add OpenAPIConfig

2025-07-01 22:35:49 +02:00 · 2023-03-07 13:38:43 +01:00 · 2023-03-07 13:38:43 +01:00 · b885b26add
commit b885b26add
parent 3bf5d39e69
7 changed files with 14981 additions and 16 deletions
--- a/go.mod
+++ b/go.mod
@ -6,10 +6,16 @@ require (
 	github.com/cert-manager/cert-manager v1.11.0
 	github.com/cert-manager/webhook-example v0.0.0-20230119163313-9ea71aef37e6
 	github.com/miekg/dns v1.1.51
+	github.com/pluralsh/acme v0.0.2
 	github.com/pluralsh/gqlclient v1.3.9
+	github.com/spf13/cobra v1.6.1
 	github.com/stretchr/testify v1.8.2
 	k8s.io/apiextensions-apiserver v0.26.2
+	k8s.io/apimachinery v0.26.2
+	k8s.io/apiserver v0.26.2
 	k8s.io/client-go v0.26.2
+	k8s.io/component-base v0.26.2
+	k8s.io/kube-openapi v0.0.0-20230109183929-3758b55a6596
 )

 require (
@ -19,7 +25,7 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/coreos/go-semver v0.3.0 // indirect
 	github.com/coreos/go-systemd/v22 v22.3.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@ -62,7 +68,6 @@ require (
 	github.com/prometheus/procfs v0.8.0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/schollz/progressbar/v3 v3.8.6 // indirect
-	github.com/spf13/cobra v1.6.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stoewer/go-strcase v1.2.0 // indirect
 	github.com/vektah/gqlparser/v2 v2.5.1 // indirect
@ -83,7 +88,7 @@ require (
 	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.24.0 // indirect
 	golang.org/x/crypto v0.5.0 // indirect
-	golang.org/x/mod v0.7.0 // indirect
+	golang.org/x/mod v0.8.0 // indirect
 	golang.org/x/net v0.7.0 // indirect
 	golang.org/x/oauth2 v0.4.0 // indirect
 	golang.org/x/sync v0.1.0 // indirect
@ -91,7 +96,7 @@ require (
 	golang.org/x/term v0.5.0 // indirect
 	golang.org/x/text v0.7.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.4.0 // indirect
+	golang.org/x/tools v0.6.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20221227171554-f9683d7f8bef // indirect
 	google.golang.org/grpc v1.51.0 // indirect
@ -101,13 +106,9 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/api v0.26.2 // indirect
-	k8s.io/apimachinery v0.26.2 // indirect
-	k8s.io/apiserver v0.26.2 // indirect
-	k8s.io/component-base v0.26.2 // indirect
 	k8s.io/klog/v2 v2.80.1 // indirect
 	k8s.io/kms v0.26.2 // indirect
 	k8s.io/kube-aggregator v0.26.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20230109183929-3758b55a6596 // indirect
 	k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.35 // indirect
 	sigs.k8s.io/controller-runtime v0.14.1 // indirect
--- a/go.sum
+++ b/go.sum
@ -70,8 +70,9 @@ github.com/cert-manager/webhook-example v0.0.0-20230119163313-9ea71aef37e6 h1:dN
 github.com/cert-manager/webhook-example v0.0.0-20230119163313-9ea71aef37e6/go.mod h1:u2R1CV+HH7OAm6dE5cOh37JRDR58DnB9DYYHI9OjNWs=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
@ -286,6 +287,8 @@ github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pluralsh/acme v0.0.2 h1:vpQxUXGPH7TIOZXdRPXQfiwJDExYWKoHTKPu4B/1EY4=
+github.com/pluralsh/acme v0.0.2/go.mod h1:Go83DGuFMvznmGc4ILLjrEyFWcoVT9+BjgyZgHTK7HI=
 github.com/pluralsh/gqlclient v1.3.9 h1:cJ6Vu+N1pI5z46JS2o13fh4Oc9CbnTljwu3HTTQCPN8=
 github.com/pluralsh/gqlclient v1.3.9/go.mod h1:VHjVCSOaD9lzOI3u7tOuaQY7vrLdiAKPSbeihaWYX28=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@ -455,8 +458,9 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.7.0 h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA=
 golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@ -637,8 +641,8 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k=
-golang.org/x/tools v0.4.0 h1:7mTAgkunk3fr4GAloyyCasadO6h9zSsQZbwvcaIciV4=
-golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
+golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/main.go
+++ b/main.go
@ -5,12 +5,11 @@ import (
 	"fmt"
 	"os"

+	"github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
+	"github.com/pluralsh/plural-certmanager-webhook/pkg/cmd"
+	"github.com/pluralsh/plural-certmanager-webhook/plural"
 	extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/client-go/rest"
-
-	"github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
-	"github.com/cert-manager/cert-manager/pkg/acme/webhook/cmd"
-	"github.com/pluralsh/plural-certmanager-webhook/plural"
 )

 var GroupName = os.Getenv("GROUP_NAME")
--- a/pkg/api/generated/openapi/zz_generated.openapi.go
+++ b/pkg/api/generated/openapi/zz_generated.openapi.go
--- a/pkg/cmd/cmd.go
+++ b/pkg/cmd/cmd.go
@ -0,0 +1,37 @@
+package cmd
+
+import (
+	"flag"
+	"os"
+	"runtime"
+
+	"github.com/cert-manager/cert-manager/cmd/util"
+	"github.com/cert-manager/cert-manager/pkg/acme/webhook"
+	logf "github.com/cert-manager/cert-manager/pkg/logs"
+	"github.com/pluralsh/plural-certmanager-webhook/pkg/server"
+	"k8s.io/component-base/logs"
+)
+
+// RunWebhookServer creates and starts a new apiserver that acts as a external
+// webhook server for solving DNS challenges using the provided solver
+// implementations. This can be used as an entry point by external webhook
+// implementations, see
+// https://github.com/cert-manager/webhook-example/blob/899c408751425f8d0842b61c0e62fd8035d00316/main.go#L23-L31
+func RunWebhookServer(groupName string, hooks ...webhook.Solver) {
+	stopCh, exit := util.SetupExitHandler(util.GracefulShutdown)
+	defer exit() // This function might call os.Exit, so defer last
+
+	logs.InitLogs()
+	defer logs.FlushLogs()
+
+	if len(os.Getenv("GOMAXPROCS")) == 0 {
+		runtime.GOMAXPROCS(runtime.NumCPU())
+	}
+
+	cmd := server.NewCommandStartWebhookServer(os.Stdout, os.Stderr, stopCh, groupName, hooks...)
+	cmd.Flags().AddGoFlagSet(flag.CommandLine)
+	if err := cmd.Execute(); err != nil {
+		logf.Log.Error(err, "error executing command")
+		util.SetExitCode(err)
+	}
+}
--- a/pkg/server/acme.go
+++ b/pkg/server/acme.go
@ -0,0 +1,14 @@
+package server
+
+import (
+	"github.com/pluralsh/acme/pkg/apis/v1alpha1/acme"
+	pkgruntime "k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+)
+
+func init() {
+	utilruntime.Must(acme.AddToScheme(scheme))
+	utilruntime.Must(scheme.SetVersionPriority(acme.SchemeGroupVersion))
+}
+
+var scheme = pkgruntime.NewScheme()
--- a/pkg/server/start.go
+++ b/pkg/server/start.go
@ -0,0 +1,123 @@
+package server
+
+import (
+	"fmt"
+	"io"
+	"net"
+
+	"github.com/cert-manager/cert-manager/pkg/acme/webhook"
+	whapi "github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
+	"github.com/cert-manager/cert-manager/pkg/acme/webhook/apiserver"
+	"github.com/pluralsh/plural-certmanager-webhook/pkg/api/generated/openapi"
+	"github.com/spf13/cobra"
