Skip to content
Snippets Groups Projects
Commit 5845236c authored by Thomas Schneider's avatar Thomas Schneider
Browse files

Initial import

parents
No related branches found
No related tags found
No related merge requests found
cert-manager-webhook-rwth
*.config
# If you prefer the allow list template instead of the deny list, see community template:
# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
#
# Binaries for programs and plugins
*.exe
*.exe~
*.dll
*.so
*.dylib
# Test binary, built with `go test -c`
*.test
# Output of the go coverage tool, specifically when used with LiteIDE
*.out
# Dependency directories (remove the comment below to include it)
# vendor/
# Go workspace file
go.work
go.mod 0 → 100644
module git.fsmpi.rwth-aachen.de/thomas/cert-manager-webhook-rwth
go 1.18
require (
git.fsmpi.rwth-aachen.de/thomas/go-rwthdns v0.1.0
github.com/cert-manager/cert-manager v1.8.1
k8s.io/apiextensions-apiserver v0.23.4
k8s.io/apimachinery v0.23.4
k8s.io/client-go v0.23.4
k8s.io/klog/v2 v2.30.0
)
require (
github.com/NYTimes/gziphandler v1.1.1 // indirect
github.com/PuerkitoBio/purell v1.1.1 // indirect
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver v3.5.1+incompatible // indirect
github.com/cespare/xxhash/v2 v2.1.2 // indirect
github.com/coreos/go-semver v0.3.0 // indirect
github.com/coreos/go-systemd/v22 v22.3.2 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/emicklei/go-restful v2.9.5+incompatible // indirect
github.com/evanphx/json-patch v4.12.0+incompatible // indirect
github.com/felixge/httpsnoop v1.0.1 // indirect
github.com/fsnotify/fsnotify v1.5.1 // indirect
github.com/go-logr/logr v1.2.0 // indirect
github.com/go-openapi/jsonpointer v0.19.5 // indirect
github.com/go-openapi/jsonreference v0.19.5 // indirect
github.com/go-openapi/swag v0.19.14 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.2 // indirect
github.com/google/go-cmp v0.5.6 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/uuid v1.3.0 // indirect
github.com/googleapis/gnostic v0.5.5 // indirect
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
github.com/imdario/mergo v0.3.12 // indirect
github.com/inconshreveable/mousetrap v1.0.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/mailru/easyjson v0.7.6 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/prometheus/client_golang v1.11.0 // indirect
github.com/prometheus/client_model v0.2.0 // indirect
github.com/prometheus/common v0.28.0 // indirect
github.com/prometheus/procfs v0.6.0 // indirect
github.com/spf13/cobra v1.3.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
go.etcd.io/etcd/api/v3 v3.5.1 // indirect
go.etcd.io/etcd/client/pkg/v3 v3.5.1 // indirect
go.etcd.io/etcd/client/v3 v3.5.0 // indirect
go.opentelemetry.io/contrib v0.20.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0 // indirect
go.opentelemetry.io/otel v0.20.0 // indirect
go.opentelemetry.io/otel/exporters/otlp v0.20.0 // indirect
go.opentelemetry.io/otel/metric v0.20.0 // indirect
go.opentelemetry.io/otel/sdk v0.20.0 // indirect
go.opentelemetry.io/otel/sdk/export/metric v0.20.0 // indirect
go.opentelemetry.io/otel/sdk/metric v0.20.0 // indirect
go.opentelemetry.io/otel/trace v0.20.0 // indirect
go.opentelemetry.io/proto/otlp v0.7.0 // indirect
go.uber.org/atomic v1.7.0 // indirect
go.uber.org/goleak v1.1.12 // indirect
go.uber.org/multierr v1.6.0 // indirect
go.uber.org/zap v1.19.1 // indirect
golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871 // indirect
golang.org/x/net v0.0.0-20220107192237-5cfca573fb4d // indirect
golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
golang.org/x/text v0.3.7 // indirect
golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20220118154757-00ab72f36ad5 // indirect
google.golang.org/grpc v1.43.0 // indirect
google.golang.org/protobuf v1.27.1 // indirect
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
k8s.io/api v0.23.4 // indirect
k8s.io/apiserver v0.23.4 // indirect
k8s.io/component-base v0.23.4 // indirect
k8s.io/kube-aggregator v0.23.4 // indirect
k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect
k8s.io/utils v0.0.0-20211116205334-6203023598ed // indirect
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.27 // indirect
sigs.k8s.io/gateway-api v0.4.1 // indirect
sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
sigs.k8s.io/yaml v1.3.0 // indirect
)
go.sum 0 → 100644
This diff is collapsed.
