Changed port to 8443, added more rbac items. Removed some labels in deployment template.
This commit is contained in:
parent
24853d497a
commit
078ea5c3c0
@ -26,7 +26,7 @@ FROM alpine:3.18
|
||||
|
||||
RUN apk add --no-cache ca-certificates
|
||||
|
||||
RUN apk add --no-cache bash bind-tools coreutils krb5
|
||||
RUN apk add --no-cache bash bind-tools coreutils krb5 tcpdump
|
||||
COPY ./config/bash.sh /root/.bashrc
|
||||
#COPY ./config/krb5.conf /etc
|
||||
RUN chown -R root:root /root/.bashrc && \
|
||||
|
||||
3
Makefile
3
Makefile
@ -51,6 +51,7 @@ clean:
|
||||
build: rendered-manifest.yaml dependencies bin/buildversion.exe version.txt
|
||||
docker build --pull --rm -f "Dockerfile" -t "stuurmcp/$(IMAGE_NAME):latest" -t "stuurmcp/$(IMAGE_NAME):$(shell head -n 1 version.txt)" "."
|
||||
docker image push "docker.io/stuurmcp/$(IMAGE_NAME):$(shell head -n 1 version.txt)"
|
||||
docker image push "docker.io/stuurmcp/$(IMAGE_NAME):latest"
|
||||
helm package deploy/sthome-webhook -d //truenas/Shared_data/Chris/clusterissuer/charts/
|
||||
|
||||
.PHONY: rendered-manifest.yaml
|
||||
@ -58,7 +59,7 @@ rendered-manifest.yaml: $(OUT)/rendered-manifest.yaml
|
||||
|
||||
$(OUT)/rendered-manifest.yaml: $(HELM_FILES) | $(OUT)
|
||||
helm template \
|
||||
sthome-webhook -n sthome-webhook2\
|
||||
sthome-webhook -n ix-cert-manager\
|
||||
--set image.repository=$(IMAGE_NAME) \
|
||||
--set image.tag=$(shell head -n 1 version.txt) \
|
||||
deploy/sthome-webhook > $@
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
apiVersion: v1
|
||||
appVersion: v0.0.5-alpha.12
|
||||
appVersion: v0.0.5-alpha.21
|
||||
description: Cert-Manager webhook for sthome
|
||||
name: sthome-webhook
|
||||
version: 0.0.5-alpha.12
|
||||
version: 0.0.5-alpha.21
|
||||
|
||||
@ -5,9 +5,6 @@ metadata:
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
app: {{ include "sthome-webhook.name" . }}
|
||||
app.kubernetes.io/component: webhook
|
||||
app.kubernetes.io/name: webhook
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion }}
|
||||
chart: {{ include "sthome-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
@ -33,12 +30,13 @@ spec:
|
||||
args:
|
||||
- --tls-cert-file=/tls/tls.crt
|
||||
- --tls-private-key-file=/tls/tls.key
|
||||
- --secure-port=8443
|
||||
env:
|
||||
- name: GROUP_NAME
|
||||
value: {{ .Values.groupName | quote }}
|
||||
ports:
|
||||
- name: https
|
||||
containerPort: 443
|
||||
containerPort: 8443
|
||||
protocol: TCP
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
|
||||
@ -9,46 +9,6 @@ metadata:
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
---
|
||||
# Grant the webhook permission to read the secrets containing the credentials
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ include "sthome-webhook.name" . }}
|
||||
chart: {{ include "sthome-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ''
|
||||
resources:
|
||||
- 'secrets'
|
||||
verbs:
|
||||
- 'get'
|
||||
---
|
||||
# Grant the webhook permission to read the secrets containing the credentials
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ include "sthome-webhook.name" . }}
|
||||
chart: {{ include "sthome-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: {{ include "sthome-webhook.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
