feat: Become IDNA aware in Plan and DomainFilter #5049
base: master
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Hi @kimsondrup. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
func normalizeDomain(domain string) string { | ||
s, err := idna.Lookup.ToUnicode(strings.TrimSuffix(domain, ".")) | ||
if err != nil { | ||
log.Warnf(`Got error while parsing domain %s: %v`, domain, err) |
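Review bot: the `log.Warnf` call on the error path formats the externally supplied `domain` with `%s`; use `%q` so that control characters or look-alike Unicode in a hostname cannot garble or forge log lines. The visible lines also do not show what `normalizeDomain` returns when `err != nil`; make that choice explicit in the function comment (the library's partial result or the unmodified input) and pin it with a unit test, since a domain filter is matched against the returned value.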
You may need to do

```go
if err != nil {
	log.Warnf(`Got error while parsing domain %s: %v`, domain, err)
	return domain
}
```
Agreed, we might as well
It has been so long since I started this PR that I myself forgot why I did it the way I did.
The raw domain fallback allows unintended bypasses. A single failing subdomain prevents the rest of the domain from being encoded.
Normalizing each part of the domain is possible, but I'm unsure it's the most elegant solution if we are to also use idna.Lookup.ToUnicode in other places.
I like to just trust that the IDNA lib developers know more about how to handle this problem than whatever we can come up with. But one solution could be something like this (not tested yet, just an example)

```go
// normalizeDomain converts a domain to a canonical form, so that we can filter on it.
// it: trim "." suffix, get Unicode version of domain compliant with Section 5 of RFC 5891
func normalizeDomain(domain string) string {
	domain = strings.TrimSuffix(domain, ".")
	labels := strings.Split(domain, ".")
	normalizedLabels := make([]string, len(labels))
	for i, label := range labels {
		s, err := idna.Lookup.ToUnicode(label)
		if err != nil {
			log.Warnf(`Got error while parsing domain label %s of domain %s: %v`, label, domain, err)
			normalizedLabels[i] = label // Use original label on error
		} else {
			normalizedLabels[i] = s // Use normalized label on success
		}
	}
	return strings.Join(normalizedLabels, ".")
}
```
Example of solutions when using input xn--nordic--w1a.xn--xn--kItty-pd34d-hn01b3542b.com

Logic | Output |
---|---|
Return domain on err != nil | xn--nordic--w1a.xn--xn--kItty-pd34d-hn01b3542b.com |
Encode each label separately and skip encoding on err != nil | nordic-ø.xn--xn--kItty-pd34d-hn01b3542b.com |
Always return result of idna.Lookup.ToUnicode() | nordic-ø.xn--kitty-點看pd34d.com |

Given the goal here is to normalize the domain and in the spirit of keeping it simple I believe that we should return the result of idna.Lookup.ToUnicode() even if some of the encoding experiences errors.
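
The first two rows of the table, and the filter-bypass concern raised earlier in the thread, can be reproduced offline. This is an added example, not code from the PR or from external-dns: it is written in Python because the standard-library `idna` codec needs no extra module, and that codec implements IDNA 2003 rather than the `idna.Lookup` profile, so the third row (which depends on the Go library returning a partial result) is not reproduced. The function names and the `HOST` and `ZONE` values are constructed for illustration.

```python
# Added example, not code from the PR. Python's stdlib "idna" codec (IDNA 2003)
# stands in for idna.Lookup.ToUnicode; all function names are hypothetical.

def to_unicode(name: str) -> str:
    """Decode A-labels to Unicode; raises UnicodeError if any label is invalid."""
    return name.encode("ascii").decode("idna")


def normalize_whole(domain: str) -> str:
    """Convert the whole name at once; on any error return the raw input."""
    domain = domain.removesuffix(".")
    try:
        return to_unicode(domain)
    except UnicodeError:
        return domain


def normalize_per_label(domain: str) -> str:
    """Convert label by label; only a label that fails is kept raw."""
    labels = []
    for label in domain.removesuffix(".").split("."):
        try:
            labels.append(to_unicode(label))
        except UnicodeError:
            labels.append(label)  # also keeps labels that are already Unicode
    return ".".join(labels)


def in_zone(host: str, zone: str, normalize) -> bool:
    """Suffix match of host against zone after normalizing both sides."""
    h, z = normalize(host), normalize(zone)
    return h == z or h.endswith("." + z)


# Input from the table above, plus a constructed host that puts the invalid
# label in front of a valid IDN zone, and the zone as a filter would list it.
TABLE_INPUT = "xn--nordic--w1a.xn--xn--kItty-pd34d-hn01b3542b.com"
HOST = "xn--xn--kItty-pd34d-hn01b3542b.xn--nordic--w1a.com"
ZONE = "nordic-ø.com"

if __name__ == "__main__":
    for fn in (normalize_whole, normalize_per_label):
        print(f"{fn.__name__}: {fn(TABLE_INPUT)} in_zone={in_zone(HOST, ZONE, fn)}")
```

With whole-name fallback one undecodable label leaves the entire host in A-label form, so it is not recognised as part of the Unicode zone; per-label fallback still recognises it.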
/label tide/merge-method-squash |
/ok-to-test |
fixes #5090 |
@kimsondrup Do you think you can address review comments and rebase this PR ? |
Hi all,
My ingress config can be found in my original issue, but I believe this PR to not fix the issue I described. Also, I've got a |
Worth to submit a solution, if this PR is not going to resolve it |
I'm just providing whatever context I have, if I had a solution I'd have submitted a PR instead of an issue. I hope this is enough to help someone make the necessary adjustments. I'll keep poking at it myself as well. |
I managed to resolve the problem!
Horrible hack, but this works for me. Up to you folks if this is a "good" fix or not, but I'd wager it breaks things unrelated to my specific usecase.
func (z ZoneIDName) FindZone(hostname string) (suitableZoneID, suitableZoneName string) {
+ name, err := idna.Lookup.ToUnicode(hostname)
+ if err != nil {
+ name = hostname
+ }
for zoneID, zoneName := range z {
- if hostname == zoneName || strings.HasSuffix(hostname, "."+zoneName) {
+ if name == zoneName || strings.HasSuffix(name, "."+zoneName) {
if suitableZoneName == "" || len(zoneName) > len(suitableZoneName) {
suitableZoneID = zoneID
suitableZoneName = zoneName
}
}
}
return
} |
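Review bot: in the loop, `name` has been converted to Unicode but `zoneName` is compared exactly as stored in `z`, so the `==` and `strings.HasSuffix` checks only agree when every zone name is already in Unicode form; a zone held in its `xn--` form would stop matching after this change. Pass both sides through the same normalization function before comparing. The `name = hostname` fallback on error silently compares an unnormalized name as well; log the error there and decide explicitly whether such a hostname should be matched at all.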
Hi @lexisother. Would you mind creating a pull request? |
@kimsondrup You need to fix the cla before we can proceed |
Working on the CLA. But I also noticed that a suggested change has some unintended side effects, so I am also awaiting feedback on that. |
Hi @kimsondrup have you tested on a cluster real or local? Could you also provide a set of manual test steps using manifests and kubectl commands and arguments for external-dns? Example |
Hi @ivankatliarchuk, Yep I tested it, but it was some months ago. If anyone else wants to do it before me then some sample domains can be found in the unit tests of this PR. |
Description
Ensure support for Internationalized Domain Names for Applications (aka. domains using Unicode) using golang.org/x/net/idna
Disclaimer, this is my first Go code so please look at it with extra skepticism
This PR replaces #4689 as I no longer have access to the neticdk organization
Checklist
End user documentation updated