KropCloud/cert-manager-webhook-example
1
0
Fork 1
mirror of https://github.com/cert-manager/webhook-example.git synced 2025-07-01 22:35:49 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Updated to recent version of cert-manager/webhook-example

Browse source
This commit is contained in:
Harald Fielker 2024-04-28 13:54:03 +02:00
parent e57412778d
commit f938bd3ac9
17 changed files with 489 additions and 358 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
.gitignore vendored
View file

@ -17,3 +17,7 @@ cert-manager-webhook-example
# Make artifacts
_out
_test
# vscode debugging
.env
__debug*

3
.vscode/settings.json vendored Normal file
View file

@ -0,0 +1,3 @@
{
"go.testEnvFile": "${workspaceFolder}/.env",
}

132
README.md
View file

@ -1,58 +1,106 @@
<p align="center">
<img src="https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png" height="256" width="256" alt="cert-manager project logo" />
</p>
# cert-manager webhook for Namecheap
# ACME webhook example
- This is a Frankenstein version of
- <https://github.com/kelvie/cert-manager-webhook-namecheap>
- <https://github.com/Extrality/cert-manager-webhook-namecheap>
The ACME issuer type supports an optional 'webhook' solver, which can be used
to implement custom DNS01 challenge solving logic.
- This is as good as any other implementation!
- I just had to find out, that my local `dnsmasq` messed around. When the webhook is trying to find out the zone of the domain, it just got back some local info.
- The workaround (for me) - is to use a public DNS for the cert-manager.
- Idea can be found at [Techno Tim's Repo](https://github.com/techno-tim/launchpad/blob/c18b2c3e3bf9cfa30974ae0e993e5c2fc3c37408/kubernetes/traefik-cert-manager/cert-manager/values.yaml#L9)
This is useful if you need to use cert-manager with a DNS provider that is not
officially supported in cert-manager core.
## Why not in core?
As the project & adoption has grown, there has been an influx of DNS provider
pull requests to our core codebase. As this number has grown, the test matrix
has become un-maintainable and so, it's not possible for us to certify that
providers work to a sufficient level.
# Instructions for use with Let's Encrypt
By creating this 'interface' between cert-manager and DNS providers, we allow
users to quickly iterate and test out new integrations, and then packaging
those up themselves as 'extensions' to cert-manager.
Thanks to [Addison van den Hoeven](https://github.com/Addyvan), from https://github.com/jetstack/cert-manager/issues/646
We can also then provide a standardised 'testing framework', or set of
conformance tests, which allow us to validate the a DNS provider works as
expected.
Use helm to deploy this into your `cert-manager` namespace:
## Creating your own webhook
``` sh
# Make sure you're in the right context:
# kubectl config use-context mycontext
Webhook's themselves are deployed as Kubernetes API services, in order to allow
administrators to restrict access to webhooks with Kubernetes RBAC.
# cert-manager is by default in the cert-manager context
helm install -n cert-manager namecheap-webhook deploy/cert-manager-webhook-namecheap/
```
This is important, as otherwise it'd be possible for anyone with access to your
webhook to complete ACME challenge validations and obtain certificates.
Create the cluster issuers:
To make the set up of these webhook's easier, we provide a template repository
that can be used to get started quickly.
``` sh
helm install --set email=yourname@example.com -n cert-manager letsencrypt-namecheap-issuer deploy/letsencrypt-namecheap-issuer/
```
### Creating your own repository
Get your local public ip: `curl https://ifconfig.co/ip`
Go to namecheap and set up your API key (note that you'll need to whitelist the
public IP of the k8s cluster to use the webhook), and set the secret:
``` yaml
apiVersion: v1
kind: Secret
metadata:
name: namecheap-credentials
namespace: cert-manager
type: Opaque
stringData:
apiKey: my_api_key_from_namecheap
apiUser: my_username_from_namecheap
#clientIP: 1.2.3.4 # optional, if your setup can't detect the public IP
```
Now you can create a certificate in staging for testing:
``` yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: wildcard-cert-stage
namespace: default
spec:
secretName: wildcard-cert-stage
commonName: "*.<domain>"
issuerRef:
kind: ClusterIssuer
name: letsencrypt-stage
dnsNames:
- "*.<domain>"
```
And now validate that it worked:
``` sh
kubectl get certificates -n default
kubectl describe certificate wildcard-cert-stage
```
And finally, create your production cert, and it'll be ready to use in the
`wildcard-cert-prod` secret.
``` yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: wildcard-cert-prod
namespace: default
spec:
secretName: wildcard-cert-prod
commonName: "*.<domain>"
issuerRef:
kind: ClusterIssuer
name: letsencrypt-prod
dnsNames:
- "*.<domain>"
```
TODO: add simple nginx example to test that it works
### Running the test suite
All DNS providers **must** run the DNS01 provider conformance testing suite,
else they will have undetermined behaviour when used with cert-manager.
#### Steps
**It is essential that you configure and run the test suite when creating a
DNS01 webhook.**
An example Go test file has been provided in [main_test.go](https://github.com/cert-manager/webhook-example/blob/master/main_test.go).
You can run the test suite with:
```bash
$ TEST_ZONE_NAME=example.com. make test
```
The example file has a number of areas you must fill in and replace with your
own options in order for tests to pass.
1. Create testdata/namecheap/apikey.yaml and testdata/namecheap/config.json using your credentials.
2. Run `TEST_ZONE_NAME=example.com. make test` . Note that the domain here should be updated to your own
domain name. Also note that this is a full domain name with a `.` at the end.
3. You should see all tests passing.
4. In case the tests fail: set `useSandbox` to false

11
env.sample Normal file
View file

@ -0,0 +1,11 @@
# get this from Makefile
OS=linux
ARCH=amd64
KUBEBUILDER_VERSION=1.28.0
TEST_ASSET_ETCD=_test/kubebuilder-${KUBEBUILDER_VERSION}-${OS}-${ARCH}/etcd
TEST_ASSET_KUBE_APISERVER=_test/kubebuilder-${KUBEBUILDER_VERSION}-${OS}-${ARCH}/kube-apiserver
TEST_ASSET_KUBECTL=_test/kubebuilder-${KUBEBUILDER_VERSION}-${OS}-${ARCH}/kubectl
TEST_ZONE_NAME=example.com.

69
example/dns.go
View file

@ -1,69 +0,0 @@
package example
import (
"fmt"
"github.com/miekg/dns"
)
func (e *exampleSolver) handleDNSRequest(w dns.ResponseWriter, req *dns.Msg) {
msg := new(dns.Msg)
msg.SetReply(req)
switch req.Opcode {
case dns.OpcodeQuery:
for _, q := range msg.Question {
if err := e.addDNSAnswer(q, msg, req); err != nil {
msg.SetRcode(req, dns.RcodeServerFailure)
break
}
}
}
w.WriteMsg(msg)
}
func (e *exampleSolver) addDNSAnswer(q dns.Question, msg *dns.Msg, req *dns.Msg) error {
switch q.Qtype {
// Always return loopback for any A query
case dns.TypeA:
rr, err := dns.NewRR(fmt.Sprintf("%s 5 IN A 127.0.0.1", q.Name))
if err != nil {
return err
}
msg.Answer = append(msg.Answer, rr)
return nil
// TXT records are the only important record for ACME dns-01 challenges
case dns.TypeTXT:
e.RLock()
record, found := e.txtRecords[q.Name]
e.RUnlock()
if !found {
msg.SetRcode(req, dns.RcodeNameError)
return nil
}
rr, err := dns.NewRR(fmt.Sprintf("%s 5 IN TXT %s", q.Name, record))
if err != nil {
return err
}
msg.Answer = append(msg.Answer, rr)
return nil
// NS and SOA are for authoritative lookups, return obviously invalid data
case dns.TypeNS:
rr, err := dns.NewRR(fmt.Sprintf("%s 5 IN NS ns.example-acme-webook.invalid.", q.Name))
if err != nil {
return err
}
msg.Answer = append(msg.Answer, rr)
return nil
case dns.TypeSOA:
rr, err := dns.NewRR(fmt.Sprintf("%s 5 IN SOA %s 20 5 5 5 5", "ns.example-acme-webook.invalid.", "ns.example-acme-webook.invalid."))
if err != nil {
return err
}
msg.Answer = append(msg.Answer, rr)
return nil
default:
return fmt.Errorf("unimplemented record type %v", q.Qtype)
}
}

68
example/example.go
View file

@ -1,68 +0,0 @@
// package example contains a self-contained example of a webhook that passes the cert-manager
// DNS conformance tests
package example
import (
"fmt"
"os"
"sync"
"github.com/cert-manager/cert-manager/pkg/acme/webhook"
acme "github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
"github.com/miekg/dns"
"k8s.io/client-go/rest"
)
type exampleSolver struct {
name string
server *dns.Server
txtRecords map[string]string
sync.RWMutex
}
func (e *exampleSolver) Name() string {
return e.name
}
func (e *exampleSolver) Present(ch *acme.ChallengeRequest) error {
e.Lock()
e.txtRecords[ch.ResolvedFQDN] = ch.Key
e.Unlock()
return nil
}
func (e *exampleSolver) CleanUp(ch *acme.ChallengeRequest) error {
e.Lock()
delete(e.txtRecords, ch.ResolvedFQDN)
e.Unlock()
return nil
}
func (e *exampleSolver) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error {
go func(done <-chan struct{}) {
<-done
if err := e.server.Shutdown(); err != nil {
fmt.Fprintf(os.Stderr, "%s\n", err.Error())
}
}(stopCh)
go func() {
if err := e.server.ListenAndServe(); err != nil {
fmt.Fprintf(os.Stderr, "%s\n", err.Error())
os.Exit(1)
}
}()
return nil
}
func New(port string) webhook.Solver {
e := &exampleSolver{
name: "example",
txtRecords: make(map[string]string),
}
e.server = &dns.Server{
Addr: ":" + port,
Net: "udp",
Handler: dns.HandlerFunc(e.handleDNSRequest),
}
return e
}

96
example/example_test.go
View file

@ -1,96 +0,0 @@
package example
import (
"crypto/rand"
"math/big"
"testing"
acme "github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
"github.com/miekg/dns"
"github.com/stretchr/testify/assert"
)
func TestExampleSolver_Name(t *testing.T) {
port, _ := rand.Int(rand.Reader, big.NewInt(50000))
port = port.Add(port, big.NewInt(15534))
solver := New(port.String())
assert.Equal(t, "example", solver.Name())
}
func TestExampleSolver_Initialize(t *testing.T) {
port, _ := rand.Int(rand.Reader, big.NewInt(50000))
port = port.Add(port, big.NewInt(15534))
solver := New(port.String())
done := make(chan struct{})
err := solver.Initialize(nil, done)
assert.NoError(t, err, "Expected Initialize not to error")
close(done)
}
func TestExampleSolver_Present_Cleanup(t *testing.T) {
port, _ := rand.Int(rand.Reader, big.NewInt(50000))
port = port.Add(port, big.NewInt(15534))
solver := New(port.String())
done := make(chan struct{})
err := solver.Initialize(nil, done)
assert.NoError(t, err, "Expected Initialize not to error")
validTestData := []struct {
hostname string
record string
}{
{"test1.example.com.", "testkey1"},
{"test2.example.com.", "testkey2"},
{"test3.example.com.", "testkey3"},
}
for _, test := range validTestData {
err := solver.Present(&acme.ChallengeRequest{
Action: acme.ChallengeActionPresent,
Type: "dns-01",
ResolvedFQDN: test.hostname,
Key: test.record,
})
assert.NoError(t, err, "Unexpected error while presenting %v", t)
}
// Resolve test data
for _, test := range validTestData {
msg := new(dns.Msg)
msg.Id = dns.Id()
msg.RecursionDesired = true
msg.Question = make([]dns.Question, 1)
msg.Question[0] = dns.Question{dns.Fqdn(test.hostname), dns.TypeTXT, dns.ClassINET}
in, err := dns.Exchange(msg, "127.0.0.1:"+port.String())
assert.NoError(t, err, "Presented record %s not resolvable", test.hostname)
assert.Len(t, in.Answer, 1, "RR response is of incorrect length")
assert.Equal(t, []string{test.record}, in.Answer[0].(*dns.TXT).Txt, "TXT record returned did not match presented record")
}
// Cleanup test data
for _, test := range validTestData {
err := solver.CleanUp(&acme.ChallengeRequest{
Action: acme.ChallengeActionCleanUp,
Type: "dns-01",
ResolvedFQDN: test.hostname,
Key: test.record,
})
assert.NoError(t, err, "Unexpected error while cleaning up %v", t)
}
// Resolve test data
for _, test := range validTestData {
msg := new(dns.Msg)
msg.Id = dns.Id()
msg.RecursionDesired = true
msg.Question = make([]dns.Question, 1)
msg.Question[0] = dns.Question{dns.Fqdn(test.hostname), dns.TypeTXT, dns.ClassINET}
in, err := dns.Exchange(msg, "127.0.0.1:"+port.String())
assert.NoError(t, err, "Presented record %s not resolvable", test.hostname)
assert.Len(t, in.Answer, 0, "RR response is of incorrect length")
assert.Equal(t, dns.RcodeNameError, in.Rcode, "Expexted NXDOMAIN")
}
close(done)
}