---
|
||||
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
|
||||
# apiserver's requestheader-ca-certificate.
|
||||
# This ConfigMap is automatically created by the Kubernetes apiserver.
|
||||
@ -130,6 +90,113 @@ subjects:
|
||||
name: {{ .Values.certManager.serviceAccountName }}
|
||||
namespace: {{ .Values.certManager.namespace }}
|
||||
---
|
||||
# added 2024/04/07
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ include "sthome-webhook.fullname" . }}:secret-reader
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- "secrets"
|
||||
verbs:
|
||||
- "get"
|
||||
- "watch"
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ include "sthome-webhook.fullname" . }}:secret-reader
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ include "sthome-webhook.fullname" . }}:secret-reader
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: {{ include "sthome-webhook.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ include "sthome-webhook.fullname" . }}:flowcontrol-solver
|
||||
labels:
|
||||
app: {{ include "sthome-webhook.name" . }}
|
||||
chart: {{ include "sthome-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "flowcontrol.apiserver.k8s.io"
|
||||
resources:
|
||||
- 'prioritylevelconfigurations'
|
||||
- 'flowschemas'
|
||||
verbs:
|
||||
- 'list'
|
||||
- 'watch'
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ include "sthome-webhook.fullname" . }}:flowcontrol-solver
|
||||
labels:
|
||||
app: {{ include "sthome-webhook.name" . }}
|
||||
chart: {{ include "sthome-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ include "sthome-webhook.fullname" . }}:flowcontrol-solver
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: {{ include "sthome-webhook.fullname" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
# end of added 2024/04/07
|
||||
---
|
||||
# Grant the webhook permission to read the secrets containing the credentials
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ include "sthome-webhook.name" . }}
|
||||
chart: {{ include "sthome-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ''
|
||||
resources:
|
||||
- 'secrets'
|
||||
verbs:
|
||||
- 'get'
|
||||
---
|
||||
# Grant the webhook permission to read the secrets containing the credentials
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ include "sthome-webhook.name" . }}
|
||||
chart: {{ include "sthome-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: {{ include "sthome-webhook.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
---
|
||||
# Grant cert-manager permission to read secrets from cert-manager ns (i.e. to read the api key for sthome)
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
|
||||
@ -31,7 +31,7 @@ clusterIssuer:
|
||||
image:
|
||||
repository: stuurmcp/cert-manager-webhook-sthome
|
||||
#repository: wstat.sthome.net:5000/cert-manager-webhook-sthome
|
||||
tag: 0.0.5-alpha.12
|
||||
tag: 0.0.5-alpha.21
|
||||
#pullPolicy should be IfNotPresent. Set to Always for testing purposes
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
|
||||
@ -13,12 +13,15 @@ func Execute(shell string, arg ...string) (bool, error) {
|
||||
cmd.Stdout = &outb
|
||||
cmd.Stderr = &errb
|
||||
err := cmd.Run()
|
||||
klog.Infof("out:\n%s\n", outb.String())
|
||||
if err != nil {
|
||||
klog.Errorf("Script returned error: %s\nout:\n%serr:\n%s============\n", err, outb.String(), errb.String())
|
||||
klog.Errorf("Script returned error:\nerr:\n")
|
||||
klog.Errorf("%s\n============\n", err)
|
||||
return false, err
|
||||
}
|
||||
klog.Infof("script stdout:\n%s\n", outb.String())
|
||||
klog.Infof("script stderr:\n%s\n", errb.String())
|
||||
if errb.String() != "" {
|
||||
klog.Errorf("stderr:\n%s============\n", errb.String())
|
||||
}
|
||||
klog.Infof("Script returned success\n")
|
||||
return true, nil
|
||||
}
|
||||
|
||||
@ -2,7 +2,6 @@ package dns
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"k8s.io/client-go/kubernetes"
|
||||
"k8s.io/client-go/rest"
|
||||
@ -36,46 +35,47 @@ func (p *LocalDNSProviderSolver) Name() string {
|
||||
// solver has correctly configured the DNS provider.
