#1828: Support encrypted DNS txt records

Signed-off-by: Viacheslav Sychov <[email protected]>
kubernetes-sigs · Apr 28, 2023 · 1b22c95 · 1b22c95
1 parent eaabf71
commit 1b22c95
Show file tree

Hide file tree

Showing 11 changed files with 423 additions and 52 deletions.
diff --git a/docs/registry.md b/docs/registry.md
@@ -13,3 +13,68 @@ The controller will try to create the "new format" TXT records if they are not p
 Later on, the old format will be dropped and only the new format will be kept (<record_type>-<endpoint_name>).
 
 Cleanup will be done by controller itself.
+
+### Encryption of TXT Records
+TXT records may contain sensitive information, such as the internal ingress name or namespace, which attackers could exploit to gather information about your infrastructure. 
+By encrypting TXT records, you can protect this information from unauthorized access. It is strongly recommended to encrypt all TXT records to prevent potential security breaches.
+
+To enable encryption of TXT records, you can use the following parameters:
+- `--txt-encrypt-enabled=true`
+- `--txt-encrypt-aes-key=32bytesKey` (used for AES-256-GCM encryption and should be exactly 32 bytes)
+
+Note that the key used for encryption should be a secure key and properly managed to ensure the security of your TXT records.
+
+### Generating TXT encryption AES key
+Python
+```python
+python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'
+```
+
+Bash
+```shell
+dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr -d -- '\n' | tr -- '+/' '-_'; echo
+```
+
+OpenSSL
+```shell
+openssl rand -base64 32 | tr -- '+/' '-_'
+```
+
+PowerShell
+```powershell
+# Add System.Web assembly to session, just in case
+Add-Type -AssemblyName System.Web
+[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes([System.Web.Security.Membership]::GeneratePassword(32,4))).Replace("+","-").Replace("/","_")
+```
+
+Terraform
+```hcl
+resource "random_password" "txt_key" {
+  length           = 32
+  override_special = "-_"
+}
+```
+
+### Manually Encrypt/Decrypt TXT Records
+
+In some cases, you may need to edit labels generated by External-DNS, and in such cases, you can use simple Golang code to do that.
+
+```go
+package main
+
+import (
+	"fmt"
+	"sigs.k8s.io/external-dns/endpoint"
+)
+
+func main() {
+	key := []byte("testtesttesttesttesttesttesttest")
+	encrypted, _ := endpoint.EncryptText(
+		"heritage=external-dns,external-dns/owner=example,external-dns/resource=ingress/default/example",
+		key,
+		nil,
+	)
+	decrypted, _, _ := endpoint.DecryptText(encrypted, key)
+	fmt.Println(decrypted)
+}
+```
diff --git a/endpoint/crypto.go b/endpoint/crypto.go
@@ -0,0 +1,134 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package endpoint
+
+import (
+	"bytes"
+	"compress/gzip"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+	"io"
+
+	log "github.com/sirupsen/logrus"
+)
+
+// EncryptText gzip input data and encrypts it using the supplied AES key
+func EncryptText(text string, aesKey []byte, nonceEncoded []byte) (string, error) {
+	block, err := aes.NewCipher(aesKey)
+	if err != nil {
+		return "", err
+	}
+
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return "", err
+	}
+
+	nonce := make([]byte, gcm.NonceSize())
+	if nonceEncoded == nil {
+		if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
+			return "", err
+		}
+	} else {
+		if _, err = base64.StdEncoding.Decode(nonce, nonceEncoded); err != nil {
+			return "", err
+		}
+	}
+
+	data, err := compressData([]byte(text))
+	if err != nil {
+		return "", err
+	}
+
+	cipherData := gcm.Seal(nonce, nonce, data, nil)
+	return base64.StdEncoding.EncodeToString(cipherData), nil
+}
+
+// DecryptText decrypt gziped data using a supplied AES encryption key ang ungzip it
+// in case of decryption failed, will return original input and decryption error
+func DecryptText(text string, aesKey []byte) (decryptResult string, encryptNonce string, err error) {