5
go.mod
View file

@ -5,8 +5,10 @@ go 1.20
require (
github.com/cert-manager/cert-manager v1.12.6
github.com/miekg/dns v1.1.50
github.com/namecheap/go-namecheap-sdk/v2 v2.2.0
github.com/stretchr/testify v1.8.4
k8s.io/apiextensions-apiserver v0.27.2
k8s.io/apimachinery v0.27.2
k8s.io/client-go v0.27.2
)
@ -42,6 +44,7 @@ require (
github.com/google/uuid v1.3.0 // indirect
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/imdario/mergo v0.3.12 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
@ -60,6 +63,7 @@ require (
github.com/spf13/cobra v1.7.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/stoewer/go-strcase v1.2.0 // indirect
github.com/weppos/publicsuffix-go v0.15.0 // indirect
go.etcd.io/etcd/api/v3 v3.5.7 // indirect
go.etcd.io/etcd/client/pkg/v3 v3.5.7 // indirect
go.etcd.io/etcd/client/v3 v3.5.7 // indirect
@ -96,7 +100,6 @@ require (
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/api v0.27.2 // indirect
k8s.io/apimachinery v0.27.2 // indirect
k8s.io/apiserver v0.27.2 // indirect
k8s.io/component-base v0.27.2 // indirect
k8s.io/klog/v2 v2.100.1 // indirect

7
go.sum
View file

@ -131,6 +131,8 @@ github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4
github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg=
github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@ -164,6 +166,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/namecheap/go-namecheap-sdk/v2 v2.2.0 h1:97uuAKBqwYHfkZVqE4mBfUH2BW6aAPOrQqJQRAvGmPc=
github.com/namecheap/go-namecheap-sdk/v2 v2.2.0/go.mod h1:Op6xLoiTxvFxa1V/kR0fcFcxlBMkrRHirxvcOdTPhNU=
github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q=
github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU=
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@ -204,6 +208,8 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o
github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
github.com/weppos/publicsuffix-go v0.15.0 h1:2uQCwDczZ8YZe5uD0mM3sXRoZYA74xxPuiKK8LdPcGQ=
github.com/weppos/publicsuffix-go v0.15.0/go.mod h1:HYux0V0Zi04bHNwOHy4cXJVz/TQjYonnF6aoYhj+3QE=
github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
@ -273,6 +279,7 @@ golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=

