-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Encryption of TXT records not working as per documentation #3992
Comments
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale This issue is being discussed in #4063 |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
/remove-lifecycle rotten as being discussed |
What happened:
external-dns pod was crashing because of
"the AES Encryption key must have a length of 32 bytes"
after following the documentation, using a url-base64 encoding for the key.Instead, using a 32 character-long string "works", meaning that the key is successfully taken by external-dns but it then fails with other errors related to old TXT records not being encrypted.
Moreover, 32 characters are not 32 bytes of entropy, because people will likely use only alphanumerical characters. As such, it should be discouraged to just update the documentation to use 32 characters.
What you expected to happen: external-dns should pick the key, decode it using base64 and use it to encrypt/decrypt TXT records
How to reproduce it (as minimally and precisely as possible):
As an example, just use the following arguments:
and see it not working.
On the other hand, this configuration works:
Anything else we need to know?: Moreover, it is not clear how the migration path works from having non-encrypted TXT records to encrypted ones
Environment:
external-dns --version
): v0.13.6The text was updated successfully, but these errors were encountered: