TrueCloudLab/coredns
16
0
Fork 2
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Add private DNS support for azure plugin (#3516)

Browse source 
* plugin/azure: fix bug in setting up plugin

Signed-off-by: darshanime <deathbullet@gmail.com>

* plugin/azure: add support for private zones

Signed-off-by: darshanime <deathbullet@gmail.com>

* plugin/azure: change syntax for access level

Signed-off-by: darshanime <deathbullet@gmail.com>

* plugin/azure: change import alias for azure dns

Signed-off-by: darshanime <deathbullet@gmail.com>

* plugin/azure: reword readme, var names

Signed-off-by: darshanime <deathbullet@gmail.com>

* plugin/azure: remove newline in imports

Signed-off-by: darshanime <deathbullet@gmail.com>

* fix import grouping

Co-authored-by: Chris O'Haver <cohaver@infoblox.com>
This commit is contained in:
Darshan Chaudhary 2020-03-11 00:52:23 +05:30 committed by GitHub
parent 3c19f9f181
commit 085826776f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 188 additions and 60 deletions
Download patch file Download diff file Expand all files Collapse all files

8
plugin/azure/README.md
View file

@ -20,6 +20,7 @@ azure RESOURCE_GROUP:ZONE... {
subscription SUBSCRIPTION_ID subscription SUBSCRIPTION_ID
environment ENVIRONMENT environment ENVIRONMENT
fallthrough [ZONES...] fallthrough [ZONES...]
access private
} }
~~~ ~~~
@ -36,17 +37,20 @@ azure RESOURCE_GROUP:ZONE... {
If **ZONES** is omitted, then fallthrough happens for all zones for which the plugin is If **ZONES** is omitted, then fallthrough happens for all zones for which the plugin is
authoritative. authoritative.
* `access` specifies if the zone is `public` or `private`. Default is `public`.
## Examples ## Examples
Enable the *azure* plugin with Azure credentials for the zone `example.org`: Enable the *azure* plugin with Azure credentials for private zones `example.org`, `example.private`:
~~~ txt ~~~ txt
example.org { example.org {
azure resource_group_foo:example.org { azure resource_group_foo:example.org resource_group_foo:example.private {
tenant 123abc-123abc-123abc-123abc tenant 123abc-123abc-123abc-123abc
client 123abc-123abc-123abc-234xyz client 123abc-123abc-123abc-234xyz
subscription 123abc-123abc-123abc-563abc subscription 123abc-123abc-123abc-563abc
secret mysecret secret mysecret
access private
} }
} }
~~~ ~~~

123
plugin/azure/azure.go
View file

@ -13,7 +13,8 @@ import (
"github.com/coredns/coredns/plugin/pkg/upstream" "github.com/coredns/coredns/plugin/pkg/upstream"
"github.com/coredns/coredns/request" "github.com/coredns/coredns/request"
azuredns "github.com/Azure/azure-sdk-for-go/profiles/latest/dns/mgmt/dns" publicdns "github.com/Azure/azure-sdk-for-go/profiles/latest/dns/mgmt/dns"
privatedns "github.com/Azure/azure-sdk-for-go/profiles/latest/privatedns/mgmt/privatedns"
"github.com/miekg/dns" "github.com/miekg/dns"
) )
@ -21,6 +22,7 @@ type zone struct {
id string id string
z *file.Zone z *file.Zone
zone string zone string
private bool
} }
type zones map[string][]*zone type zones map[string][]*zone
@ -28,7 +30,8 @@ type zones map[string][]*zone
// Azure is the core struct of the azure plugin. // Azure is the core struct of the azure plugin.
type Azure struct { type Azure struct {
zoneNames []string zoneNames []string
client azuredns.RecordSetsClient publicClient publicdns.RecordSetsClient
privateClient privatedns.RecordSetsClient
upstream *upstream.Upstream upstream *upstream.Upstream
zMu sync.RWMutex zMu sync.RWMutex
zones zones zones zones
@ -38,25 +41,37 @@ type Azure struct {
} }
// New validates the input DNS zones and initializes the Azure struct. // New validates the input DNS zones and initializes the Azure struct.
func New(ctx context.Context, dnsClient azuredns.RecordSetsClient, keys map[string][]string) (*Azure, error) { func New(ctx context.Context, publicClient publicdns.RecordSetsClient, privateClient privatedns.RecordSetsClient, keys map[string][]string, accessMap map[string]string) (*Azure, error) {
zones := make(map[string][]*zone, len(keys)) zones := make(map[string][]*zone, len(keys))
names := make([]string, len(keys)) names := make([]string, len(keys))
var private bool
for resourceGroup, znames := range keys { for resourceGroup, znames := range keys {
for _, name := range znames { for _, name := range znames {
if _, err := dnsClient.ListAllByDNSZone(context.Background(), resourceGroup, name, nil, ""); err != nil { switch accessMap[resourceGroup+name] {
case "public":
if _, err := publicClient.ListAllByDNSZone(context.Background(), resourceGroup, name, nil, ""); err != nil {
return nil, err return nil, err
} }
private = false
case "private":
if _, err := privateClient.ListComplete(context.Background(), resourceGroup, name, nil, ""); err != nil {
return nil, err
}
private = true
}
fqdn := dns.Fqdn(name) fqdn := dns.Fqdn(name)
if _, ok := zones[fqdn]; !ok { if _, ok := zones[fqdn]; !ok {
names = append(names, fqdn) names = append(names, fqdn)
} }
zones[fqdn] = append(zones[fqdn], &zone{id: resourceGroup, zone: fqdn, z: file.NewZone(fqdn, "")}) zones[fqdn] = append(zones[fqdn], &zone{id: resourceGroup, zone: name, private: private, z: file.NewZone(fqdn, "")})
} }
} }
return &Azure{ return &Azure{
client: dnsClient, publicClient: publicClient,
privateClient: privateClient,
zones: zones, zones: zones,
zoneNames: names, zoneNames: names,
upstream: upstream.New(), upstream: upstream.New(),
@ -85,14 +100,23 @@ func (h *Azure) Run(ctx context.Context) error {
} }
func (h *Azure) updateZones(ctx context.Context) error { func (h *Azure) updateZones(ctx context.Context) error {
var err error
var publicSet publicdns.RecordSetListResultPage
var privateSet privatedns.RecordSetListResultPage
var newZ *file.Zone
errs := make([]string, 0) errs := make([]string, 0)
for zName, z := range h.zones { for zName, z := range h.zones {
for i, hostedZone := range z { for i, hostedZone := range z {
recordSet, err := h.client.ListByDNSZone(ctx, hostedZone.id, hostedZone.zone, nil, "") if hostedZone.private {
privateSet, err = h.privateClient.List(ctx, hostedZone.id, hostedZone.zone, nil, "")
newZ = updateZoneFromPrivateResourceSet(privateSet, zName)
} else {
publicSet, err = h.publicClient.ListByDNSZone(ctx, hostedZone.id, hostedZone.zone, nil, "")
newZ = updateZoneFromPublicResourceSet(publicSet, zName)
}
if err != nil { if err != nil {
errs = append(errs, fmt.Sprintf("failed to list resource records for %v from azure: %v", hostedZone.zone, err)) errs = append(errs, fmt.Sprintf("failed to list resource records for %v from azure: %v", hostedZone.zone, err))