396
main.go
View file

@ -1,15 +1,26 @@
package main
import (
"context"
"encoding/json"
"errors"
"fmt"
"net"
"os"
"strings"
extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
"github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
"github.com/cert-manager/cert-manager/pkg/acme/webhook/cmd"
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
"github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/util"
namecheap "github.com/namecheap/go-namecheap-sdk/v2/namecheap"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
var GroupName = os.Getenv("GROUP_NAME")
@ -19,53 +30,81 @@ func main() {
panic("GROUP_NAME must be specified")
}
// This will register our custom DNS provider with the webhook serving
// This will register our namecheap DNS provider with the webhook serving
// library, making it available as an API under the provided GroupName.
// You can register multiple DNS provider implementations with a single
// webhook, where the Name() method will be used to disambiguate between
// the different implementations.
cmd.RunWebhookServer(GroupName,
&customDNSProviderSolver{},
&namecheapDNSProviderSolver{},
)
}
// customDNSProviderSolver implements the provider-specific logic needed to
// 'present' an ACME challenge TXT record for your own DNS provider.
// To do so, it must implement the `github.com/cert-manager/cert-manager/pkg/acme/webhook.Solver`
// interface.
type customDNSProviderSolver struct {
// If a Kubernetes 'clientset' is needed, you must:
// 1. uncomment the additional `client` field in this structure below
// 2. uncomment the "k8s.io/client-go/kubernetes" import at the top of the file
// 3. uncomment the relevant code in the Initialize method below
// 4. ensure your webhook's service account has the required RBAC role
// assigned to it for interacting with the Kubernetes APIs you need.
//client kubernetes.Clientset
}
type (
Record struct {
Name *string
Type *string
Address *string
MXPref *int
TTL *int
}
// customDNSProviderConfig is a structure that is used to decode into when
// solving a DNS01 challenge.
// This information is provided by cert-manager, and may be a reference to
// additional configuration that's needed to solve the challenge for this
// particular certificate or issuer.
// This typically includes references to Secret resources containing DNS
// provider credentials, in cases where a 'multi-tenant' DNS solver is being
// created.
// If you do *not* require per-issuer or per-certificate configuration to be
// provided to your webhook, you can skip decoding altogether in favour of
// using CLI flags or similar to provide configuration.
// You should not include sensitive information here. If credentials need to
// be used by your provider here, you should reference a Kubernetes Secret
// resource and fetch these credentials using a Kubernetes clientset.
type customDNSProviderConfig struct {
// Change the two fields below according to the format of the configuration
// to be decoded.
// These fields will be set by users in the
// `issuer.spec.acme.dns01.providers.webhook.config` field.
Domain struct {
Name *string
EmailType *string
Records *[]Record
}
//Email string `json:"email"`
//APIKeySecretRef v1alpha1.SecretKeySelector `json:"apiKeySecretRef"`
}
NamecheapClient interface {
GetDomain(string) (*Domain, error)
SetDomain(Domain) error
}
namecheapClientImpl struct {
client *namecheap.Client
}
// namecheapDNSProviderSolver implements the provider-specific logic needed to
// 'present' an ACME challenge TXT record for your own DNS provider.
// To do so, it must implement the `github.com/cert-manager/cert-manager/pkg/acme/webhook.Solver`
// interface.
namecheapDNSProviderSolver struct {
// If a Kubernetes 'clientset' is needed, you must:
// 1. uncomment the additional `client` field in this structure below
// 2. uncomment the "k8s.io/client-go/kubernetes" import at the top of the file
// 3. uncomment the relevant code in the Initialize method below
// 4. ensure your webhook's service account has the required RBAC role
// assigned to it for interacting with the Kubernetes APIs you need.
ctx context.Context
k8sClient *kubernetes.Clientset
namecheapClient NamecheapClient
}
// namecheapDNSProviderConfig is a structure that is used to decode into when
// solving a DNS01 challenge.
// This information is provided by cert-manager, and may be a reference to
// additional configuration that's needed to solve the challenge for this
// particular certificate or issuer.
// This typically includes references to Secret resources containing DNS
// provider credentials, in cases where a 'multi-tenant' DNS solver is being
// created.
// If you do *not* require per-issuer or per-certificate configuration to be
// provided to your webhook, you can skip decoding altogether in favour of
// using CLI flags or similar to provide configuration.
// You should not include sensitive information here. If credentials need to
// be used by your provider here, you should reference a Kubernetes Secret
// resource and fetch these credentials using a Kubernetes clientset.
namecheapDNSProviderConfig struct {
// These fields will be set by users in the
// `issuer.spec.acme.dns01.providers.webhook.config` field.
APIKeySecretRef *cmmeta.SecretKeySelector `json:"apiKeySecretRef"`
APIUserSecretRef *cmmeta.SecretKeySelector `json:"apiUserSecretRef"`
ClientIP *string `json:"clientIP"`
UseSandbox bool `json:"useSandbox"`
UsernameSecretRef *cmmeta.SecretKeySelector `json:"usernameSecretRef"`
}
)
// Name is used as the name for this DNS solver when referencing it on the ACME
// Issuer resource.
@ -73,8 +112,8 @@ type customDNSProviderConfig struct {
// solvers configured with the same Name() **so long as they do not co-exist
// within a single webhook deployment**.
// For example, `cloudflare` may be used as the name of a solver.
func (c *customDNSProviderSolver) Name() string {
return "my-custom-solver"
func (c *namecheapDNSProviderSolver) Name() string {
return "namecheap"
}
// Present is responsible for actually presenting the DNS record with the
@ -82,16 +121,34 @@ func (c *customDNSProviderSolver) Name() string {
// This method should tolerate being called multiple times with the same value.
// cert-manager itself will later perform a self check to ensure that the
// solver has correctly configured the DNS provider.
func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
cfg, err := loadConfig(ch.Config)
func (c *namecheapDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
cfg, err := loadConfig((*extapi.JSON)(ch.Config))
if err != nil {
return err
}
// TODO: do something more useful with the decoded configuration
fmt.Printf("Decoded configuration %v", cfg)
zone, domain, err := c.parseChallenge(ch)
if err != nil {
return err
}
if c.namecheapClient == nil {
if err := c.setNamecheapClient(ch, cfg); err != nil {
return err
}
}
d, err := c.namecheapClient.GetDomain(zone)
if err != nil {
return err
}
d.addChallengeRecord(domain, ch.Key)
if err := c.namecheapClient.SetDomain(*d); err != nil {
return err
}
// TODO: add code that sets a record in the DNS provider's console
return nil
}
@ -101,8 +158,34 @@ func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
// value provided on the ChallengeRequest should be cleaned up.
// This is in order to facilitate multiple DNS validations for the same domain
// concurrently.
func (c *customDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
// TODO: add code that deletes a record from the DNS provider's console
func (c *namecheapDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
cfg, err := loadConfig((*extapi.JSON)(ch.Config))
if err != nil {
return err
}
zone, domain, err := c.parseChallenge(ch)
if err != nil {
return err
}
if c.namecheapClient == nil {
if err := c.setNamecheapClient(ch, cfg); err != nil {
return err
}
}
d, err := c.namecheapClient.GetDomain(zone)
if err != nil {
return err
}
d.removeChallengeRecord(domain, ch.Key)
if err := c.namecheapClient.SetDomain(*d); err != nil {
return err
}
return nil
}
@ -115,25 +198,222 @@ func (c *customDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
// provider accounts.
// The stopCh can be used to handle early termination of the webhook, in cases
// where a SIGTERM or similar signal is sent to the webhook process.
func (c *customDNSProviderSolver) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error {
///// UNCOMMENT THE BELOW CODE TO MAKE A KUBERNETES CLIENTSET AVAILABLE TO
///// YOUR CUSTOM DNS PROVIDER
func (c *namecheapDNSProviderSolver) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error {
cl, err := kubernetes.NewForConfig(kubeClientConfig)
if err != nil {
return err
}
//cl, err := kubernetes.NewForConfig(kubeClientConfig)
//if err != nil {
// return err
//}
//
//c.client = cl
c.k8sClient = cl
c.ctx = context.Background()
///// END OF CODE TO MAKE KUBERNETES CLIENTSET AVAILABLE
return nil
}
func (c *namecheapDNSProviderSolver) getSecret(ref *cmmeta.SecretKeySelector, namespace string) (*string, error) {
if ref.Name == "" {
return nil, fmt.Errorf(
"secret not found in '%s'",
namespace,
)
}
if ref.Key == "" {
return nil, fmt.Errorf(
"no 'key' set in secret '%s/%s'",
