-
Notifications
You must be signed in to change notification settings - Fork 463
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add the DNS-over-TLS enhancement initial draft #987
Add the DNS-over-TLS enhancement initial draft #987
Conversation
641459a
to
a3cd6b2
Compare
/uncc @russellb @JoelSpeed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is detailed and well written. Looks good overall. I've pointed out a few places where we need to tweak the proposed API or fill in some details.
af75e85
to
f6db4ef
Compare
b7f875d
to
923373f
Compare
2aae734
to
8986a06
Compare
72ce808
to
3c28aad
Compare
https://github.com/openshift/enhancements/pull/987/files#r813350736 looks like a blocker. If I want TLS connections, I'm not going to be happy if my secure configuration actually uses an insecure connection. |
Totally agree. I'll adjust this as it'd require a workaround on our part to cater to the failed TLS connection so this makes the work simpler and the end result more secure. |
3c28aad
to
febad75
Compare
Inactive enhancement proposals go stale after 28d of inactivity. See https://github.com/openshift/enhancements#life-cycle for details. Mark the proposal as fresh by commenting If this proposal is safe to close now please do so with /lifecycle stale |
/remove-lifecycle stale |
febad75
to
cffc110
Compare
862e650
to
daa4fea
Compare
- Address PR feedback for initial proposal - Add the json annotation for the ServerName member - Update the non-goals section to be more clear - Add note about TLS impacting support procedures since packet captures will be encrypted - Update the servername validation to use a pattern - Expand on the ServerName use case - Remove TLSecurityProfile for CoreDNS compatibility - Switch EnableTLS to Transport - Narrow Transport validation and add examples - Note that DNS-over-TLS will stop working post-downgrade - Fix casing of serverName and caBundle - Expand the support statement with packet capture details - Add the answer to the open question about cert storage - Drop Transport for Upstream type as it can't manifest in a Corefile - Update the API and YAML references
daa4fea
to
7ef1256
Compare
Excellent! Thanks! openshift/kubernetes#1247 might warrant a follow-up update to the enhancement. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Miciah The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
The linter has a new requirement:
The requirement wasn't there when the PR was posted, and you do provide a user story and plenty of detail, so I'll override the linter CI job. /override ci/prow/markdownlint |
@Miciah: Overrode contexts on behalf of Miciah: ci/prow/markdownlint In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@brandisher: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
No description provided.