From f938bd3ac9b9cfde3ff8a394731dbba54d7cb056 Mon Sep 17 00:00:00 2001 From: Harald Fielker Date: Sun, 28 Apr 2024 13:54:03 +0200 Subject: [PATCH] Updated to recent version of cert-manager/webhook-example --- .gitignore | 4 + .vscode/settings.json | 3 + README.md | 132 ++++++--- env.sample | 11 + example/dns.go | 69 ----- example/example.go | 68 ----- example/example_test.go | 96 ------- go.mod | 5 +- go.sum | 7 + main.go | 396 ++++++++++++++++++++++---- main_test.go | 26 +- testdata/my-custom-solver/README.md | 3 - testdata/my-custom-solver/config.json | 1 - testdata/namecheap/.gitignore | 2 + testdata/namecheap/README.md | 5 + testdata/namecheap/apikey.yaml.sample | 8 + testdata/namecheap/config.json.sample | 11 + 17 files changed, 489 insertions(+), 358 deletions(-) create mode 100644 .vscode/settings.json create mode 100644 env.sample delete mode 100644 example/dns.go delete mode 100644 example/example.go delete mode 100644 example/example_test.go delete mode 100644 testdata/my-custom-solver/README.md delete mode 100644 testdata/my-custom-solver/config.json create mode 100644 testdata/namecheap/.gitignore create mode 100644 testdata/namecheap/README.md create mode 100644 testdata/namecheap/apikey.yaml.sample create mode 100644 testdata/namecheap/config.json.sample diff --git a/.gitignore b/.gitignore index a4be81c..435d41a 100644 --- a/.gitignore +++ b/.gitignore @@ -17,3 +17,7 @@ cert-manager-webhook-example # Make artifacts _out _test + +# vscode debugging +.env +__debug* \ No newline at end of file diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000..780ee5e --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,3 @@ +{ + "go.testEnvFile": "${workspaceFolder}/.env", +} diff --git a/README.md b/README.md index 77ca07b..80004b5 100644 --- a/README.md +++ b/README.md @@ -1,58 +1,106 @@ -

- cert-manager project logo -

+# cert-manager webhook for Namecheap -# ACME webhook example +- This is a Frankenstein version of + - + - -The ACME issuer type supports an optional 'webhook' solver, which can be used -to implement custom DNS01 challenge solving logic. +- This is as good as any other implementation! +- I just had to find out, that my local `dnsmasq` messed around. When the webhook is trying to find out the zone of the domain, it just got back some local info. +- The workaround (for me) - is to use a public DNS for the cert-manager. +- Idea can be found at [Techno Tim's Repo](https://github.com/techno-tim/launchpad/blob/c18b2c3e3bf9cfa30974ae0e993e5c2fc3c37408/kubernetes/traefik-cert-manager/cert-manager/values.yaml#L9) -This is useful if you need to use cert-manager with a DNS provider that is not -officially supported in cert-manager core. -## Why not in core? -As the project & adoption has grown, there has been an influx of DNS provider -pull requests to our core codebase. As this number has grown, the test matrix -has become un-maintainable and so, it's not possible for us to certify that -providers work to a sufficient level. +# Instructions for use with Let's Encrypt -By creating this 'interface' between cert-manager and DNS providers, we allow -users to quickly iterate and test out new integrations, and then packaging -those up themselves as 'extensions' to cert-manager. +Thanks to [Addison van den Hoeven](https://github.com/Addyvan), from https://github.com/jetstack/cert-manager/issues/646 -We can also then provide a standardised 'testing framework', or set of -conformance tests, which allow us to validate the a DNS provider works as -expected. +Use helm to deploy this into your `cert-manager` namespace: -## Creating your own webhook +``` sh +# Make sure you're in the right context: +# kubectl config use-context mycontext -Webhook's themselves are deployed as Kubernetes API services, in order to allow -administrators to restrict access to webhooks with Kubernetes RBAC. +# cert-manager is by default in the cert-manager context +helm install -n cert-manager namecheap-webhook deploy/cert-manager-webhook-namecheap/ +``` -This is important, as otherwise it'd be possible for anyone with access to your -webhook to complete ACME challenge validations and obtain certificates. +Create the cluster issuers: -To make the set up of these webhook's easier, we provide a template repository -that can be used to get started quickly. +``` sh +helm