Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[TXT Registry] Make the nonce stable when generating delete records #3901

Merged
merged 1 commit into from
Oct 17, 2023

Conversation

Sewci0
Copy link
Contributor

@Sewci0 Sewci0 commented Aug 31, 2023

This PR addresses the issue of the current behavior being incompatible with Route53 when using TXT registry with encryption enabled. AWS requires the Delete change request to be called with the exact same record set that is currently present in Route53. However, this is not happening due to the following reasons:

  1. The generateTXTRecord function generates both old and new format TXT records, each encrypted with a new random nonce.
  2. The Records() function stores only one of these records in the labelsMap when iterating through the TXT labels.
  3. The call to generateTXTRecord within Records() results in the deletion of the nonce from the labels.
  4. The final call to generateTXTRecord within ApplyChanges regenerates the nonce again, leading to an entirely different target.

To resolve this issue, this PR disables the generation of old-style TXT records and old to new migrations when encryption is enabled. It also ensures that the txtEncryptionNonce does not get removed from labels, instead it is ignored when serializing.

Nonce generation has been moved outside of the EncryptText and the nonce get's added to the record's labels. This is required in order to ensure that the nonce exists on the record when it gets added to the cache.

Fixes: #3668
Supersedes: #3808

Checklist

  • Unit tests updated

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 31, 2023
@k8s-ci-robot
Copy link
Contributor

Hi @Sewci0. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Aug 31, 2023
@Sewci0 Sewci0 changed the title Make the nonce stable when generating delete records [TXT Registry] Make the nonce stable when generating delete records; Fix #3668 Aug 31, 2023
@k8s-ci-robot k8s-ci-robot added the do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. label Aug 31, 2023
@Sewci0 Sewci0 changed the title [TXT Registry] Make the nonce stable when generating delete records; Fix #3668 [TXT Registry] Make the nonce stable when generating delete records Aug 31, 2023
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. label Aug 31, 2023
@mloiseleur
Copy link
Contributor

mloiseleur commented Sep 1, 2023

I'm unsure if and how the change in labels.go should be tested 🤔
Thanks for the test in registry.

/ok-to-test
/lgtm

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Sep 1, 2023
@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Sep 1, 2023
@Sewci0 Sewci0 force-pushed the fix/txt-encrypt-stable-nonce branch from f1be914 to cee0ea2 Compare September 5, 2023 15:06
@Sewci0
Copy link
Contributor Author

Sewci0 commented Sep 5, 2023

/test pull-external-dns-lint

@Sewci0
Copy link
Contributor Author

Sewci0 commented Sep 5, 2023

/retest

1 similar comment
@mloiseleur
Copy link
Contributor

/retest

@Sewci0
Copy link
Contributor Author

Sewci0 commented Sep 6, 2023

/assign @njuettner

@mloiseleur
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Sep 11, 2023
@k8s-ci-robot k8s-ci-robot removed lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Sep 18, 2023
@Sewci0
Copy link
Contributor Author

Sewci0 commented Sep 21, 2023

/retest

@mloiseleur
Copy link
Contributor

@Sewci0 If you commit --amend --no-edit and push, it should refresh the failed job.

@Sewci0
Copy link
Contributor Author

Sewci0 commented Oct 5, 2023

@mloiseleur Thanks for looking into it, I had to do a few force pushes but it should be all good now.

@Sewci0 Sewci0 force-pushed the fix/txt-encrypt-stable-nonce branch from 9a2b5f2 to 350c546 Compare October 5, 2023 19:05
@Sewci0 Sewci0 force-pushed the fix/txt-encrypt-stable-nonce branch from 350c546 to 66b5b25 Compare October 5, 2023 19:07
@mloiseleur
Copy link
Contributor

/lgtm
/assign @Raffo
/assign @johngmyers

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 6, 2023
@szuecs
Copy link
Contributor

szuecs commented Oct 17, 2023

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: szuecs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 17, 2023
@szuecs szuecs merged commit 4e906c1 into kubernetes-sigs:master Oct 17, 2023
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

When enable encryption of TXT record, Deletion of the DNS record failed.
7 participants