} }
newZ := updateZoneFromResourceSet(recordSet, zName)
newZ.Upstream = h.upstream newZ.Upstream = h.upstream
h.zMu.Lock() h.zMu.Lock()
(*z[i]).z = newZ (*z[i]).z = newZ
@ -107,7 +131,7 @@ func (h *Azure) updateZones(ctx context.Context) error {
} }
func updateZoneFromResourceSet(recordSet azuredns.RecordSetListResultPage, zName string) *file.Zone { func updateZoneFromPublicResourceSet(recordSet publicdns.RecordSetListResultPage, zName string) *file.Zone {
newZ := file.NewZone(zName, "") newZ := file.NewZone(zName, "")
for _, result := range *(recordSet.Response().Value) { for _, result := range *(recordSet.Response().Value) {
@ -196,6 +220,87 @@ func updateZoneFromResourceSet(recordSet azuredns.RecordSetListResultPage, zName
return newZ return newZ
} }
func updateZoneFromPrivateResourceSet(recordSet privatedns.RecordSetListResultPage, zName string) *file.Zone {
newZ := file.NewZone(zName, "")
for _, result := range *(recordSet.Response().Value) {
resultFqdn := *(result.RecordSetProperties.Fqdn)
resultTTL := uint32(*(result.RecordSetProperties.TTL))
if result.RecordSetProperties.ARecords != nil {
for _, A := range *(result.RecordSetProperties.ARecords) {
a := &dns.A{Hdr: dns.RR_Header{Name: resultFqdn, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: resultTTL},
A: net.ParseIP(*(A.Ipv4Address))}
newZ.Insert(a)
}
}
if result.RecordSetProperties.AaaaRecords != nil {
for _, AAAA := range *(result.RecordSetProperties.AaaaRecords) {
aaaa := &dns.AAAA{Hdr: dns.RR_Header{Name: resultFqdn, Rrtype: dns.TypeAAAA, Class: dns.ClassINET, Ttl: resultTTL},
AAAA: net.ParseIP(*(AAAA.Ipv6Address))}
newZ.Insert(aaaa)
}
}
if result.RecordSetProperties.MxRecords != nil {
for _, MX := range *(result.RecordSetProperties.MxRecords) {
mx := &dns.MX{Hdr: dns.RR_Header{Name: resultFqdn, Rrtype: dns.TypeMX, Class: dns.ClassINET, Ttl: resultTTL},
Preference: uint16(*(MX.Preference)),
Mx: dns.Fqdn(*(MX.Exchange))}
newZ.Insert(mx)
}
}
if result.RecordSetProperties.PtrRecords != nil {
for _, PTR := range *(result.RecordSetProperties.PtrRecords) {
ptr := &dns.PTR{Hdr: dns.RR_Header{Name: resultFqdn, Rrtype: dns.TypePTR, Class: dns.ClassINET, Ttl: resultTTL},
Ptr: dns.Fqdn(*(PTR.Ptrdname))}
newZ.Insert(ptr)
}
}
if result.RecordSetProperties.SrvRecords != nil {
for _, SRV := range *(result.RecordSetProperties.SrvRecords) {
srv := &dns.SRV{Hdr: dns.RR_Header{Name: resultFqdn, Rrtype: dns.TypeSRV, Class: dns.ClassINET, Ttl: resultTTL},
Priority: uint16(*(SRV.Priority)),
Weight: uint16(*(SRV.Weight)),
Port: uint16(*(SRV.Port)),
Target: dns.Fqdn(*(SRV.Target))}
newZ.Insert(srv)
}
}
if result.RecordSetProperties.TxtRecords != nil {
for _, TXT := range *(result.RecordSetProperties.TxtRecords) {
txt := &dns.TXT{Hdr: dns.RR_Header{Name: resultFqdn, Rrtype: dns.TypeTXT, Class: dns.ClassINET, Ttl: resultTTL},
Txt: *(TXT.Value)}
newZ.Insert(txt)
}
}
if result.RecordSetProperties.SoaRecord != nil {
SOA := result.RecordSetProperties.SoaRecord
soa := &dns.SOA{Hdr: dns.RR_Header{Name: resultFqdn, Rrtype: dns.TypeSOA, Class: dns.ClassINET, Ttl: resultTTL},
Minttl: uint32(*(SOA.MinimumTTL)),
Expire: uint32(*(SOA.ExpireTime)),
Retry: uint32(*(SOA.RetryTime)),
