Changed port to 8443, added more rbac items. Removed some labels in deployment template.
This commit is contained in:
parent
24853d497a
commit
078ea5c3c0
@ -26,7 +26,7 @@ FROM alpine:3.18
|
|||||||
|
|
||||||
RUN apk add --no-cache ca-certificates
|
RUN apk add --no-cache ca-certificates
|
||||||
|
|
||||||
RUN apk add --no-cache bash bind-tools coreutils krb5
|
RUN apk add --no-cache bash bind-tools coreutils krb5 tcpdump
|
||||||
COPY ./config/bash.sh /root/.bashrc
|
COPY ./config/bash.sh /root/.bashrc
|
||||||
#COPY ./config/krb5.conf /etc
|
#COPY ./config/krb5.conf /etc
|
||||||
RUN chown -R root:root /root/.bashrc && \
|
RUN chown -R root:root /root/.bashrc && \
|
||||||
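Review bot: Adding `tcpdump` to the shipped image on the `RUN apk add --no-cache bash bind-tools coreutils krb5 tcpdump` line puts a packet-capture tool into a container that mounts the webhook's TLS key (`/tls/tls.key` per the deployment template in this same commit); if the pod is later granted CAP_NET_RAW to make it work, code execution in the pod becomes a pod-network sniffer, and if it is not, the binary is dead weight that still shows up in image CVE scans. Keep debugging tools out of the release image and use an ephemeral debug container (`kubectl debug -it <pod> --image=<debug-image>`) when a capture is needed; if it must stay, gate it behind a build arg so the default build is `RUN apk add --no-cache bash bind-tools coreutils krb5`. The `RUN chown -R root:root /root/.bashrc && \` line that ends the hunk continues outside it.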
|
|||||||
3
Makefile
3
Makefile
@ -51,6 +51,7 @@ clean:
|
|||||||
build: rendered-manifest.yaml dependencies bin/buildversion.exe version.txt
|
build: rendered-manifest.yaml dependencies bin/buildversion.exe version.txt
|
||||||
docker build --pull --rm -f "Dockerfile" -t "stuurmcp/$(IMAGE_NAME):latest" -t "stuurmcp/$(IMAGE_NAME):$(shell head -n 1 version.txt)" "."
|
docker build --pull --rm -f "Dockerfile" -t "stuurmcp/$(IMAGE_NAME):latest" -t "stuurmcp/$(IMAGE_NAME):$(shell head -n 1 version.txt)" "."
|
||||||
docker image push "docker.io/stuurmcp/$(IMAGE_NAME):$(shell head -n 1 version.txt)"
|
docker image push "docker.io/stuurmcp/$(IMAGE_NAME):$(shell head -n 1 version.txt)"
|
||||||
|
docker image push "docker.io/stuurmcp/$(IMAGE_NAME):latest"
|
||||||
helm package deploy/sthome-webhook -d //truenas/Shared_data/Chris/clusterissuer/charts/
|
helm package deploy/sthome-webhook -d //truenas/Shared_data/Chris/clusterissuer/charts/
|
||||||
|
|
||||||
.PHONY: rendered-manifest.yaml
|
.PHONY: rendered-manifest.yaml
|
||||||
@ -58,7 +59,7 @@ rendered-manifest.yaml: $(OUT)/rendered-manifest.yaml
|
|||||||
|
|
||||||
$(OUT)/rendered-manifest.yaml: $(HELM_FILES) | $(OUT)
|
$(OUT)/rendered-manifest.yaml: $(HELM_FILES) | $(OUT)
|
||||||
helm template \
|
helm template \
|
||||||
sthome-webhook -n sthome-webhook2\
|
sthome-webhook -n ix-cert-manager\
|
||||||
--set image.repository=$(IMAGE_NAME) \
|
--set image.repository=$(IMAGE_NAME) \
|
||||||
--set image.tag=$(shell head -n 1 version.txt) \
|
--set image.tag=$(shell head -n 1 version.txt) \
|
||||||
deploy/sthome-webhook > $@
|
deploy/sthome-webhook > $@
|
||||||
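Review bot: The new `docker image push "docker.io/stuurmcp/$(IMAGE_NAME):latest"` makes every build overwrite a mutable tag on a public registry, while the chart values in this commit pin `tag: 0.0.5-alpha.21` with `pullPolicy: IfNotPresent`, so any consumer that does deploy `:latest` silently gets whichever build ran last and has nothing to roll back to. Push `:latest` only from a tagged release step, or better, capture the digest printed by the version-tag push and reference the image by `@sha256:...` in values. The second hunk only changes the render namespace to `-n ix-cert-manager`; it is worth confirming that `.Values.certManager.namespace`, which the RBAC bindings use for the cert-manager service account, agrees with where cert-manager actually runs, since a mismatch there produces bindings to a subject that does not exist and fails silently.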
|
|||||||
@ -1,5 +1,5 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
appVersion: v0.0.5-alpha.12
|
appVersion: v0.0.5-alpha.21
|
||||||
description: Cert-Manager webhook for sthome
|
description: Cert-Manager webhook for sthome
|
||||||
name: sthome-webhook
|
name: sthome-webhook
|
||||||
version: 0.0.5-alpha.12
|
version: 0.0.5-alpha.21
|
||||||
|
|||||||
@ -5,9 +5,6 @@ metadata:
|
|||||||
namespace: {{ .Release.Namespace | quote }}
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
labels:
|
labels:
|
||||||
app: {{ include "sthome-webhook.name" . }}
|
app: {{ include "sthome-webhook.name" . }}
|
||||||
app.kubernetes.io/component: webhook
|
|
||||||
app.kubernetes.io/name: webhook
|
|
||||||
app.kubernetes.io/version: {{ .Chart.AppVersion }}
|
|
||||||
chart: {{ include "sthome-webhook.chart" . }}
|
chart: {{ include "sthome-webhook.chart" . }}
|
||||||
release: {{ .Release.Name }}
|
release: {{ .Release.Name }}
|
||||||
heritage: {{ .Release.Service }}
|
heritage: {{ .Release.Service }}
|
||||||
@ -33,12 +30,13 @@ spec:
|
|||||||
args:
|
args:
|
||||||
- --tls-cert-file=/tls/tls.crt
|
- --tls-cert-file=/tls/tls.crt
|
||||||
- --tls-private-key-file=/tls/tls.key
|
- --tls-private-key-file=/tls/tls.key
|
||||||
|
- --secure-port=8443
|
||||||
env:
|
env:
|
||||||
- name: GROUP_NAME
|
- name: GROUP_NAME
|
||||||
value: {{ .Values.groupName | quote }}
|
value: {{ .Values.groupName | quote }}
|
||||||
ports:
|
ports:
|
||||||
- name: https
|
- name: https
|
||||||
containerPort: 443
|
containerPort: 8443
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
httpGet:
|
httpGet:
|
||||||
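Review bot: `containerPort: 8443` and `--secure-port=8443` change here, but the liveness probe's `httpGet` that closes this hunk has its `port:` outside the hunk and the Service `targetPort` is not in this diff; if either still says `443` the pod is killed by its own probe or is unreachable from the apiserver, so verify both reference the named port `https` rather than a number. Moving off 443 also removes the only reason this container needed a privileged bind, so this is the moment to add a container `securityContext` with `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` — note the Dockerfile in this commit still writes `/root/.bashrc`, so it would need a `USER` directive for `runAsNonRoot` to hold. The first hunk drops the `app.kubernetes.io/component`, `app.kubernetes.io/name` and `app.kubernetes.io/version` labels from the Deployment metadata; confirm no Service selector or NetworkPolicy elsewhere in the chart keys on them. The container spec this hunk edits starts and ends outside the hunk.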
|
|||||||
@ -9,46 +9,6 @@ metadata:
|
|||||||
release: {{ .Release.Name }}
|
release: {{ .Release.Name }}
|
||||||
heritage: {{ .Release.Service }}
|
heritage: {{ .Release.Service }}
|
||||||
---
|
---
|
||||||
# Grant the webhook permission to read the secrets containing the credentials
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: Role
|
|
||||||
metadata:
|
|
||||||
name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
app: {{ include "sthome-webhook.name" . }}
|
|
||||||
chart: {{ include "sthome-webhook.chart" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
heritage: {{ .Release.Service }}
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- ''
|
|
||||||
resources:
|
|
||||||
- 'secrets'
|
|
||||||
verbs:
|
|
||||||
- 'get'
|
|
||||||
---
|
|
||||||
# Grant the webhook permission to read the secrets containing the credentials
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: RoleBinding
|
|
||||||
metadata:
|
|
||||||
name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
app: {{ include "sthome-webhook.name" . }}
|
|
||||||
chart: {{ include "sthome-webhook.chart" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
heritage: {{ .Release.Service }}
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: Role
|
|
||||||
name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
|
|
||||||
subjects:
|
|
||||||
- apiGroup: ""
|
|
||||||
kind: ServiceAccount
|
|
||||||
name: {{ include "sthome-webhook.fullname" . }}
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
---
|
|
||||||
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
|
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
|
||||||
# apiserver's requestheader-ca-certificate.
|
# apiserver's requestheader-ca-certificate.
|
||||||
# This ConfigMap is automatically created by the Kubernetes apiserver.
|
# This ConfigMap is automatically created by the Kubernetes apiserver.
|
||||||
@ -130,6 +90,113 @@ subjects:
|
|||||||
name: {{ .Values.certManager.serviceAccountName }}
|
name: {{ .Values.certManager.serviceAccountName }}
|
||||||
namespace: {{ .Values.certManager.namespace }}
|
namespace: {{ .Values.certManager.namespace }}
|
||||||
---
|
---
|
||||||
|
# added 2024/04/07
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: {{ include "sthome-webhook.fullname" . }}:secret-reader
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- "secrets"
|
||||||
|
verbs:
|
||||||
|
- "get"
|
||||||
|
- "watch"
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ include "sthome-webhook.fullname" . }}:secret-reader
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ include "sthome-webhook.fullname" . }}:secret-reader
|
||||||
|
subjects:
|
||||||
|
- apiGroup: ""
|
||||||
|
kind: ServiceAccount
|
||||||
|
name: {{ include "sthome-webhook.fullname" . }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: {{ include "sthome-webhook.fullname" . }}:flowcontrol-solver
|
||||||
|
labels:
|
||||||
|
app: {{ include "sthome-webhook.name" . }}
|
||||||
|
chart: {{ include "sthome-webhook.chart" . }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
heritage: {{ .Release.Service }}
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- "flowcontrol.apiserver.k8s.io"
|
||||||
|
resources:
|
||||||
|
- 'prioritylevelconfigurations'
|
||||||
|
- 'flowschemas'
|
||||||
|
verbs:
|
||||||
|
- 'list'
|
||||||
|
- 'watch'
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ include "sthome-webhook.fullname" . }}:flowcontrol-solver
|
||||||
|
labels:
|
||||||
|
app: {{ include "sthome-webhook.name" . }}
|
||||||
|
chart: {{ include "sthome-webhook.chart" . }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
heritage: {{ .Release.Service }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ include "sthome-webhook.fullname" . }}:flowcontrol-solver
|
||||||
|
subjects:
|
||||||
|
- apiGroup: ""
|
||||||
|
kind: ServiceAccount
|
||||||
|
name: {{ include "sthome-webhook.fullname" . }}
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
# end of added 2024/04/07
|
||||||
|
---
|
||||||
|
# Grant the webhook permission to read the secrets containing the credentials
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "sthome-webhook.name" . }}
|
||||||
|
chart: {{ include "sthome-webhook.chart" . }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
heritage: {{ .Release.Service }}
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- 'secrets'
|
||||||
|
verbs:
|
||||||
|
- 'get'
|
||||||
|
---
|
||||||
|
# Grant the webhook permission to read the secrets containing the credentials
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "sthome-webhook.name" . }}
|
||||||
|
chart: {{ include "sthome-webhook.chart" . }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
heritage: {{ .Release.Service }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
|
||||||
|
subjects:
|
||||||
|
- apiGroup: ""
|
||||||
|
kind: ServiceAccount
|
||||||
|
name: {{ include "sthome-webhook.fullname" . }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
---
|
||||||
# Grant cert-manager permission to read secrets from cert-manager ns (i.e. to read the api key for sthome)
|
# Grant cert-manager permission to read secrets from cert-manager ns (i.e. to read the api key for sthome)
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: Role
|
kind: Role
|
||||||
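Review bot: The new ClusterRole `{{ include "sthome-webhook.fullname" . }}:secret-reader` grants `get` and `watch` on `secrets` in every namespace and is bound cluster-wide to the webhook's service account, which turns a compromise of this one pod (it shells out to scripts with challenge data) into read access to every Secret in the cluster — TLS keys, tokens, registry credentials. The namespaced `secrets-reader` Role added right after it already covers the release namespace, and the comment on the last hunk says the API key lives in the cert-manager namespace, so the cluster-wide grant appears to exist only to reach one secret in one other namespace; make it a Role in `{{ .Values.certManager.namespace }}` bound to the same service account, and narrow it with `resourceNames` once the secret's name is wired through values. Note also that `watch` without `list` does not satisfy a client-go informer, so if a cached watcher was the intent, this grant is both too wide and not what that code path needs. The `flowcontrol-solver` ClusterRole (list/watch on `flowschemas`/`prioritylevelconfigurations`) is the usual read-only requirement for an aggregated API server and looks fine.

```yaml
# Read access only to the credential secret, only in the namespace that holds it
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "sthome-webhook.fullname" . }}:secret-reader
  namespace: {{ .Values.certManager.namespace }}
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    # resourceNames: ["<credential-secret-name>"]  # narrow further once the name is available in values
    verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "sthome-webhook.fullname" . }}:secret-reader
  namespace: {{ .Values.certManager.namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "sthome-webhook.fullname" . }}:secret-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "sthome-webhook.fullname" . }}
    namespace: {{ .Release.Namespace }}
# … unchanged: flowcontrol-solver ClusterRole/ClusterRoleBinding, secrets-reader Role/RoleBinding …
```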
|
|||||||
@ -31,7 +31,7 @@ clusterIssuer:
|
|||||||
image:
|
image:
|
||||||
repository: stuurmcp/cert-manager-webhook-sthome
|
repository: stuurmcp/cert-manager-webhook-sthome
|
||||||
#repository: wstat.sthome.net:5000/cert-manager-webhook-sthome
|
#repository: wstat.sthome.net:5000/cert-manager-webhook-sthome
|
||||||
tag: 0.0.5-alpha.12
|
tag: 0.0.5-alpha.21
|
||||||
#pullPolicy should be IfNotPresent. Set to Always for testing purposes
|
#pullPolicy should be IfNotPresent. Set to Always for testing purposes
|
||||||
pullPolicy: IfNotPresent
|
pullPolicy: IfNotPresent
|
||||||
|
|
||||||
|
|||||||
@ -13,12 +13,15 @@ func Execute(shell string, arg ...string) (bool, error) {
|
|||||||
cmd.Stdout = &outb
|
cmd.Stdout = &outb
|
||||||
cmd.Stderr = &errb
|
cmd.Stderr = &errb
|
||||||
err := cmd.Run()
|
err := cmd.Run()
|
||||||
|
klog.Infof("out:\n%s\n", outb.String())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
klog.Errorf("Script returned error: %s\nout:\n%serr:\n%s============\n", err, outb.String(), errb.String())
|
klog.Errorf("Script returned error:\nerr:\n")
|
||||||
|
klog.Errorf("%s\n============\n", err)
|
||||||
return false, err
|
return false, err
|
||||||
}
|
}
|
||||||
klog.Infof("script stdout:\n%s\n", outb.String())
|
if errb.String() != "" {
|
||||||
klog.Infof("script stderr:\n%s\n", errb.String())
|
klog.Errorf("stderr:\n%s============\n", errb.String())
|
||||||
|
}
|
||||||
klog.Infof("Script returned success\n")
|
klog.Infof("Script returned success\n")
|
||||||
return true, nil
|
return true, nil
|
||||||
}
|
}
|
||||||
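Review bot: In the error branch the rewritten `klog.Errorf("Script returned error:\nerr:\n")` followed by `klog.Errorf("%s\n============\n", err)` drops the script's stderr entirely — the old single call logged `outb` and `errb` alongside the error, and the new `klog.Errorf("stderr:\n%s============\n", errb.String())` sits after `return false, err`, so it only ever runs on success. That inverts the useful case: the one time an operator needs the script's diagnostic is when it fails. Fold it back into the error branch, `klog.Errorf("Script returned error: %s\nstderr:\n%s============\n", err, errb.String())`. Separately, the new unconditional `klog.Infof("out:\n%s\n", outb.String())` prints the script's full stdout at Info on every invocation, and the callers in the dns package pass `ch.Key` (the ACME challenge token) as a script argument, so make sure the scripts never echo their arguments or this line becomes a credential sink. `Execute`'s body starts outside the hunk, so the `cmd` construction is not visible here.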
|
|||||||
@ -2,7 +2,6 @@ package dns
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"strings"
|
|
||||||
|
|
||||||
"k8s.io/client-go/kubernetes"
|
"k8s.io/client-go/kubernetes"
|
||||||
"k8s.io/client-go/rest"
|
"k8s.io/client-go/rest"
|
||||||
@ -36,46 +35,47 @@ func (p *LocalDNSProviderSolver) Name() string {
|
|||||||
// solver has correctly configured the DNS provider.
|
// solver has correctly configured the DNS provider.
|
||||||
func (loc *LocalDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
|
func (loc *LocalDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
|
||||||
//domainName := extractDomainName(ch.ResolvedZone)
|
//domainName := extractDomainName(ch.ResolvedZone)
|
||||||
cfg, err := LoadConfig(ch.Config)
|
_, err := LoadConfig(ch.Config)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
provider, cfg, err := loc.init(ch.Config, ch.ResourceNamespace)
|
provider, cfg, err := loc.init(ch.Config, ch.ResourceNamespace)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed initializing sthome provider: %v", err)
|
return fmt.Errorf("failed initializing sthome provider: %v", err)
|
||||||
}
|
}
|
||||||
if !cfg.IsAllowedZone(ch.ResolvedZone) {
|
if !cfg.IsAllowedZone(ch.ResolvedZone) {
|
||||||
return fmt.Errorf("zone %s may not be edited per config (allowed zones are %v)", ch.ResolvedZone, cfg.AllowedZones)
|
return fmt.Errorf("zone %s may not be edited per config (allowed zones are %v)", ch.ResolvedZone, cfg.AllowedZones)
|
||||||
}
|
}
|
||||||
ctx := context.Background()
|
ctx := context.Background()
|
||||||
records, err := loc.getExistingRecords(ctx, provider, ch.ResolvedZone, ch.ResolvedFQDN)
|
records, err := loc.getExistingRecords(ctx, provider, ch.ResolvedZone, ch.ResolvedFQDN)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed loading existing records for %s in domain %s: %v", ch.ResolvedFQDN, ch.ResolvedZone, err)
|
return fmt.Errorf("failed loading existing records for %s in domain %s: %v", ch.ResolvedFQDN, ch.ResolvedZone, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Add the record, only if it doesn't exist already
|
// Add the record, only if it doesn't exist already
|
||||||
content := quote(ch.Key)
|
content := quote(ch.Key)
|
||||||
if _, ok := findRecord(records, content); !ok {
|
if _, ok := findRecord(records, content); !ok {
|
||||||
disabled := false
|
disabled := false
|
||||||
records = append(records, sthome.Record{Disabled: &disabled, Content: &content})
|
records = append(records, sthome.Record{Disabled: &disabled, Content: &content})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO: do something more useful with the decoded configuration
|
||||||
|
klog.Infof("CZ: Presenting record for %s, type: %s, uid: %s, key: %s, ns: %s, fqdn: %s, zone: %s, allowambcred: %t, cfg.secret: %s, cfg.email: %s, cfg.allowz: %s",
|
||||||
|
ch.DNSName,
|
||||||
|
ch.UID,
|
||||||
|
ch.Type,
|
||||||
|
ch.Key,
|
||||||
|
ch.ResourceNamespace,
|
||||||
|
ch.ResolvedFQDN,
|
||||||
|
ch.ResolvedZone,
|
||||||
|
ch.AllowAmbientCredentials,
|
||||||
|
cfg.APIKeySecretRef.Name,
|
||||||
|
cfg.Email,
|
||||||
|
strings.Join(cfg.AllowedZones, ","),
|
||||||
|
)
|
||||||
*/
|
*/
|
||||||
// TODO: do something more useful with the decoded configuration
|
|
||||||
klog.Infof("CZ: Presenting record for %s, type: %s, uid: %s, key: %s, ns: %s, fqdn: %s, zone: %s, allowambcred: %t, cfg.secret: %s, cfg.email: %s, cfg.allowz: %s",
|
|
||||||
ch.DNSName,
|
|
||||||
ch.UID,
|
|
||||||
ch.Type,
|
|
||||||
ch.Key,
|
|
||||||
ch.ResourceNamespace,
|
|
||||||
ch.ResolvedFQDN,
|
|
||||||
ch.ResolvedZone,
|
|
||||||
ch.AllowAmbientCredentials,
|
|
||||||
cfg.APIKeySecretRef.Name,
|
|
||||||
cfg.Email,
|
|
||||||
strings.Join(cfg.AllowedZones, ","),
|
|
||||||
)
|
|
||||||
// TODO: convert shell script to golang
|
// TODO: convert shell script to golang
|
||||||
//localip := GetOutboundIP(Dnsserver_net)
|
//localip := GetOutboundIP(Dnsserver_net)
|
||||||
success, _ := Execute(
|
success, _ := Execute(
|
||||||
@ -87,7 +87,7 @@ func (loc *LocalDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error
|
|||||||
ch.Key,
|
ch.Key,
|
||||||
"-l",
|
"-l",
|
||||||
"\"\"", //localip,
|
"\"\"", //localip,
|
||||||
"-v",
|
//"-v",
|
||||||
)
|
)
|
||||||
klog.Infof("Execute set TXT returned success: %t\n", success)
|
klog.Infof("Execute set TXT returned success: %t\n", success)
|
||||||
return nil
|
return nil
|
||||||
@ -101,7 +101,6 @@ func (loc *LocalDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error
|
|||||||
// concurrently.
|
// concurrently.
|
||||||
func (loc *LocalDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
|
func (loc *LocalDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
|
||||||
//domainName := extractDomainName(ch.ResolvedZone)
|
//domainName := extractDomainName(ch.ResolvedZone)
|
||||||
// TODO: add code that deletes a record from the DNS provider's console
|
|
||||||
//localip := GetOutboundIP(Dnsserver_net)
|
//localip := GetOutboundIP(Dnsserver_net)
|
||||||
success, _ := Execute(
|
success, _ := Execute(
|
||||||
Shell,
|
Shell,
|
||||||
@ -112,7 +111,7 @@ func (loc *LocalDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error
|
|||||||
ch.Key,
|
ch.Key,
|
||||||
"-l",
|
"-l",
|
||||||
"\"\"", //localip,
|
"\"\"", //localip,
|
||||||
"-v",
|
//"-v",
|
||||||
)
|
)
|
||||||
klog.Infof("Execute unset TXT returned success: %t\n", success)
|
klog.Infof("Execute unset TXT returned success: %t\n", success)
|
||||||
return nil
|
return nil
|
||||||
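Review bot: `Present` now discards the decoded config (`_, err := LoadConfig(ch.Config)`) and the zone allow-list check, `if !cfg.IsAllowedZone(ch.ResolvedZone) { ... }`, is inside the `/* */` block, so the solver runs the TXT-setting script for whatever `ResolvedZone`/`ResolvedFQDN` cert-manager hands it with no server-side restriction on which zones an Issuer in any namespace may write to; `CleanUp` has the same gap. The script's result is also thrown away — `success, _ := Execute(...)` at the end of this hunk followed by `return nil` at the end of the next — so a failed DNS update is reported to cert-manager as success and it proceeds to an ACME validation that can only fail, with the real cause buried in klog. Restore the allow-list check (the `fmt` import it needs is still present; whether `LoadConfig`'s result still exposes `IsAllowedZone`/`AllowedZones` is not visible here) and propagate the script failure as an error, since `Execute` returns `false` only together with a non-nil error. `Present` begins in this hunk and ends in the next; `CleanUp` needs the same two changes.

```go
cfg, err := LoadConfig(ch.Config)
if err != nil {
	return err
}
if !cfg.IsAllowedZone(ch.ResolvedZone) {
	return fmt.Errorf("zone %s may not be edited per config (allowed zones are %v)", ch.ResolvedZone, cfg.AllowedZones)
}
// … unchanged: commented-out provider code …
_, err = Execute(
	// … unchanged: shell and script arguments …
)
if err != nil {
	return fmt.Errorf("setting TXT record for %s in zone %s: %w", ch.ResolvedFQDN, ch.ResolvedZone, err)
}
return nil
```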
|
|||||||
@ -1,3 +1,3 @@
|
|||||||
0.0.5-alpha.12
|
0.0.5-alpha.21
|
||||||
20240406-2016
|
20240408-1455
|
||||||
12
|
21
|
||||||