namespace,
ref.Name,
)
}
secret, err := c.k8sClient.CoreV1().Secrets(namespace).Get(
c.ctx, ref.Name, metav1.GetOptions{},
)
if err != nil {
return nil, err
}
keyBytes, ok := secret.Data[ref.Key]
if !ok {
return nil, fmt.Errorf(
"no key '%s' in secret '%s/%s'",
ref.Key,
namespace,
ref.Name,
)
}
s := string(keyBytes)
return &s, nil
}
func (c *namecheapDNSProviderSolver) setNamecheapClient(ch *v1alpha1.ChallengeRequest, cfg namecheapDNSProviderConfig) error {
if cfg.APIKeySecretRef == nil {
return errors.New("Secret field 'apiKeySecretRef' could not be located. Check Spelling.")
}
apiKey, err := c.getSecret(cfg.APIKeySecretRef, ch.ResourceNamespace)
if err != nil {
return err
}
if cfg.APIUserSecretRef == nil {
return errors.New("Secret field 'apiUserSecretRef' could not be located. Check Spelling.")
}
apiUser, err := c.getSecret(cfg.APIUserSecretRef, ch.ResourceNamespace)
if err != nil {
return err
}
opts := &namecheap.ClientOptions{
ApiKey: *apiKey,
ApiUser: *apiUser,
UseSandbox: cfg.UseSandbox,
}
// attempt to set the ClientIp dynamically if not set
// source: https://stackoverflow.com/a/37382208
if cfg.ClientIP == nil {
ip, err := getOutboundIP()
if err != nil {
return err
}
opts.ClientIp = ip.String()
} else {
opts.ClientIp = *cfg.ClientIP
}
// default UserName to APIUser if not set
if cfg.UsernameSecretRef == nil {
opts.UserName = *apiUser
} else {
username, err := c.getSecret(cfg.UsernameSecretRef, ch.ResourceNamespace)
if err != nil {
return err
}
opts.UserName = *username
}
c.namecheapClient = &namecheapClientImpl{
client: namecheap.NewClient(opts),
}
return nil
}
// Get the zone and domain we are setting from the challenge request
// source: https://github.com/ns1/cert-manager-webhook-ns1
func (c *namecheapDNSProviderSolver) parseChallenge(ch *v1alpha1.ChallengeRequest) (
zone string, domain string, err error,
) {
if zone, err = util.FindZoneByFqdn(
ch.ResolvedFQDN, util.RecursiveNameservers,
); err != nil {
return "", "", err
}
zone = util.UnFqdn(zone)
if idx := strings.Index(ch.ResolvedFQDN, "."+ch.ResolvedZone); idx != -1 {
domain = ch.ResolvedFQDN[:idx]
} else {
domain = util.UnFqdn(ch.ResolvedFQDN)
}
return zone, domain, nil
}
// Adds a record to a domain
func (d *Domain) addChallengeRecord(domain, key string) {
*d.Records = append(
*d.Records,
Record{
Name: &domain,
Type: namecheap.String(namecheap.RecordTypeTXT),
Address: namecheap.String(key),
TTL: namecheap.Int(60),
},
)
}
// Removes a record from a domain
func (d *Domain) removeChallengeRecord(domain, key string) {
for i, record := range *d.Records {
if *record.Name == domain &&
*record.Type == namecheap.RecordTypeTXT &&
*record.Address == key {
records := *d.Records
*d.Records = append(records[:i], records[i+1:]...)
return
}
}
}
func (c *namecheapClientImpl) SetDomain(domain Domain) error {
args := &namecheap.DomainsDNSSetHostsArgs{
Domain: domain.Name,
EmailType: domain.EmailType,
}
records := make([]namecheap.DomainsDNSHostRecord, len(*domain.Records))
for i, record := range *domain.Records {
records[i] = namecheap.DomainsDNSHostRecord{
HostName: record.Name,
RecordType: record.Type,
Address: record.Address,
TTL: record.TTL,
}
if record.MXPref != nil {
records[i].MXPref = namecheap.UInt8(uint8(*record.MXPref))
}
}
args.Records = &records
if _, err := c.client.DomainsDNS.SetHosts(args); err != nil {
return err
}
return nil
}
func (c *namecheapClientImpl) GetDomain(domain string) (*Domain, error) {
resp, err := c.client.DomainsDNS.GetHosts(domain)
if err != nil {
return nil, err
}
d := &Domain{
Name: resp.DomainDNSGetHostsResult.Domain,
EmailType: resp.DomainDNSGetHostsResult.EmailType,
}
records := make([]Record, len(*resp.DomainDNSGetHostsResult.Hosts))
for i, r := range *resp.DomainDNSGetHostsResult.Hosts {
records[i] = Record{
Name: r.Name,
Type: r.Type,
Address: r.Address,
MXPref: r.MXPref,
TTL: r.TTL,
}
}
d.Records = &records
return d, nil
}
// Get preferred outbound ip of this machine
func getOutboundIP() (*net.IP, error) {
conn, err := net.Dial("udp", "8.8.8.8:80")
if err != nil {
return nil, err
}
defer conn.Close()
localAddr := conn.LocalAddr().(*net.UDPAddr)
return &localAddr.IP, nil
}
// loadConfig is a small helper function that decodes JSON configuration into
// the typed config struct.
func loadConfig(cfgJSON *extapi.JSON) (customDNSProviderConfig, error) {
cfg := customDNSProviderConfig{}
func loadConfig(cfgJSON *extapi.JSON) (namecheapDNSProviderConfig, error) {
cfg := namecheapDNSProviderConfig{}
// handle the 'base case' where no configuration has been provided
if cfgJSON == nil {
return cfg, nil

26
main_test.go
View file

@ -4,9 +4,7 @@ import (
"os"
"testing"
acmetest "github.com/cert-manager/cert-manager/test/acme"
"github.com/cert-manager/webhook-example/example"
dns "github.com/cert-manager/cert-manager/test/acme"
)
var (
@ -19,23 +17,11 @@ func TestRunsSuite(t *testing.T) {
// ChallengeRequest passed as part of the test cases.
//
// Uncomment the below fixture when implementing your custom DNS provider
//fixture := acmetest.NewFixture(&customDNSProviderSolver{},
// acmetest.SetResolvedZone(zone),
// acmetest.SetAllowAmbientCredentials(false),
// acmetest.SetManifestPath("testdata/my-custom-solver"),
// acmetest.SetBinariesPath("_test/kubebuilder/bin"),
//)
solver := example.New("59351")
fixture := acmetest.NewFixture(solver,
acmetest.SetResolvedZone("example.com."),
acmetest.SetManifestPath("testdata/my-custom-solver"),
acmetest.SetDNSServer("127.0.0.1:59351"),
acmetest.SetUseAuthoritative(false),
fixture := dns.NewFixture(&namecheapDNSProviderSolver{},
dns.SetResolvedZone(zone),
dns.SetAllowAmbientCredentials(false),
dns.SetManifestPath("testdata/namecheap"),
)
//need to uncomment and RunConformance delete runBasic and runExtended once https://github.com/cert-manager/cert-manager/pull/4835 is merged
//fixture.RunConformance(t)
fixture.RunBasic(t)
fixture.RunExtended(t)
fixture.RunConformance(t)
}

3
testdata/my-custom-solver/README.md vendored
View file

@ -1,3 +0,0 @@
# Solver testdata directory
TODO

1
testdata/my-custom-solver/config.json vendored
View file

@ -1 +0,0 @@
{}

2
testdata/namecheap/.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
apikey.yaml
config.json

5
testdata/namecheap/README.md vendored Normal file
View file

@ -0,0 +1,5 @@
# Solver testdata directory
Copy config.json.sample to config.json and edit as needed. You don't need to change the apiKeySecretRef part, this is handled in the next step.
Copy api-key.yaml.sample to api-key.yaml. Edit to add your base64 encoded Namecheap API Key. This populates the apiKeySecretRef.

8
testdata/namecheap/apikey.yaml.sample vendored Normal file
View file

@ -0,0 +1,8 @@
apiVersion: v1
kind: Secret
metadata:
name: namecheap-credentials
type: Opaque
data:
apiKey: "<<BASE64 ENCODED NAMECHEAP API KEY>>"
apiUser: "<<BASE64 ENCODED NAMECHEAP API USER>>"

11
testdata/namecheap/config.json.sample vendored Normal file
View file

@ -0,0 +1,11 @@
{
"apiKeySecretRef": {
"name": "namecheap-credentials",
"key": "apiKey"
},
"apiUserSecretRef": {
"name": "namecheap-credentials",
"key": "apiUser"
},
"useSandbox": true
}