ACME/cert-manager-webhook-sthome
ACME/cert-manager-webhook-sthome
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixed messages

Browse Source
This commit is contained in:
Chris Stuurman 2024-04-09 18:43:10 +02:00
parent 824243fa77
commit 0d44d8937e
5 changed files with 29 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
deploy/sthome-webhook/Chart.yaml
View File

@ -1,5 +1,5 @@
apiVersion: v1 apiVersion: v1
appVersion: v0.0.5-alpha.23 appVersion: v0.0.5-alpha.24
description: Cert-Manager webhook for sthome description: Cert-Manager webhook for sthome
name: sthome-webhook name: sthome-webhook
version: 0.0.5-alpha.23 version: 0.0.5-alpha.24

2
deploy/sthome-webhook/values.yaml
View File

@ -31,7 +31,7 @@ clusterIssuer:
image: image:
repository: stuurmcp/cert-manager-webhook-sthome repository: stuurmcp/cert-manager-webhook-sthome
#repository: wstat.sthome.net:5000/cert-manager-webhook-sthome #repository: wstat.sthome.net:5000/cert-manager-webhook-sthome
tag: 0.0.5-alpha.23 tag: 0.0.5-alpha.24
#pullPolicy should be IfNotPresent. Set to Always for testing purposes #pullPolicy should be IfNotPresent. Set to Always for testing purposes
pullPolicy: IfNotPresent pullPolicy: IfNotPresent

6
go.mod
View File

@ -13,7 +13,10 @@ require (
require k8s.io/klog/v2 v2.110.1 require k8s.io/klog/v2 v2.110.1
require k8s.io/apimachinery v0.29.0 require (
github.com/miekg/dns v1.1.58
k8s.io/apimachinery v0.29.0
)
require ( require (
cloud.google.com/go/compute v1.23.3 // indirect cloud.google.com/go/compute v1.23.3 // indirect
@ -83,7 +86,6 @@ require (
github.com/json-iterator/go v1.1.12 // indirect github.com/json-iterator/go v1.1.12 // indirect
github.com/mailru/easyjson v0.7.7 // indirect github.com/mailru/easyjson v0.7.7 // indirect
github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
github.com/miekg/dns v1.1.58 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect

38
pkg/util/wait.go
View File

@ -20,8 +20,8 @@ import (
"time" "time"
"github.com/miekg/dns" "github.com/miekg/dns"
klog "k8s.io/klog/v2"
logf "github.com/cert-manager/cert-manager/pkg/logs" //logf "github.com/cert-manager/cert-manager/pkg/logs"
) )
type preCheckDNSFunc func(fqdn, value string, nameservers []string, type preCheckDNSFunc func(fqdn, value string, nameservers []string,
@ -91,13 +91,13 @@ func followCNAMEs(fqdn string, nameservers []string, fqdnChain ...string) (strin
if !ok || cn.Hdr.Name != fqdn { if !ok || cn.Hdr.Name != fqdn {
continue continue
} }
logf.V(logf.DebugLevel).Infof("Updating FQDN: %s with its CNAME: %s", fqdn, cn.Target) klog.Infof("Updating FQDN: %s with its CNAME: %s", fqdn, cn.Target)
// Check if we were here before to prevent loops in the chain of CNAME records. // Check if we were here before to prevent loops in the chain of CNAME records.
for _, fqdnInChain := range fqdnChain { for _, fqdnInChain := range fqdnChain {
if cn.Target != fqdnInChain { if cn.Target != fqdnInChain {
continue continue
} }
return "", fmt.Errorf("Found recursive CNAME record to %q when looking up %q", cn.Target, fqdn) return "", fmt.Errorf("found recursive CNAME record to %q when looking up %q", cn.Target, fqdn)
} }
return followCNAMEs(cn.Target, nameservers, append(fqdnChain, fqdn)...) return followCNAMEs(cn.Target, nameservers, append(fqdnChain, fqdn)...)
} }
@ -142,7 +142,7 @@ func checkAuthoritativeNss(fqdn, value string, nameservers []string) (bool, erro
return false, fmt.Errorf("NS %s returned %s for %s", ns, dns.RcodeToString[r.Rcode], fqdn) return false, fmt.Errorf("NS %s returned %s for %s", ns, dns.RcodeToString[r.Rcode], fqdn)
} }
logf.V(logf.DebugLevel).Infof("Looking up TXT records for %q", fqdn) klog.Infof("Looking up TXT records for %q", fqdn)
var found bool var found bool
for _, rr := range r.Answer { for _, rr := range r.Answer {
if txt, ok := rr.(*dns.TXT); ok { if txt, ok := rr.(*dns.TXT); ok {
@ -157,7 +157,7 @@ func checkAuthoritativeNss(fqdn, value string, nameservers []string) (bool, erro
return false, nil return false, nil
} }
} }
logf.V(logf.DebugLevel).Infof("Selfchecking using the DNS Lookup method was successful") klog.Infof("Selfchecking using the DNS Lookup method was successful")
return true, nil return true, nil
} }
@ -199,7 +199,7 @@ func DNSQuery(fqdn string, rtype uint16, nameservers []string, recursive bool) (
// Try TCP if UDP fails // Try TCP if UDP fails
if (in != nil && in.Truncated) || if (in != nil && in.Truncated) ||
(err != nil && strings.HasPrefix(err.Error(), "read udp") && strings.HasSuffix(err.Error(), "i/o timeout")) { (err != nil && strings.HasPrefix(err.Error(), "read udp") && strings.HasSuffix(err.Error(), "i/o timeout")) {
logf.V(logf.DebugLevel).Infof("UDP dns lookup failed, retrying with TCP: %v", err) klog.Infof("UDP dns lookup failed, retrying with TCP: %v", err)
// If the TCP request succeeds, the err will reset to nil // If the TCP request succeeds, the err will reset to nil
in, _, err = tcp.Exchange(m, ns) in, _, err = tcp.Exchange(m, ns)
} }
@ -293,14 +293,14 @@ func ValidateCAA(domain string, issuerID []string, iswildcard bool, nameservers
var authNS []string var authNS []string
authNS, err = lookupNameservers(queryDomain, nameservers) authNS, err = lookupNameservers(queryDomain, nameservers)
if err != nil { if err != nil {
return fmt.Errorf("Could not validate CAA record: %s", err) return fmt.Errorf("could not validate CAA record: %s", err)
} }
for i, ans := range authNS { for i, ans := range authNS {
authNS[i] = net.JoinHostPort(ans, "53") authNS[i] = net.JoinHostPort(ans, "53")
} }
msg, err = DNSQuery(queryDomain, dns.TypeCAA, authNS, false) msg, err = DNSQuery(queryDomain, dns.TypeCAA, authNS, false)
if err != nil { if err != nil {
return fmt.Errorf("Could not validate CAA record: %s", err) return fmt.Errorf("could not validate CAA record: %s", err)
} }
// domain may not exist, which is fine. It will fail HTTP01 checks // domain may not exist, which is fine. It will fail HTTP01 checks
// but DNS01 checks will create a proper domain // but DNS01 checks will create a proper domain
@ -308,7 +308,7 @@ func ValidateCAA(domain string, issuerID []string, iswildcard bool, nameservers
break break
} }
if msg.Rcode != dns.RcodeSuccess { if msg.Rcode != dns.RcodeSuccess {
return fmt.Errorf("Could not validate CAA: Unexpected response code '%s' for %s", return fmt.Errorf("could not validate CAA: Unexpected response code '%s' for %s",
dns.RcodeToString[msg.Rcode], domain) dns.RcodeToString[msg.Rcode], domain)
} }
oldQuery := queryDomain oldQuery := queryDomain
@ -376,10 +376,10 @@ func matchCAA(caas []*dns.CAA, issuerIDs map[string]bool, iswildcard bool) bool
func lookupNameservers(fqdn string, nameservers []string) ([]string, error) { func lookupNameservers(fqdn string, nameservers []string) ([]string, error) {
var authoritativeNss []string var authoritativeNss []string
logf.V(logf.DebugLevel).Infof("Searching fqdn %q using seed nameservers [%s]", fqdn, strings.Join(nameservers, ", ")) klog.Infof("Searching fqdn %q using seed nameservers [%s]", fqdn, strings.Join(nameservers, ", "))
zone, err := FindZoneByFqdn(fqdn, nameservers) zone, err := FindZoneByFqdn(fqdn, nameservers)
if err != nil { if err != nil {
return nil, fmt.Errorf("Could not determine the zone for %q: %v", fqdn, err) return nil, fmt.Errorf("could not determine the zone for %q: %v", fqdn, err)
} }
r, err := DNSQuery(zone, dns.TypeNS, nameservers, true) r, err := DNSQuery(zone, dns.TypeNS, nameservers, true)
@ -394,10 +394,10 @@ func lookupNameservers(fqdn string, nameservers []string) ([]string, error) {
} }
if len(authoritativeNss) > 0 { if len(authoritativeNss) > 0 {
logf.V(logf.DebugLevel).Infof("Returning authoritative nameservers [%s]", strings.Join(authoritativeNss, ", ")) klog.Infof("Returning authoritative nameservers [%s]", strings.Join(authoritativeNss, ", "))
return authoritativeNss, nil return authoritativeNss, nil
} }
return nil, fmt.Errorf("Could not determine authoritative nameservers for %q", fqdn) return nil, fmt.Errorf("could not determine authoritative nameservers for %q", fqdn)
} }
// FindZoneByFqdn determines the zone apex for the given fqdn by recursing up the // FindZoneByFqdn determines the zone apex for the given fqdn by recursing up the
@ -407,7 +407,7 @@ func FindZoneByFqdn(fqdn string, nameservers []string) (string, error) {
// Do we have it cached? // Do we have it cached?
if zone, ok := fqdnToZone[fqdn]; ok { if zone, ok := fqdnToZone[fqdn]; ok {
fqdnToZoneLock.RUnlock() fqdnToZoneLock.RUnlock()
logf.V(logf.DebugLevel).Infof("Returning cached zone record %q for fqdn %q", zone, fqdn) klog.Infof("Returning cached zone record %q for fqdn %q", zone, fqdn)
return zone, nil return zone, nil
} }
fqdnToZoneLock.RUnlock() fqdnToZoneLock.RUnlock()
@ -444,7 +444,7 @@ func FindZoneByFqdn(fqdn string, nameservers []string) (string, error) {
// Any non-successful response code, other than NXDOMAIN, is treated as an error // Any non-successful response code, other than NXDOMAIN, is treated as an error
// and interrupts the search. // and interrupts the search.
if in.Rcode != dns.RcodeSuccess { if in.Rcode != dns.RcodeSuccess {
return "", fmt.Errorf("When querying the SOA record for the domain '%s' using nameservers %v, rcode was expected to be 'NOERROR' or 'NXDOMAIN', but got '%s'", return "", fmt.Errorf("when querying the SOA record for the domain '%s' using nameservers %v, rcode was expected to be 'NOERROR' or 'NXDOMAIN', but got '%s'",
domain, nameservers, dns.RcodeToString[in.Rcode]) domain, nameservers, dns.RcodeToString[in.Rcode])
} }
@ -461,13 +461,13 @@ func FindZoneByFqdn(fqdn string, nameservers []string) (string, error) {
zone := soa.Hdr.Name zone := soa.Hdr.Name
fqdnToZone[fqdn] = zone fqdnToZone[fqdn] = zone
logf.V(logf.DebugLevel).Infof("Returning discovered zone record %q for fqdn %q", zone, fqdn) klog.Infof("Returning discovered zone record %q for fqdn %q", zone, fqdn)
return zone, nil return zone, nil
} }
} }
} }
return "", fmt.Errorf("Could not find the SOA record in the DNS tree for the domain '%s' using nameservers %v", fqdn, nameservers) return "", fmt.Errorf("could not find the SOA record in the DNS tree for the domain '%s' using nameservers %v", fqdn, nameservers)
} }
// dnsMsgContainsCNAME checks for a CNAME answer in msg // dnsMsgContainsCNAME checks for a CNAME answer in msg
@ -505,7 +505,7 @@ func WaitFor(timeout, interval time.Duration, f func() (bool, error)) error {
for { for {
select { select {
case <-timeup: case <-timeup:
return fmt.Errorf("Time limit exceeded. Last error: %s", lastErr) return fmt.Errorf("time limit exceeded. Last error: %s", lastErr)
default: default:
} }

6
version.txt
View File

@ -1,3 +1,3 @@
0.0.5-alpha.23 0.0.5-alpha.24
20240409-1736 20240409-1838
23 24