-
Notifications
You must be signed in to change notification settings - Fork 0
/
solver.go
158 lines (135 loc) · 5.29 KB
/
solver.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
package main
import (
cmacmev1alpha1 "github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
cmmetav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
"github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/util"
"go.uber.org/zap"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
)
// VultrProviderConfig is a structure that is used to decode into when
// solving a DNS01 challenge.
// This information is provided by cert-manager, and may be a reference to
// additional configuration that's needed to solve the challenge for this
// particular certificate or issuer.
// This typically includes references to Secret resources containing DNS
// provider credentials, in cases where a 'multi-tenant' DNS solver is being
// created.
type VultrProviderConfig struct {
APIKeySecretRef cmmetav1.SecretKeySelector `json:"apiKeySecretRef"`
}
// VultrSolver implements the provider-specific logic needed to
// 'present' an ACME challenge TXT record for your own DNS provider.
// To do so, it must implement the `github.com/cert-manager/cert-manager/pkg/acme/webhook.Solver`
// interface.
type VultrSolver struct {
logger *zap.Logger
client *kubernetes.Clientset
}
// Name is used as the name for this DNS solver when referencing it on the ACME
// Issuer resource.
// This should be unique **within the group name**, i.e. you can have two
// solvers configured with the same Name() **so long as they do not co-exist
// within a single webhook deployment**.
func (v *VultrSolver) Name() string {
return "vultr"
}
// Initialize will be called when the webhook first starts.
// This method can be used to instantiate the webhook, i.e. initializing
// connections or warming up caches.
// Typically, the kubeClientConfig parameter is used to build a Kubernetes
// client that can be used to fetch resources from the Kubernetes API, e.g.
// Secret resources containing credentials used to authenticate with DNS
// provider accounts.
// The stopCh can be used to handle early termination of the webhook, in cases
// where a SIGTERM or similar signal is sent to the webhook process.
func (v *VultrSolver) Initialize(kubeClientConfig *rest.Config, _ <-chan struct{}) error {
client, err := kubernetes.NewForConfig(kubeClientConfig)
if err != nil {
v.logger.Error(err.Error())
return err
}
v.client = client
return nil
}
// Present is responsible for actually presenting the DNS record with the
// DNS provider.
// This method should tolerate being called multiple times with the same value.
// cert-manager itself will later perform a self check to ensure that the
// solver has correctly configured the DNS provider.
func (v *VultrSolver) Present(req *cmacmev1alpha1.ChallengeRequest) error {
// Remove trailing . from ResolvedZone because the Vultr API
// doesn't like it.
zone := util.UnFqdn(req.ResolvedZone)
fqdn := util.UnFqdn(req.ResolvedFQDN)
// create a logger with standard fields
logger := v.logger.With(zap.Any("uid", req.UID), zap.String("zone", zone), zap.String("fqdn", fqdn), zap.String("key", req.Key))
client, err := vultrClient(v.client, req)
if err != nil {
logger.Error("error creating vultr client", zap.Error(err))
return err
}
// validate that the wanted zone exists before we
// even try to continue
err = client.zoneExists(zone)
if err != nil {
logger.Error("vultr zone error", zap.Error(err))
return err
}
// lookup the record, vultr will error if we try to create
// the same record with the same key. Return nil if one exists.
record, err := client.getTXTRecord(zone, fqdn, req.Key)
if err != nil {
logger.Error("error getting DNS records", zap.Error(err))
return err
}
if record != nil {
logger.Info("record exists")
return nil
}
logger.Info("creating TXT record")
err = client.createTXTRecord(zone, fqdn, req.Key)
if err != nil {
logger.Error("error creating record", zap.Error(err))
return err
}
// Return because we created the Record
return nil
}
// CleanUp should delete the relevant TXT record from the DNS provider console.
// If multiple TXT records exist with the same record name (e.g.
// _acme-challenge.example.com) then **only** the record with the same `key`
// value provided on the ChallengeRequest should be cleaned up.
// This is in order to facilitate multiple DNS validations for the same domain
// concurrently.
func (v *VultrSolver) CleanUp(req *cmacmev1alpha1.ChallengeRequest) error {
// Remove trailing . from ResolvedZone because the Vultr API
// doesn't like it.
zone := util.UnFqdn(req.ResolvedZone)
fqdn := util.UnFqdn(req.ResolvedFQDN)
// create a logger with standard fields
logger := v.logger.With(zap.Any("uid", req.UID), zap.String("zone", zone), zap.String("fqdn", fqdn))
client, err := vultrClient(v.client, req)
if err != nil {
logger.Error("error creating vultr client", zap.Error(err))
return err
}
// lookup the record, vultr will error if we try to create
// the same record with the same key. Return nil if one exists.
record, err := client.getTXTRecord(zone, fqdn, req.Key)
if err != nil {
logger.Error("error getting DNS records", zap.Error(err))
return err
}
if record == nil {
logger.Info("record doesn't exist")
return nil
}
err = client.deleteTXTRecord(zone, record)
if err != nil {
logger.Error("error deleting record", zap.Error(err))
return err
}
logger.Info("record deleted")
return nil
}