Updated to recent version of cert-manager/webhook-example

.gitignore

@@ -17,3 +17,7 @@ cert-manager-webhook-example
 # Make artifacts
 _out
 _test
+
+# vscode debugging
+.env
+__debug*

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+  "go.testEnvFile": "${workspaceFolder}/.env",
+}

README.md

@@ -1,58 +1,106 @@
-<p align="center">
+# cert-manager webhook for Namecheap
-  <img src="https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png" height="256" width="256" alt="cert-manager project logo" />
-</p>
 
-# ACME webhook example
+- This is a Frankenstein version of
+  - <https://github.com/kelvie/cert-manager-webhook-namecheap>
+  - <https://github.com/Extrality/cert-manager-webhook-namecheap>
 
-The ACME issuer type supports an optional 'webhook' solver, which can be used
+- This is as good as any other implementation!
-to implement custom DNS01 challenge solving logic.
+- I just had to find out, that my local `dnsmasq` messed around. When the webhook is trying to find out the zone of the domain, it just got back some local info.
+- The workaround (for me) - is to use a public DNS for the cert-manager.
+- Idea can be found at [Techno Tim's Repo](https://github.com/techno-tim/launchpad/blob/c18b2c3e3bf9cfa30974ae0e993e5c2fc3c37408/kubernetes/traefik-cert-manager/cert-manager/values.yaml#L9)
 
-This is useful if you need to use cert-manager with a DNS provider that is not
-officially supported in cert-manager core.
 
-## Why not in core?
 
-As the project & adoption has grown, there has been an influx of DNS provider
+# Instructions for use with Let's Encrypt
-pull requests to our core codebase. As this number has grown, the test matrix
-has become un-maintainable and so, it's not possible for us to certify that
-providers work to a sufficient level.
 
-By creating this 'interface' between cert-manager and DNS providers, we allow
+Thanks to [Addison van den Hoeven](https://github.com/Addyvan), from https://github.com/jetstack/cert-manager/issues/646
-users to quickly iterate and test out new integrations, and then packaging
-those up themselves as 'extensions' to cert-manager.
 
-We can also then provide a standardised 'testing framework', or set of
+Use helm to deploy this into your `cert-manager` namespace:
-conformance tests, which allow us to validate the a DNS provider works as
-expected.
 
-## Creating your own webhook
+``` sh
+# Make sure you're in the right context:
+# kubectl config use-context mycontext
 
-Webhook's themselves are deployed as Kubernetes API services, in order to allow
+# cert-manager is by default in the cert-manager context
-administrators to restrict access to webhooks with Kubernetes RBAC.
+helm install -n cert-manager namecheap-webhook deploy/cert-manager-webhook-namecheap/
+```
 
-This is important, as otherwise it'd be possible for anyone with access to your
+Create the cluster issuers:
-webhook to complete ACME challenge validations and obtain certificates.
 
-To make the set up of these webhook's easier, we provide a template repository
+``` sh
-that can be used to get started quickly.
+helm install --set email=yourname@example.com -n cert-manager letsencrypt-namecheap-issuer deploy/letsencrypt-namecheap-issuer/
+```
 
-### Creating your own repository
+Get your local public ip: `curl https://ifconfig.co/ip`
+
+Go to namecheap and set up your API key (note that you'll need to whitelist the
+public IP of the k8s cluster to use the webhook), and set the secret:
+
+``` yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: namecheap-credentials
+  namespace: cert-manager
+type: Opaque
+stringData:
+  apiKey: my_api_key_from_namecheap
+  apiUser: my_username_from_namecheap
+  #clientIP: 1.2.3.4 # optional, if your setup can't detect the public IP
+```
+
+Now you can create a certificate in staging for testing:
+
+``` yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-cert-stage
+  namespace: default
+spec:
+  secretName: wildcard-cert-stage
+  commonName: "*.<domain>"
+  issuerRef:
+    kind: ClusterIssuer
+    name: letsencrypt-stage
+  dnsNames:
+  - "*.<domain>"
+```
+
+And now validate that it worked:
+
+``` sh
+kubectl get certificates -n default
+kubectl describe certificate wildcard-cert-stage
+```
+
+And finally, create your production cert, and it'll be ready to use in the
+`wildcard-cert-prod` secret.
+
+``` yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-cert-prod
+  namespace: default
+spec:
+  secretName: wildcard-cert-prod
+  commonName: "*.<domain>"
+  issuerRef:
+    kind: ClusterIssuer
+    name: letsencrypt-prod
+  dnsNames:
+  - "*.<domain>"
+```
+
+TODO: add simple nginx example to test that it works
 
 ### Running the test suite
 
-All DNS providers **must** run the DNS01 provider conformance testing suite,
+#### Steps
-else they will have undetermined behaviour when used with cert-manager.
 
-**It is essential that you configure and run the test suite when creating a
+1. Create testdata/namecheap/apikey.yaml and testdata/namecheap/config.json using your credentials.
-DNS01 webhook.**
+2. Run `TEST_ZONE_NAME=example.com. make test` . Note that the domain here should be updated to your own
-
+domain name. Also note that this is a full domain name with a `.` at the end.
-An example Go test file has been provided in [main_test.go](https://github.com/cert-manager/webhook-example/blob/master/main_test.go).
+3. You should see all tests passing.
-
+4. In case the tests fail: set `useSandbox` to false
-You can run the test suite with:
-
-```bash
-$ TEST_ZONE_NAME=example.com. make test
-```
-
-The example file has a number of areas you must fill in and replace with your
-own options in order for tests to pass.

env.sample

@@ -0,0 +1,11 @@
+# get this from Makefile
+
+OS=linux
+ARCH=amd64
+KUBEBUILDER_VERSION=1.28.0
+TEST_ASSET_ETCD=_test/kubebuilder-${KUBEBUILDER_VERSION}-${OS}-${ARCH}/etcd
+TEST_ASSET_KUBE_APISERVER=_test/kubebuilder-${KUBEBUILDER_VERSION}-${OS}-${ARCH}/kube-apiserver
+TEST_ASSET_KUBECTL=_test/kubebuilder-${KUBEBUILDER_VERSION}-${OS}-${ARCH}/kubectl
+
+
+TEST_ZONE_NAME=example.com.

example/dns.go

@@ -1,69 +0,0 @@
-package example
-
-import (
-	"fmt"
-
-	"github.com/miekg/dns"
-)
-
-func (e *exampleSolver) handleDNSRequest(w dns.ResponseWriter, req *dns.Msg) {
-	msg := new(dns.Msg)
-	msg.SetReply(req)
-	switch req.Opcode {
-	case dns.OpcodeQuery:
-		for _, q := range msg.Question {
-			if err := e.addDNSAnswer(q, msg, req); err != nil {
-				msg.SetRcode(req, dns.RcodeServerFailure)
-				break
-			}
-		}
-	}
-	w.WriteMsg(msg)
-}
-
-func (e *exampleSolver) addDNSAnswer(q dns.Question, msg *dns.Msg, req *dns.Msg) error {
-	switch q.Qtype {
-	// Always return loopback for any A query
-	case dns.TypeA:
-		rr, err := dns.NewRR(fmt.Sprintf("%s 5 IN A 127.0.0.1", q.Name))
-		if err != nil {
-			return err
-		}
-		msg.Answer = append(msg.Answer, rr)
-		return nil
-
-	// TXT records are the only important record for ACME dns-01 challenges
-	case dns.TypeTXT:
-		e.RLock()
-		record, found := e.txtRecords[q.Name]
-		e.RUnlock()
-		if !found {
-			msg.SetRcode(req, dns.RcodeNameError)
-			return nil
-		}
-		rr, err := dns.NewRR(fmt.Sprintf("%s 5 IN TXT %s", q.Name, record))
-		if err != nil {
-			return err
-		}
-		msg.Answer = append(msg.Answer, rr)
-		return nil
-
-	// NS and SOA are for authoritative lookups, return obviously invalid data
-	case dns.TypeNS:
-		rr, err := dns.NewRR(fmt.Sprintf("%s 5 IN NS ns.example-acme-webook.invalid.", q.Name))
-		if err != nil {
-			return err
-		}
-		msg.Answer = append(msg.Answer, rr)
-		return nil
-	case dns.TypeSOA:
-		rr, err := dns.NewRR(fmt.Sprintf("%s 5 IN SOA %s 20 5 5 5 5", "ns.example-acme-webook.invalid.", "ns.example-acme-webook.invalid."))
-		if err != nil {
-			return err
-		}
-		msg.Answer = append(msg.Answer, rr)
-		return nil
-	default:
-		return fmt.Errorf("unimplemented record type %v", q.Qtype)
-	}
-}

