mirror of
https://github.com/cert-manager/webhook-example.git
synced 2025-07-05 08:05:49 +02:00
299 lines
11 KiB
Go
299 lines
11 KiB
Go
package main
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"os"
|
|
|
|
"github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
|
|
"github.com/cert-manager/cert-manager/pkg/acme/webhook/cmd"
|
|
v1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
|
|
extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/client-go/kubernetes"
|
|
"k8s.io/client-go/rest"
|
|
)
|
|
|
|
var GroupName = os.Getenv("GROUP_NAME")
|
|
|
|
func main() {
|
|
if GroupName == "" {
|
|
panic("GROUP_NAME must be specified")
|
|
}
|
|
|
|
// This will register our custom DNS provider with the webhook serving
|
|
// library, making it available as an API under the provided GroupName.
|
|
// You can register multiple DNS provider implementations with a single
|
|
// webhook, where the Name() method will be used to disambiguate between
|
|
// the different implementations.
|
|
cmd.RunWebhookServer(GroupName,
|
|
&sotoonDNSProviderSolver{},
|
|
)
|
|
}
|
|
|
|
// sotoonDNSProviderSolver implements Sotoon DNS logic needed to
|
|
// 'present' an ACME challenge TXT record. To do so, it must implement
|
|
// the `github.com/cert-manager/cert-manager/pkg/acme/webhook.Solver`
|
|
// interface.
|
|
type sotoonDNSProviderSolver struct {
|
|
// If a Kubernetes 'clientset' is needed, you must:
|
|
// 1. uncomment the additional `client` field in this structure below
|
|
// 2. uncomment the "k8s.io/client-go/kubernetes" import at the top of the file
|
|
// 3. uncomment the relevant code in the Initialize method below
|
|
// 4. ensure your webhook's service account has the required RBAC role
|
|
// assigned to it for interacting with the Kubernetes APIs you need.
|
|
client *kubernetes.Clientset
|
|
}
|
|
|
|
// sootonNSProviderConfig is a structure that is used to decode into when
|
|
// solving a DNS01 challenge.
|
|
// This information is provided by cert-manager, and a reference to credentials
|
|
// that's needed to add TXT record in Sotoon to solve the challenge for this
|
|
// particular certificate. If credentials need to be used by your provider here,
|
|
// you should reference a Kubernetes Secret resource and fetch these credentials
|
|
// using a Kubernetes clientset.
|
|
type sotoonDNSProviderConfig struct {
|
|
// This field will be set by users in the
|
|
// `issuer.spec.acme.dns01.providers.webhook.config` field.
|
|
|
|
APIKeySecretRef v1.SecretKeySelector `json:"apiKeySecretRef"`
|
|
BaseUrl string `json:"baseUrl"`
|
|
}
|
|
|
|
// Name is used as the name for this DNS solver when referencing it on the ACME
|
|
// Issuer resource.
|
|
// This should be unique **within the group name**, i.e. you can have two
|
|
// solvers configured with the same Name() **so long as they do not co-exist
|
|
// within a single webhook deployment**.
|
|
// For example, `cloudflare` may be used as the name of a solver.
|
|
func (s *sotoonDNSProviderSolver) Name() string {
|
|
return "sotoon"
|
|
}
|
|
|
|
// removeDotFromEnd will remove . at the end of resolvedZone
|
|
// Sotoon doesn't recognize dot at the end of zone names.
|
|
func removeDotFromEnd(resolvedZone string) string {
|
|
if resolvedZone[len(resolvedZone)-1:] == "." {
|
|
return resolvedZone[0 : len(resolvedZone)-1]
|
|
}
|
|
return resolvedZone
|
|
}
|
|
|
|
// normalizeResolvedFQDN will remove resolvedZone from resolvedFQDN
|
|
// Sotoon doesn't recognize full names that include zone in them and will consider them part
|
|
// of the name. For example if `ResolvedFQDN` is "_acme-challenge.example.com" in "example.com"
|
|
// zone the record will be "_acme-challenge.example.com.example.com", so we need to remove
|
|
// the added ".example.com" from it.
|
|
func normalizeResolvedFQDN(resolvedFQDN, resolvedZone string) string {
|
|
if resolvedFQDN[len(resolvedFQDN)-len(resolvedZone):] == resolvedZone {
|
|
// Example: resolvedFQDN = "_acme-challenge.example.com.", resolvedZone = "example.com."
