Merge branch dns-zone-manager:master into master

Makefile

@@ -90,11 +90,13 @@ docker-run-dns-zone-manager-server:
 
 docker-run-dns-zone-manager-server-dev:
 	mkdir -p "$(CURDIR)/.tmp"
+	mkdir -p "$(CURDIR)/persistence"
 	docker run -it \
 		-p 16001:16001 -p 53:53 -p 53:53/udp \
 		-v "$(CURDIR)/.tmp:/mounted/.tmp" \
 		-v "$(CURDIR)/zonedb:/usr/lib/zonemgr/zonedb" \
-		localhost/dns-zone-manager-server-dev
+		-v "$(CURDIR)/persistence:/var/lib/zonemgr" \
+		localhost/dns-zone-manager-server-dev 
 
 docker-pytest-dns-zone-manager-server-dev:
 	mkdir -p "$(CURDIR)/.tmp"

deploy/helm/nsd/templates/pvc.yaml

@@ -4,7 +4,7 @@ metadata:
   name: nsd-zonedata-pvc
 spec:
   accessModes:
-    - ReadWriteOnce
+    - ReadWriteMany
   resources:
     requests:
       storage: {{ .Values.volumes.size }}
\ No newline at end of file

docs/build/Readme.md

+# Building TDZM
+
+To build the TDZM refer to the Readme in the repo root [Readme.md](../../README.md)

docs/install/Readme.md

@@ -18,6 +18,9 @@ The UI is reachable at: http://localhost:8001/ui
 
 Deployment in Kubernetes is done via separate Helm charts.
 
+## Scaling Zone Manager:
+The Zone manager requires a shared volume, that can be mounted by all pods. Currently the volume is defined as "ReadWriteMany", but the Cluster you have must properly support this option. It could be done via NFS File System Storage classes, but may vary from provider to provider. Alternatively you can setup pure NSD Server instances, and connect them as Secondary servers through the Configuration options.
+
 ### General Prerequisites:
 When you want to operate the TDZM Component you MUST ensure the following is available:
 
@@ -41,9 +44,15 @@ Configuration of the Deployment is done via the Helm values file. A Reference of
 
 | Property                                       | Description                                    | Default Value                                  |
 | ---------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- |
-| `zoneConfigFileContent` | Content of the zone config file. Contains settings for trust-zone-apex and additional nameserver ip addresses if required. This is where you specify which domain this TDZM is responsible for. | `TF_DOMAIN_NAME=your_federation_zone`<br/>`TF_DOMAIN_IP=1.2.3.4`<br/>`PRIMARY_SERVER_NDS=nameserver1_for_your_federation_zone`<br/>`PRIMARY_SERVER_IP=1.2.3.4` <br/>`SECONDARY_SERVER_1_NDS=nameserver2_for_your_federation_zone` <br/>`SECONDARY_SERVER_1_IP=1.2.3.4`<br/>`SECONDARY_SERVER_2_NDS=nameserver3_for_your_federation_zone` <br/>`SECONDARY_SERVER_2_IP=1.2.3.4` |
-| `authConfigFileContent.KEYCLOAK_URL` | Specified which Oauth Server is allowed. TZDM will check the JWT signature against this issuer. | `<your issuer>` |
-| `authConfigFileContent.REALM` | Specified which Keycloak Realm is allowed. | `<your realm>` |
+| `zoneConfig.TF_DOMAIN_NAME` | Specifies which DNS Domain this Zone Manager is responsible for. Our Demo deployment uses `trust.train1.xfsc.dev` | `your_federation_zone` |
+| `zoneConfig.TF_DOMAIN_IP` | IP Address that your zone should be managed under | `1.2.3.4` |
+| `zoneConfig.PRIMARY_SERVER_NSD` | Domain name of your primary dns server | `nameserver1_for_your_federation_zone` |
+| `zoneConfig.PRIMARY_SERVER_IP` | Public IP Address of your primary dns server | `1.2.3.4` |
+| `zoneConfig.SECONDARY_SERVER_1_NSD` | Domain name of your secondary dns server  | `nameserver2_for_your_federation_zone` |
+| `zoneConfig.SECONDARY_SERVER_1_IP` | Public IP Address of your secondary dns server| `1.2.3.4` |
+| `zoneConfig.SECONDARY_SERVER_2_NSD` | Domain name of your tertiary dns server  | `nameserver3_for_your_federation_zone` |
+| `zoneConfig.SECONDARY_SERVER_2_IP` | Public IP Address of your tertiary dns server | `1.2.3.4` |
+| `authConfigFileContent.ISSUER_URL` | Specified which Oauth Server is allowed. TZDM will check the JWT signature against this issuer. | `<your issuer>` |
 | `authConfigFileContent.CLIENT_ID` | Specified which ClientID /audience should be allowed in a token. If a token does not contain this audience it will be considered Unauthorized. | `<your allowed client/audience>` |
 | `authConfigFileContent.ALLOW_UNSAFE_SSL` | Specify whether you want to check the SSL certs of your configured issuer. **Setting this to "true" has security implications!** | `false` |
 

docs/operations/Readme.md

+# Operations information
+
+The TDZM Component generally does not require much related to operations. It is mainly managed through the TFM component and should not be used interactively by a human operator. There is one detail to watch out for:
+
+## DNS Key Rollover:
+
+To rollover the DNSSEC Keys it is necessary to completely remove the existing TDZM deployment. Please follow the steps outlined in the security concept here: https://gitlab.eclipse.org/eclipse/xfsc/train/TRAIN-Documentation/-/tree/main/concepts/security?ref_type=heads#zone-manager-tspa
+
+And follow the last paragraph about DNSSEC Key Rollover.
+
+## REST API
+The Rest API is documented in [ZM_swagger.yaml](./ZM_swagger.yaml)
\ No newline at end of file

requirements.txt

+falcon==3.1.1
+gunicorn==19.9.0
+SQLAlchemy==2.0.1
+pyjwt[crypto] == 2.5.0
+requests >= 2.31.0
+marshmallow >= 3.20.2
\ No newline at end of file

requirements_dev.txt

+pylint
+pytest
+mypy
+types-requests
+coverage
+third-party-license-file-generator
+pylint_junit

script.sh

@@ -8,8 +8,6 @@
 # The Zone Manager server will start at $PORT number.
 set -eu -o pipefail
 
-RUNNER=${RUNNER:-dns-zone-manager-server}
-echo "[INFO] ====>>> STARTING ZONE MANAGER SERVICE SETUP"
 RUNNER=${RUNNER:-dns-zone-manager-server}
 echo "[INFO] ====>>> STARTING ZONE MANAGER SERVICE SETUP"
 
@@ -57,82 +55,81 @@ VAR_PATH="/var/lib/zonemgr/"	# path for variables including DB, zonefile and DNS
 SQLITE_DB="sqlite:///${VAR_PATH}zones.db"
 SERVER_PORT=${1}
 
-# set permissions, add user and copy the ZM service to system folder
-chmod 777 -R "$ZM_PATH" || true
-adduser --system --home "$VAR_PATH" zonemgr
+# skip DB configuration in case of ZM reload (already existing DB in persistent storage volume)
+if [ ! -f "${VAR_PATH}zones.db" ]; then
+  echo "[INFO] Initializing intermediate DB and adding records to it and to the zone file..."
+  echo "[INFO] NSD server will be reload and reconfigured several times."
+  echo "[INFO] This will print 'ok' and 'reconfig start' messages repeatedly:"
+  echo
 
+  # initialize DB
+  ${RUNNER} --database "$SQLITE_DB" init
 
-echo "[INFO] Initializing intermediate DB and adding records to it and to the zone file..."
-echo "[INFO] NSD server will be reload and reconfigured several times."
-echo "[INFO] This will print 'ok' and 'reconfig start' messages repeatedly:"
-echo
-
-# initialize DB
-${RUNNER} --database "$SQLITE_DB" init
-
-# add default environment
-${RUNNER} \
-  --database $SQLITE_DB \
-  add-environment \
-	--environment network \
-	--nsd-name "${PRIMARY_SERVER_NSD}" \
-	--nsd-conf "$VAR_PATH"nsd.zones.conf \
-	--nsd-reload "$ZM_PATH"reload-nsd.sh \
-	--key-file "$VAR_PATH"private_key.tmp
-
-# add default zone with given trust framework domain
-${RUNNER} \
-  --database $SQLITE_DB \
-  add-zone \
-	--environment network \
-	--apex "${TF_DOMAIN_NAME}" \
-	--pattern network
-
-chown -R zonemgr: /var/lib/zonemgr
-
-# add required NS records and related IP addresses
-${RUNNER} \
-  --database $SQLITE_DB \
-  add-record \
+  # add default environment
+  ${RUNNER} \
+    --database $SQLITE_DB \
+    add-environment \
     --environment network \
-    --apex "${TF_DOMAIN_NAME}" \
-    "$TF_DOMAIN_NAME" NS \
-      "$PRIMARY_SERVER_NSD" \
-      "$SECONDARY_SERVER_1_NSD"
-
-${RUNNER} \
-  --database $SQLITE_DB \
-  add-record \
-    --environment network \
-    --apex "$TF_DOMAIN_NAME" \
-      "$TF_DOMAIN_NAME" A "$TF_DOMAIN_IP"
-
-${RUNNER} \
-  --database $SQLITE_DB \
-  add-record \
+    --nsd-name "${PRIMARY_SERVER_NSD}" \
+    --nsd-conf "$VAR_PATH"nsd.zones.conf \
+    --nsd-reload "$ZM_PATH"reload-nsd.sh \
+    --key-file "$VAR_PATH"private_key.tmp
+
+  # add default zone with given trust framework domain
+  ${RUNNER} \
+    --database $SQLITE_DB \
+    add-zone \
     --environment network \
-    --apex "$TF_DOMAIN_NAME" \
-      "$PRIMARY_SERVER_NSD" A "$PRIMARY_SERVER_IP"
-
-${RUNNER} \
-  --database $SQLITE_DB \
-  add-record \
-    --environment network \
-    --apex "$TF_DOMAIN_NAME" \
-      "$SECONDARY_SERVER_1_NSD" A "$SECONDARY_SERVER_1_IP"
-
-${RUNNER} \
-  --database $SQLITE_DB \
-  add-record \
-    --environment network \
-    --apex "$TF_DOMAIN_NAME" \
-      "$SECONDARY_SERVER_2_NSD" A "$SECONDARY_SERVER_2_IP"
-
-echo
-echo "[INFO] Adding cron job for resigning..."
+    --apex "${TF_DOMAIN_NAME}" \
+    --pattern network
+
+  # add required NS records and related IP addresses
+  ${RUNNER} \
+    --database $SQLITE_DB \
+    add-record \
+      --environment network \
+      --apex "${TF_DOMAIN_NAME}" \
+      "$TF_DOMAIN_NAME" NS \
+        "$PRIMARY_SERVER_NSD" \
+        "$SECONDARY_SERVER_1_NSD"
+
+  ${RUNNER} \
+    --database $SQLITE_DB \
+    add-record \
+      --environment network \
+      --apex "$TF_DOMAIN_NAME" \
+        "$TF_DOMAIN_NAME" A "$TF_DOMAIN_IP"
+
+  ${RUNNER} \
+    --database $SQLITE_DB \
+    add-record \
+      --environment network \
+      --apex "$TF_DOMAIN_NAME" \
+        "$PRIMARY_SERVER_NSD" A "$PRIMARY_SERVER_IP"
+
+  ${RUNNER} \
+    --database $SQLITE_DB \
+    add-record \
+      --environment network \
+      --apex "$TF_DOMAIN_NAME" \
+        "$SECONDARY_SERVER_1_NSD" A "$SECONDARY_SERVER_1_IP"
+
+  ${RUNNER} \
+    --database $SQLITE_DB \
+    add-record \
+      --environment network \
+      --apex "$TF_DOMAIN_NAME" \
+        "$SECONDARY_SERVER_2_NSD" A "$SECONDARY_SERVER_2_IP"
+
+  echo
+  echo "[INFO] Adding cron job for resigning..."
+
+  # Install the DNSSEC resigning cronjob:
+  crontab -u zonemgr "$ZM_PATH"etc/crontab
 
-# Install the DNSSEC resigning cronjob:
-crontab -u zonemgr "$ZM_PATH"etc/crontab
+else
+  echo "A zone DB file was found. Zone manager reload"
+fi
 
 echo
 echo "[INFO] Configuring NSD for ZM..."