example/example.go

@@ -1,68 +0,0 @@
-// package example contains a self-contained example of a webhook that passes the cert-manager
-// DNS conformance tests
-package example
-
-import (
-	"fmt"
-	"os"
-	"sync"
-
-	"github.com/cert-manager/cert-manager/pkg/acme/webhook"
-	acme "github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
-	"github.com/miekg/dns"
-	"k8s.io/client-go/rest"
-)
-
-type exampleSolver struct {
-	name       string
-	server     *dns.Server
-	txtRecords map[string]string
-	sync.RWMutex
-}
-
-func (e *exampleSolver) Name() string {
-	return e.name
-}
-
-func (e *exampleSolver) Present(ch *acme.ChallengeRequest) error {
-	e.Lock()
-	e.txtRecords[ch.ResolvedFQDN] = ch.Key
-	e.Unlock()
-	return nil
-}
-
-func (e *exampleSolver) CleanUp(ch *acme.ChallengeRequest) error {
-	e.Lock()
-	delete(e.txtRecords, ch.ResolvedFQDN)
-	e.Unlock()
-	return nil
-}
-
-func (e *exampleSolver) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error {
-	go func(done <-chan struct{}) {
-		<-done
-		if err := e.server.Shutdown(); err != nil {
-			fmt.Fprintf(os.Stderr, "%s\n", err.Error())
-		}
-	}(stopCh)
-	go func() {
-		if err := e.server.ListenAndServe(); err != nil {
-			fmt.Fprintf(os.Stderr, "%s\n", err.Error())
-			os.Exit(1)
-		}
-	}()
-	return nil
-}
-
-func New(port string) webhook.Solver {
-	e := &exampleSolver{
-		name:       "example",
-		txtRecords: make(map[string]string),
-	}
-	e.server = &dns.Server{
-		Addr:    ":" + port,
-		Net:     "udp",
-		Handler: dns.HandlerFunc(e.handleDNSRequest),
-	}
-	return e
-}

example/example_test.go

@@ -1,96 +0,0 @@
-package example
-
-import (
-	"crypto/rand"
-	"math/big"
-	"testing"
-
-	acme "github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
-	"github.com/miekg/dns"
-	"github.com/stretchr/testify/assert"
-)
-
-func TestExampleSolver_Name(t *testing.T) {
-	port, _ := rand.Int(rand.Reader, big.NewInt(50000))
-	port = port.Add(port, big.NewInt(15534))
-	solver := New(port.String())
-	assert.Equal(t, "example", solver.Name())
-}
-
-func TestExampleSolver_Initialize(t *testing.T) {
-	port, _ := rand.Int(rand.Reader, big.NewInt(50000))
-	port = port.Add(port, big.NewInt(15534))
-	solver := New(port.String())
-	done := make(chan struct{})
-	err := solver.Initialize(nil, done)
-	assert.NoError(t, err, "Expected Initialize not to error")
-	close(done)
-}
-
-func TestExampleSolver_Present_Cleanup(t *testing.T) {
-	port, _ := rand.Int(rand.Reader, big.NewInt(50000))
-	port = port.Add(port, big.NewInt(15534))
-	solver := New(port.String())
-	done := make(chan struct{})
-	err := solver.Initialize(nil, done)
-	assert.NoError(t, err, "Expected Initialize not to error")
-
-	validTestData := []struct {
-		hostname string
-		record   string
-	}{
-		{"test1.example.com.", "testkey1"},
-		{"test2.example.com.", "testkey2"},
-		{"test3.example.com.", "testkey3"},
-	}
-	for _, test := range validTestData {
-		err := solver.Present(&acme.ChallengeRequest{
-			Action:       acme.ChallengeActionPresent,
-			Type:         "dns-01",
-			ResolvedFQDN: test.hostname,
-			Key:          test.record,
-		})
-		assert.NoError(t, err, "Unexpected error while presenting %v", t)
-	}
-
-	// Resolve test data
-	for _, test := range validTestData {
-		msg := new(dns.Msg)
-		msg.Id = dns.Id()
-		msg.RecursionDesired = true
-		msg.Question = make([]dns.Question, 1)
-		msg.Question[0] = dns.Question{dns.Fqdn(test.hostname), dns.TypeTXT, dns.ClassINET}
-		in, err := dns.Exchange(msg, "127.0.0.1:"+port.String())
-
-		assert.NoError(t, err, "Presented record %s not resolvable", test.hostname)
-		assert.Len(t, in.Answer, 1, "RR response is of incorrect length")
-		assert.Equal(t, []string{test.record}, in.Answer[0].(*dns.TXT).Txt, "TXT record returned did not match presented record")
-	}
-
-	// Cleanup test data
-	for _, test := range validTestData {
-		err := solver.CleanUp(&acme.ChallengeRequest{
-			Action:       acme.ChallengeActionCleanUp,
-			Type:         "dns-01",
-			ResolvedFQDN: test.hostname,
-			Key:          test.record,
-		})
-		assert.NoError(t, err, "Unexpected error while cleaning up %v", t)
-	}
-
-	// Resolve test data
-	for _, test := range validTestData {
-		msg := new(dns.Msg)
-		msg.Id = dns.Id()
-		msg.RecursionDesired = true
-		msg.Question = make([]dns.Question, 1)
-		msg.Question[0] = dns.Question{dns.Fqdn(test.hostname), dns.TypeTXT, dns.ClassINET}
-		in, err := dns.Exchange(msg, "127.0.0.1:"+port.String())
-
-		assert.NoError(t, err, "Presented record %s not resolvable", test.hostname)
-		assert.Len(t, in.Answer, 0, "RR response is of incorrect length")
-		assert.Equal(t, dns.RcodeNameError, in.Rcode, "Expexted NXDOMAIN")
-	}
-
-	close(done)
-}

go.mod

@@ -5,8 +5,10 @@ go 1.20
 require (
 	github.com/cert-manager/cert-manager v1.12.6
 	github.com/miekg/dns v1.1.50
+	github.com/namecheap/go-namecheap-sdk/v2 v2.2.0
 	github.com/stretchr/testify v1.8.4
 	k8s.io/apiextensions-apiserver v0.27.2
+	k8s.io/apimachinery v0.27.2
 	k8s.io/client-go v0.27.2
 )
 
@@ -42,6 +44,7 @@ require (
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
@@ -60,6 +63,7 @@ require (
 	github.com/spf13/cobra v1.7.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stoewer/go-strcase v1.2.0 // indirect
+	github.com/weppos/publicsuffix-go v0.15.0 // indirect
 	go.etcd.io/etcd/api/v3 v3.5.7 // indirect
 	go.etcd.io/etcd/client/pkg/v3 v3.5.7 // indirect
 	go.etcd.io/etcd/client/v3 v3.5.7 // indirect
@@ -96,7 +100,6 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/api v0.27.2 // indirect
-	k8s.io/apimachinery v0.27.2 // indirect
 	k8s.io/apiserver v0.27.2 // indirect
 	k8s.io/component-base v0.27.2 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect

go.sum

@@ -131,6 +131,8 @@ github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg=
+github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
+github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
 github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
 github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -164,6 +166,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/namecheap/go-namecheap-sdk/v2 v2.2.0 h1:97uuAKBqwYHfkZVqE4mBfUH2BW6aAPOrQqJQRAvGmPc=
+github.com/namecheap/go-namecheap-sdk/v2 v2.2.0/go.mod h1:Op6xLoiTxvFxa1V/kR0fcFcxlBMkrRHirxvcOdTPhNU=
 github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q=
 github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -204,6 +208,8 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
+github.com/weppos/publicsuffix-go v0.15.0 h1:2uQCwDczZ8YZe5uD0mM3sXRoZYA74xxPuiKK8LdPcGQ=
+github.com/weppos/publicsuffix-go v0.15.0/go.mod h1:HYux0V0Zi04bHNwOHy4cXJVz/TQjYonnF6aoYhj+3QE=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
@@ -273,6 +279,7 @@ golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=

main.go

@@ -1,15 +1,26 @@
 package main
 
 import (
+	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
+	"net"
 	"os"
+	"strings"
 
 	extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 
 	"github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
 	"github.com/cert-manager/cert-manager/pkg/acme/webhook/cmd"
+	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
+	"github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/util"
+
+	namecheap "github.com/namecheap/go-namecheap-sdk/v2/namecheap"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 var GroupName = os.Getenv("GROUP_NAME")
@@ -19,53 +30,81 @@ func main() {
 		panic("GROUP_NAME must be specified")
 	}
 
-	// This will register our custom DNS provider with the webhook serving
+	// This will register our namecheap DNS provider with the webhook serving
 	// library, making it available as an API under the provided GroupName.
 	// You can register multiple DNS provider implementations with a single
 	// webhook, where the Name() method will be used to disambiguate between
 	// the different implementations.
 	cmd.RunWebhookServer(GroupName,
-		&customDNSProviderSolver{},
+		&namecheapDNSProviderSolver{},
 	)
 }
 
-// customDNSProviderSolver implements the provider-specific logic needed to
+type (
-// 'present' an ACME challenge TXT record for your own DNS provider.
+	Record struct {
-// To do so, it must implement the `github.com/cert-manager/cert-manager/pkg/acme/webhook.Solver`
+		Name    *string
-// interface.
+		Type    *string
-type customDNSProviderSolver struct {
+		Address *string
+		MXPref  *int
+		TTL     *int
+	}
+
+	Domain struct {
+		Name      *string
+		EmailType *string
+		Records   *[]Record
+	}
+
+	NamecheapClient interface {
+		GetDomain(string) (*Domain, error)
+		SetDomain(Domain) error
+	}
+
+	namecheapClientImpl struct {
+		client *namecheap.Client
+	}
+
+	// namecheapDNSProviderSolver implements the provider-specific logic needed to
+	// 'present' an ACME challenge TXT record for your own DNS provider.
+	// To do so, it must implement the `github.com/cert-manager/cert-manager/pkg/acme/webhook.Solver`
+	// interface.
+	namecheapDNSProviderSolver struct {
 		// If a Kubernetes 'clientset' is needed, you must:
 		// 1. uncomment the additional `client` field in this structure below
 		// 2. uncomment the "k8s.io/client-go/kubernetes" import at the top of the file
 		// 3. uncomment the relevant code in the Initialize method below
 		// 4. ensure your webhook's service account has the required RBAC role
 		//    assigned to it for interacting with the Kubernetes APIs you need.
-	//client kubernetes.Clientset
+		ctx             context.Context
-}
+		k8sClient       *kubernetes.Clientset
+		namecheapClient NamecheapClient
+	}
 
-// customDNSProviderConfig is a structure that is used to decode into when
+	// namecheapDNSProviderConfig is a structure that is used to decode into when
-// solving a DNS01 challenge.
+	// solving a DNS01 challenge.
-// This information is provided by cert-manager, and may be a reference to
+	// This information is provided by cert-manager, and may be a reference to
-// additional configuration that's needed to solve the challenge for this
+	// additional configuration that's needed to solve the challenge for this
-// particular certificate or issuer.
+	// particular certificate or issuer.
-// This typically includes references to Secret resources containing DNS
+	// This typically includes references to Secret resources containing DNS
-// provider credentials, in cases where a 'multi-tenant' DNS solver is being
+	// provider credentials, in cases where a 'multi-tenant' DNS solver is being
-// created.
+	// created.
-// If you do *not* require per-issuer or per-certificate configuration to be
+	// If you do *not* require per-issuer or per-certificate configuration to be
-// provided to your webhook, you can skip decoding altogether in favour of
+	// provided to your webhook, you can skip decoding altogether in favour of
-// using CLI flags or similar to provide configuration.
+	// using CLI flags or similar to provide configuration.
-// You should not include sensitive information here. If credentials need to
+	// You should not include sensitive information here. If credentials need to
-// be used by your provider here, you should reference a Kubernetes Secret
+	// be used by your provider here, you should reference a Kubernetes Secret
-// resource and fetch these credentials using a Kubernetes clientset.
+	// resource and fetch these credentials using a Kubernetes clientset.
-type customDNSProviderConfig struct {
+	namecheapDNSProviderConfig struct {
-	// Change the two fields below according to the format of the configuration
-	// to be decoded.
 		// These fields will be set by users in the
 		// `issuer.spec.acme.dns01.providers.webhook.config` field.
 
-	//Email           string `json:"email"`
+		APIKeySecretRef   *cmmeta.SecretKeySelector `json:"apiKeySecretRef"`
-	//APIKeySecretRef v1alpha1.SecretKeySelector `json:"apiKeySecretRef"`
+		APIUserSecretRef  *cmmeta.SecretKeySelector `json:"apiUserSecretRef"`
-}
+		ClientIP          *string                   `json:"clientIP"`
+		UseSandbox        bool                      `json:"useSandbox"`
+		UsernameSecretRef *cmmeta.SecretKeySelector `json:"usernameSecretRef"`
+	}
+)
 
 // Name is used as the name for this DNS solver when referencing it on the ACME
 // Issuer resource.
@@ -73,8 +112,8 @@ type customDNSProviderConfig struct {
 // solvers configured with the same Name() **so long as they do not co-exist
 // within a single webhook deployment**.
 // For example, `cloudflare` may be used as the name of a solver.
-func (c *customDNSProviderSolver) Name() string {
+func (c *namecheapDNSProviderSolver) Name() string {
-	return "my-custom-solver"
+	return "namecheap"
 }
 
 // Present is responsible for actually presenting the DNS record with the
@@ -82,16 +121,34 @@ func (c *customDNSProviderSolver) Name() string {
 // This method should tolerate being called multiple times with the same value.
 // cert-manager itself will later perform a self check to ensure that the
 // solver has correctly configured the DNS provider.
-func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
+func (c *namecheapDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
-	cfg, err := loadConfig(ch.Config)
+	cfg, err := loadConfig((*extapi.JSON)(ch.Config))
 	if err != nil {
 		return err
 	}
 
-	// TODO: do something more useful with the decoded configuration
+	zone, domain, err := c.parseChallenge(ch)
-	fmt.Printf("Decoded configuration %v", cfg)
+	if err != nil {
+		return err
+	}
+
+	if c.namecheapClient == nil {
+		if err := c.setNamecheapClient(ch, cfg); err != nil {
+			return err
+		}
+	}
+
+	d, err := c.namecheapClient.GetDomain(zone)
+	if err != nil {
+		return err
+	}
+
+	d.addChallengeRecord(domain, ch.Key)
+
+	if err := c.namecheapClient.SetDomain(*d); err != nil {
+		return err
+	}
 
-	// TODO: add code that sets a record in the DNS provider's console
 	return nil
 }
 
@@ -101,8 +158,34 @@ func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
 // value provided on the ChallengeRequest should be cleaned up.
 // This is in order to facilitate multiple DNS validations for the same domain
 // concurrently.
-func (c *customDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
+func (c *namecheapDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
-	// TODO: add code that deletes a record from the DNS provider's console
+	cfg, err := loadConfig((*extapi.JSON)(ch.Config))
+	if err != nil {
+		return err
+	}
+
+	zone, domain, err := c.parseChallenge(ch)
+	if err != nil {
+		return err
+	}
+
+	if c.namecheapClient == nil {
+		if err := c.setNamecheapClient(ch, cfg); err != nil {
+			return err
+		}
+	}
+
+	d, err := c.namecheapClient.GetDomain(zone)
+	if err != nil {
+		return err
+	}
+
+	d.removeChallengeRecord(domain, ch.Key)
+
+	if err := c.namecheapClient.SetDomain(*d); err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -115,25 +198,222 @@ func (c *customDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
 // provider accounts.
 // The stopCh can be used to handle early termination of the webhook, in cases
 // where a SIGTERM or similar signal is sent to the webhook process.
-func (c *customDNSProviderSolver) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error {
+func (c *namecheapDNSProviderSolver) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error {
-	///// UNCOMMENT THE BELOW CODE TO MAKE A KUBERNETES CLIENTSET AVAILABLE TO
+	cl, err := kubernetes.NewForConfig(kubeClientConfig)
-	///// YOUR CUSTOM DNS PROVIDER
+	if err != nil {
+		return err
+	}
 
-	//cl, err := kubernetes.NewForConfig(kubeClientConfig)
+	c.k8sClient = cl
-	//if err != nil {
+	c.ctx = context.Background()
-	//	return err
-	//}
-	//
-	//c.client = cl
 
-	///// END OF CODE TO MAKE KUBERNETES CLIENTSET AVAILABLE
 	return nil
 }
 
+func (c *namecheapDNSProviderSolver) getSecret(ref *cmmeta.SecretKeySelector, namespace string) (*string, error) {
+	if ref.Name == "" {
+		return nil, fmt.Errorf(
+			"secret not found in '%s'",
+			namespace,
+		)
+	}
+	if ref.Key == "" {
+		return nil, fmt.Errorf(
+			"no 'key' set in secret '%s/%s'",
+			namespace,
+			ref.Name,
+		)
+	}
+
+	secret, err := c.k8sClient.CoreV1().Secrets(namespace).Get(
+		c.ctx, ref.Name, metav1.GetOptions{},
+	)
+	if err != nil {
+		return nil, err
+	}
+	keyBytes, ok := secret.Data[ref.Key]
+	if !ok {
+		return nil, fmt.Errorf(
+			"no key '%s' in secret '%s/%s'",
+			ref.Key,
+			namespace,
+			ref.Name,
+		)
+	}
+	s := string(keyBytes)
+	return &s, nil
+}
+
+func (c *namecheapDNSProviderSolver) setNamecheapClient(ch *v1alpha1.ChallengeRequest, cfg namecheapDNSProviderConfig) error {
+	if cfg.APIKeySecretRef == nil {
+		return errors.New("Secret field 'apiKeySecretRef' could not be located. Check Spelling.")
+	}
+	apiKey, err := c.getSecret(cfg.APIKeySecretRef, ch.ResourceNamespace)
+	if err != nil {
+		return err
+	}
+
+	if cfg.APIUserSecretRef == nil {
+		return errors.New("Secret field 'apiUserSecretRef' could not be located. Check Spelling.")
+	}
+	apiUser, err := c.getSecret(cfg.APIUserSecretRef, ch.ResourceNamespace)
+	if err != nil {
+		return err
+	}
+
+	opts := &namecheap.ClientOptions{
+		ApiKey:     *apiKey,
+		ApiUser:    *apiUser,
+		UseSandbox: cfg.UseSandbox,
+	}
+
+	// attempt to set the ClientIp dynamically if not set
+	// source: https://stackoverflow.com/a/37382208
+	if cfg.ClientIP == nil {
+		ip, err := getOutboundIP()
+		if err != nil {
+			return err
+		}
+		opts.ClientIp = ip.String()
+	} else {
+		opts.ClientIp = *cfg.ClientIP
+	}
+
+	// default UserName to APIUser if not set
+	if cfg.UsernameSecretRef == nil {
+		opts.UserName = *apiUser
+	} else {
+		username, err := c.getSecret(cfg.UsernameSecretRef, ch.ResourceNamespace)
+		if err != nil {
+			return err
+		}
+		opts.UserName = *username
+	}
+
+	c.namecheapClient = &namecheapClientImpl{
+		client: namecheap.NewClient(opts),
+	}
+
+	return nil
+}
+
+// Get the zone and domain we are setting from the challenge request
+// source: https://github.com/ns1/cert-manager-webhook-ns1
+func (c *namecheapDNSProviderSolver) parseChallenge(ch *v1alpha1.ChallengeRequest) (
+	zone string, domain string, err error,
+) {
+
+	if zone, err = util.FindZoneByFqdn(
+		ch.ResolvedFQDN, util.RecursiveNameservers,
+	); err != nil {
+		return "", "", err
+	}
+	zone = util.UnFqdn(zone)
+
+	if idx := strings.Index(ch.ResolvedFQDN, "."+ch.ResolvedZone); idx != -1 {
+		domain = ch.ResolvedFQDN[:idx]
+	} else {
+		domain = util.UnFqdn(ch.ResolvedFQDN)
+	}
+
+	return zone, domain, nil
+}
+
+// Adds a record to a domain
+func (d *Domain) addChallengeRecord(domain, key string) {
+	*d.Records = append(
+		*d.Records,
+		Record{
+			Name:    &domain,
+			Type:    namecheap.String(namecheap.RecordTypeTXT),
+			Address: namecheap.String(key),
+			TTL:     namecheap.Int(60),
+		},
+	)
+}
+
+// Removes a record from a domain
+func (d *Domain) removeChallengeRecord(domain, key string) {
+	for i, record := range *d.Records {
+		if *record.Name == domain &&
+			*record.Type == namecheap.RecordTypeTXT &&
+			*record.Address == key {
+			records := *d.Records
+			*d.Records = append(records[:i], records[i+1:]...)
+			return
+		}
+	}
+}
+
+func (c *namecheapClientImpl) SetDomain(domain Domain) error {
+	args := &namecheap.DomainsDNSSetHostsArgs{
+		Domain:    domain.Name,
+		EmailType: domain.EmailType,
+	}
+
+	records := make([]namecheap.DomainsDNSHostRecord, len(*domain.Records))
+	for i, record := range *domain.Records {
+		records[i] = namecheap.DomainsDNSHostRecord{
+			HostName:   record.Name,
+			RecordType: record.Type,
+			Address:    record.Address,
+			TTL:        record.TTL,
+		}
+
+		if record.MXPref != nil {
+			records[i].MXPref = namecheap.UInt8(uint8(*record.MXPref))
+		}
+	}
+	args.Records = &records
+
+	if _, err := c.client.DomainsDNS.SetHosts(args); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (c *namecheapClientImpl) GetDomain(domain string) (*Domain, error) {
+	resp, err := c.client.DomainsDNS.GetHosts(domain)
+	if err != nil {
+		return nil, err
+	}
+
+	d := &Domain{
+		Name:      resp.DomainDNSGetHostsResult.Domain,
+		EmailType: resp.DomainDNSGetHostsResult.EmailType,
+	}
+	records := make([]Record, len(*resp.DomainDNSGetHostsResult.Hosts))
+	for i, r := range *resp.DomainDNSGetHostsResult.Hosts {
+		records[i] = Record{
+			Name:    r.Name,
+			Type:    r.Type,
+			Address: r.Address,
+			MXPref:  r.MXPref,
+			TTL:     r.TTL,
+		}
+	}
+	d.Records = &records
+
+	return d, nil
+}
+
+// Get preferred outbound ip of this machine
+func getOutboundIP() (*net.IP, error) {
+	conn, err := net.Dial("udp", "8.8.8.8:80")
+	if err != nil {
+		return nil, err
+	}
+	defer conn.Close()
+
+	localAddr := conn.LocalAddr().(*net.UDPAddr)
+
+	return &localAddr.IP, nil
+}
+
 // loadConfig is a small helper function that decodes JSON configuration into
 // the typed config struct.
-func loadConfig(cfgJSON *extapi.JSON) (customDNSProviderConfig, error) {
+func loadConfig(cfgJSON *extapi.JSON) (namecheapDNSProviderConfig, error) {
-	cfg := customDNSProviderConfig{}
+	cfg := namecheapDNSProviderConfig{}
 	// handle the 'base case' where no configuration has been provided
 	if cfgJSON == nil {
 		return cfg, nil