main.go 0 → 100644
package main
import (
"context"
"encoding/json"
"fmt"
"net/http"
"git.fsmpi.rwth-aachen.de/thomas/go-rwthdns"
whapi "github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
"github.com/cert-manager/cert-manager/pkg/acme/webhook/cmd"
cmmetav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
restclient "k8s.io/client-go/rest"
extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
"k8s.io/klog/v2"
)
type solver struct {
client *kubernetes.Clientset
}
func (s *solver) Name() string {
return "rwth"
}
func (s *solver) Present(ch *whapi.ChallengeRequest) error {
client, err := s.newClientFromChallenge(ch)
if err != nil {
return err
}
txt := fmt.Sprintf(`%s IN TXT "%s"`, ch.ResolvedFQDN, ch.Key)
record, err := client.CreateRecord(txt)
klog.V(2).Infof("record %+v", record)
if err != nil {
klog.Error(err)
return err
}
zone, err := client.DeployZone(record.ZoneId)
klog.V(2).Infof("deployed zone %+v", zone)
if err != nil {
klog.Error(err)
}
return err
}
func (s *solver) CleanUp(ch *whapi.ChallengeRequest) error {
client, err := s.newClientFromChallenge(ch)
if err != nil {
return err
}
records, err := client.ListRecords(nil, &ch.ResolvedFQDN)
if err != nil {
return fmt.Errorf("list records: %w", err)
}
var lastErr error
var zones map[int]interface{}
for _, r := range records {
if r.Type != "txt_record" {
continue
}
zones[r.ZoneId] = nil
_, err = client.DestroyRecord(r.Id)
if err != nil {
klog.Error(err)
lastErr = fmt.Errorf("destroy record: %w", err)
}
klog.V(2).Infof("deleted record %+v", r)
}
if lastErr != nil {
return lastErr
}
for zid := range zones {
zone, err := client.DeployZone(zid)
klog.V(2).Infof("deployed zone %+v", zone)
if err != nil {
klog.Error(err)
lastErr = fmt.Errorf("deploy zone: %w", err)
}
}
return lastErr
}
func (s *solver) Initialize(kubeClientConfig *restclient.Config, stopCh <-chan struct{}) error {
cl, err := kubernetes.NewForConfig(kubeClientConfig)
if err != nil {
return err
}
s.client = cl
return nil
}
func (s *solver) getCredentials(keyref cmmetav1.SecretKeySelector, ns string) (string, error) {
secret, err := s.client.CoreV1().Secrets(ns).Get(context.Background(), keyref.Name,
metav1.GetOptions{})
if err != nil {
return "", fmt.Errorf("failed to load secret %q: %w", ns+"/"+keyref.Name, err)
}
if apikey, ok := secret.Data[keyref.Name]; ok {
return string(apikey), nil
} else {
return "", fmt.Errorf("no key %q in secret %q", keyref, ns+"/"+keyref.Name)
}
}
func (s *solver) newClientFromChallenge(ch *whapi.ChallengeRequest) (*rwthdns.Client, error) {
cfgJSON := extapi.JSON(*ch.Config)
cfg, err := loadConfig(&cfgJSON)
if err != nil {
return nil, err
}
klog.V(5).Infof("decoded config: %v", cfg)
apikey, err := s.getCredentials(cfg.APIKeySecretKeyRef, ch.ResourceNamespace)
if err != nil {
return nil, fmt.Errorf("getting credentials: %w", err)
}
client := rwthdns.Client{ApiToken: apikey, Client: http.DefaultClient}
return &client, nil
}
type config struct {
APIKeySecretKeyRef cmmetav1.SecretKeySelector `json:"apiKeySecretKeyRef"`
}
func loadConfig(cfgJSON *extapi.JSON) (config, error) {
cfg := config{}
if cfgJSON == nil {
return cfg, nil
}
err := json.Unmarshal(cfgJSON.Raw, &cfg)
if err != nil {
err = fmt.Errorf("loadConfig: %w", err)
}
return cfg, err
}
func main() {
cmd.RunWebhookServer("cert-manager-webhook-rwth.thomas.fsmpi.eu", &solver{})
}
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment