mirror of
https://github.com/cert-manager/webhook-example.git
synced 2025-07-01 22:35:49 +02:00
426 lines
12 KiB
Go
426 lines
12 KiB
Go
package main
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"net"
|
|
"os"
|
|
"strings"
|
|
|
|
extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
|
"k8s.io/client-go/kubernetes"
|
|
"k8s.io/client-go/rest"
|
|
|
|
"github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
|
|
"github.com/cert-manager/cert-manager/pkg/acme/webhook/cmd"
|
|
cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
|
|
"github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/util"
|
|
|
|
namecheap "github.com/namecheap/go-namecheap-sdk/v2/namecheap"
|
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
)
|
|
|
|
var GroupName = os.Getenv("GROUP_NAME")
|
|
|
|
func main() {
|
|
if GroupName == "" {
|
|
panic("GROUP_NAME must be specified")
|
|
}
|
|
|
|
// This will register our namecheap DNS provider with the webhook serving
|
|
// library, making it available as an API under the provided GroupName.
|
|
// You can register multiple DNS provider implementations with a single
|
|
// webhook, where the Name() method will be used to disambiguate between
|
|
// the different implementations.
|
|
cmd.RunWebhookServer(GroupName,
|
|
&namecheapDNSProviderSolver{},
|
|
)
|
|
}
|
|
|
|
type (
|
|
Record struct {
|
|
Name *string
|
|
Type *string
|
|
Address *string
|
|
MXPref *int
|
|
TTL *int
|
|
}
|
|
|
|
Domain struct {
|
|
Name *string
|
|
EmailType *string
|
|
Records *[]Record
|
|
}
|
|
|
|
NamecheapClient interface {
|
|
GetDomain(string) (*Domain, error)
|
|
SetDomain(Domain) error
|
|
}
|
|
|
|
namecheapClientImpl struct {
|
|
client *namecheap.Client
|
|
}
|
|
|
|
// namecheapDNSProviderSolver implements the provider-specific logic needed to
|
|
// 'present' an ACME challenge TXT record for your own DNS provider.
|
|
// To do so, it must implement the `github.com/cert-manager/cert-manager/pkg/acme/webhook.Solver`
|
|
// interface.
|
|
namecheapDNSProviderSolver struct {
|
|
// If a Kubernetes 'clientset' is needed, you must:
|
|
// 1. uncomment the additional `client` field in this structure below
|
|
// 2. uncomment the "k8s.io/client-go/kubernetes" import at the top of the file
|
|
// 3. uncomment the relevant code in the Initialize method below
|
|
// 4. ensure your webhook's service account has the required RBAC role
|
|
// assigned to it for interacting with the Kubernetes APIs you need.
|
|
ctx context.Context
|
|
k8sClient *kubernetes.Clientset
|
|
namecheapClient NamecheapClient
|
|
}
|
|
|
|
// namecheapDNSProviderConfig is a structure that is used to decode into when
|
|
// solving a DNS01 challenge.
|
|
// This information is provided by cert-manager, and may be a reference to
|
|
// additional configuration that's needed to solve the challenge for this
|
|
// particular certificate or issuer.
|
|
// This typically includes references to Secret resources containing DNS
|
|
// provider credentials, in cases where a 'multi-tenant' DNS solver is being
|
|
// created.
|
|
// If you do *not* require per-issuer or per-certificate configuration to be
|
|
// provided to your webhook, you can skip decoding altogether in favour of
|
|
// using CLI flags or similar to provide configuration.
|
|
// You should not include sensitive information here. If credentials need to
|
|
// be used by your provider here, you should reference a Kubernetes Secret
|
|
// resource and fetch these credentials using a Kubernetes clientset.
|
|
namecheapDNSProviderConfig struct {
|
|
// These fields will be set by users in the
|
|
// `issuer.spec.acme.dns01.providers.webhook.config` field.
|
|
|
|
APIKeySecretRef *cmmeta.SecretKeySelector `json:"apiKeySecretRef"`
|
|
APIUserSecretRef *cmmeta.SecretKeySelector `json:"apiUserSecretRef"`
|
|
ClientIP *string `json:"clientIP"`
|
|
UseSandbox bool `json:"useSandbox"`
|
|
UsernameSecretRef *cmmeta.SecretKeySelector `json:"usernameSecretRef"`
|
|
}
|
|
)
|
|
|
|
// Name is used as the name for this DNS solver when referencing it on the ACME
|
|
// Issuer resource.
|
|
// This should be unique **within the group name**, i.e. you can have two
|
|
// solvers configured with the same Name() **so long as they do not co-exist
|
|
// within a single webhook deployment**.
|
|
// For example, `cloudflare` may be used as the name of a solver.
|
|
func (c *namecheapDNSProviderSolver) Name() string {
|
|
return "namecheap"
|
|
}
|
|
|
|
// Present is responsible for actually presenting the DNS record with the
|
|
// DNS provider.
|
|
// This method should tolerate being called multiple times with the same value.
|
|
// cert-manager itself will later perform a self check to ensure that the
|
|
// solver has correctly configured the DNS provider.
|
|
func (c *namecheapDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
|
|
cfg, err := loadConfig((*extapi.JSON)(ch.Config))
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
zone, domain, err := c.parseChallenge(ch)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if c.namecheapClient == nil {
|
|
if err := c.setNamecheapClient(ch, cfg); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
d, err := c.namecheapClient.GetDomain(zone)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
d.addChallengeRecord(domain, ch.Key)
|
|
|
|
if err := c.namecheapClient.SetDomain(*d); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// CleanUp should delete the relevant TXT record from the DNS provider console.
|
|
// If multiple TXT records exist with the same record name (e.g.
|
|
// _acme-challenge.example.com) then **only** the record with the same `key`
|
|
// value provided on the ChallengeRequest should be cleaned up.
|
|
// This is in order to facilitate multiple DNS validations for the same domain
|
|
// concurrently.
|
|
func (c *namecheapDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
|
|
cfg, err := loadConfig((*extapi.JSON)(ch.Config))
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
zone, domain, err := c.parseChallenge(ch)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if c.namecheapClient == nil {
|
|
if err := c.setNamecheapClient(ch, cfg); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
d, err := c.namecheapClient.GetDomain(zone)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
d.removeChallengeRecord(domain, ch.Key)
|
|
|
|
if err := c.namecheapClient.SetDomain(*d); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Initialize will be called when the webhook first starts.
|
|
// This method can be used to instantiate the webhook, i.e. initialising
|
|
// connections or warming up caches.
|
|
// Typically, the kubeClientConfig parameter is used to build a Kubernetes
|
|
// client that can be used to fetch resources from the Kubernetes API, e.g.
|
|
// Secret resources containing credentials used to authenticate with DNS
|
|
// provider accounts.
|
|
// The stopCh can be used to handle early termination of the webhook, in cases
|
|
// where a SIGTERM or similar signal is sent to the webhook process.
|
|
func (c *namecheapDNSProviderSolver) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error {
|
|
cl, err := kubernetes.NewForConfig(kubeClientConfig)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
c.k8sClient = cl
|
|
c.ctx = context.Background()
|
|
|
|
return nil
|
|
}
|
|
|
|
func (c *namecheapDNSProviderSolver) getSecret(ref *cmmeta.SecretKeySelector, namespace string) (*string, error) {
|
|
if ref.Name == "" {
|
|
return nil, fmt.Errorf(
|
|
"secret not found in '%s'",
|
|
namespace,
|
|
)
|
|
}
|
|
if ref.Key == "" {
|
|
return nil, fmt.Errorf(
|
|
"no 'key' set in secret '%s/%s'",
|
|
namespace,
|
|
ref.Name,
|
|
)
|
|
}
|
|
|
|
secret, err := c.k8sClient.CoreV1().Secrets(namespace).Get(
|
|
c.ctx, ref.Name, metav1.GetOptions{},
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
keyBytes, ok := secret.Data[ref.Key]
|
|
if !ok {
|
|
return nil, fmt.Errorf(
|
|
"no key '%s' in secret '%s/%s'",
|
|
ref.Key,
|
|
namespace,
|
|
ref.Name,
|
|
)
|
|
}
|
|
s := string(keyBytes)
|
|
return &s, nil
|
|
}
|
|
|
|
func (c *namecheapDNSProviderSolver) setNamecheapClient(ch *v1alpha1.ChallengeRequest, cfg namecheapDNSProviderConfig) error {
|
|
if cfg.APIKeySecretRef == nil {
|
|
return errors.New("Secret field 'apiKeySecretRef' could not be located. Check Spelling.")
|
|
}
|
|
apiKey, err := c.getSecret(cfg.APIKeySecretRef, ch.ResourceNamespace)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if cfg.APIUserSecretRef == nil {
|
|
return errors.New("Secret field 'apiUserSecretRef' could not be located. Check Spelling.")