Refresh: uint32(*(SOA.RefreshTime)),
Serial: uint32(*(SOA.SerialNumber)),
Mbox: dns.Fqdn(*(SOA.Email)),
Ns: *(SOA.Host)}
newZ.Insert(soa)
}
if result.RecordSetProperties.CnameRecord != nil {
CNAME := result.RecordSetProperties.CnameRecord.Cname
cname := &dns.CNAME{Hdr: dns.RR_Header{Name: resultFqdn, Rrtype: dns.TypeCNAME, Class: dns.ClassINET, Ttl: resultTTL},
Target: dns.Fqdn(*CNAME)}
newZ.Insert(cname)
}
}
return newZ
}
// ServeDNS implements the plugin.Handler interface. // ServeDNS implements the plugin.Handler interface.
func (h *Azure) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error) { func (h *Azure) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error) {
state := request.Request{W: w, Req: r} state := request.Request{W: w, Req: r}

62
plugin/azure/setup.go
View file

@ -9,7 +9,8 @@ import (
"github.com/coredns/coredns/plugin/pkg/fall" "github.com/coredns/coredns/plugin/pkg/fall"
clog "github.com/coredns/coredns/plugin/pkg/log" clog "github.com/coredns/coredns/plugin/pkg/log"
azuredns "github.com/Azure/azure-sdk-for-go/profiles/latest/dns/mgmt/dns" publicAzureDNS "github.com/Azure/azure-sdk-for-go/profiles/latest/dns/mgmt/dns"
privateAzureDNS "github.com/Azure/azure-sdk-for-go/profiles/latest/privatedns/mgmt/privatedns"
azurerest "github.com/Azure/go-autorest/autorest/azure" azurerest "github.com/Azure/go-autorest/autorest/azure"
"github.com/Azure/go-autorest/autorest/azure/auth" "github.com/Azure/go-autorest/autorest/azure/auth"
"github.com/caddyserver/caddy" "github.com/caddyserver/caddy"
@ -20,18 +21,23 @@ var log = clog.NewWithPlugin("azure")
func init() { plugin.Register("azure", setup) } func init() { plugin.Register("azure", setup) }
func setup(c *caddy.Controller) error { func setup(c *caddy.Controller) error {
env, keys, fall, err := parse(c) env, keys, accessMap, fall, err := parse(c)
if err != nil { if err != nil {
return plugin.Error("azure", err) return plugin.Error("azure", err)
} }
ctx := context.Background() ctx := context.Background()
dnsClient := azuredns.NewRecordSetsClient(env.Values[auth.SubscriptionID]) publicDNSClient := publicAzureDNS.NewRecordSetsClient(env.Values[auth.SubscriptionID])
if dnsClient.Authorizer, err = env.GetAuthorizer(); err != nil { if publicDNSClient.Authorizer, err = env.GetAuthorizer(); err != nil {
return plugin.Error("azure", err) return plugin.Error("azure", err)
} }
h, err := New(ctx, dnsClient, keys) privateDNSClient := privateAzureDNS.NewRecordSetsClient(env.Values[auth.SubscriptionID])
if privateDNSClient.Authorizer, err = env.GetAuthorizer(); err != nil {
return plugin.Error("azure", err)
}
h, err := New(ctx, publicDNSClient, privateDNSClient, keys, accessMap)
if err != nil { if err != nil {
return plugin.Error("azure", err) return plugin.Error("azure", err)
} }
@ -47,13 +53,17 @@ func setup(c *caddy.Controller) error {
return nil return nil
} }
func parse(c *caddy.Controller) (auth.EnvironmentSettings, map[string][]string, fall.F, error) { func parse(c *caddy.Controller) (auth.EnvironmentSettings, map[string][]string, map[string]string, fall.F, error) {
resourceGroupMapping := map[string][]string{} resourceGroupMapping := map[string][]string{}
accessMap := map[string]string{}
resourceGroupSet := map[string]struct{}{} resourceGroupSet := map[string]struct{}{}
azureEnv := azurerest.PublicCloud azureEnv := azurerest.PublicCloud
env := auth.EnvironmentSettings{Values: map[string]string{}} env := auth.EnvironmentSettings{Values: map[string]string{}}
var fall fall.F var fall fall.F
var access string
var resourceGroup string
var zoneName string
for c.Next() { for c.Next() {
args := c.RemainingArgs() args := c.RemainingArgs()
@ -61,60 +71,70 @@ func parse(c *caddy.Controller) (auth.EnvironmentSettings, map[string][]string,
for i := 0; i < len(args); i++ { for i := 0; i < len(args); i++ {
parts := strings.SplitN(args[i], ":", 2) parts := strings.SplitN(args[i], ":", 2)
if len(parts) != 2 { if len(parts) != 2 {
return env, resourceGroupMapping, fall, c.Errf("invalid resource group/zone: %q", args[i]) return env, resourceGroupMapping, accessMap, fall, c.Errf("invalid resource group/zone: %q", args[i])
} }
resourceGroup, zoneName := parts[0], parts[1] resourceGroup, zoneName = parts[0], parts[1]
if resourceGroup == "" || zoneName == "" { if resourceGroup == "" || zoneName == "" {
return env, resourceGroupMapping, fall, c.Errf("invalid resource group/zone: %q", args[i]) return env, resourceGroupMapping, accessMap, fall, c.Errf("invalid resource group/zone: %q", args[i])
} }
if _, ok := resourceGroupSet[args[i]]; ok { if _, ok := resourceGroupSet[resourceGroup+zoneName]; ok {
return env, resourceGroupMapping, fall, c.Errf("conflicting zone: %q", args[i]) return env, resourceGroupMapping, accessMap, fall, c.Errf("conflicting zone: %q", args[i])
} }
resourceGroupSet[args[i]] = struct{}{} resourceGroupSet[resourceGroup+zoneName] = struct{}{}
accessMap[resourceGroup+zoneName] = "public"
resourceGroupMapping[resourceGroup] = append(resourceGroupMapping[resourceGroup], zoneName) resourceGroupMapping[resourceGroup] = append(resourceGroupMapping[resourceGroup], zoneName)
} }
for c.NextBlock() { for c.NextBlock() {
switch c.Val() { switch c.Val() {
case "subscription": case "subscription":
if !c.NextArg() { if !c.NextArg() {
return env, resourceGroupMapping, fall, c.ArgErr() return env, resourceGroupMapping, accessMap, fall, c.ArgErr()
} }
env.Values[auth.SubscriptionID] = c.Val() env.Values[auth.SubscriptionID] = c.Val()
case "tenant": case "tenant":
if !c.NextArg() { if !c.NextArg() {
return env, resourceGroupMapping, fall, c.ArgErr() return env, resourceGroupMapping, accessMap, fall, c.ArgErr()
} }
env.Values[auth.TenantID] = c.Val() env.Values[auth.TenantID] = c.Val()
case "client": case "client":
if !c.NextArg() { if !c.NextArg() {
return env, resourceGroupMapping, fall, c.ArgErr() return env, resourceGroupMapping, accessMap, fall, c.ArgErr()
} }
env.Values[auth.ClientID] = c.Val() env.Values[auth.ClientID] = c.Val()
case "secret": case "secret":
if !c.NextArg() { if !c.NextArg() {
return env, resourceGroupMapping, fall, c.ArgErr() return env, resourceGroupMapping, accessMap, fall, c.ArgErr()
} }
env.Values[auth.ClientSecret] = c.Val() env.Values[auth.ClientSecret] = c.Val()
case "environment": case "environment":
if !c.NextArg() { if !c.NextArg() {
return env, resourceGroupMapping, fall, c.ArgErr() return env, resourceGroupMapping, accessMap, fall, c.ArgErr()
} }
env.Values[auth.ClientSecret] = c.Val() env.Values[auth.ClientSecret] = c.Val()
var err error var err error
if azureEnv, err = azurerest.EnvironmentFromName(c.Val()); err != nil { if azureEnv, err = azurerest.EnvironmentFromName(c.Val()); err != nil {
return env, resourceGroupMapping, fall, c.Errf("cannot set azure environment: %q", err.Error()) return env, resourceGroupMapping, accessMap, fall, c.Errf("cannot set azure environment: %q", err.Error())
} }
case "fallthrough": case "fallthrough":
fall.SetZonesFromArgs(c.RemainingArgs()) fall.SetZonesFromArgs(c.RemainingArgs())
case "access":
if !c.NextArg() {
return env, resourceGroupMapping, accessMap, fall, c.ArgErr()
}
access = c.Val()
if access != "public" && access != "private" {
return env, resourceGroupMapping, accessMap, fall, c.Errf("invalid access value: can be public/private, found: %s", access)
}
accessMap[resourceGroup+zoneName] = access
default: default:
return env, resourceGroupMapping, fall, c.Errf("unknown property: %q", c.Val()) return env, resourceGroupMapping, accessMap, fall, c.Errf("unknown property: %q", c.Val())
} }
} }
} }
env.Values[auth.Resource] = azureEnv.ResourceManagerEndpoint env.Values[auth.Resource] = azureEnv.ResourceManagerEndpoint
env.Environment = azureEnv env.Environment = azureEnv
return env, resourceGroupMapping, accessMap, fall, nil
return env, resourceGroupMapping, fall, nil
} }

31
plugin/azure/setup_test.go
View file

@ -18,34 +18,30 @@ func TestSetup(t *testing.T) {
tenant tenant
}`, true}, }`, true},
{`azure resource_set:zone { {`azure resource_set:zone {
tenant tenant abc
}`, true}, }`, false},
{`azure resource_set:zone { {`azure resource_set:zone {
client client
}`, true}, }`, true},
{`azure resource_set:zone { {`azure resource_set:zone {
secret client abc
}`, true}, }`, false},
{`azure resource_set:zone { {`azure resource_set:zone {
subscription subscription
}`, true}, }`, true},
{`azure resource_set:zone { {`azure resource_set:zone {
upstream 10.0.0.1 subscription abc
}`, true}, }`, false},
{`azure resource_set:zone { {`azure resource_set:zone {
upstream foo
}`, true},
{`azure resource_set:zone {
foobar
}`, true}, }`, true},
{`azure resource_set:zone { {`azure resource_set:zone {
tenant tenant_id tenant tenant_id
client client_id client client_id
secret client_secret secret client_secret
subscription subscription_id subscription subscription_id
access public
}`, false}, }`, false},
{`azure resource_set:zone { {`azure resource_set:zone {
fallthrough fallthrough
}`, false}, }`, false},
@ -56,16 +52,19 @@ func TestSetup(t *testing.T) {
fallthrough fallthrough
}`, true}, }`, true},
{`azure resource_set:zone,zone2 { {`azure resource_set:zone,zone2 {
fallthrough access private
}`, false}, }`, false},
{`azure resource-set { {`azure resource-set:zone {
fallthrough access public
}`, false},
{`azure resource-set:zone {
access foo
}`, true}, }`, true},
} }
for i, test := range tests { for i, test := range tests {
c := caddy.NewTestController("dns", test.body) c := caddy.NewTestController("dns", test.body)
if _, _, _, err := parse(c); (err == nil) == test.expectedError { if _, _, _, _, err := parse(c); (err == nil) == test.expectedError {
t.Fatalf("Unexpected errors: %v in test: %d\n\t%s", err, i, test.body) t.Fatalf("Unexpected errors: %v in test: %d\n\t%s", err, i, test.body)
} }
} }