New feature: client's certificate-based authentication to Infoblox NIOS server #2841
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: skudriavtsev The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
size/L
skudriavtsev
changed the title
skudriavtsev
changed the title
|
By the way, I would like to put some example YAML-deployment files for Infoblox provider and I found no separate directory for that. Probably I missed something in the project repository's rules ... To the reviewers: which place of the repository should I put the example files in? |
|
Hi @Raffo / @njuettner, Can you please review this PR and share your comments ? |
* TestInfobloxRecords and TestInfobloxRecordsReverse tests performed the same actions. To reduce the amount of test-logic, merged them into one table-driven test. * Added comments for the test function and for each respective test case.
k8s-ci-robot
added
cncf-cla: no
|
Hi @Raffo / @njuettner, it will be really great if you can provide your review comments |
k8s-ci-robot
added
the
needs-rebase
|
@skudriavtsev: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@skudriavtsev Please rebase the PR |
There was a problem hiding this comment.
Thanks for the PR, @skudriavtsev !
I left some comments/questions, hope they'll be helpful.
Didn't look at the unit test part yet, will do later after my questions are clarified.
| @@ -251,11 +253,13 @@ var defaultConfig = &Config{ | |||
| AkamaiEdgercPath: "", | |||
| InfobloxGridHost: "", | |||
| InfobloxWapiPort: 443, | |||
| InfobloxWapiUsername: "admin", | |||
There was a problem hiding this comment.
This may break the existing configurations. I agree that empty user would be more generic choice at the very beginning but admin seems to be a reasonable default.
There was a problem hiding this comment.
This makes not a great sense with an empty password. But need to think of it more, this is one of the controversial points.
| if cfg.InfobloxWapiPassword == "" && cfg.InfobloxClientKey == "" && cfg.InfobloxClientCert == "" { | ||
| return errors.New("neither Infoblox WAPI password nor paths to public/private parts of TLS client certificate specified") |
There was a problem hiding this comment.
This condition allows having client certificate without the key or the other way around: client key without certificate. I think we want both parts for the client certificate auth if the password is empty.
There was a problem hiding this comment.
Yes, you are right.
| } else { | ||
| return nil, fmt.Errorf("neither client-certificate nor username and password are specified for authentication to Infoblox NIOS server") | ||
| } |
There was a problem hiding this comment.
This check is redundant, the config validation already checked this in main.go.
There was a problem hiding this comment.
Agree, just one more over-insurance. I will remove it.
| authMethodCert bool | ||
| ) | ||
| if strings.Trim(ibStartupCfg.View, " \a\b\t\n\r\f\v") == "" { | ||
| return nil, fmt.Errorf("non-empty DNS view's name is required") |
There was a problem hiding this comment.
Why the DNS view is now required? It was working without it even when ibclient version 2 was already in use.
There was a problem hiding this comment.
This is mostly not about the default value. It is about the case when a user specifies formally non-empty string which actually contains no visible characters (ex. only spaces as a result of incorrect work of automation scripts). Treat it as over-insurance :-)
For now, let's leave the default DNS view as 'default'. Under discussion, see below.
| @@ -271,28 +325,38 @@ func (p *ProviderConfig) Records(ctx context.Context) (endpoints []*endpoint.End | |||
| // example: 10.196.38.0/24 becomes 38.196.10.in-addr.arpa | |||
| arpaZone, err := transform.ReverseDomainName(zone.Fqdn) | |||
| if err == nil { | |||
| var resP []ibclient.RecordPTR | |||
| var resPtrStatic, resPtrDynamic []ibclient.RecordPTR | |||
There was a problem hiding this comment.
- Why are we filtering
SYSTEMPTR records? - If we do some filtering why do we care for
DYNAMICrecords? can they even be created by ExternalDNS? - Why don't we do the similar filtering (by the record creator) for the other record types (A, CNAME)?
| @@ -546,11 +631,26 @@ func (p *ProviderConfig) recordSet(ep *endpoint.Endpoint, getObject bool, target | |||
| obj.PtrdName = ep.DNSName | |||
| obj.Ipv4Addr = ep.Targets[targetIndex] | |||
| obj.View = p.view | |||
| sf := map[string]string{ | |||
There was a problem hiding this comment.
What does sf stand for? qp used in ther other parts of the PR looks more intuitive to me.
There was a problem hiding this comment.
qp = query parameters
sf = search fields, actually a part of QP.
| expTypeA := ibclient.NewEmptyRecordA().ObjectType() | ||
| expTypeTXT := ibclient.NewEmptyRecordTXT().ObjectType() | ||
| expTypePTR := ibclient.NewEmptyRecordPTR().ObjectType() | ||
| expTypeCNAME := ibclient.NewEmptyRecordCNAME().ObjectType() |
There was a problem hiding this comment.
It doesn't make much sense to create those variable for each for loop iteration. I think that they are better to be defined in const section at the very top of the file.
There was a problem hiding this comment.
It is fine (better) to move them out of loops but they cannot be easily defined as constants.
There was a problem hiding this comment.
Yes true, they are computed at runtime, so they cannot be constants. var section would be ok too, my thought was to move avoid their creation at each iteration.
| expTypePTR := ibclient.NewEmptyRecordPTR().ObjectType() | ||
| expTypeCNAME := ibclient.NewEmptyRecordCNAME().ObjectType() | ||
| actType := recordSet.obj.ObjectType() | ||
| if actType == expTypeA { |
There was a problem hiding this comment.
More go idiomatic would be to replace these if/elses with a switch.
| @@ -16,6 +16,8 @@ export WAPI_USERNAME=admin | |||
| export WAPI_PASSWORD=infoblox | |||
| ``` | |||
|
|
|||
| **Warning**: Grid's Cloud platform member is not supported yet as a target host to be used by eDNS plugin. | |||
There was a problem hiding this comment.
| **Warning**: Grid's Cloud platform member is not supported yet as a target host to be used by eDNS plugin. | |
| **Warning**: Grid's Cloud platform member is not supported yet as a target host to be used by ExternalDNS plugin. |
| Now external-dns will manage PTR records for you. | ||
|
|
||
| **Important note 1**: you may expect that the reverse-mapping zone must be in the | ||
| form of a subdomain of the 'in-addr.arpa' domain, but in case of eDNS's Infoblox provider and |
There was a problem hiding this comment.
| form of a subdomain of the 'in-addr.arpa' domain, but in case of eDNS's Infoblox provider and | |
| form of a subdomain of the 'in-addr.arpa' domain, but in case of ExternalDNS's Infoblox provider and |
|
@alebedev87, thank you for your review, I will address the comments but today I am going to split this PR into 2-3 separate PRs instead of re-basing this one. That is why I just answered 'agree' instead of just accepting your proposals. I will update this PR with exact links. P.S.: I guess, I will add more comments to the code. |
|
replaced by new PRs: #3067 and skudriavtsev#4 (which will be rebased to the original repo after the 1-st PR will be merged) |
Description
This PR contains changes for a new feature: client's certificate authentication to Infoblox NIOS server. And some bugfixes as well, including the fix for the issue #2198
Fixes #2198
Checklist