|
||||
func (loc *LocalDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
|
||||
//domainName := extractDomainName(ch.ResolvedZone)
|
||||
cfg, err := LoadConfig(ch.Config)
|
||||
_, err := LoadConfig(ch.Config)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
/*
|
||||
provider, cfg, err := loc.init(ch.Config, ch.ResourceNamespace)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed initializing sthome provider: %v", err)
|
||||
}
|
||||
if !cfg.IsAllowedZone(ch.ResolvedZone) {
|
||||
return fmt.Errorf("zone %s may not be edited per config (allowed zones are %v)", ch.ResolvedZone, cfg.AllowedZones)
|
||||
}
|
||||
ctx := context.Background()
|
||||
records, err := loc.getExistingRecords(ctx, provider, ch.ResolvedZone, ch.ResolvedFQDN)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed loading existing records for %s in domain %s: %v", ch.ResolvedFQDN, ch.ResolvedZone, err)
|
||||
}
|
||||
provider, cfg, err := loc.init(ch.Config, ch.ResourceNamespace)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed initializing sthome provider: %v", err)
|
||||
}
|
||||
if !cfg.IsAllowedZone(ch.ResolvedZone) {
|
||||
return fmt.Errorf("zone %s may not be edited per config (allowed zones are %v)", ch.ResolvedZone, cfg.AllowedZones)
|
||||
}
|
||||
ctx := context.Background()
|
||||
records, err := loc.getExistingRecords(ctx, provider, ch.ResolvedZone, ch.ResolvedFQDN)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed loading existing records for %s in domain %s: %v", ch.ResolvedFQDN, ch.ResolvedZone, err)
|
||||
}
|
||||
|
||||
// Add the record, only if it doesn't exist already
|
||||
content := quote(ch.Key)
|
||||
if _, ok := findRecord(records, content); !ok {
|
||||
disabled := false
|
||||
records = append(records, sthome.Record{Disabled: &disabled, Content: &content})
|
||||
}
|
||||
// Add the record, only if it doesn't exist already
|
||||
content := quote(ch.Key)
|
||||
if _, ok := findRecord(records, content); !ok {
|
||||
disabled := false
|
||||
records = append(records, sthome.Record{Disabled: &disabled, Content: &content})
|
||||
}
|
||||
|
||||
// TODO: do something more useful with the decoded configuration
|
||||
klog.Infof("CZ: Presenting record for %s, type: %s, uid: %s, key: %s, ns: %s, fqdn: %s, zone: %s, allowambcred: %t, cfg.secret: %s, cfg.email: %s, cfg.allowz: %s",
|
||||
ch.DNSName,
|
||||
ch.UID,
|
||||
ch.Type,
|
||||
ch.Key,
|
||||
ch.ResourceNamespace,
|
||||
ch.ResolvedFQDN,
|
||||
ch.ResolvedZone,
|
||||
ch.AllowAmbientCredentials,
|
||||
cfg.APIKeySecretRef.Name,
|
||||
cfg.Email,
|
||||
strings.Join(cfg.AllowedZones, ","),
|
||||
)
|
||||
*/
|
||||
// TODO: do something more useful with the decoded configuration
|
||||
klog.Infof("CZ: Presenting record for %s, type: %s, uid: %s, key: %s, ns: %s, fqdn: %s, zone: %s, allowambcred: %t, cfg.secret: %s, cfg.email: %s, cfg.allowz: %s",
|
||||
ch.DNSName,
|
||||
ch.UID,
|
||||
ch.Type,
|
||||
ch.Key,
|
||||
ch.ResourceNamespace,
|
||||
ch.ResolvedFQDN,
|
||||
ch.ResolvedZone,
|
||||
ch.AllowAmbientCredentials,
|
||||
cfg.APIKeySecretRef.Name,
|
||||
cfg.Email,
|
||||
strings.Join(cfg.AllowedZones, ","),
|
||||
)
|
||||
// TODO: convert shell script to golang
|
||||
//localip := GetOutboundIP(Dnsserver_net)
|
||||
success, _ := Execute(
|
||||
@ -87,7 +87,7 @@ func (loc *LocalDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error
|
||||
ch.Key,
|
||||
"-l",
|
||||
"\"\"", //localip,
|
||||
"-v",
|
||||
//"-v",
|
||||
)
|
||||
klog.Infof("Execute set TXT returned success: %t\n", success)
|
||||
return nil
|
||||
@ -101,7 +101,6 @@ func (loc *LocalDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error
|
||||
// concurrently.
|
||||
func (loc *LocalDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
|
||||
//domainName := extractDomainName(ch.ResolvedZone)
|
||||
// TODO: add code that deletes a record from the DNS provider's console
|
||||
//localip := GetOutboundIP(Dnsserver_net)
|
||||
success, _ := Execute(
|
||||
Shell,
|
||||
@ -112,7 +111,7 @@ func (loc *LocalDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error
|
||||
ch.Key,
|
||||
"-l",
|
||||
"\"\"", //localip,
|
||||
"-v",
|
||||
//"-v",
|
||||
)
|
||||
klog.Infof("Execute unset TXT returned success: %t\n", success)
|
||||
return nil
|
||||
|
||||
@ -1,3 +1,3 @@
|
||||
0.0.5-alpha.12
|
||||
20240406-2016
|
||||
12
|
||||
0.0.5-alpha.21
|
||||
20240408-1455
|
||||
21
|
||||
Loading…
Reference in New Issue
Block a user