install --set email=yourname@example.com -n cert-manager letsencrypt-namecheap-issuer deploy/letsencrypt-namecheap-issuer/ +``` -### Creating your own repository +Get your local public ip: `curl https://ifconfig.co/ip` + +Go to namecheap and set up your API key (note that you'll need to whitelist the +public IP of the k8s cluster to use the webhook), and set the secret: + +``` yaml +apiVersion: v1 +kind: Secret +metadata: + name: namecheap-credentials + namespace: cert-manager +type: Opaque +stringData: + apiKey: my_api_key_from_namecheap + apiUser: my_username_from_namecheap + #clientIP: 1.2.3.4 # optional, if your setup can't detect the public IP +``` + +Now you can create a certificate in staging for testing: + +``` yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: wildcard-cert-stage + namespace: default +spec: + secretName: wildcard-cert-stage + commonName: "*." + issuerRef: + kind: ClusterIssuer + name: letsencrypt-stage + dnsNames: + - "*." +``` + +And now validate that it worked: + +``` sh +kubectl get certificates -n default +kubectl describe certificate wildcard-cert-stage +``` + +And finally, create your production cert, and it'll be ready to use in the +`wildcard-cert-prod` secret. + +``` yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: wildcard-cert-prod + namespace: default +spec: + secretName: wildcard-cert-prod + commonName: "*." + issuerRef: + kind: ClusterIssuer + name: letsencrypt-prod + dnsNames: + - "*." +``` + +TODO: add simple nginx example to test that it works ### Running the test suite -All DNS providers **must** run the DNS01 provider conformance testing suite, -else they will have undetermined behaviour when used with cert-manager. +#### Steps -**It is essential that you configure and run the test suite when creating a -DNS01 webhook.** - -An example Go test file has been provided in [main_test.go](https://github.com/cert-manager/webhook-example/blob/master/main_test.go). - -You can run the test suite with: - -```bash -$ TEST_ZONE_NAME=example.com. make test -``` - -The example file has a number of areas you must fill in and replace with your -own options in order for tests to pass. +1. Create testdata/namecheap/apikey.yaml and testdata/namecheap/config.json using your credentials. +2. Run `TEST_ZONE_NAME=example.com. make test` . Note that the domain here should be updated to your own +domain name. Also note that this is a full domain name with a `.` at the end. +3. You should see all tests passing. +4. In case the tests fail: set `useSandbox` to false diff --git a/env.sample b/env.sample new file mode 100644 index 0000000..1780ac1 --- /dev/null +++ b/env.sample @@ -0,0 +1,11 @@ +# get this from Makefile + +OS=linux +ARCH=amd64 +KUBEBUILDER_VERSION=1.28.0 +TEST_ASSET_ETCD=_test/kubebuilder-${KUBEBUILDER_VERSION}-${OS}-${ARCH}/etcd +TEST_ASSET_KUBE_APISERVER=_test/kubebuilder-${KUBEBUILDER_VERSION}-${OS}-${ARCH}/kube-apiserver +TEST_ASSET_KUBECTL=_test/kubebuilder-${KUBEBUILDER_VERSION}-${OS}-${ARCH}/kubectl + + +TEST_ZONE_NAME=example.com. \ No newline at end of file diff --git a/example/dns.go b/example/dns.go deleted file mode 100644 index e29597e..0000000 --- a/example/dns.go +++ /dev/null @@ -1,69 +0,0 @@ -package example - -import ( - "fmt" - - "github.com/miekg/dns" -) - -func (e *exampleSolver) handleDNSRequest(w dns.ResponseWriter, req *dns.Msg) { - msg := new(dns.Msg) - msg.SetReply(req) - switch req.Opcode { - case dns.OpcodeQuery: - for _, q := range msg.Question { - if err := e.addDNSAnswer(q, msg, req); err != nil { - msg.SetRcode(req, dns.RcodeServerFailure) - break - } - } - } - w.WriteMsg(msg) -} - -func (e *exampleSolver) addDNSAnswer(q dns.Question, msg *dns.Msg, req *dns.Msg) error { - switch q.Qtype { - // Always return loopback for any A query - case dns.TypeA: - rr, err := dns.NewRR(fmt.Sprintf("%s 5 IN A 127.0.0.1", q.Name)) - if err != nil { - return err - } - msg.Answer = append(msg.Answer, rr) - return nil - - // TXT records are the only important record for ACME dns-01 challenges - case dns.TypeTXT: - e.RLock() - record, found := e.txtRecords[q.Name] - e.RUnlock() - if !found { - msg.SetRcode(req, dns.RcodeNameError) - return nil - } - rr, err := dns.NewRR(fmt.Sprintf("%s 5 IN TXT %s", q.Name, record)) - if err != nil { - return err - } - msg.Answer = append(msg.Answer, rr) - return nil - - // NS and SOA are for authoritative lookups, return obviously invalid data - case dns.TypeNS: - rr, err := dns.NewRR(fmt.Sprintf("%s 5 IN NS ns.example-acme-webook.invalid.", q.Name)) - if err != nil { - return err - } - msg.Answer = append(msg.Answer, rr) - return nil - case dns.TypeSOA: - rr, err := dns.NewRR(fmt.Sprintf("%s 5 IN SOA %s 20 5 5 5 5", "ns.example-acme-webook.invalid.", "ns.example-acme-webook.invalid.")) - if err != nil { - return err - } - msg.Answer = append(msg.Answer, rr) - return nil - default: - return fmt.Errorf("unimplemented record type %v", q.Qtype) - } -} diff --git a/example/example.go b/example/example.go deleted file mode 100644 index 8cfe59e..0000000 --- a/example/example.go +++ /dev/null @@ -1,68 +0,0 @@ -// package example contains a self-contained example of a webhook that passes the cert-manager -// DNS conformance tests -package example - -import ( - "fmt" - "os" - "sync" - - "github.com/cert-manager/cert-manager/pkg/acme/webhook" - acme "github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1" - "github.com/miekg/dns" - "k8s.io/client-go/rest" -) - -type exampleSolver struct { - name string - server *dns.Server - txtRecords map[string]string - sync.RWMutex -} - -func (e *exampleSolver) Name() string { - return e.name -} - -func (e *exampleSolver) Present(ch *acme.ChallengeRequest) error { - e.Lock() - e.txtRecords[ch.ResolvedFQDN] = ch.Key - e.Unlock() - return nil -} - -func (e *exampleSolver) CleanUp(ch *acme.ChallengeRequest) error { - e.Lock() - delete(e.txtRecords, ch.ResolvedFQDN) - e.Unlock() - return nil -} - -func (e *exampleSolver) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error { - go func(done <-chan struct{}) { - <-done - if err := e.server.Shutdown(); err != nil { - fmt.Fprintf(os.Stderr, "%s\n", err.Error()) - } - }(stopCh) - go func() { - if err := e.server.ListenAndServe(); err != nil { - fmt.Fprintf(os.Stderr, "%s\n", err.Error()) - os.Exit(1) - } - }() - return nil -} - -func New(port string) webhook.Solver { - e := &exampleSolver{ - name: "example", - txtRecords: make(map[string]string), - } - e.server = &dns.Server{ - Addr: ":" + port, - Net: "udp", - Handler: dns.HandlerFunc(e.handleDNSRequest), - } - return e -} diff --git a/example/example_test.go b/example/example_test.go deleted file mode 100644 index ef4dde3..0000000 --- a/example/example_test.go +++ /dev/null @@ -1,96 +0,0 @@ -package example - -import ( - "crypto/rand" - "math/big" - "testing" - - acme "github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1" - "github.com/miekg/dns" - "github.com/stretchr/testify/assert" -) - -func TestExampleSolver_Name(t *testing.T) { - port, _ := rand.Int(rand.Reader, big.NewInt(50000)) - port = port.Add(port, big.NewInt(15534)) - solver := New(port.String()) - assert.Equal(t, "example", solver.Name()) -} - -func TestExampleSolver_Initialize(t *testing.T) { - port, _ := rand.Int(rand.Reader, big.NewInt(50000)) - port = port.Add(port, big.NewInt(15534)) - solver := New(port.String()) - done := make(chan struct{}) - err := solver.Initialize(nil, done) - assert.NoError(t, err, "Expected Initialize not to error") - close(done) -} - -func TestExampleSolver_Present_Cleanup(t *testing.T) { - port, _ := rand.Int(rand.Reader, big.NewInt(50000)) - port = port.Add(port, big.NewInt(15534)) - solver := New(port.String()) - done := make(chan struct{}) - err := solver.Initialize(nil, done) - assert.NoError(t, err, "Expected Initialize not to error") - - validTestData := []struct { - hostname string - record string - }{ - {"test1.example.com.", "testkey1"}, - {"test2.example.com.", "testkey2"}, - {"test3.example.com.", "testkey3"}, - } - for _, test := range validTestData { - err := solver.Present(&acme.ChallengeRequest{ - Action: acme.ChallengeActionPresent, - Type: "dns-01", - ResolvedFQDN: test.hostname, - Key: test.record, - }) - assert.NoError(t, err, "Unexpected error while presenting %v", t) - } - - // Resolve test data - for _, test := range validTestData { - msg := new(dns.Msg) - msg.Id = dns.Id() - msg.RecursionDesired = true - msg.Question = make([]dns.Question, 1) - msg.Question[0] = dns.Question{dns.Fqdn(test.hostname), dns.TypeTXT, dns.ClassINET} - in, err := dns.Exchange(msg, "127.0.0.1:"+port.String()) - - assert.NoError(t, err, "Presented record %s not resolvable", test.hostname) - assert.Len(t, in.Answer, 1, "RR response is of incorrect length") - assert.Equal(t, []string{test.record}, in.Answer[0].(*dns.TXT).Txt, "TXT record returned did not match presented record") - } - - // Cleanup test data - for _, test := range validTestData { - err := solver.CleanUp(&acme.ChallengeRequest{ - Action: acme.ChallengeActionCleanUp, - Type: "dns-01", - ResolvedFQDN: test.hostname, - Key: test.record, - }) - assert.NoError(t, err, "Unexpected error while cleaning up %v", t) - } - - // Resolve test data - for _, test := range validTestData { - msg := new(dns.Msg) - msg.Id = dns.Id() - msg.RecursionDesired = true - msg.Question = make([]dns.Question, 1) - msg.Question[0] = dns.Question{dns.Fqdn(test.hostname), dns.TypeTXT, dns.ClassINET} - in, err := dns.Exchange(msg, "127.0.0.1:"+port.String()) - - assert.NoError(t, err, "Presented record %s not resolvable", test.hostname) - assert.Len(t, in.Answer, 0, "RR response is of incorrect length") - assert.Equal(t, dns.RcodeNameError, in.Rcode, "Expexted NXDOMAIN") - } - - close(done) -} diff --git a/go.mod b/go.mod index c62945a..5553673 100644 --- a/go.mod +++ b/go.mod @@ -5,8 +5,10 @@ go 1.20 require ( github.com/cert-manager/cert-manager v1.12.6 github.com/miekg/dns v1.1.50 + github.com/namecheap/go-namecheap-sdk/v2 v2.2.0 github.com/stretchr/testify v1.8.4 k8s.io/apiextensions-apiserver v0.27.2 + k8s.io/apimachinery v0.27.2 k8s.io/client-go v0.27.2 ) @@ -42,6 +44,7 @@ require ( github.com/google/uuid v1.3.0 // indirect github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect + github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/imdario/mergo v0.3.12 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect @@ -60,6 +63,7 @@ require ( github.com/spf13/cobra v1.7.0 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/stoewer/go-strcase v1.2.0 // indirect + github.com/weppos/publicsuffix-go v0.15.0 // indirect go.etcd.io/etcd/api/v3 v3.5.7 // indirect go.etcd.io/etcd/client/pkg/v3 v3.5.7 // indirect go.etcd.io/etcd/client/v3 v3.5.7 // indirect @@ -96,7 +100,6 @@ require ( gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/api v0.27.2 // indirect - k8s.io/apimachinery v0.27.2 // indirect k8s.io/apiserver v0.27.2 // indirect k8s.io/component-base v0.27.2 // indirect k8s.io/klog/v2 v2.100.1 // indirect diff --git a/go.sum b/go.sum index d13978f..e522c49 100644 --- a/go.sum +++ b/go.sum @@ -131,6 +131,8 @@ github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms= github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg= +github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= +github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU= github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= @@ -164,6 +166,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/namecheap/go-namecheap-sdk/v2 v2.2.0 h1:97uuAKBqwYHfkZVqE4mBfUH2BW6aAPOrQqJQRAvGmPc= +github.com/namecheap/go-namecheap-sdk/v2 v2.2.0/go.mod h1:Op6xLoiTxvFxa1V/kR0fcFcxlBMkrRHirxvcOdTPhNU= github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q= github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= @@ -204,6 +208,8 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE= +github.com/weppos/publicsuffix-go v0.15.0 h1:2uQCwDczZ8YZe5uD0mM3sXRoZYA74xxPuiKK8LdPcGQ= +github.com/weppos/publicsuffix-go v0.15.0/go.mod h1:HYux0V0Zi04bHNwOHy4cXJVz/TQjYonnF6aoYhj+3QE= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= @@ -273,6 +279,7 @@ golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= diff --git a/main.go b/main.go index 969e6d2..f672efb 100644 --- a/main.go +++ b/main.go @@ -1,15 +1,26 @@ package main import ( + "context" "encoding/json" + "errors" "fmt" + "net" "os" + "strings" extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + "k8s.io/client-go/kubernetes" "k8s.io/client-go/rest" "github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1" "github.com/cert-manager/cert-manager/pkg/acme/webhook/cmd" + cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1" + "github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/util" + + namecheap "github.com/namecheap/go-namecheap-sdk/v2/namecheap" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) var GroupName = os.Getenv("GROUP_NAME") @@ -19,53 +30,81 @@ func main() { panic("GROUP_NAME must be specified") } - // This will register our custom DNS provider with the webhook serving + // This will register our namecheap DNS provider with the webhook serving // library, making it available as an API under the provided GroupName. // You can register multiple DNS provider implementations with a single // webhook, where the Name() method will be used to disambiguate between // the different implementations. cmd.RunWebhookServer(GroupName, - &customDNSProviderSolver{}, + &namecheapDNSProviderSolver{}, ) } -// customDNSProviderSolver implements the provider-specific logic needed to -// 'present' an ACME challenge TXT record for your own DNS provider. -// To do so, it must implement the `github.com/cert-manager/cert-manager/pkg/acme/webhook.Solver` -// interface. -type customDNSProviderSolver struct { - // If a Kubernetes 'clientset' is needed, you must: - // 1. uncomment the additional `client` field in this structure below - // 2. uncomment the "k8s.io/client-go/kubernetes" import at the top of the file - // 3. uncomment the relevant code in the Initialize method below - // 4. ensure your webhook's service account has the required RBAC role - // assigned to it for interacting with the Kubernetes APIs you need. - //client kubernetes.Clientset -} +type ( + Record struct { + Name *string + Type *string + Address *string + MXPref *int + TTL *int + } -// customDNSProviderConfig is a structure that is used to decode into when -// solving a DNS01 challenge. -// This information is provided by cert-manager, and may be a reference to -// additional configuration that's needed to solve the challenge for this -// particular certificate or issuer. -// This typically includes references to Secret resources containing DNS -// provider credentials, in cases where a 'multi-tenant' DNS solver is being -// created. -// If you do *not* require per-issuer or per-certificate configuration to be -// provided to your webhook, you can skip decoding altogether in favour of -// using CLI flags or similar to provide configuration. -// You should not include sensitive information here. If credentials need to -// be used by your provider here, you should reference a Kubernetes Secret -// resource and fetch these credentials using a Kubernetes clientset. -type customDNSProviderConfig struct { - // Change the two fields below according to the format of the configuration - // to be decoded. - // These fields will be set by users in the - // `issuer.spec.acme.dns01.providers.webhook.config` field. + Domain struct { + Name *string + EmailType *string + Records *[]Record + } - //Email string `json:"email"` - //APIKeySecretRef v1alpha1.SecretKeySelector `json:"apiKeySecretRef"` -} + NamecheapClient interface { + GetDomain(string) (*Domain, error) + SetDomain(Domain) error + } + + namecheapClientImpl struct { + client *namecheap.Client + } + + // namecheapDNSProviderSolver implements the provider-specific logic needed to + // 'present' an ACME challenge TXT record for your own DNS provider. + // To do so, it must implement the `github.com/cert-manager/cert-manager/pkg/acme/webhook.Solver` + // interface. + namecheapDNSProviderSolver struct { + // If a Kubernetes 'clientset' is needed, you must: + // 1. uncomment the additional `client` field in this structure below + // 2. uncomment the "k8s.io/client-go/kubernetes" import at the top of the file + // 3. uncomment the relevant code in the Initialize method below + // 4. ensure your webhook's service account has the required RBAC role + // assigned to it for interacting with the Kubernetes APIs you need. + ctx context.Context + k8sClient *kubernetes.Clientset + namecheapClient NamecheapClient + } + + // namecheapDNSProviderConfig is a structure that is used to decode into when + // solving a DNS01 challenge. + // This information is provided by cert-manager, and may be a reference to + // additional configuration that's needed to solve the challenge for this + // particular certificate or issuer. + // This typically includes references to Secret resources containing DNS + // provider credentials, in cases where a 'multi-tenant' DNS solver is being + // created. + // If you do *not* require per-issuer or per-certificate configuration to be + // provided to your webhook, you can skip decoding altogether in favour of + // using CLI flags or similar to provide configuration. + // You should not include sensitive information here. If credentials need to + // be used by your provider here, you should reference a Kubernetes Secret + // resource and fetch these credentials using a Kubernetes clientset. + namecheapDNSProviderConfig struct { + // These fields will be set by users in the + // `issuer.spec.acme.dns01.providers.webhook.config` field. + + APIKeySecretRef *cmmeta.SecretKeySelector `json:"apiKeySecretRef"` + APIUserSecretRef *cmmeta.SecretKeySelector `json:"apiUserSecretRef"` + ClientIP *string `json:"clientIP"` + UseSandbox bool `json:"useSandbox"` + UsernameSecretRef *cmmeta.SecretKeySelector `json:"usernameSecretRef"` + } +) // Name is used as the name for this DNS solver when referencing it on the ACME // Issuer resource. @@ -73,8 +112,8 @@ type customDNSProviderConfig struct { // solvers configured with the same Name() **so long as they do not co-exist // within a single webhook deployment**. // For example, `cloudflare` may be used as the name of a solver. -func (c *customDNSProviderSolver) Name() string { - return "my-custom-solver" +func (c *namecheapDNSProviderSolver) Name() string { + return "namecheap" } // Present is responsible for actually presenting the DNS record with the @@ -82,16 +121,34 @@ func (c *customDNSProviderSolver) Name() string { // This method should tolerate being called multiple times with the same value. // cert-manager itself will later perform a self check to ensure that the // solver has correctly configured the DNS provider. -func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error { - cfg, err := loadConfig(ch.Config) +func (c *namecheapDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error { + cfg, err := loadConfig((*extapi.JSON)(ch.Config)) if err != nil { return err } - // TODO: do something more useful with the decoded configuration - fmt.Printf("Decoded configuration %v", cfg) + zone, domain, err := c.parseChallenge(ch) + if err != nil { + return err + } + + if c.namecheapClient == nil { + if err := c.setNamecheapClient(ch, cfg); err != nil { + return err + } + } + + d, err := c.namecheapClient.GetDomain(zone) + if err != nil { + return err + } + + d.addChallengeRecord(domain, ch.Key) + + if err := c.namecheapClient.SetDomain(*d); err != nil { + return err + } - // TODO: add code that sets a record in the DNS provider's console return nil } @@ -101,8 +158,34 @@ func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error { // value provided on the ChallengeRequest should be cleaned up. // This is in order to facilitate multiple DNS validations for the same domain // concurrently. -func (c *customDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error { - // TODO: add code that deletes a record from the DNS provider's console +func (c *namecheapDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error { + cfg, err := loadConfig((*extapi.JSON)(ch.Config)) + if err != nil { + return err + } + + zone, domain, err := c.parseChallenge(ch) + if err != nil { + return err + } + + if c.namecheapClient == nil { + if err := c.setNamecheapClient(ch, cfg); err != nil { + return err + } + } + + d, err := c.namecheapClient.GetDomain(zone) + if err != nil { + return err + } + + d.removeChallengeRecord(domain, ch.Key) + + if err := c.namecheapClient.SetDomain(*d); err != nil { + return err + } + return nil } @@ -115,25 +198,222 @@ func (c *customDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error { // provider accounts. // The stopCh can be used to handle early termination of the webhook, in cases // where a SIGTERM or similar signal is sent to the webhook process. -func (c *customDNSProviderSolver) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error { - ///// UNCOMMENT THE BELOW CODE TO MAKE A KUBERNETES CLIENTSET AVAILABLE TO - ///// YOUR CUSTOM DNS PROVIDER +func (c *namecheapDNSProviderSolver) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error { + cl, err := kubernetes.NewForConfig(kubeClientConfig) + if err != nil { + return err + } - //cl, err := kubernetes.NewForConfig(kubeClientConfig) - //if err != nil { - // return err - //} - // - //c.client = cl + c.k8sClient = cl + c.ctx = context.Background() - ///// END OF CODE TO MAKE KUBERNETES CLIENTSET AVAILABLE return nil } +func (c *namecheapDNSProviderSolver) getSecret(ref *cmmeta.SecretKeySelector, namespace string) (*string, error) { + if ref.Name == "" { + return nil, fmt.Errorf( + "secret not found in '%s'", + namespace, + ) + } + if ref.Key == "" { + return nil, fmt.Errorf( + "no 'key' set in secret '%s/%s'", + namespace, + ref.Name, + ) + } + + secret, err := c.k8sClient.CoreV1().Secrets(namespace).Get( + c.ctx, ref.Name, metav1.GetOptions{}, + ) + if err != nil { + return nil, err + } + keyBytes, ok := secret.Data[ref.Key] + if !ok { + return nil, fmt.Errorf( + "no key '%s' in secret '%s/%s'", + ref.Key, + namespace, + ref.Name, + ) + } + s := string(keyBytes) + return &s, nil +} + +func (c *namecheapDNSProviderSolver) setNamecheapClient(ch *v1alpha1.ChallengeRequest, cfg namecheapDNSProviderConfig) error { + if cfg.APIKeySecretRef == nil { + return errors.New("Secret field 'apiKeySecretRef' could not be located. Check Spelling.") + } + apiKey, err := c.getSecret(cfg.APIKeySecretRef, ch.ResourceNamespace) + if err != nil { + return err + } + + if cfg.APIUserSecretRef == nil { + return errors.New("Secret field 'apiUserSecretRef' could not be located. Check Spelling.") + } + apiUser, err := c.getSecret(cfg.APIUserSecretRef, ch.ResourceNamespace) + if err != nil { + return err + } + + opts := &namecheap.ClientOptions{ + ApiKey: *apiKey, + ApiUser: *apiUser, + UseSandbox: cfg.UseSandbox, + } + + // attempt to set the ClientIp dynamically if not set + // source: https://stackoverflow.com/a/37382208 + if cfg.ClientIP == nil { + ip, err := getOutboundIP() + if err != nil { + return err + } + opts.ClientIp = ip.String() + } else { + opts.ClientIp = *cfg.ClientIP + } + + // default UserName to APIUser if not set + if cfg.UsernameSecretRef == nil { + opts.UserName = *apiUser + } else { + username, err := c.getSecret(cfg.UsernameSecretRef, ch.ResourceNamespace) + if err != nil { + return err + } + opts.UserName = *username + } + + c.namecheapClient = &namecheapClientImpl{ + client: namecheap.NewClient(opts), + } + + return nil +} + +// Get the zone and domain we are setting from the challenge request +// source: https://github.com/ns1/cert-manager-webhook-ns1 +func (c *namecheapDNSProviderSolver) parseChallenge(ch *v1alpha1.ChallengeRequest) ( + zone string, domain string, err error, +) { + + if zone, err = util.FindZoneByFqdn( + ch.ResolvedFQDN, util.RecursiveNameservers, + ); err != nil { + return "", "", err + } + zone = util.UnFqdn(zone) + + if idx := strings.Index(ch.ResolvedFQDN, "."+ch.ResolvedZone); idx != -1 { + domain = ch.ResolvedFQDN[:idx] + } else { + domain = util.UnFqdn(ch.ResolvedFQDN) + } + + return zone, domain, nil +} + +// Adds a record to a domain +func (d *Domain) addChallengeRecord(domain, key string) { + *d.Records = append( + *d.Records, + Record{ + Name: &domain, + Type: namecheap.String(namecheap.RecordTypeTXT), + Address: namecheap.String(key), + TTL: namecheap.Int(60), + }, + ) +} + +// Removes a record from a domain +func (d *Domain) removeChallengeRecord(domain, key string) { + for i, record := range *d.Records { + if *record.Name == domain && + *record.Type == namecheap.RecordTypeTXT && + *record.Address == key { + records := *d.Records + *d.Records = append(records[:i], records[i+1:]...) + return + } + } +} + +func (c *namecheapClientImpl) SetDomain(domain Domain) error { + args := &namecheap.DomainsDNSSetHostsArgs{ + Domain: domain.Name, + EmailType: domain.EmailType, + } + + records := make([]namecheap.DomainsDNSHostRecord, len(*domain.Records)) + for i, record := range *domain.Records { + records[i] = namecheap.DomainsDNSHostRecord{ + HostName: record.Name, + RecordType: record.Type, + Address: record.Address, + TTL: record.TTL, + } + + if record.MXPref != nil { + records[i].MXPref = namecheap.UInt8(uint8(*record.MXPref)) + } + } + args.Records = &records + + if _, err := c.client.DomainsDNS.SetHosts(args); err != nil { + return err + } + return nil +} + +func (c *namecheapClientImpl) GetDomain(domain string) (*Domain, error) { + resp, err := c.client.DomainsDNS.GetHosts(domain) + if err != nil { + return nil, err + } + + d := &Domain{ + Name: resp.DomainDNSGetHostsResult.Domain, + EmailType: resp.DomainDNSGetHostsResult.EmailType, + } + records := make([]Record, len(*resp.DomainDNSGetHostsResult.Hosts)) + for i, r := range *resp.DomainDNSGetHostsResult.Hosts { + records[i] = Record{ + Name: r.Name, + Type: r.Type, + Address: r.Address, + MXPref: r.MXPref, + TTL: r.TTL, + } + } + d.Records = &records + + return d, nil +} + +// Get preferred outbound ip of this machine +func getOutboundIP() (*net.IP, error) { + conn, err := net.Dial("udp", "8.8.8.8:80") + if err != nil { + return nil, err + } + defer conn.Close() + + localAddr := conn.LocalAddr().