
DIGITALOCEAN: support init command#4280

Merged: TomOnTime merged 3 commits into main from digitalocean-register-creds-metadata, May 17, 2026

Conversation

@TomOnTime (Collaborator)

Summary

Register CredsMetadata for DIGITALOCEAN so the provider is offered by the dnscontrol init wizard.

Fields mirror the entries in integrationTest/profiles.json.

CC: @chicks-net

Test plan

  • go build ./... passes
  • dnscontrol init lists DIGITALOCEAN as an option
  • Verify any // TODO: Verify annotations in the diff (e.g. PortalURL)

🤖 Generated with Claude Code

Register CredsMetadata so the DIGITALOCEAN provider appears in the `dnscontrol init` wizard.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@chicks-net chicks-net left a comment


The dnscontrol init process works for me until I get to the part where I'd expect it to have issues.

? Compare domains in dnsconfig.js with zones at DigitalOcean? Yes

$ /Users/chicks/Documents/git/dnscontrol/dnscontrol get-zones --format=nameonly -- digitalocean_primary - all

Zones at DigitalOcean compared with dnsconfig.js:
  In both          : (none)
  Only in config   : fini.fun
  Only at provider : almanacvapolitics.org, bettywalls.com, gasp.org, hangmansdaughter.org, hrlug.org, partnersforjustice.com, perlclass.org, perlclasses.org, politicsvirginia.org, seaprojects.org, vccinc.net
? Run `dnscontrol preview` now? Yes

$ /Users/chicks/Documents/git/dnscontrol/dnscontrol preview
CONCURRENTLY checking for 1 zone(s)
SERIALLY checking for 0 zone(s)
Waiting for concurrent checking(s) to complete...DONE
******************** Domain: fini.fun
1 correction (digitalocean_primary)
#1: Ensuring zone "fini.fun" exists in "digitalocean_primary"
CONCURRENTLY gathering records of 1 zone(s)
SERIALLY gathering records of 0 zone(s)
Waiting for concurrent gathering(s) to complete...DONE
******************** Domain: fini.fun
INFO#1: Domain "fini.fun" provider digitalocean_primary Error: GET https://api.digitalocean.com/v2/domains/fini.fun/records?per_page=100: 404 (request "bd7893a1-e3fa-4ae7-b523-977499ca7047") Resource not found
Done. 1 corrections.
completed with errors
dnscontrol preview failed: exit status 1

================================================================================

Welcome to the DNSControl community!

Questions, feedback or ideas are always welcome:
  Discussions: https://github.com/StackExchange/dnscontrol/discussions
  Issues:      https://github.com/StackExchange/dnscontrol/issues

Learn more:
  Getting started: https://docs.dnscontrol.org/getting-started/getting-started
  Examples:        https://docs.dnscontrol.org/getting-started/examples
  Migrating zones: https://docs.dnscontrol.org/getting-started/migrating

Want to stay up to date? Releases and the monthly DNSControl community video call
are announced at https://github.com/StackExchange/dnscontrol/discussions/categories/announcements

@TomOnTime TomOnTime requested a review from cafferata May 16, 2026 18:16
@TomOnTime (Collaborator, Author)

The dnscontrol init process works for me until I get to the part where I'd expect it to have issues.

Does that mean it needs more work or it "works as expected"?

@chicks-net (Collaborator)

The dnscontrol init process works for me until I get to the part where I'd expect it to have issues.

Does that mean it needs more work or it "works as expected"?

I'm not entirely sure. That's why I included the output. I wasn't surprised it blew up because I put in a domain that I don't have in Digital Ocean yet.

@cafferata The biggest thing I noticed when trying init was that the creds.json ends up containing my raw API token. I'm so in the habit of pulling these things from a crypto vault like 1Password, I wondered if you had considered supporting the templated-version of creds.json. I can see how this might make things too complicated for building a skeleton, but it would be nice to start folks off in a fashion that follows security best practices.

@cafferata (Member)

Thanks for bringing this up. The init command is intentionally kept simple: it generates a working skeleton that newcomers can use right away. Someone who has security best practices in mind will naturally move towards environment variables ($VARIABLE_NAME syntax in creds.json) or secret management tools like 1Password CLI on their own.

Adding vault/template options to the interactive flow would increase complexity for all users while only benefiting the subset that already knows what they want. The documentation covers these patterns for when users are ready to adopt them.

@TomOnTime (Collaborator, Author)

Thanks for bringing this up. The init command is intentionally kept simple: it generates a working skeleton that newcomers can use right away. Someone who has security best practices in mind will naturally move towards environment variables ($VARIABLE_NAME syntax in creds.json) or secret management tools like 1Password CLI on their own.

suggestion: How about always adding this to creds.json (and sorting it so that it always appears at the top):

{
  "0_WARNING": {
    "Comment:": "Never store passwords/secrets/apikeys/etc in Git! Do this instead: https://docs.dnscontrol.org/commands/creds-json"
  },

The creds-json.md file could be improved over time. For example, we should have one example using $ENV_VARIABLES and one using 1password templates. We should also link to https://emailsecurity.blog/using-dnscontrol-with-1password-cli

Personally, I just store the entire dang creds.json file in 1password. I get it out with this script that I call bin/get-creds.sh:

#!/bin/sh
# Fetch the whole creds.json from 1Password at runtime instead of keeping it on disk or in Git.
op --account my.1password.com read --out-file creds.json "op://redacted/redacted/creds.json"

P.S. I'm a 1password fanboy.
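As an added example (not code from this PR or from dnscontrol itself), here is a small Go check that ties together the two points above: cafferata's note that creds.json values of the form $VARIABLE_NAME are read from the environment, and TomOnTime's proposed 0_WARNING entry. It parses a constructed creds.json of that shape, flags any secret-looking field that still holds a literal value (the kind of thing a pre-commit hook would run), and shows the $NAME substitution with an unset variable treated as a hard error. The sample document, the list of secret-looking key names, the DIGITALOCEAN field names ("TYPE", "token"), and the strictness of the unset-variable handling are all assumptions for this example, not dnscontrol's own behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strings"
)

// sampleCreds is a constructed creds.json for this example: the 0_WARNING
// entry proposed in the thread, one profile using the $VARIABLE_NAME syntax,
// and one that still holds a literal token. Field names are an assumption.
const sampleCreds = `{
  "0_WARNING": {
    "Comment:": "Never store passwords/secrets/apikeys/etc in Git! Do this instead: https://docs.dnscontrol.org/commands/creds-json"
  },
  "digitalocean_primary": {
    "TYPE": "DIGITALOCEAN",
    "token": "$DIGITALOCEAN_TOKEN"
  },
  "digitalocean_legacy": {
    "TYPE": "DIGITALOCEAN",
    "token": "literal-token-that-should-not-be-committed"
  }
}`

// secretLikeKeys is a heuristic chosen for this example (not a dnscontrol
// list): a field whose lower-cased name contains one of these is a secret.
var secretLikeKeys = []string{"token", "key", "secret", "password"}

func looksSecret(field string) bool {
	f := strings.ToLower(field)
	for _, s := range secretLikeKeys {
		if strings.Contains(f, s) {
			return true
		}
	}
	return false
}

// ParseCreds decodes creds.json, which is laid out as profile name -> string fields.
func ParseCreds(data []byte) (map[string]map[string]string, error) {
	var creds map[string]map[string]string
	if err := json.Unmarshal(data, &creds); err != nil {
		return nil, fmt.Errorf("creds.json: %w", err)
	}
	return creds, nil
}

// FindPlaintextSecrets returns "profile.field" for every secret-looking field
// whose value is a literal rather than a "$NAME" reference, sorted for stable output.
func FindPlaintextSecrets(data []byte) ([]string, error) {
	creds, err := ParseCreds(data)
	if err != nil {
		return nil, err
	}
	var hits []string
	for profile, fields := range creds {
		for field, value := range fields {
			if looksSecret(field) && !strings.HasPrefix(value, "$") {
				hits = append(hits, profile+"."+field)
			}
		}
	}
	sort.Strings(hits)
	return hits, nil
}

// ResolveEnv replaces every "$NAME" value with lookup(NAME). An unset or empty
// variable is an error, so a misconfigured shell fails before any API call is
// made instead of sending an empty token. (Treating unset as fatal is this
// example's choice; dnscontrol's own handling may differ.)
func ResolveEnv(creds map[string]map[string]string, lookup func(string) (string, bool)) (map[string]map[string]string, error) {
	out := make(map[string]map[string]string, len(creds))
	for profile, fields := range creds {
		out[profile] = make(map[string]string, len(fields))
		for field, value := range fields {
			if !strings.HasPrefix(value, "$") {
				out[profile][field] = value
				continue
			}
			name := strings.TrimPrefix(value, "$")
			v, ok := lookup(name)
			if !ok || v == "" {
				return nil, fmt.Errorf("%s.%s: environment variable %s is not set", profile, field, name)
			}
			out[profile][field] = v
		}
	}
	return out, nil
}

// Usage: go run . [creds.json]. Without an argument the constructed sample is
// checked; exit status 1 means a literal secret was found.
func main() {
	data := []byte(sampleCreds)
	if len(os.Args) > 1 {
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		data = b
	}
	hits, err := FindPlaintextSecrets(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if len(hits) > 0 {
		fmt.Println("plaintext secrets in creds.json:", strings.Join(hits, ", "))
		os.Exit(1)
	}
	fmt.Println("ok: every secret-looking field is a $ENV_VAR reference")
}
```

Run against the sample it reports digitalocean_legacy.token and exits 1; point it at a real creds.json from a pre-commit hook and a committed token never reaches Git. ResolveEnv is the runtime half: with `op run --env-file` or a plain export populating DIGITALOCEAN_TOKEN, the reference is filled in, and a missing variable stops the run rather than producing an authentication failure against the provider.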

@cafferata (Member)

Fellow 1Password fanboy here! My setup is slightly different: usernames and notification URLs are checked into Git, while secrets are injected from 1Password at runtime via op run --env-file=.env --no-masking -- dnscontrol. And that already illustrates the point: everyone has their own preferred approach, and things get complex fast.

The 0_WARNING idea is a nice low-cost addition though. Feel free to open a follow-up for that and/or improvements to the creds-json.md docs. I'd personally stay away from adding secret management guidance to the init flow itself.

@cafferata (Member)

P.S. We're getting quite off-topic here. Let's continue the init feature discussion in #4300.

@chicks-net (Collaborator)

P.S. We're getting quite off-topic here. Let's continue the init feature discussion in #4300.

Sorry for geek-sniping everyone. 😂

@cafferata So, does this PR look good to you? 👀 Would you like to approve it? 😄

@TomOnTime TomOnTime merged commit 0623421 into main May 17, 2026
27 checks passed
@TomOnTime TomOnTime deleted the digitalocean-register-creds-metadata branch May 17, 2026 12:41

4 participants