+	block, err := aes.NewCipher(aesKey)
+	if err != nil {
+		return "", "", err
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return "", "", err
+	}
+	nonceSize := gcm.NonceSize()
+	data, err := base64.StdEncoding.DecodeString(text)
+	if err != nil {
+		return "", "", err
+	}
+	if len(data) <= nonceSize {
+		return "", "", fmt.Errorf("the encoded data from text %#v is shorter than %#v bytes and can't be decoded", text, nonceSize)
+	}
+	nonce, ciphertext := data[:nonceSize], data[nonceSize:]
+	plaindata, err := gcm.Open(nil, nonce, ciphertext, nil)
+	if err != nil {
+		return "", "", err
+	}
+	plaindata, err = decompressData(plaindata)
+	if err != nil {
+		log.Debugf("Failed to decompress data based on the base64 encoded text %#v. Got error %#v.", text, err)
+		return "", "", err
+	}
+
+	return string(plaindata), base64.StdEncoding.EncodeToString(nonce), nil
+}
+
+// decompressData gzip compressed data
+func decompressData(data []byte) (resData []byte, err error) {
+	gz, err := gzip.NewReader(bytes.NewBuffer(data))
+	if err != nil {
+		return nil, err
+	}
+	defer gz.Close()
+	var b bytes.Buffer
+	if _, err = b.ReadFrom(gz); err != nil {
+		return nil, err
+	}
+
+	return b.Bytes(), nil
+}
+
+// compressData by gzip, for minify data stored in registry
+func compressData(data []byte) (compressedData []byte, err error) {
+	var b bytes.Buffer
+	gz, err := gzip.NewWriterLevel(&b, gzip.BestCompression)
+	if err != nil {
+		return nil, err
+	}
+
+	defer gz.Close()
+	if _, err = gz.Write(data); err != nil {
+		return nil, err
+	}
+
+	if err = gz.Flush(); err != nil {
+		return nil, err
+	}
+
+	if err = gz.Close(); err != nil {
+		return nil, err
+	}
+
+	return b.Bytes(), nil
+}
diff --git a/endpoint/crypto_test.go b/endpoint/crypto_test.go
@@ -0,0 +1,58 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package endpoint
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestEncrypt(t *testing.T) {
+	// Verify that text encryption and decryption works
+	aesKey := []byte("s%zF`.*'5`9.AhI2!B,.~hmbs^.*TL?;")
+	plaintext := "Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum."
+	encryptedtext, err := EncryptText(plaintext, aesKey, nil)
+	require.NoError(t, err)
+	decryptedtext, _, err := DecryptText(encryptedtext, aesKey)
+	require.NoError(t, err)
+	if plaintext != decryptedtext {
+		t.Errorf("Original plain text %#v differs from the resulting decrypted text %#v", plaintext, decryptedtext)
+	}
+
+	// Verify that decrypt returns an error and empty data if wrong AES encryption key is used
+	decryptedtext, _, err = DecryptText(encryptedtext, []byte("s'J!jD`].LC?g&Oa11AgTub,j48ts/96"))
+	require.Error(t, err)
+	if decryptedtext != "" {
+		t.Error("Data decryption failed, empty string should be as result")
+	}
+
+	// Verify that decrypt returns an error and empty data if unencrypted input is is supplied
+	decryptedtext, _, err = DecryptText(plaintext, aesKey)
+	require.Error(t, err)
+	if decryptedtext != "" {
+		t.Errorf("Data decryption failed, empty string should be as result")
+	}
+
+	// Verify that a known encrypted text is decrypted to what is expected
+	encryptedtext = "0Mfzf6wsN8llrfX0ucDZ6nlc2+QiQfKKedjPPLu5atb2I35L9nUZeJcCnuLVW7CVW3K0h94vSuBLdXnMrj8Vcm0M09shxaoF48IcCpD03XtQbKXqk2hPbsW6+JybvplHIQGr16/PcjUSObGmR9yjf38+qEltApkKvrPjsyw43BX4eE10rL0Bln33UJD7/w+zazRDPFlAcbGtkt0ETKHnvyB3/aCddLipvrhjCXj2ZY/ktRF6h716kJRgXU10dCIQHFYU45MIdxI+k10HK3yZqhI2V0Gp2xjrFV/LRQ7/OS9SFee4asPWUYxbCEsnOzp8qc0dCPFSo1dtADzWnUZnsAcbnjtudT4milfLJc5CxDk1v3ykqQ/ajejwHjWQ7b8U6AsTErbezfdcqrb5IzkLgHb5TosnfrdDmNc9GcKfpsrCHbVY8KgNwMVdtwavLv7d9WM6sooUlZ3t0sABGkzagXQmPRvwLnkSOlie5XrnzWo8/8/4UByLga29CaXO"
+	decryptedtext, _, err = DecryptText(encryptedtext, aesKey)
+	require.NoError(t, err)
+	if decryptedtext != plaintext {
+		t.Error("Decryption of text didn't result in expected plaintext result.")
+	}
+}
diff --git a/endpoint/labels.go b/endpoint/labels.go
@@ -17,6 +17,8 @@ limitations under the License.
 package endpoint
 
