ACME/cert-manager-webhook-sthome
ACME/cert-manager-webhook-sthome
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Changed port to 8443, added more rbac items. Removed some labels in deployment template.

Browse Source
This commit is contained in:
Chris Stuurman 2024-04-08 16:29:24 +02:00
parent 24853d497a
commit 078ea5c3c0
9 changed files with 160 additions and 92 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Dockerfile
View File

@ -26,7 +26,7 @@ FROM alpine:3.18
RUN apk add --no-cache ca-certificates
RUN apk add --no-cache bash bind-tools coreutils krb5
RUN apk add --no-cache bash bind-tools coreutils krb5 tcpdump
COPY ./config/bash.sh /root/.bashrc
#COPY ./config/krb5.conf /etc
RUN chown -R root:root /root/.bashrc && \

3
Makefile
View File

@ -51,6 +51,7 @@ clean:
build: rendered-manifest.yaml dependencies bin/buildversion.exe version.txt
docker build --pull --rm -f "Dockerfile" -t "stuurmcp/$(IMAGE_NAME):latest" -t "stuurmcp/$(IMAGE_NAME):$(shell head -n 1 version.txt)" "."
docker image push "docker.io/stuurmcp/$(IMAGE_NAME):$(shell head -n 1 version.txt)"
docker image push "docker.io/stuurmcp/$(IMAGE_NAME):latest"
helm package deploy/sthome-webhook -d //truenas/Shared_data/Chris/clusterissuer/charts/
.PHONY: rendered-manifest.yaml
@ -58,7 +59,7 @@ rendered-manifest.yaml: $(OUT)/rendered-manifest.yaml
$(OUT)/rendered-manifest.yaml: $(HELM_FILES) | $(OUT)
helm template \
sthome-webhook -n sthome-webhook2\
sthome-webhook -n ix-cert-manager\
--set image.repository=$(IMAGE_NAME) \
--set image.tag=$(shell head -n 1 version.txt) \
deploy/sthome-webhook > $@

4
deploy/sthome-webhook/Chart.yaml
View File

@ -1,5 +1,5 @@
apiVersion: v1
appVersion: v0.0.5-alpha.12
appVersion: v0.0.5-alpha.21
description: Cert-Manager webhook for sthome
name: sthome-webhook
version: 0.0.5-alpha.12
version: 0.0.5-alpha.21

6
deploy/sthome-webhook/templates/deployment.yaml
View File

@ -5,9 +5,6 @@ metadata:
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "sthome-webhook.name" . }}
app.kubernetes.io/component: webhook
app.kubernetes.io/name: webhook
app.kubernetes.io/version: {{ .Chart.AppVersion }}
chart: {{ include "sthome-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
@ -33,12 +30,13 @@ spec:
args:
- --tls-cert-file=/tls/tls.crt
- --tls-private-key-file=/tls/tls.key
- --secure-port=8443
env:
- name: GROUP_NAME
value: {{ .Values.groupName | quote }}
ports:
- name: https
containerPort: 443
containerPort: 8443
protocol: TCP
livenessProbe:
httpGet:

147
deploy/sthome-webhook/templates/rbac.yaml
View File

@ -9,46 +9,6 @@ metadata:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
---
# Grant the webhook permission to read the secrets containing the credentials
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
namespace: {{ .Release.Namespace }}
labels:
app: {{ include "sthome-webhook.name" . }}
chart: {{ include "sthome-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- ''
resources:
- 'secrets'
verbs:
- 'get'
---
# Grant the webhook permission to read the secrets containing the credentials
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
namespace: {{ .Release.Namespace }}
labels:
app: {{ include "sthome-webhook.name" . }}
chart: {{ include "sthome-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "sthome-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
---
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
# apiserver's requestheader-ca-certificate.
# This ConfigMap is automatically created by the Kubernetes apiserver.
@ -130,6 +90,113 @@ subjects:
name: {{ .Values.certManager.serviceAccountName }}
namespace: {{ .Values.certManager.namespace }}
---
# added 2024/04/07
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "sthome-webhook.fullname" . }}:secret-reader
rules:
- apiGroups:
- ""
resources:
- "secrets"
verbs:
- "get"
- "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "sthome-webhook.fullname" . }}:secret-reader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "sthome-webhook.fullname" . }}:secret-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "sthome-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "sthome-webhook.fullname" . }}:flowcontrol-solver
labels:
app: {{ include "sthome-webhook.name" . }}
chart: {{ include "sthome-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- "flowcontrol.apiserver.k8s.io"
resources:
- 'prioritylevelconfigurations'
- 'flowschemas'
verbs:
- 'list'
- 'watch'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "sthome-webhook.fullname" . }}:flowcontrol-solver
labels:
app: {{ include "sthome-webhook.name" . }}
chart: {{ include "sthome-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "sthome-webhook.fullname" . }}:flowcontrol-solver
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "sthome-webhook.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
# end of added 2024/04/07
---
# Grant the webhook permission to read the secrets containing the credentials
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
namespace: {{ .Release.Namespace }}
labels:
app: {{ include "sthome-webhook.name" . }}
chart: {{ include "sthome-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- ''
resources:
- 'secrets'
verbs:
- 'get'
---
# Grant the webhook permission to read the secrets containing the credentials
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
namespace: {{ .Release.Namespace }}
labels:
app: {{ include "sthome-webhook.name" . }}
chart: {{ include "sthome-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "sthome-webhook.fullname" . }}:secrets-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "sthome-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
---
# Grant cert-manager permission to read secrets from cert-manager ns (i.e. to read the api key for sthome)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role

2
deploy/sthome-webhook/values.yaml
View File

@ -31,7 +31,7 @@ clusterIssuer:
image:
repository: stuurmcp/cert-manager-webhook-sthome
#repository: wstat.sthome.net:5000/cert-manager-webhook-sthome
tag: 0.0.5-alpha.12
tag: 0.0.5-alpha.21
#pullPolicy should be IfNotPresent. Set to Always for testing purposes
pullPolicy: IfNotPresent

9
pkg/dns/shell.go
View File

@ -13,12 +13,15 @@ func Execute(shell string, arg ...string) (bool, error) {
cmd.Stdout = &outb
cmd.Stderr = &errb
err := cmd.Run()
klog.Infof("out:\n%s\n", outb.String())
if err != nil {
klog.Errorf("Script returned error: %s\nout:\n%serr:\n%s============\n", err, outb.String(), errb.String())
klog.Errorf("Script returned error:\nerr:\n")
klog.Errorf("%s\n============\n", err)
return false, err
}
klog.Infof("script stdout:\n%s\n", outb.String())
klog.Infof("script stderr:\n%s\n", errb.String())
if errb.String() != "" {
klog.Errorf("stderr:\n%s============\n", errb.String())
}
klog.Infof("Script returned success\n")
return true, nil
}

11
pkg/dns/solver_local.go
View File

@ -2,7 +2,6 @@ package dns
import (
"fmt"
"strings"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
@ -36,7 +35,7 @@ func (p *LocalDNSProviderSolver) Name() string {
// solver has correctly configured the DNS provider.
func (loc *LocalDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
//domainName := extractDomainName(ch.ResolvedZone)
cfg, err := LoadConfig(ch.Config)
_, err := LoadConfig(ch.Config)
if err != nil {
return err
}
@ -61,7 +60,7 @@ func (loc *LocalDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error
disabled := false
records = append(records, sthome.Record{Disabled: &disabled, Content: &content})
}
*/
// TODO: do something more useful with the decoded configuration
klog.Infof("CZ: Presenting record for %s, type: %s, uid: %s, key: %s, ns: %s, fqdn: %s, zone: %s, allowambcred: %t, cfg.secret: %s, cfg.email: %s, cfg.allowz: %s",
ch.DNSName,
@ -76,6 +75,7 @@ func (loc *LocalDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error
cfg.Email,
strings.Join(cfg.AllowedZones, ","),
)
*/
// TODO: convert shell script to golang
//localip := GetOutboundIP(Dnsserver_net)
success, _ := Execute(
@ -87,7 +87,7 @@ func (loc *LocalDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error
ch.Key,
"-l",
"\"\"", //localip,
"-v",
//"-v",
)
klog.Infof("Execute set TXT returned success: %t\n", success)
return nil
@ -101,7 +101,6 @@ func (loc *LocalDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error
// concurrently.
func (loc *LocalDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
//domainName := extractDomainName(ch.ResolvedZone)
// TODO: add code that deletes a record from the DNS provider's console
//localip := GetOutboundIP(Dnsserver_net)
success, _ := Execute(
Shell,
@ -112,7 +111,7 @@ func (loc *LocalDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error
ch.Key,
"-l",
"\"\"", //localip,
"-v",
//"-v",
)
klog.Infof("Execute unset TXT returned success: %t\n", success)
return nil

6
version.txt
View File

@ -1,3 +1,3 @@
0.0.5-alpha.12
20240406-2016
12
0.0.5-alpha.21
20240408-1455
21