metal-dns

command module
v0.2.0
Published: Dec 28, 2022 License: MIT Imports: 8 Imported by: 0

README

metal-dns


Acts as an authorization proxy in front of a PowerDNS resolver. Metal-DNS restricts access to specific domains and their subdomains, and access to individual API actions can be restricted as well.

A proof-of-concept external-dns implementation is also available at https://github.com/majst01/external-dns/tree/metal-dns-support .

Open Topics:

  • Management of authorization tokens and of who is allowed to modify which domains.
  • Currently there is a token create endpoint which can be used to create tokens with the domains and permissions specified.

Authorization

Standard JWT token authorization is implemented.

  • get/list/create/update domains if not already present
  • add/delete/update records

Example JWT Payload:

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "domains": [
     "a.example.com",
     "b.example.com"
  ],
  "permissions": [
    "/api.v1.DomainService/Get",
    "/api.v1.DomainService/List",
    "/api.v1.DomainService/Create",
    "/api.v1.DomainService/Update",
    "/api.v1.DomainService/Delete",
    "/api.v1.RecordService/Create",
    "/api.v1.RecordService/List",
    "/api.v1.RecordService/Update",
    "/api.v1.RecordService/Delete"
  ]
}
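Claims like these only protect anything if the proxy enforces both of them on every call. The following Go snippet is an added illustration, not metal-dns's own code, of how such a check can be evaluated: the gRPC full method name must appear in `permissions`, and the domain or record name (normalised for case and for the trailing dot that requests carry) must equal or sit under an entry in `domains`. `Claims`, `ParseClaims`, `domainAllowed` and `Authorize` are hypothetical names, and the token's signature is assumed to have been verified before its payload reaches this code.

```go
package main

import (
	"encoding/json"
	"strings"
)

// examplePayload: the README's example token claims, trimmed to two permissions.
const examplePayload = `{"domains":["a.example.com","b.example.com"],"permissions":["/api.v1.DomainService/Create","/api.v1.RecordService/Create"]}`

// Claims is a hypothetical struct for the claims the proxy reads.
type Claims struct {
	Domains     []string `json:"domains"`
	Permissions []string `json:"permissions"`
}

// ParseClaims decodes an already signature-verified JWT payload.
func ParseClaims(payload []byte) (Claims, error) {
	var c Claims
	err := json.Unmarshal(payload, &c)
	return c, err
}

// canonical lowercases a name and drops the trailing dot so the FQDN form used
// in requests ("www.a.example.com.") compares with the claim form ("a.example.com").
func canonical(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// domainAllowed: name equals or is a subdomain of a granted domain. Matching on a
// label boundary keeps "evila.example.com" outside a grant for "a.example.com".
func domainAllowed(c Claims, name string) bool {
	n := canonical(name)
	for _, d := range c.Domains {
		if g := canonical(d); g != "" && (n == g || strings.HasSuffix(n, "."+g)) {
			return true
		}
	}
	return false
}

// Authorize requires the gRPC method to be granted AND the name to lie in a granted zone.
func Authorize(c Claims, fullMethod, name string) bool {
	for _, p := range c.Permissions {
		if p == fullMethod {
			return domainAllowed(c, name)
		}
	}
	return false
}
```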

Usage

Server

1.) Start PowerDNS:

docker run -d --rm \
  --name powerdns \
  -p 8081:80 \
  -p 5533:53 powerdns/pdns-auth-47 \
    --api=yes \
    --api-key=apipw \
    --webserver=yes \
    --webserver-address=0.0.0.0 \
    --webserver-port=80 \
    --webserver-allow-from=0.0.0.0/0 \
    --disable-syslog=yes \
    --loglevel=9 \
    --log-dns-queries=yes \
    --log-dns-details=yes \
    --query-logging=yes

2.) Start the metal-dns API server, pointing it at the PowerDNS API endpoint:

make certs
docker run -d --rm \
  --name metal-dns \
  -p 50051:50051 \
  -v $PWD/certs:/certs ghcr.io/majst01/metal-dns \
    --pdns-api-password=apipw \
    --pdns-api-url=http://localhost:8081 \
    --pdns-api-vhost=localhost \
    --secret=YOUR-JWT-TOKEN-SECRET

Client

go get github.com/majst01/metal-dns

package main

import (
  "context"
  "fmt"
  "os"

  v1 "github.com/majst01/metal-dns/api/v1"
  "github.com/majst01/metal-dns/pkg/client"
)

func main() {
  ctx := context.Background()
  addr := "localhost:50051"
  // The JWT comes from the environment; its domains and permissions claims
  // decide which of the calls below the server will accept.
  dialConfig := client.DialConfig{
    Address: &addr,
    Token:   os.Getenv("JWT_TOKEN"),
  }
  c, err := client.NewClient(ctx, dialConfig)
  if err != nil {
    panic(err)
  }

  // Domain and record names are fully qualified, with a trailing dot.
  dcr := &v1.DomainCreateRequest{
    Name:        "a.example.com.",
    Nameservers: []string{"ns1.example.com."},
  }
  d, err := c.Domain().Create(ctx, dcr)
  if err != nil {
    panic(err)
  }
  fmt.Println("Domain created:", d)

  rcr := &v1.RecordCreateRequest{
    Type: v1.RecordType_A,
    Name: "www.a.example.com.",
    Data: "1.2.3.4",
    Ttl:  uint32(600),
  }
  r, err := c.Record().Create(ctx, rcr)
  if err != nil {
    panic(err)
  }
  fmt.Println("Record created:", r)
}

Documentation


There is no documentation for this package.

Directories

  • api/v1
  • pkg
