions to update DNS records (required when --rfc2136-gss-tsig=true)").Default(defaultConfig.RFC2136KerberosPassword).StringVar(&cfg.RFC2136KerberosPassword)
+	app.Flag("rfc2136-kerberos-realm", "When using the RFC2136 provider with GSS-TSIG, specify the realm of the user with permissions to update DNS records (required when --rfc2136-gss-tsig=true)").Default(defaultConfig.RFC2136KerberosRealm).StringVar(&cfg.RFC2136KerberosRealm)

 	// Flags related to TransIP provider
 	app.Flag("transip-account", "When using the TransIP provider, specify the account name (required when --provider=transip)").Default(defaultConfig.TransIPAccountName).StringVar(&cfg.TransIPAccountName)
--- a/pkg/apis/externaldns/validation/validation.go
+++ b/pkg/apis/externaldns/validation/validation.go
@ -92,8 +92,8 @@ func ValidateConfig(cfg *externaldns.Config) error {
 		}

 		if cfg.RFC2136GSSTSIG {
-			if cfg.RFC2136KerberosPassword == "" || cfg.RFC2136KerberosUsername == "" {
-				return errors.New("--rfc2136-kerberos-username and --rfc2136-kerberos-password both required when specifying --rfc2136-gss-tsig option")
+			if cfg.RFC2136KerberosPassword == "" || cfg.RFC2136KerberosUsername == "" || cfg.RFC2136KerberosRealm == "" {
+				return errors.New("--rfc2136-kerberos-realm, --rfc2136-kerberos-username, and --rfc2136-kerberos-password are required when specifying --rfc2136-gss-tsig option")
 			}
 		}
 	}
--- a/pkg/apis/externaldns/validation/validation_test.go
+++ b/pkg/apis/externaldns/validation/validation_test.go
@ -158,6 +158,7 @@ func TestValidateBadRfc2136GssTsigConfig(t *testing.T) {
 			Sources:                 []string{"test-source"},
 			Provider:                "rfc2136",
 			RFC2136GSSTSIG:          true,
+			RFC2136KerberosRealm:    "test-realm",
 			RFC2136KerberosUsername: "test-user",
 			RFC2136KerberosPassword: "",
 			RFC2136MinTTL:           3600,
@ -167,6 +168,7 @@ func TestValidateBadRfc2136GssTsigConfig(t *testing.T) {
 			Sources:                 []string{"test-source"},
 			Provider:                "rfc2136",
 			RFC2136GSSTSIG:          true,
+			RFC2136KerberosRealm:    "test-realm",
 			RFC2136KerberosUsername: "",
 			RFC2136KerberosPassword: "test-pass",
 			RFC2136MinTTL:           3600,
@ -177,6 +179,48 @@ func TestValidateBadRfc2136GssTsigConfig(t *testing.T) {
 			Provider:                "rfc2136",
 			RFC2136GSSTSIG:          true,
 			RFC2136Insecure:         true,
+			RFC2136KerberosRealm:    "test-realm",
+			RFC2136KerberosUsername: "test-user",
+			RFC2136KerberosPassword: "test-pass",
+			RFC2136MinTTL:           3600,
+		},
+		{
+			LogFormat:               "json",
+			Sources:                 []string{"test-source"},
+			Provider:                "rfc2136",
+			RFC2136GSSTSIG:          true,
+			RFC2136KerberosRealm:    "",
+			RFC2136KerberosUsername: "test-user",
+			RFC2136KerberosPassword: "",
+			RFC2136MinTTL:           3600,
+		},
+		{
+			LogFormat:               "json",
+			Sources:                 []string{"test-source"},
+			Provider:                "rfc2136",
+			RFC2136GSSTSIG:          true,
+			RFC2136KerberosRealm:    "",
+			RFC2136KerberosUsername: "",
+			RFC2136KerberosPassword: "test-pass",
+			RFC2136MinTTL:           3600,
+		},
+		{
+			LogFormat:               "json",
+			Sources:                 []string{"test-source"},
+			Provider:                "rfc2136",
+			RFC2136GSSTSIG:          true,
+			RFC2136Insecure:         true,
+			RFC2136KerberosRealm:    "",
+			RFC2136KerberosUsername: "test-user",
+			RFC2136KerberosPassword: "test-pass",
+			RFC2136MinTTL:           3600,
+		},
+		{
+			LogFormat:               "json",
+			Sources:                 []string{"test-source"},
+			Provider:                "rfc2136",
+			RFC2136GSSTSIG:          true,
+			RFC2136KerberosRealm:    "",
 			RFC2136KerberosUsername: "test-user",
 			RFC2136KerberosPassword: "test-pass",
 			RFC2136MinTTL:           3600,
@ -198,6 +242,7 @@ func TestValidateGoodRfc2136GssTsigConfig(t *testing.T) {
 			Provider:                "rfc2136",
 			RFC2136GSSTSIG:          true,
 			RFC2136Insecure:         false,
+			RFC2136KerberosRealm:    "test-realm",
 			RFC2136KerberosUsername: "test-user",
 			RFC2136KerberosPassword: "test-pass",
 			RFC2136MinTTL:           3600,
--- a/provider/rfc2136/rfc2136.go
+++ b/provider/rfc2136/rfc2136.go
@ -85,7 +85,7 @@ type rfc2136Actions interface {
 }

 // NewRfc2136Provider is a factory function for OpenStack rfc2136 providers
-func NewRfc2136Provider(host string, port int, zoneName string, insecure bool, keyName string, secret string, secretAlg string, axfr bool, domainFilter endpoint.DomainFilter, dryRun bool, minTTL time.Duration, gssTsig bool, krb5Realm string, krb5Username string, krb5Password string, actions rfc2136Actions) (provider.Provider, error) {
+func NewRfc2136Provider(host string, port int, zoneName string, insecure bool, keyName string, secret string, secretAlg string, axfr bool, domainFilter endpoint.DomainFilter, dryRun bool, minTTL time.Duration, gssTsig bool, krb5Username string, krb5Password string, krb5Realm string, actions rfc2136Actions) (provider.Provider, error) {
 	secretAlgChecked, ok := tsigAlgs[secretAlg]
 	if !ok && !insecure && !gssTsig {
 		return nil, errors.Errorf("%s is not supported TSIG algorithm", secretAlg)
@ -102,7 +102,7 @@ func NewRfc2136Provider(host string, port int, zoneName string, insecure bool, k
 		gssTsig:      gssTsig,
 		krb5Username: krb5Username,
 		krb5Password: krb5Password,
-		krb5Realm:    krb5Realm,
+		krb5Realm:    strings.ToUpper(krb5Realm),
 		domainFilter: domainFilter,
 		dryRun:       dryRun,
 		axfr:         axfr,