main_test.go

@@ -4,9 +4,7 @@ import (
 	"os"
 	"testing"
 
-	acmetest "github.com/cert-manager/cert-manager/test/acme"
+	dns "github.com/cert-manager/cert-manager/test/acme"
-
-	"github.com/cert-manager/webhook-example/example"
 )
 
 var (
@@ -19,23 +17,11 @@ func TestRunsSuite(t *testing.T) {
 	// ChallengeRequest passed as part of the test cases.
 	//
 
-	// Uncomment the below fixture when implementing your custom DNS provider
+	fixture := dns.NewFixture(&namecheapDNSProviderSolver{},
-	//fixture := acmetest.NewFixture(&customDNSProviderSolver{},
+		dns.SetResolvedZone(zone),
-	//	acmetest.SetResolvedZone(zone),
+		dns.SetAllowAmbientCredentials(false),
-	//	acmetest.SetAllowAmbientCredentials(false),
+		dns.SetManifestPath("testdata/namecheap"),
-	//	acmetest.SetManifestPath("testdata/my-custom-solver"),
-	//	acmetest.SetBinariesPath("_test/kubebuilder/bin"),
-	//)
-	solver := example.New("59351")
-	fixture := acmetest.NewFixture(solver,
-		acmetest.SetResolvedZone("example.com."),
-		acmetest.SetManifestPath("testdata/my-custom-solver"),
-		acmetest.SetDNSServer("127.0.0.1:59351"),
-		acmetest.SetUseAuthoritative(false),
 	)
-	//need to uncomment and  RunConformance delete runBasic and runExtended once https://github.com/cert-manager/cert-manager/pull/4835 is merged
-	//fixture.RunConformance(t)
-	fixture.RunBasic(t)
-	fixture.RunExtended(t)
 
+	fixture.RunConformance(t)
 }

testdata/my-custom-solver/README.md

@@ -1,3 +0,0 @@
-# Solver testdata directory
-
-TODO

testdata/my-custom-solver/config.json

@@ -1 +0,0 @@
-{}

testdata/namecheap/.gitignore

@@ -0,0 +1,2 @@
+apikey.yaml
+config.json

testdata/namecheap/README.md

@@ -0,0 +1,5 @@
+# Solver testdata directory
+
+Copy config.json.sample to config.json and edit as needed. You don't need to change the apiKeySecretRef part, this is handled in the next step.
+
+Copy api-key.yaml.sample to api-key.yaml. Edit to add your base64 encoded Namecheap API Key. This populates the apiKeySecretRef.

testdata/namecheap/apikey.yaml.sample

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: namecheap-credentials
+type: Opaque
+data:
+  apiKey: "<<BASE64 ENCODED NAMECHEAP API KEY>>"
+  apiUser: "<<BASE64 ENCODED NAMECHEAP API USER>>"

testdata/namecheap/config.json.sample

@@ -0,0 +1,11 @@
+{
+    "apiKeySecretRef": {
+        "name": "namecheap-credentials",
+        "key": "apiKey"
+    },
+    "apiUserSecretRef": {
+        "name": "namecheap-credentials",
+        "key": "apiUser"
+    },
+    "useSandbox": true
+}