|
|
}
|
|
apiUser, err := c.getSecret(cfg.APIUserSecretRef, ch.ResourceNamespace)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
opts := &namecheap.ClientOptions{
|
|
ApiKey: *apiKey,
|
|
ApiUser: *apiUser,
|
|
UseSandbox: cfg.UseSandbox,
|
|
}
|
|
|
|
// attempt to set the ClientIp dynamically if not set
|
|
// source: https://stackoverflow.com/a/37382208
|
|
if cfg.ClientIP == nil {
|
|
ip, err := getOutboundIP()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
opts.ClientIp = ip.String()
|
|
} else {
|
|
opts.ClientIp = *cfg.ClientIP
|
|
}
|
|
|
|
// default UserName to APIUser if not set
|
|
if cfg.UsernameSecretRef == nil {
|
|
opts.UserName = *apiUser
|
|
} else {
|
|
username, err := c.getSecret(cfg.UsernameSecretRef, ch.ResourceNamespace)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
opts.UserName = *username
|
|
}
|
|
|
|
c.namecheapClient = &namecheapClientImpl{
|
|
client: namecheap.NewClient(opts),
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Get the zone and domain we are setting from the challenge request
|
|
// source: https://github.com/ns1/cert-manager-webhook-ns1
|
|
func (c *namecheapDNSProviderSolver) parseChallenge(ch *v1alpha1.ChallengeRequest) (
|
|
zone string, domain string, err error,
|
|
) {
|
|
|
|
if zone, err = util.FindZoneByFqdn(
|
|
ch.ResolvedFQDN, util.RecursiveNameservers,
|
|
); err != nil {
|
|
return "", "", err
|
|
}
|
|
zone = util.UnFqdn(zone)
|
|
|
|
if idx := strings.Index(ch.ResolvedFQDN, "."+ch.ResolvedZone); idx != -1 {
|
|
domain = ch.ResolvedFQDN[:idx]
|
|
} else {
|
|
domain = util.UnFqdn(ch.ResolvedFQDN)
|
|
}
|
|
|
|
return zone, domain, nil
|
|
}
|
|
|
|
// Adds a record to a domain
|
|
func (d *Domain) addChallengeRecord(domain, key string) {
|
|
*d.Records = append(
|
|
*d.Records,
|
|
Record{
|
|
Name: &domain,
|
|
Type: namecheap.String(namecheap.RecordTypeTXT),
|
|
Address: namecheap.String(key),
|
|
TTL: namecheap.Int(60),
|
|
},
|
|
)
|
|
}
|
|
|
|
// Removes a record from a domain
|
|
func (d *Domain) removeChallengeRecord(domain, key string) {
|
|
for i, record := range *d.Records {
|
|
if *record.Name == domain &&
|
|
*record.Type == namecheap.RecordTypeTXT &&
|
|
*record.Address == key {
|
|
records := *d.Records
|
|
*d.Records = append(records[:i], records[i+1:]...)
|
|
return
|
|
}
|
|
}
|
|
}
|
|
|
|
func (c *namecheapClientImpl) SetDomain(domain Domain) error {
|
|
args := &namecheap.DomainsDNSSetHostsArgs{
|
|
Domain: domain.Name,
|
|
EmailType: domain.EmailType,
|
|
}
|
|
|
|
records := make([]namecheap.DomainsDNSHostRecord, len(*domain.Records))
|
|
for i, record := range *domain.Records {
|
|
records[i] = namecheap.DomainsDNSHostRecord{
|
|
HostName: record.Name,
|
|
RecordType: record.Type,
|
|
Address: record.Address,
|
|
TTL: record.TTL,
|
|
}
|
|
|
|
if record.MXPref != nil {
|
|
records[i].MXPref = namecheap.UInt8(uint8(*record.MXPref))
|
|
}
|
|
}
|
|
args.Records = &records
|
|
|
|
if _, err := c.client.DomainsDNS.SetHosts(args); err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (c *namecheapClientImpl) GetDomain(domain string) (*Domain, error) {
|
|
resp, err := c.client.DomainsDNS.GetHosts(domain)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
d := &Domain{
|
|
Name: resp.DomainDNSGetHostsResult.Domain,
|
|
EmailType: resp.DomainDNSGetHostsResult.EmailType,
|
|
}
|
|
records := make([]Record, len(*resp.DomainDNSGetHostsResult.Hosts))
|
|
for i, r := range *resp.DomainDNSGetHostsResult.Hosts {
|
|
records[i] = Record{
|
|
Name: r.Name,
|
|
Type: r.Type,
|
|
Address: r.Address,
|
|
MXPref: r.MXPref,
|
|
TTL: r.TTL,
|
|
}
|
|
}
|
|
d.Records = &records
|
|
|
|
return d, nil
|
|
}
|
|
|
|
// Get preferred outbound ip of this machine
|
|
func getOutboundIP() (*net.IP, error) {
|
|
conn, err := net.Dial("udp", "8.8.8.8:80")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer conn.Close()
|
|
|
|
localAddr := conn.LocalAddr().(*net.UDPAddr)
|
|
|
|
return &localAddr.IP, nil
|
|
}
|
|
|
|
// loadConfig is a small helper function that decodes JSON configuration into
|
|
// the typed config struct.
|
|
func loadConfig(cfgJSON *extapi.JSON) (namecheapDNSProviderConfig, error) {
|
|
cfg := namecheapDNSProviderConfig{}
|
|
// handle the 'base case' where no configuration has been provided
|
|
if cfgJSON == nil {
|
|
return cfg, nil
|
|
}
|
|
if err := json.Unmarshal(cfgJSON.Raw, &cfg); err != nil {
|
|
return cfg, fmt.Errorf("error decoding solver config: %v", err)
|
|
}
|
|
|
|
return cfg, nil
|
|
}
|