|
|
// resolvedFQDN[:len(resolvedFQDN)-len(resolvedZone)-1] = _acme-challenge
|
|
return resolvedFQDN[:len(resolvedFQDN)-len(resolvedZone)-1]
|
|
}
|
|
return removeDotFromEnd(resolvedFQDN)
|
|
}
|
|
|
|
// getApiKey retrieves apiKey from secret provided to solver in `APIKeySecretRef`
|
|
func (s *sotoonDNSProviderSolver) getApiKey(secretNamespace string, secretRef v1.SecretKeySelector) (string, error) {
|
|
secret, err := s.client.CoreV1().Secrets(secretNamespace).Get(
|
|
context.Background(), secretRef.Name, metav1.GetOptions{})
|
|
if err != nil {
|
|
return "", fmt.Errorf("couldn't retrieve secret %s from namespace %s", secretRef.Name, secretNamespace)
|
|
}
|
|
|
|
secretByteString, ok := secret.Data[secretRef.Key]
|
|
if !ok {
|
|
return "", fmt.Errorf("couldn't fetch apikey from key %q of secret %s in namespace %s",
|
|
secretRef.Key, secretRef.Name, secretNamespace)
|
|
}
|
|
|
|
return string(secretByteString), nil
|
|
}
|
|
|
|
// getAllRecords retrieves all records from Sotoon DNS and returns them in a map of string to interface{}
|
|
func (s *sotoonDNSProviderSolver) getAllRecords(baseUrl, resolvedZone, apiKey string) (map[string]interface{}, error) {
|
|
httpClient := &http.Client{}
|
|
dnsUrl := fmt.Sprintf("%s/%s", baseUrl, resolvedZone)
|
|
req, err := http.NewRequest("GET", dnsUrl, nil)
|
|
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", apiKey))
|
|
if err != nil {
|
|
return nil, fmt.Errorf("couldn't create http request object with error %v", err)
|
|
}
|
|
|
|
response, err := httpClient.Do(req)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("request to Sotoon API failed with error %v", err)
|
|
}
|
|
|
|
body, err := io.ReadAll(response.Body)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("couldn't read Sotoon dns response's body with error %v", err)
|
|
}
|
|
|
|
var dnsData map[string]interface{}
|
|
err = json.Unmarshal(body, &dnsData)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("couldn't parse Sotoon dns response's body %s", string(body))
|
|
}
|
|
|
|
return dnsData, nil
|
|
}
|
|
|
|
// dnsChangeQuery receives a payload in query in the format of `[{"op":"<op>","path":"<path>"}]` and
|
|
// updates DNS records based on it. For more information look at the requests that ocean panel sends
|
|
// to Sotoon's API.
|
|
func (s *sotoonDNSProviderSolver) dnsChangeQuery(baseUrl, resolvedZone, apiKey, query string) error {
|
|
httpClient := &http.Client{}
|
|
dnsUrl := fmt.Sprintf("%s/%s", baseUrl, resolvedZone)
|
|
patchPayload := []byte(query)
|
|
req, err := http.NewRequest("PATCH", dnsUrl, bytes.NewBuffer(patchPayload))
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", apiKey))
|
|
req.Header.Set("Content-type", "application/json-patch+json")
|
|
|
|
response, err := httpClient.Do(req)
|
|
if err != nil {
|
|
return fmt.Errorf("request to Sotoon API failed with error %v", err)
|
|
}
|
|
|
|
if response.StatusCode != 200 {
|
|
return fmt.Errorf("couldn't change record in zone %s with response status code of: %d",
|
|
resolvedZone, response.StatusCode)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Present is responsible for actually presenting the DNS record with the
|
|
// DNS provider.
|
|
// This method should tolerate being called multiple times with the same value.
|
|
// cert-manager itself will later perform a self check to ensure that the
|
|
// solver has correctly configured the DNS provider.
