From: Aleš Mrázek Date: Thu, 27 Mar 2025 13:35:24 +0000 (+0100) Subject: datamodel: stabilize network schema X-Git-Tag: v6.0.17~9^2~25 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9bec59c1bc15c76356003659142dcc0f0ad7735e;p=thirdparty%2Fknot-resolver.git datamodel: stabilize network schema - files-watchdog renamed to watchdog - removed experimental TLS auto-discovery --- diff --git a/NEWS b/NEWS index 1dc6e2a5e..51dfd4ce8 100644 --- a/NEWS +++ b/NEWS @@ -7,7 +7,10 @@ Incompatible changes These are mostly experimental and debugging/testing options that are not useful for general users (remain in Lua): - /logging/debugging - /max-workers + - /network/tls/auto-discovery - /webmgmt +- Renamed/moved options in the declarative configuration model (YAML). + - /network/tls/files-watchdog -> /network/tls/watchdog Knot Resolver 6.0.16 (2025-10-30) diff --git a/doc/_static/config.schema.json b/doc/_static/config.schema.json index a2c2cb3e5..50b7ad017 100644 --- a/doc/_static/config.schema.json +++ b/doc/_static/config.schema.json @@ -252,7 +252,7 @@ "description": "TLS configuration, also affects DNS over TLS and DNS over HTTPS.", "type": "object", "properties": { - "files-watchdog": { + "watchdog": { "anyOf": [ { "type": "string", @@ -264,7 +264,7 @@ "type": "boolean" } ], - "description": "Enables files watchdog for TLS certificate files. Requires the optional 'watchdog' dependency.", + "description": "Enables watchdog of changes in TLS certificate files. Requires the optional 'watchdog' dependency.", "default": "auto" }, "cert-file": { @@ -300,11 +300,6 @@ "description": "Path to file with secret for TLS session resumption via tickets. (RFC 5077).", "default": null }, - "auto-discovery": { - "type": "boolean", - "description": "Experimental automatic discovery of authoritative servers supporting DNS-over-TLS.", - "default": false - }, "padding": { "anyOf": [ { 
@@ -321,12 +316,11 @@ } }, "default": { - "files_watchdog": true, + "watchdog": true, "cert_file": null, "key_file": null, "sticket_secret": null, "sticket_secret_file": null, - "auto_discovery": false, "padding": true } }, @@ -480,12 +474,11 @@ }, "address_renumbering": null, "tls": { - "files_watchdog": true, + "watchdog": true, "cert_file": null, "key_file": null, "sticket_secret": null, "sticket_secret_file": null, - "auto_discovery": false, "padding": true }, "proxy_protocol": false, diff --git a/python/knot_resolver/datamodel/network_schema.py b/python/knot_resolver/datamodel/network_schema.py index e2753a852..21f3db56f 100644 --- a/python/knot_resolver/datamodel/network_schema.py +++ b/python/knot_resolver/datamodel/network_schema.py 
@@ -54,44 +54,41 @@ class TLSSchema(ConfigSchema): TLS configuration, also affects DNS over TLS and DNS over HTTPS. --- - files_watchdog: Enables files watchdog for TLS certificate files. Requires the optional 'watchdog' dependency. + watchdog: Enables watchdog of changes in TLS certificate files. Requires the optional 'watchdog' dependency. cert_file: Path to certificate file. key_file: Path to certificate key file. sticket_secret: Secret for TLS session resumption via tickets. (RFC 5077). sticket_secret_file: Path to file with secret for TLS session resumption via tickets. (RFC 5077). - auto_discovery: Experimental automatic discovery of authoritative servers supporting DNS-over-TLS. padding: EDNS(0) padding of queries and answers sent over an encrypted channel. """ - files_watchdog: Union[Literal["auto"], bool] = "auto" + watchdog: Union[Literal["auto"], bool] = "auto" cert_file: Optional[ReadableFile] = None key_file: Optional[ReadableFile] = None sticket_secret: Optional[EscapedStr32B] = None sticket_secret_file: Optional[ReadableFile] = None - auto_discovery: bool = False padding: Union[bool, Int0_512] = True _LAYER = Raw - files_watchdog: bool + watchdog: bool cert_file: Optional[ReadableFile] = None key_file: Optional[ReadableFile] = None sticket_secret: Optional[EscapedStr32B] = None sticket_secret_file: Optional[ReadableFile] = None - auto_discovery: bool = False padding: Union[bool, Int0_512] = True - def _files_watchdog(self, obj: Raw) -> Any: - if obj.files_watchdog == "auto": + def _watchdog(self, obj: Raw) -> Any: + if obj.watchdog == "auto": return WATCHDOG_LIB - return obj.files_watchdog + return obj.watchdog def _validate(self): if self.sticket_secret and self.sticket_secret_file: raise ValueError("'sticket_secret' and 'sticket_secret_file' are both defined, only one can be used") if bool(self.cert_file) != bool(self.key_file): raise ValueError("'cert-file' and 'key-file' must be configured together") - if self.cert_file and self.key_file and 
self.files_watchdog and not WATCHDOG_LIB: + if self.cert_file and self.key_file and self.watchdog and not WATCHDOG_LIB: raise ValueError( "'files-watchdog' is enabled, but the required 'watchdog' dependency (optional) is not installed" ) diff --git a/python/knot_resolver/datamodel/templates/network.lua.j2 b/python/knot_resolver/datamodel/templates/network.lua.j2 index 148db203a..e01ca3303 100644 --- a/python/knot_resolver/datamodel/templates/network.lua.j2 +++ b/python/knot_resolver/datamodel/templates/network.lua.j2 @@ -46,13 +46,6 @@ net.tls_sticket_secret('{{ cfg.network.tls.sticket_secret }}') net.tls_sticket_secret_file('{{ cfg.network.tls.sticket_secret_file }}') {% endif %} -{% if cfg.network.tls.auto_discovery %} --- network.tls.auto-discovery -modules.load('experimental_dot_auth') -{% else %} --- modules.unload('experimental_dot_auth') -{% endif %} - -- network.tls.padding net.tls_padding( {%- if cfg.network.tls.padding == true -%} diff --git a/python/knot_resolver/manager/files/watchdog.py b/python/knot_resolver/manager/files/watchdog.py index b2ba5b90c..952f2662c 100644 --- a/python/knot_resolver/manager/files/watchdog.py +++ b/python/knot_resolver/manager/files/watchdog.py @@ -14,7 +14,7 @@ FilesToWatch = Dict[Path, Optional[str]] def watched_files_config(config: KresConfig) -> List[Any]: return [ - config.network.tls.files_watchdog, + config.network.tls.watchdog, config.network.tls.cert_file, config.network.tls.key_file, config.local_data.rpz, 
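Review bot: The ValueError raised at the end of `_validate` still names the old option — `"'files-watchdog' is enabled, but the required 'watchdog' dependency (optional) is not installed"` — while the field it checks is now `self.watchdog`, so an operator who hits it will search for a key that no longer exists in the schema; I would change it to `"'/network/tls/watchdog' is enabled, but the required 'watchdog' Python dependency (optional) is not installed"`, which also keeps the option and the library apart in the wording. The docstring line for the renamed field could state the `"auto"` behaviour that `_watchdog` implements, e.g. `watchdog: Enables watchdog of changes in TLS certificate files; "auto" enables it only when the optional 'watchdog' dependency is installed.`, since with `"auto"` and the library missing the watchdog is silently left off rather than reported. The `TLSSchema` class starts before this hunk (it opens inside the nested Raw docstring) and may continue past it.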
@@ -108,7 +108,7 @@ async def _init_files_watchdog(config: KresConfig, force: bool = False) -> None: files_to_watch: FilesToWatch = {} # network.tls - if config.network.tls.files_watchdog and config.network.tls.cert_file and config.network.tls.key_file: + if config.network.tls.watchdog and config.network.tls.cert_file and config.network.tls.key_file: net_tls = f"net.tls('{config.network.tls.cert_file}', '{config.network.tls.key_file}')" files_to_watch[config.network.tls.cert_file.to_path()] = net_tls files_to_watch[config.network.tls.key_file.to_path()] = net_tls diff --git a/tests/manager/datamodel/test_network_schema.py b/tests/manager/datamodel/test_network_schema.py index 1451ac20e..321f18a73 100644 --- a/tests/manager/datamodel/test_network_schema.py +++ b/tests/manager/datamodel/test_network_schema.py @@ -83,11 +83,11 @@ def test_listen_invalid(listen: Dict[str, Any]): @pytest.mark.parametrize( "tls", [ - {"files-watchdog": "auto"}, - {"files-watchdog": True}, - {"files-watchdog": False}, + {"watchdog": "auto"}, + {"watchdog": True}, + {"watchdog": False}, ], ) -def test_tls_files_watchdog(tls: Dict[str, Any]): - expected: bool = WATCHDOG_LIB if tls["files-watchdog"] == "auto" else tls["files-watchdog"] - assert TLSSchema(tls).files_watchdog == expected +def test_tls_watchdog(tls: Dict[str, Any]): + expected: bool = WATCHDOG_LIB if tls["watchdog"] == "auto" else tls["watchdog"] + assert TLSSchema(tls).watchdog == expected diff --git a/tests/packaging/interactive/tls_cert_watchdog.sh b/tests/packaging/interactive/tls_cert_watchdog.sh index 104bbdd64..d0663d870 100755 --- a/tests/packaging/interactive/tls_cert_watchdog.sh +++ b/tests/packaging/interactive/tls_cert_watchdog.sh @@ -44,7 +44,7 @@ fi # }} # configure TLS certificate files and turn on watchdog -kresctl config set -p /network/tls/files-watchdog true +kresctl config set -p /network/tls/watchdog true if [ "$?" -ne "0" ]; then echo "Could not turn on TLS certificate files watchdog." exit 1
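Review bot: The parametrized cases in `test_tls_watchdog` only cover the renamed key; nothing here exercises that the old `files-watchdog` key and the removed `auto-discovery` key are now rejected, which is the incompatible change the NEWS entry announces. A second test passing `{"files-watchdog": True}` and `{"auto-discovery": True}` to `TLSSchema` under `pytest.raises(...)` would pin that, but the exception type `ConfigSchema` uses for unknown keys is not visible in this diff, so confirm it before asserting on it.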