From ebd790da6ba4e8bf7e0ad7a582058488698211f0 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ale=C5=A1=20Mr=C3=A1zek?=
Date: Thu, 27 Mar 2025 14:35:24 +0100
Subject: [PATCH] datamodel: stabilize network schema
- files-watchdog renamed to watchdog
- removed experimental TLS auto-discovery
---
NEWS | 3 +++
doc/_static/config.schema.json | 15 ++++-----------
.../knot_resolver/datamodel/network_schema.py | 17 +++++++----------
.../datamodel/templates/network.lua.j2 | 7 -------
python/knot_resolver/manager/files/watchdog.py | 4 ++--
tests/manager/datamodel/test_network_schema.py | 12 ++++++------
.../packaging/interactive/tls_cert_watchdog.sh | 2 +-
7 files changed, 23 insertions(+), 37 deletions(-)
diff --git a/NEWS b/NEWS
index 5fe7f5cb8..5c1473994 100644
--- a/NEWS
+++ b/NEWS
@@ -11,7 +11,10 @@ Incompatible changes
These are mostly experimental and debugging/testing options that are not useful
for general users (remain in Lua):
- /logging/debugging
- /max-workers
+ - /network/tls/auto-discovery
- /webmgmt
+- Renamed/moved options in the declarative configuration model (YAML).
+ - /network/tls/files-watchdog -> /network/tls/watchdog
Knot Resolver 6.0.15 (2025-07-17)
diff --git a/doc/_static/config.schema.json b/doc/_static/config.schema.json
index 535985991..cfef3cb8a 100644
--- a/doc/_static/config.schema.json
+++ b/doc/_static/config.schema.json
@@ -252,7 +252,7 @@
"description": "TLS configuration, also affects DNS over TLS and DNS over HTTPS.",
"type": "object",
"properties": {
- "files-watchdog": {
+ "watchdog": {
"anyOf": [
{
"type": "string",
@@ -264,7 +264,7 @@
"type": "boolean"
}
],
- "description": "Enables files watchdog for TLS certificate files. Requires the optional 'watchdog' dependency.",
+ "description": "Enables watchdog of changes in TLS certificate files. Requires the optional 'watchdog' dependency.",
"default": "auto"
},
"cert-file": {
@@ -300,11 +300,6 @@
"description": "Path to file with secret for TLS session resumption via tickets. (RFC 5077).",
"default": null
},
- "auto-discovery": {
- "type": "boolean",
- "description": "Experimental automatic discovery of authoritative servers supporting DNS-over-TLS.",
- "default": false
- },
"padding": {
"anyOf": [
{
@@ -321,12 +316,11 @@
}
},
"default": {
- "files_watchdog": true,
+ "watchdog": true,
"cert_file": null,
"key_file": null,
"sticket_secret": null,
"sticket_secret_file": null,
- "auto_discovery": false,
"padding": true
}
},
@@ -480,12 +474,11 @@
},
"address_renumbering": null,
"tls": {
- "files_watchdog": true,
+ "watchdog": true,
"cert_file": null,
"key_file": null,
"sticket_secret": null,
"sticket_secret_file": null,
- "auto_discovery": false,
"padding": true
},
"proxy_protocol": false,
diff --git a/python/knot_resolver/datamodel/network_schema.py b/python/knot_resolver/datamodel/network_schema.py
index e2753a852..21f3db56f 100644
--- a/python/knot_resolver/datamodel/network_schema.py
+++ b/python/knot_resolver/datamodel/network_schema.py
@@ -54,44 +54,41 @@ class TLSSchema(ConfigSchema):
TLS configuration, also affects DNS over TLS and DNS over HTTPS.
---
- files_watchdog: Enables files watchdog for TLS certificate files. Requires the optional 'watchdog' dependency.
+ watchdog: Enables watchdog of changes in TLS certificate files. Requires the optional 'watchdog' dependency.
cert_file: Path to certificate file.
key_file: Path to certificate key file.
sticket_secret: Secret for TLS session resumption via tickets. (RFC 5077).
sticket_secret_file: Path to file with secret for TLS session resumption via tickets. (RFC 5077).
- auto_discovery: Experimental automatic discovery of authoritative servers supporting DNS-over-TLS.
padding: EDNS(0) padding of queries and answers sent over an encrypted channel.
"""
- files_watchdog: Union[Literal["auto"], bool] = "auto"
+ watchdog: Union[Literal["auto"], bool] = "auto"
cert_file: Optional[ReadableFile] = None
key_file: Optional[ReadableFile] = None
sticket_secret: Optional[EscapedStr32B] = None
sticket_secret_file: Optional[ReadableFile] = None
- auto_discovery: bool = False
padding: Union[bool, Int0_512] = True
_LAYER = Raw
- files_watchdog: bool
+ watchdog: bool
cert_file: Optional[ReadableFile] = None
key_file: Optional[ReadableFile] = None
sticket_secret: Optional[EscapedStr32B] = None
sticket_secret_file: Optional[ReadableFile] = None
- auto_discovery: bool = False
padding: Union[bool, Int0_512] = True
- def _files_watchdog(self, obj: Raw) -> Any:
- if obj.files_watchdog == "auto":
+ def _watchdog(self, obj: Raw) -> Any:
+ if obj.watchdog == "auto":
return WATCHDOG_LIB
- return obj.files_watchdog
+ return obj.watchdog
def _validate(self):
if self.sticket_secret and self.sticket_secret_file:
raise ValueError("'sticket_secret' and 'sticket_secret_file' are both defined, only one can be used")
if bool(self.cert_file) != bool(self.key_file):
raise ValueError("'cert-file' and 'key-file' must be configured together")
- if self.cert_file and self.key_file and self.files_watchdog and not WATCHDOG_LIB:
+ if self.cert_file and self.key_file and self.watchdog and not WATCHDOG_LIB:
raise ValueError(
"'files-watchdog' is enabled, but the required 'watchdog' dependency (optional) is not installed"
)
diff --git a/python/knot_resolver/datamodel/templates/network.lua.j2 b/python/knot_resolver/datamodel/templates/network.lua.j2
index cfc152cd3..f80fc9ce2 100644
--- a/python/knot_resolver/datamodel/templates/network.lua.j2
+++ b/python/knot_resolver/datamodel/templates/network.lua.j2
@@ -46,13 +46,6 @@ net.tls_sticket_secret('{{ cfg.network.tls.sticket_secret }}')
net.tls_sticket_secret_file('{{ cfg.network.tls.sticket_secret_file }}')
{% endif %}
-{% if cfg.network.tls.auto_discovery %}
--- network.tls.auto-discovery
-modules.load('experimental_dot_auth')
-{% else %}
--- modules.unload('experimental_dot_auth')
-{% endif %}
-
-- network.tls.padding
net.tls_padding(
{%- if cfg.network.tls.padding == true -%}
diff --git a/python/knot_resolver/manager/files/watchdog.py b/python/knot_resolver/manager/files/watchdog.py
index e74abec9f..b27bd99ee 100644
--- a/python/knot_resolver/manager/files/watchdog.py
+++ b/python/knot_resolver/manager/files/watchdog.py
@@ -18,7 +18,7 @@ FilesToWatch = Dict[Path, Optional[str]]
def watched_files_config(config: KresConfig) -> List[Any]:
return [
- config.network.tls.files_watchdog,
+ config.network.tls.watchdog,
config.network.tls.cert_file,
config.network.tls.key_file,
config.local_data.rpz,
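Review bot: The rename leaves the error message in `_validate` stale: `'files-watchdog' is enabled, but the required 'watchdog' dependency (optional) is not installed` still names the removed key, so an operator who set `/network/tls/watchdog: true` on a host without the library is pointed at an option that no longer exists. Change the message to name the current key, e.g. `"'/network/tls/watchdog' is enabled, but the required 'watchdog' dependency (optional) is not installed"`; using the full path also keeps the option distinguishable from the library of the same name. Since `_watchdog` resolves `"auto"` to `WATCHDOG_LIB`, this check can only fire for an explicit `true`, which is worth a comment on the `if` line: `# "auto" already collapsed to WATCHDOG_LIB in _watchdog, so only an explicit True reaches here`. The `Raw` inner class and the outer `TLSSchema` header start above the hunk.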
@@ -154,7 +154,7 @@ async def _init_files_watchdog(config: KresConfig) -> None:
files_to_watch: FilesToWatch = {}
# network.tls
- if config.network.tls.files_watchdog and config.network.tls.cert_file and config.network.tls.key_file:
+ if config.network.tls.watchdog and config.network.tls.cert_file and config.network.tls.key_file:
net_tls = f"net.tls('{config.network.tls.cert_file}', '{config.network.tls.key_file}')"
files_to_watch[config.network.tls.cert_file.to_path()] = net_tls
files_to_watch[config.network.tls.key_file.to_path()] = net_tls
diff --git a/tests/manager/datamodel/test_network_schema.py b/tests/manager/datamodel/test_network_schema.py
index 1451ac20e..321f18a73 100644
--- a/tests/manager/datamodel/test_network_schema.py
+++ b/tests/manager/datamodel/test_network_schema.py
@@ -83,11 +83,11 @@ def test_listen_invalid(listen: Dict[str, Any]):
@pytest.mark.parametrize(
"tls",
[
- {"files-watchdog": "auto"},
- {"files-watchdog": True},
- {"files-watchdog": False},
+ {"watchdog": "auto"},
+ {"watchdog": True},
+ {"watchdog": False},
],
)
-def test_tls_files_watchdog(tls: Dict[str, Any]):
- expected: bool = WATCHDOG_LIB if tls["files-watchdog"] == "auto" else tls["files-watchdog"]
- assert TLSSchema(tls).files_watchdog == expected
+def test_tls_watchdog(tls: Dict[str, Any]):
+ expected: bool = WATCHDOG_LIB if tls["watchdog"] == "auto" else tls["watchdog"]
+ assert TLSSchema(tls).watchdog == expected
diff --git a/tests/packaging/interactive/tls_cert_watchdog.sh b/tests/packaging/interactive/tls_cert_watchdog.sh
index 104bbdd64..d0663d870 100755
--- a/tests/packaging/interactive/tls_cert_watchdog.sh
+++ b/tests/packaging/interactive/tls_cert_watchdog.sh
@@ -44,7 +44,7 @@ fi
# }}
# configure TLS certificate files and turn on watchdog
-kresctl config set -p /network/tls/files-watchdog true
+kresctl config set -p /network/tls/watchdog true
if [ "$?" -ne "0" ]; then
echo "Could not turn on TLS certificate files watchdog."
exit 1
--
2.47.3