|
|
func (s *sotoonDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
|
|
cfg, err := loadConfig(ch.Config)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
apiKey, err := s.getApiKey(ch.ResourceNamespace, cfg.APIKeySecretRef)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
dnsData, err := s.getAllRecords(cfg.BaseUrl, removeDotFromEnd(ch.ResolvedZone), apiKey)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
normalizedResolvedFQDN := normalizeResolvedFQDN(ch.ResolvedFQDN, ch.ResolvedZone)
|
|
// Check whether the key is already present in DNS
|
|
for recordName, records := range dnsData["spec"].(map[string]interface{})["records"].(map[string]interface{}) {
|
|
if recordName == normalizedResolvedFQDN {
|
|
for _, record := range records.([]interface{}) {
|
|
val, ok := record.(map[string]interface{})["TXT"]
|
|
if ok && val.(string) == ch.Key {
|
|
return nil
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// If code reaches here the key is not present and we should add a record containing that key
|
|
patchPayload := fmt.Sprintf(`[{"op":"add","path":"/spec/records/%s","value":[{"TXT":"%s","ttl":300}]}]`,
|
|
normalizedResolvedFQDN, ch.Key)
|
|
err = s.dnsChangeQuery(cfg.BaseUrl, removeDotFromEnd(ch.ResolvedZone), apiKey, patchPayload)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// CleanUp should delete the relevant TXT record from the DNS provider console.
|
|
// If multiple TXT records exist with the same record name (e.g.
|
|
// _acme-challenge.example.com) then **only** the record with the same `key`
|
|
// value provided on the ChallengeRequest should be cleaned up.
|
|
// This is in order to facilitate multiple DNS validations for the same domain
|
|
// concurrently.
|
|
func (s *sotoonDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
|
|
cfg, err := loadConfig(ch.Config)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
apiKey, err := s.getApiKey(ch.ResourceNamespace, cfg.APIKeySecretRef)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
dnsData, err := s.getAllRecords(cfg.BaseUrl, removeDotFromEnd(ch.ResolvedZone), apiKey)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Find record and delete it
|
|
normalizedResolvedFQDN := normalizeResolvedFQDN(ch.ResolvedFQDN, ch.ResolvedZone)
|
|
for recordName, records := range dnsData["spec"].(map[string]interface{})["records"].(map[string]interface{}) {
|
|
if recordName == normalizedResolvedFQDN {
|
|
for recordIndex, record := range records.([]interface{}) {
|
|
val, ok := record.(map[string]interface{})["TXT"]
|
|
if ok && val.(string) == ch.Key {
|
|
// Record found
|
|
patchPayload := fmt.Sprintf(`[{"op":"remove","path":"/spec/records/%s/%d"}]`,
|
|
normalizedResolvedFQDN, recordIndex)
|
|
err := s.dnsChangeQuery(cfg.BaseUrl, removeDotFromEnd(ch.ResolvedZone), apiKey, patchPayload)
|
|
if err != nil {
|
|
return fmt.Errorf("an error occurred while deleting DNS Record %s with value of %s",
|
|
normalizedResolvedFQDN, ch.Key)
|
|
}
|
|
break
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Initialize will be called when the webhook first starts.
|
|
// This method can be used to instantiate the webhook, i.e. initialising
|
|
// connections or warming up caches.
|
|
// Typically, the kubeClientConfig parameter is used to build a Kubernetes
|
|
// client that can be used to fetch resources from the Kubernetes API, e.g.
|
|
// Secret resources containing credentials used to authenticate with DNS
|
|
// provider accounts.
|
|
// The stopCh can be used to handle early termination of the webhook, in cases
|
|
// where a SIGTERM or similar signal is sent to the webhook process.
|
|
func (s *sotoonDNSProviderSolver) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error {
|
|
// Initializing kubernetes client to access credentials secret
|
|
cl, err := kubernetes.NewForConfig(kubeClientConfig)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
s.client = cl
|
|
|
|
return nil
|
|
}
|
|
|
|
// loadConfig is a small helper function that decodes JSON configuration into
|
|
// the typed config struct.
|
|
func loadConfig(cfgJSON *extapi.JSON) (sotoonDNSProviderConfig, error) {
|
|
cfg := sotoonDNSProviderConfig{}
|
|
// handle the 'base case' where no configuration has been provided
|
|
if cfgJSON == nil {
|
|
return cfg, nil
|
|
}
|
|
if err := json.Unmarshal(cfgJSON.Raw, &cfg); err != nil {
|
|
return cfg, fmt.Errorf("error decoding solver config: %v", err)
|
|
}
|
|
|
|
return cfg, nil
|
|
}
|