(*net.UDPAddr) + + return &localAddr.IP, nil +} + // loadConfig is a small helper function that decodes JSON configuration into // the typed config struct. -func loadConfig(cfgJSON *extapi.JSON) (customDNSProviderConfig, error) { - cfg := customDNSProviderConfig{} +func loadConfig(cfgJSON *extapi.JSON) (namecheapDNSProviderConfig, error) { + cfg := namecheapDNSProviderConfig{} // handle the 'base case' where no configuration has been provided if cfgJSON == nil { return cfg, nil diff --git a/main_test.go b/main_test.go index 1d7d5ff..11ba8dd 100644 --- a/main_test.go +++ b/main_test.go @@ -4,9 +4,7 @@ import ( "os" "testing" - acmetest "github.com/cert-manager/cert-manager/test/acme" - - "github.com/cert-manager/webhook-example/example" + dns "github.com/cert-manager/cert-manager/test/acme" ) var ( @@ -19,23 +17,11 @@ func TestRunsSuite(t *testing.T) { // ChallengeRequest passed as part of the test cases. // - // Uncomment the below fixture when implementing your custom DNS provider - //fixture := acmetest.NewFixture(&customDNSProviderSolver{}, - // acmetest.SetResolvedZone(zone), - // acmetest.SetAllowAmbientCredentials(false), - // acmetest.SetManifestPath("testdata/my-custom-solver"), - // acmetest.SetBinariesPath("_test/kubebuilder/bin"), - //) - solver := example.New("59351") - fixture := acmetest.NewFixture(solver, - acmetest.SetResolvedZone("example.com."), - acmetest.SetManifestPath("testdata/my-custom-solver"), - acmetest.SetDNSServer("127.0.0.1:59351"), - acmetest.SetUseAuthoritative(false), + fixture := dns.NewFixture(&namecheapDNSProviderSolver{}, + dns.SetResolvedZone(zone), + dns.SetAllowAmbientCredentials(false), + dns.SetManifestPath("testdata/namecheap"), ) - //need to uncomment and RunConformance delete runBasic and runExtended once https://github.com/cert-manager/cert-manager/pull/4835 is merged - //fixture.RunConformance(t) - fixture.RunBasic(t) - fixture.RunExtended(t) + fixture.RunConformance(t) } diff --git a/testdata/my-custom-solver/README.md b/testdata/my-custom-solver/README.md deleted file mode 100644 index feb4cbd..0000000 --- a/testdata/my-custom-solver/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Solver testdata directory - -TODO diff --git a/testdata/my-custom-solver/config.json b/testdata/my-custom-solver/config.json deleted file mode 100644 index 0967ef4..0000000 --- a/testdata/my-custom-solver/config.json +++ /dev/null @@ -1 +0,0 @@ -{} diff --git a/testdata/namecheap/.gitignore b/testdata/namecheap/.gitignore new file mode 100644 index 0000000..e0a56d6 --- /dev/null +++ b/testdata/namecheap/.gitignore @@ -0,0 +1,2 @@ +apikey.yaml +config.json \ No newline at end of file diff --git a/testdata/namecheap/README.md b/testdata/namecheap/README.md new file mode 100644 index 0000000..92c4c1c --- /dev/null +++ b/testdata/namecheap/README.md @@ -0,0 +1,5 @@ +# Solver testdata directory + +Copy config.json.sample to config.json and edit as needed. You don't need to change the apiKeySecretRef part, this is handled in the next step. + +Copy api-key.yaml.sample to api-key.yaml. Edit to add your base64 encoded Namecheap API Key. This populates the apiKeySecretRef. \ No newline at end of file diff --git a/testdata/namecheap/apikey.yaml.sample b/testdata/namecheap/apikey.yaml.sample new file mode 100644 index 0000000..20e81e8 --- /dev/null +++ b/testdata/namecheap/apikey.yaml.sample @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: namecheap-credentials +type: Opaque +data: + apiKey: "<>" + apiUser: "<>" \ No newline at end of file diff --git a/testdata/namecheap/config.json.sample b/testdata/namecheap/config.json.sample new file mode 100644 index 0000000..abff71a --- /dev/null +++ b/testdata/namecheap/config.json.sample @@ -0,0 +1,11 @@ +{ + "apiKeySecretRef": { + "name": "namecheap-credentials", + "key": "apiKey" + }, + "apiUserSecretRef": { + "name": "namecheap-credentials", + "key": "apiUser" + }, + "useSandbox": true +} \ No newline at end of file