 import (
+	log "github.com/sirupsen/logrus"
+
 	"errors"
 	"fmt"
 	"sort"
@@ -41,6 +43,9 @@ const (
 
 	// DualstackLabelKey is the name of the label that identifies dualstack endpoints
 	DualstackLabelKey = "dualstack"
+
+	// txtEncryptionNonce label for keep same nonce for same txt records, for prevent different result of encryption for same txt record, it can cause issues for some providers
+	txtEncryptionNonce = "txt-encryption-nonce"
 )
 
 // Labels store metadata related to the endpoint
@@ -55,7 +60,7 @@ func NewLabels() Labels {
 // NewLabelsFromString constructs endpoints labels from a provided format string
 // if heritage set to another value is found then error is returned
 // no heritage automatically assumes is not owned by external-dns and returns invalidHeritage error
-func NewLabelsFromString(labelText string) (Labels, error) {
+func NewLabelsFromStringPlain(labelText string) (Labels, error) {
 	endpointLabels := map[string]string{}
 	labelText = strings.Trim(labelText, "\"") // drop quotes
 	tokens := strings.Split(labelText, ",")
@@ -85,9 +90,26 @@ func NewLabelsFromString(labelText string) (Labels, error) {
 	return endpointLabels, nil
 }
 
-// Serialize transforms endpoints labels into a external-dns recognizable format string
+func NewLabelsFromString(labelText string, aesKey []byte) (Labels, error) {
+	if len(aesKey) != 0 {
+		decryptedText, encryptionNonce, err := DecryptText(strings.Trim(labelText, "\""), aesKey)
+		//in case if we have decryption error, just try process original text
+		//decryption errors should be ignored here, because we can already have plain-text labels in registry
+		if err == nil {
+			labels, err := NewLabelsFromStringPlain(decryptedText)
+			if err == nil {
+				labels[txtEncryptionNonce] = encryptionNonce
+			}
+
+			return labels, err
+		}
+	}
+	return NewLabelsFromStringPlain(labelText)
+}
+
+// SerializePlain transforms endpoints labels into a external-dns recognizable format string
 // withQuotes adds additional quotes
-func (l Labels) Serialize(withQuotes bool) string {
+func (l Labels) SerializePlain(withQuotes bool) string {
 	var tokens []string
 	tokens = append(tokens, fmt.Sprintf("heritage=%s", heritage))
 	var keys []string
@@ -104,3 +126,31 @@ func (l Labels) Serialize(withQuotes bool) string {
 	}
 	return strings.Join(tokens, ",")
 }
+
+// Serialize same to SerializePlain, but encrypt data, if encryption enabled
+func (l Labels) Serialize(withQuotes bool, txtEncryptEnabled bool, aesKey []byte) string {
+	if !txtEncryptEnabled {
+		return l.SerializePlain(withQuotes)
+	}
+
+	var encryptionNonce []byte = nil
+	if extractedNonce, nonceExists := l[txtEncryptionNonce]; nonceExists {
+		encryptionNonce = []byte(extractedNonce)
+		delete(l, txtEncryptionNonce)
+	}
+
+	text := l.SerializePlain(false)
+	log.Debugf("Encrypt the serialized text %#v before returning it.", text)
+	var err error
+	text, err = EncryptText(text, aesKey, encryptionNonce)
+
+	if err != nil {
+		log.Fatalf("Failed to encrypt the text %#v using the encryption key %#v. Got error %#v.", text, aesKey, err)
+	}
+
+	if withQuotes {
+		text = fmt.Sprintf("\"%s\"", text)
+	}
+	log.Debugf("Serialized text after encryption is %#v.", text)
+	return text
+}