diff --git a/Dockerfile b/Dockerfile
index f62ef2a..dd6c942 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -26,7 +26,7 @@ FROM alpine:3.18
 RUN apk add --no-cache ca-certificates
-RUN apk add --no-cache bash bind-tools coreutils krb5
+RUN apk add --no-cache bash bind-tools coreutils krb5 tcpdump
 COPY ./config/bash.sh /root/.bashrc
 #COPY ./config/krb5.conf /etc
 RUN chown -R root:root /root/.bashrc && \
diff --git a/Makefile b/Makefile
index 289381a..dd6d12b 100644
--- a/Makefile
+++ b/Makefile
@@ -51,6 +51,7 @@ clean:
 build: rendered-manifest.yaml dependencies bin/buildversion.exe version.txt
 docker build --pull --rm -f "Dockerfile" -t "stuurmcp/$(IMAGE_NAME):latest" -t "stuurmcp/$(IMAGE_NAME):$(shell head -n 1 version.txt)" "."
 docker image push "docker.io/stuurmcp/$(IMAGE_NAME):$(shell head -n 1 version.txt)"
+ docker image push "docker.io/stuurmcp/$(IMAGE_NAME):latest"
 helm package deploy/sthome-webhook -d //truenas/Shared_data/Chris/clusterissuer/charts/
 .PHONY: rendered-manifest.yaml
@@ -58,7 +59,7 @@ rendered-manifest.yaml: $(OUT)/rendered-manifest.yaml
 $(OUT)/rendered-manifest.yaml: $(HELM_FILES) | $(OUT)
 helm template \
- sthome-webhook -n sthome-webhook2\
+ sthome-webhook -n ix-cert-manager\
 --set image.repository=$(IMAGE_NAME) \
 --set image.tag=$(shell head -n 1 version.txt) \
 deploy/sthome-webhook > $@
diff --git a/deploy/sthome-webhook/Chart.yaml b/deploy/sthome-webhook/Chart.yaml
index 06ffda0..1ebd2b4 100644
--- a/deploy/sthome-webhook/Chart.yaml
+++ b/deploy/sthome-webhook/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: v0.0.5-alpha.12
+appVersion: v0.0.5-alpha.21
 description: Cert-Manager webhook for sthome
 name: sthome-webhook
-version: 0.0.5-alpha.12
+version: 0.0.5-alpha.21
diff --git a/deploy/sthome-webhook/templates/deployment.yaml b/deploy/sthome-webhook/templates/deployment.yaml
index 1da4b7f..e70d247 100644
--- a/deploy/sthome-webhook/templates/deployment.yaml
+++ b/deploy/sthome-webhook/templates/deployment.yaml
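Review bot: `tcpdump` is installed into the final runtime stage (`FROM alpine:3.18`), so a packet-capture tool ships inside the container that serves cert-manager challenges; without `NET_RAW`/`NET_ADMIN` it cannot even capture, and in production it only widens the attack surface and adds image-scanner findings. Keep the release image at `RUN apk add --no-cache bash bind-tools coreutils krb5` and put debugging tools in a separate build target or use an ephemeral `kubectl debug` container when a capture is needed. If it has to stay, a comment on the line naming the debugging purpose and the intended removal would help the next maintainer.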
@@ -5,9 +5,6 @@ metadata:
 namespace: {{ .Release.Namespace | quote }}
 labels:
 app: {{ include "sthome-webhook.name" . }}
- app.kubernetes.io/component: webhook
- app.kubernetes.io/name: webhook
- app.kubernetes.io/version: {{ .Chart.AppVersion }}
 chart: {{ include "sthome-webhook.chart" . }}
 release: {{ .Release.Name }}
 heritage: {{ .Release.Service }}
@@ -33,12 +30,13 @@ spec:
 args:
 - --tls-cert-file=/tls/tls.crt
 - --tls-private-key-file=/tls/tls.key
+ - --secure-port=8443
 env:
 - name: GROUP_NAME
 value: {{ .Values.groupName | quote }}
 ports:
 - name: https
- containerPort: 443
+ containerPort: 8443
 protocol: TCP
 livenessProbe:
 httpGet:
diff --git a/deploy/sthome-webhook/templates/rbac.yaml b/deploy/sthome-webhook/templates/rbac.yaml
index f7e17cb..26d1e33 100644
--- a/deploy/sthome-webhook/templates/rbac.yaml
+++ b/deploy/sthome-webhook/templates/rbac.yaml
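Review bot: The second hunk moves the listener to 8443 (`- --secure-port=8443`, `containerPort: 8443`) but nothing in this diff touches the chart's Service or the `livenessProbe`/`readinessProbe` that begin right after the hunk; if `service.yaml` uses `targetPort: 443` or the probes use a numeric port, traffic and health checks break on upgrade. Verify they reference the named port `https` (then no change is needed) and render with `helm template` before tagging the release. Moving off the privileged port is a good step towards running the container as non-root, which is worth recording in values.yaml. The first hunk drops the recommended `app.kubernetes.io/*` labels from the Deployment metadata; that cannot break the pod selector, but anything keyed on those labels (dashboards, network policies) would lose the object, so a one-line reason in the commit would help.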
@@ -9,46 +9,6 @@ metadata:
 release: {{ .Release.Name }}
 heritage: {{ .Release.Service }}
 ---
-# Grant the webhook permission to read the secrets containing the credentials
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ include "sthome-webhook.name" . }}
- chart: {{ include "sthome-webhook.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-rules:
- - apiGroups:
- - ''
- resources:
- - 'secrets'
- verbs:
- - 'get'
----
-# Grant the webhook permission to read the secrets containing the credentials
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ include "sthome-webhook.name" . }}
- chart: {{ include "sthome-webhook.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
-subjects:
- - apiGroup: ""
- kind: ServiceAccount
- name: {{ include "sthome-webhook.fullname" . }}
- namespace: {{ .Release.Namespace }}
----
 # Grant the webhook permission to read the ConfigMap containing the Kubernetes
 # apiserver's requestheader-ca-certificate.
 # This ConfigMap is automatically created by the Kubernetes apiserver.
@@ -130,6 +90,113 @@ subjects:
 name: {{ .Values.certManager.serviceAccountName }}
 namespace: {{ .Values.certManager.namespace }}
 ---
+# added 2024/04/07
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "sthome-webhook.fullname" . }}:secret-reader
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - "secrets"
+ verbs:
+ - "get"
+ - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "sthome-webhook.fullname" . }}:secret-reader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "sthome-webhook.fullname" . }}:secret-reader
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "sthome-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "sthome-webhook.fullname" . }}:flowcontrol-solver
+ labels:
+ app: {{ include "sthome-webhook.name" . }}
+ chart: {{ include "sthome-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - "flowcontrol.apiserver.k8s.io"
+ resources:
+ - 'prioritylevelconfigurations'
+ - 'flowschemas'
+ verbs:
+ - 'list'
+ - 'watch'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "sthome-webhook.fullname" . }}:flowcontrol-solver
+ labels:
+ app: {{ include "sthome-webhook.name" . }}
+ chart: {{ include "sthome-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "sthome-webhook.fullname" . }}:flowcontrol-solver
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "sthome-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+# end of added 2024/04/07
+---
+# Grant the webhook permission to read the secrets containing the credentials
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ include "sthome-webhook.name" . }}
+ chart: {{ include "sthome-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - 'secrets'
+ verbs:
+ - 'get'
+---
+# Grant the webhook permission to read the secrets containing the credentials
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ include "sthome-webhook.name" . }}
+ chart: {{ include "sthome-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "sthome-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+---
 # Grant cert-manager permission to read secrets from cert-manager ns (i.e. to read the api key for sthome)
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/deploy/sthome-webhook/values.yaml b/deploy/sthome-webhook/values.yaml
index bf86756..44539d7 100644
--- a/deploy/sthome-webhook/values.yaml
+++ b/deploy/sthome-webhook/values.yaml
@@ -31,7 +31,7 @@ clusterIssuer:
 image:
 repository: stuurmcp/cert-manager-webhook-sthome
 #repository: wstat.sthome.net:5000/cert-manager-webhook-sthome
- tag: 0.0.5-alpha.12
+ tag: 0.0.5-alpha.21
 #pullPolicy should be IfNotPresent. Set to Always for testing purposes
 pullPolicy: IfNotPresent
diff --git a/pkg/dns/shell.go b/pkg/dns/shell.go
index 6d9b3a1..c93c6ff 100644
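Review bot: The new `secret-reader` ClusterRole/ClusterRoleBinding gives the webhook ServiceAccount `get` and `watch` on every Secret in the cluster, while the namespaced `secrets-reader` Role re-added in the same hunk already covers the release namespace; a compromised webhook pod would then be able to read all cluster credentials, which is far beyond the one API-key secret it needs. If the key lives in another namespace, follow the pattern of the `Grant cert-manager permission to read secrets from cert-manager ns` Role that follows the hunk and bind a namespaced Role there, or at minimum pin the ClusterRole with `resourceNames` to the single secret. The `flowcontrol-solver` ClusterRole (`list`/`watch` on `prioritylevelconfigurations` and `flowschemas`) is the standard cert-manager webhook requirement and looks right. Minor: the two `secret-reader` objects carry none of the chart labels every sibling object has, the flowcontrol binding uses `namespace: {{ .Release.Namespace | quote }}` where the rest of the file uses the unquoted form, and the `# added 2024/04/07` / `# end of added 2024/04/07` markers belong in the commit message rather than the template.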
--- a/pkg/dns/shell.go
+++ b/pkg/dns/shell.go
@@ -13,12 +13,15 @@ func Execute(shell string, arg ...string) (bool, error) {
 cmd.Stdout = &outb
 cmd.Stderr = &errb
 err := cmd.Run()
+ klog.Infof("out:\n%s\n", outb.String())
 if err != nil {
- klog.Errorf("Script returned error: %s\nout:\n%serr:\n%s============\n", err, outb.String(), errb.String())
+ klog.Errorf("Script returned error:\nerr:\n")
+ klog.Errorf("%s\n============\n", err)
 return false, err
 }
- klog.Infof("script stdout:\n%s\n", outb.String())
- klog.Infof("script stderr:\n%s\n", errb.String())
+ if errb.String() != "" {
+ klog.Errorf("stderr:\n%s============\n", errb.String())
+ }
 klog.Infof("Script returned success\n")
 return true, nil
 }
diff --git a/pkg/dns/solver_local.go b/pkg/dns/solver_local.go
index 27ad21d..59925ac 100644
--- a/pkg/dns/solver_local.go
+++ b/pkg/dns/solver_local.go
@@ -2,7 +2,6 @@ package dns
 import (
 "fmt"
- "strings"
 "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/rest"
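Review bot: On the failure path the script's stderr is no longer logged: the two new `klog.Errorf` calls print only the Go error (the `err:` label suggests stderr was meant) and `return false, err` runs before the new `if errb.String() != ""` block, so the reason a DNS update script failed is lost from the logs. Fold it back into one call, `klog.Errorf("Script returned error: %v\nstderr:\n%s============\n", err, errb.String())`, and drop the argument-less `klog.Errorf("Script returned error:\nerr:\n")`. Logging stdout at Info level before the error check is fine, but note it now prints on both outcomes, so it should not contain anything the script treats as sensitive. Execute's signature and the `cmd` setup start before the hunk.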
@@ -36,46 +35,47 @@ func (p *LocalDNSProviderSolver) Name() string {
 // solver has correctly configured the DNS provider.
 func (loc *LocalDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
 //domainName := extractDomainName(ch.ResolvedZone)
- cfg, err := LoadConfig(ch.Config)
+ _, err := LoadConfig(ch.Config)
 if err != nil {
 return err
 }
 /*
- provider, cfg, err := loc.init(ch.Config, ch.ResourceNamespace)
- if err != nil {
- return fmt.Errorf("failed initializing sthome provider: %v", err)
- }
- if !cfg.IsAllowedZone(ch.ResolvedZone) {
- return fmt.Errorf("zone %s may not be edited per config (allowed zones are %v)", ch.ResolvedZone, cfg.AllowedZones)
- }
- ctx := context.Background()
- records, err := loc.getExistingRecords(ctx, provider, ch.ResolvedZone, ch.ResolvedFQDN)
- if err != nil {
- return fmt.Errorf("failed loading existing records for %s in domain %s: %v", ch.ResolvedFQDN, ch.ResolvedZone, err)
- }
+ provider, cfg, err := loc.init(ch.Config, ch.ResourceNamespace)
+ if err != nil {
+ return fmt.Errorf("failed initializing sthome provider: %v", err)
+ }
+ if !cfg.IsAllowedZone(ch.ResolvedZone) {
+ return fmt.Errorf("zone %s may not be edited per config (allowed zones are %v)", ch.ResolvedZone, cfg.AllowedZones)
+ }
+ ctx := context.Background()
+ records, err := loc.getExistingRecords(ctx, provider, ch.ResolvedZone, ch.ResolvedFQDN)
+ if err != nil {
+ return fmt.Errorf("failed loading existing records for %s in domain %s: %v", ch.ResolvedFQDN, ch.ResolvedZone, err)
+ }
- // Add the record, only if it doesn't exist already
- content := quote(ch.Key)
- if _, ok := findRecord(records, content); !ok {
- disabled := false
- records = append(records, sthome.Record{Disabled: &disabled, Content: &content})
- }
+ // Add the record, only if it doesn't exist already
+ content := quote(ch.Key)
+ if _, ok := findRecord(records, content); !ok {
+ disabled := false
+ records = append(records, sthome.Record{Disabled: &disabled, Content: &content})
+ }
+
+ // TODO: do something more useful with the decoded configuration
+ klog.Infof("CZ: Presenting record for %s, type: %s, uid: %s, key: %s, ns: %s, fqdn: %s, zone: %s, allowambcred: %t, cfg.secret: %s, cfg.email: %s, cfg.allowz: %s",
+ ch.DNSName,
+ ch.UID,
+ ch.Type,
+ ch.Key,
+ ch.ResourceNamespace,
+ ch.ResolvedFQDN,
+ ch.ResolvedZone,
+ ch.AllowAmbientCredentials,
+ cfg.APIKeySecretRef.Name,
+ cfg.Email,
+ strings.Join(cfg.AllowedZones, ","),
+ )
 */
- // TODO: do something more useful with the decoded configuration
- klog.Infof("CZ: Presenting record for %s, type: %s, uid: %s, key: %s, ns: %s, fqdn: %s, zone: %s, allowambcred: %t, cfg.secret: %s, cfg.email: %s, cfg.allowz: %s",
- ch.DNSName,
- ch.UID,
- ch.Type,
- ch.Key,
- ch.ResourceNamespace,
- ch.ResolvedFQDN,
- ch.ResolvedZone,
- ch.AllowAmbientCredentials,
- cfg.APIKeySecretRef.Name,
- cfg.Email,
- strings.Join(cfg.AllowedZones, ","),
- )
 // TODO: convert shell script to golang
 //localip := GetOutboundIP(Dnsserver_net)
 success, _ := Execute(
@@ -87,7 +87,7 @@ func (loc *LocalDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error
 ch.Key,
 "-l",
 "\"\"", //localip,
- "-v",
+ //"-v",
 )
 klog.Infof("Execute set TXT returned success: %t\n", success)
 return nil
@@ -101,7 +101,6 @@ func (loc *LocalDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error
 // concurrently.
 func (loc *LocalDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
 //domainName := extractDomainName(ch.ResolvedZone)
- // TODO: add code that deletes a record from the DNS provider's console
 //localip := GetOutboundIP(Dnsserver_net)
 success, _ := Execute(
 Shell,
@@ -112,7 +111,7 @@ func (loc *LocalDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error
 ch.Key,
 "-l",
 "\"\"", //localip,
- "-v",
+ //"-v",
 )
 klog.Infof("Execute unset TXT returned success: %t\n", success)
 return nil
diff --git a/version.txt b/version.txt
index 85a57ab..3a80594 100644
--- a/version.txt
+++ b/version.txt
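Review bot: `_, err := LoadConfig(ch.Config)` parses the issuer config and then discards it, and the `cfg.IsAllowedZone(ch.ResolvedZone)` guard now lives entirely inside the `/* */` block, so every zone named in a ChallengeRequest is handed to the shell script unchecked; until the Go port lands, keep `cfg` and apply the allow-list before `Execute`, e.g. `if !cfg.IsAllowedZone(ch.ResolvedZone) { return fmt.Errorf("zone %s may not be edited per config (allowed zones are %v)", ch.ResolvedZone, cfg.AllowedZones) }`. The context lines `success, _ := Execute(` here and `return nil` in the `@@ -87` and `@@ -112` hunks show that a failed script still reports success to cert-manager for both Present and CleanUp, leaving it to wait on a TXT record that was never written; returning the error from Execute (or one when `!success`) lets cert-manager retry instead. Commenting out `-v` in those two hunks is only safe once shell.go keeps logging stderr on failure. Present's body ends outside this hunk.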
@@ -1,3 +1,3 @@
-0.0.5-alpha.12
-20240406-2016
-12
\ No newline at end of file
+0.0.5-alpha.21
+20240408-1455
+21
\ No newline at end of file