Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Encryption of TXT records not working as per documentation #4063

Closed
wants to merge 11 commits into from
Closed

Encryption of TXT records not working as per documentation #4063

wants to merge 11 commits into from
+34 −19

Conversation

theloneexplorerquest
Copy link
Contributor

@theloneexplorerquest theloneexplorerquest commented Nov 22, 2023
edited
Loading

Description
Fix the issue that Encryption of TXT records does take base64 encryption key.

  1. Use base64.URLEncoding instead of base64.StdEncoding: Since TXT records are often used in DNS settings, which can be included in URLs, it makes sense to use URL-safe characters to avoid potential issues with special characters that have different meanings in URLs. Also per document https://github.com/kubernetes-sigs/external-dns/blob/master/docs/registry/txt.md#encryption the key we generated is URL safe.
  2. Update function EncryptText and DecryptText to take encode aes key as input however decode before encrypt and decrypt. Matching doc description.
  3. update unit test.

Fixes #3992

Checklist

  • Unit tests updated
  • End user documentation updated

@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 22, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign johngmyers for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Nov 22, 2023
@k8s-ci-robot
Copy link
Contributor

Hi @theloneexplorerquest. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Nov 22, 2023
@theloneexplorerquest theloneexplorerquest changed the title fix the encrption key problem Encryption of TXT records not working as per documentation Nov 22, 2023
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Nov 23, 2023
@theloneexplorerquest theloneexplorerquest marked this pull request as ready for review November 23, 2023 12:02
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 23, 2023
@mloiseleur
Copy link
Contributor

Interesting.
🤔 How users are supposed to move from current encryption to this system ?
/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Nov 23, 2023
@theloneexplorerquest
Copy link
Contributor Author

Interesting. 🤔 How users are supposed to move from current encryption to this system ? /ok-to-test

I am not sure haha. Probably need some more investigation.

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Dec 1, 2023
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Dec 1, 2023
@mloiseleur
Copy link
Contributor

For the migration path, there are various options:

  • Documentation on how to migrate manually
  • CLI arg to restore previous behavior
  • CLI arg to launch a specific, one-time, migration command

@theloneexplorerquest
Copy link
Contributor Author

Hi @mloiseleur

Thank you for your suggestion. I'm inclined towards documenting the process for a manual migration.

However, even when proceeding manually, the process appears to be non-trivial. Here's my query:

Is it necessary to always keep at least one encrypted TXT record in the system for the sake of high availability?
I am considering a method where individuals manually delete the TXT record at the provider's end and then the newly recreated record will be created automatically (after they update the key).

@mloiseleur
Copy link
Contributor

If I understand correctly external-dns documentation about this feature, the txt records contains only metadata.

=> But I'm unsure, is this really safe to stop external-dns previous version, remove TXT records and start external-dns new version ? 🤔 Will this really just re-create new encrypted TXT records without any unexpected side effects ?

szuecs
szuecs reviewed Jan 5, 2024
View reviewed changes
endpoint/crypto.go
decodedaesKey, err := base64.URLEncoding.DecodeString(string(aesKey))
if err != nil {
fmt.Println("Error decoding base64 when decrypt text:", err)
return "", "", err
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will break users that are already using txt encryption as far as I understand.
Maybe we should provide a migration path, so for example if it fails to decrypt we use the former StdEncoding.

@szuecs
Copy link
Contributor

szuecs commented Jan 5, 2024

I think we should have a fallback on the read path to ensure we can read old encrypted txt records, which we will update in the next iteration anyways.
Maybe that's something to validate that we re-encrypt old encrypted txt records if we use a different encoding....

Right now I think we would just break users, which is not acceptable.

@theloneexplorerquest
Copy link
Contributor Author

@szuecs thanks for suggestion.

Sorry I was a bit busy in last few weeks.

do you think we should:

  1. provide additional boolean argument, if the argument is supplied, we use the old encryption protocol.
  2. have a try-fail logic in code, if we cannot decrypt with new protocol, attempt to decrypt with old protocol. --> I think this is what you mean by fallback?
    Thanks!

@bennesp bennesp mentioned this pull request Feb 2, 2024
Closed
@mloiseleur
Copy link
Contributor

@theloneexplorerquest I know you didn't ask me but both options sound good to me.

@szuecs
Copy link
Contributor

szuecs commented Apr 30, 2024

I would go for option 2, because users should not care about configuring some option correctly. I expect that if we re-encrypt then it will not do much harm and does the automatic migration.

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle stale
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 29, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle rotten
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Aug 28, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Reopen this PR with /reopen
  • Mark this PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

@k8s-ci-robot
Copy link
Contributor

@k8s-triage-robot: Closed this PR.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Reopen this PR with /reopen
  • Mark this PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@mloiseleur mloiseleur mentioned this pull request Jan 3, 2025
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@szuecs szuecs szuecs left review comments

@johngmyers johngmyers Awaiting requested review from johngmyers

@mloiseleur mloiseleur Awaiting requested review from mloiseleur

@njuettner njuettner Awaiting requested review from njuettner

Assignees
No one assigned
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Encryption of TXT records not working as per documentation
5 participants
@theloneexplorerquest @k8s-ci-robot @mloiseleur @szuecs @k8s-triage-robot