+	openapinamer "k8s.io/apiserver/pkg/endpoints/openapi"
+	genericapiserver "k8s.io/apiserver/pkg/server"
+	genericoptions "k8s.io/apiserver/pkg/server/options"
+)
+
+const defaultEtcdPathPrefix = "/registry/acme.cert-manager.io"
+
+type WebhookServerOptions struct {
+	RecommendedOptions *genericoptions.RecommendedOptions
+
+	SolverGroup string
+	Solvers     []webhook.Solver
+
+	StdOut io.Writer
+	StdErr io.Writer
+}
+
+func NewWebhookServerOptions(out, errOut io.Writer, groupName string, solvers ...webhook.Solver) *WebhookServerOptions {
+	o := &WebhookServerOptions{
+		// TODO we will nil out the etcd storage options.  This requires a later level of k8s.io/apiserver
+		RecommendedOptions: genericoptions.NewRecommendedOptions(
+			defaultEtcdPathPrefix,
+			apiserver.Codecs.LegacyCodec(whapi.SchemeGroupVersion),
+		),
+
+		SolverGroup: groupName,
+		Solvers:     solvers,
+
+		StdOut: out,
+		StdErr: errOut,
+	}
+	o.RecommendedOptions.Etcd = nil
+	o.RecommendedOptions.Admission = nil
+
+	return o
+}
+
+func NewCommandStartWebhookServer(out, errOut io.Writer, stopCh <-chan struct{}, groupName string, solvers ...webhook.Solver) *cobra.Command {
+	o := NewWebhookServerOptions(out, errOut, groupName, solvers...)
+
+	cmd := &cobra.Command{
+		Short: "Launch an ACME solver API server",
+		Long:  "Launch an ACME solver API server",
+		RunE: func(c *cobra.Command, args []string) error {
+			if err := o.Complete(); err != nil {
+				return err
+			}
+			if err := o.Validate(args); err != nil {
+				return err
+			}
+			if err := o.RunWebhookServer(stopCh); err != nil {
+				return err
+			}
+			return nil
+		},
+	}
+
+	flags := cmd.Flags()
+	o.RecommendedOptions.AddFlags(flags)
+
+	return cmd
+}
+
+func (o WebhookServerOptions) Validate(args []string) error {
+	return nil
+}
+
+func (o *WebhookServerOptions) Complete() error {
+	return nil
+}
+
+// Config creates a new webhook server config that includes generic upstream
+// apiserver options, rest client config and the Solvers configured for this
+// webhook server
+func (o WebhookServerOptions) Config() (*apiserver.Config, error) {
+	// TODO have a "real" external address
+	if err := o.RecommendedOptions.SecureServing.MaybeDefaultWithSelfSignedCerts("localhost", nil, []net.IP{net.ParseIP("127.0.0.1")}); err != nil {
+		return nil, fmt.Errorf("error creating self-signed certificates: %v", err)
+	}
+
+	serverConfig := genericapiserver.NewRecommendedConfig(apiserver.Codecs)
+	if err := o.RecommendedOptions.ApplyTo(serverConfig); err != nil {
+		return nil, err
+	}
+	serverConfig.OpenAPIConfig = genericapiserver.DefaultOpenAPIConfig(openapi.GetOpenAPIDefinitions, openapinamer.NewDefinitionNamer(scheme))
+
+	config := &apiserver.Config{
+		GenericConfig: serverConfig,
+		ExtraConfig: apiserver.ExtraConfig{
+			SolverGroup: o.SolverGroup,
+			Solvers:     o.Solvers,
+		},
+	}
+	return config, nil
+}
+
+// RunWebhookServer creates a new apiserver, registers an API Group for each of
+// the configured solvers and runs the new apiserver.
+func (o WebhookServerOptions) RunWebhookServer(stopCh <-chan struct{}) error {
+	config, err := o.Config()
+	if err != nil {
+		return err
+	}
+
+	server, err := config.Complete().New()
+	if err != nil {
+		return err
+	}
+
+	return server.GenericAPIServer.PrepareRun().Run(stopCh)
+}