Authorization header support (#45)

* feat: suppert auth headers * docs: update readme optional config * fix: update setup --------- Co-authored-by: Simon Tien <simontien47@gmail.com>
zachomedia · Aug 11, 2023 · eda5e49 · eda5e49
1 parent d473389
commit eda5e49
Show file tree

Hide file tree

Showing 8 changed files with 78 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -57,6 +57,16 @@ spec:
               ### OPTIONAL
               ###
 
+              # API Key scheme https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
+              # default: no scheme ""
+              apiKeyScheme: ""
+
+              # Header name for API key
+              #
+              # This defaults to X-API-Key when unset but supports customizations
+              # e.g. Authorization 
+              apiKeyHeaderName: ""
+
               # Server ID for the PowerDNS API.
               # When unset, defaults to "localhost".
               #

diff --git a/main.go b/main.go
@@ -28,6 +28,11 @@ import (
 	"github.com/joeig/go-powerdns/v3"
 )
 
+const (
+	defaultAuthHeader = "X-API-Key"
+	defaultScheme     = ""
+)
+
 var GroupName = os.Getenv("GROUP_NAME")
 
 func main() {
@@ -81,6 +86,17 @@ type powerDNSProviderConfig struct {
 	// secret which contains the PowerDNS API Key.
 	APIKeySecretRef *cmmeta.SecretKeySelector `json:"apiKeySecretRef"`
 
+	// Scheme supports HTTP AuthSchemes
+	// https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
+	//
+	// +optional default ""
+	APIKeyScheme string `json:"apiKeyScheme"`
+
+	// APIKeyHeaderName is the header name where apiKey will be set
+	//
+	// +optional default "X-API-Key"
+	APIKeyHeaderName string `json:"apiKeyHeaderName"`
+
 	// ServerID is the server ID in the PowerDNS API.
 	// When unset, defaults to "localhost".
 	ServerID string `json:"serverID"`
@@ -245,7 +261,10 @@ func (c *powerDNSProviderSolver) Initialize(kubeClientConfig *rest.Config, stopC
 // loadConfig is a small helper function that decodes JSON configuration into
 // the typed config struct.
 func loadConfig(cfgJSON *apiextensionsv1.JSON) (*powerDNSProviderConfig, error) {
-	cfg := &powerDNSProviderConfig{}
+	cfg := &powerDNSProviderConfig{
+		APIKeyScheme:     defaultScheme,
+		APIKeyHeaderName: defaultAuthHeader,
+	}
 	// handle the 'base case' where no configuration has been provided
 	if cfgJSON == nil {
 		return cfg, nil
@@ -325,7 +344,9 @@ func (c *powerDNSProviderSolver) init(config *apiextensionsv1.JSON, namespace st
 
 	// Add request headers
 	headers := map[string]string{
-		"X-API-Key":    apiKey,
+		cfg.APIKeyHeaderName: strings.TrimLeft(
+			strings.Trim(cfg.APIKeyScheme, " ")+" "+apiKey,
+			" "),
 		"Content-Type": "application/json",
 	}
 	maps.Copy(headers, cfg.Headers)

diff --git a/main_test.go b/main_test.go
@@ -32,10 +32,18 @@ func TestNoProxyNoTLS(t *testing.T) {
 	test(t, "_out/testdata/no-tls")
 }
 
+func TestNoProxyNoTLSAuthHdr(t *testing.T) {
+	test(t, "_out/testdata/no-tls-auth-hdr")
+}
+
 func TestNoProxyTLS(t *testing.T) {
 	test(t, "_out/testdata/tls")
 }
 
+func TestNoProxyTLSAuthHdr(t *testing.T) {
+	test(t, "_out/testdata/tls-auth-hdr")
+}
+
 func TestProxyNoTLS(t *testing.T) {
 	test(t, "_out/testdata/no-tls-with-proxy")
 }

diff --git a/scripts/setup-tests.sh b/scripts/setup-tests.sh
@@ -21,14 +21,14 @@ EOF
 
 openssl req -x509 -config _out/openssl.conf -newkey rsa:4096 -keyout _out/key.pem -out _out/cert.pem -sha256 -days 30 -nodes -subj '/CN=localhost'
 
-for suite in tls tls-with-proxy; do
+for suite in tls tls-with-proxy tls-auth-hdr; do
   mkdir -p _out/testdata/${suite}
   cp testdata/pdns/test/${suite}/apikey.yml _out/testdata/${suite}/apikey.yml
   sed "s#__CERT__#$(base64 -w0 _out/cert.pem)#g" testdata/pdns/test/${suite}/config.json > _out/testdata/${suite}/config.json
 done
 
 # No TLS
-for suite in no-tls no-tls-with-proxy; do
+for suite in no-tls no-tls-with-proxy no-tls-auth-hdr; do
   mkdir -p _out/testdata/${suite}
   cp testdata/pdns/test/${suite}/{config.json,apikey.yml} _out/testdata/${suite}
 done
diff --git a/testdata/pdns/test/no-tls-auth-hdr/apikey.yml b/testdata/pdns/test/no-tls-auth-hdr/apikey.yml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pdns-api-key
+type: Opaque
+data:
+  key: dGVzdDEyMw==
diff --git a/testdata/pdns/test/no-tls-auth-hdr/config.json b/testdata/pdns/test/no-tls-auth-hdr/config.json
@@ -0,0 +1,10 @@
+{
+    "host": "http://127.0.0.1:8080",
+    "apiKeySecretRef": {
+        "name": "pdns-api-key",
+        "key": "key"
+    },
+    "apiKeyScheme": "",
+    "apiKeyHeaderName": "X-API-Key",
+    "ttl": 10
+}
diff --git a/testdata/pdns/test/tls-auth-hdr/apikey.yml b/testdata/pdns/test/tls-auth-hdr/apikey.yml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pdns-api-key
+type: Opaque
+data:
+  key: dGVzdDEyMw==
diff --git a/testdata/pdns/test/tls-auth-hdr/config.json b/testdata/pdns/test/tls-auth-hdr/config.json
@@ -0,0 +1,11 @@
+{
+    "host": "https://127.0.0.1:8443",
+    "apiKeySecretRef": {
+        "name": "pdns-api-key",
+        "key": "key"
+    },
+    "apiKeyScheme": "",
+    "apiKeyHeaderName": "X-API-Key",
+    "ttl": 10,
+    "caBundle": "__CERT__"
+}