cert-manager-webhook-sthome/pkg/dns/config.go


package dns
import (
"net"
"strings"
v1 "k8s.io/api/core/v1"
"k8s.io/klog/v2"
)
const (
	// SthomeAccessKeyEnv is the name of the environment variable that carries
	// the sthome access key.
	SthomeAccessKeyEnv = "STHOME_ACCESS_KEY"
	// SthomeSecretKeyEnv is the name of the environment variable that carries
	// the sthome secret key.
	SthomeSecretKeyEnv = "STHOME_SECRET_KEY"
	// providerName identifies this DNS01 solver.
	providerName = "sthome"
	// shell and acmeAuthCmd name the interpreter and script for the ACME DNS
	// update; how and with what arguments they are invoked is not visible in
	// this file.
	shell       = "/bin/bash"
	acmeAuthCmd = "/acme/acmeauth.sh"
	// Hard-coded DNS and host server addresses, presumably for a "net" and a
	// "lan" side of the deployment. NOTE(review): none of these are referenced
	// in this file; they are environment-specific and would be easier to
	// operate (and to rotate) from configuration than from the binary.
	dnsserver_net  = "10.0.0.15"
	dnsserver_lan  = "192.168.2.1"
	hostserver_net = "truenas.sthome.net"
	hostserver_lan = "truenas.sthome.lan"
)
// LocalDNSProviderConfig is a structure that is used to decode into when
// solving a DNS01 challenge.
// This information is provided by cert-manager, and may be a reference to
// additional configuration that's needed to solve the challenge for this
// particular certificate or issuer.
// This typically includes references to Secret resources containing DNS
// provider credentials, in cases where a 'multi-tenant' DNS solver is being
// created.
// If you do *not* require per-issuer or per-certificate configuration to be
// provided to your webhook, you can skip decoding altogether in favour of
// using CLI flags or similar to provide configuration.
// You should not include sensitive information here. If credentials need to
// be used by your provider here, you should reference a Kubernetes Secret
// resource and fetch these credentials using a Kubernetes clientset.
type LocalDNSProviderConfig struct {
	// AccessKey and SecretKey are optional references to the Secret keys that
	// hold the provider credentials; only the reference, never the credential
	// itself, lives in this config. NOTE(review): how they relate to the
	// STHOME_*_KEY environment variables is not visible in this file.
	AccessKey *v1.SecretKeySelector `json:"accessKeySecretRef,omitempty"`
	SecretKey *v1.SecretKeySelector `json:"secretKeySecretRef,omitempty"`
	// Change the two fields below according to the format of the configuration
	// to be decoded.
	// These fields will be set by users in the
	// `issuer.spec.acme.dns01.providers.webhook.config` field.
	Email string `json:"email"`
	// APIKeySecretRef contains the reference information for the Kubernetes
	// secret which contains the sthome API Key.
	APIKeySecretRef v1.SecretKeySelector `json:"apiKeySecretRef"`
	// Host is the Base URL (e.g. https://dns.example.ca) of the sthome API.
	//Host string `json:"host"`
	// Scheme supports HTTP AuthSchemes
	// https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
	//
	// +optional default ""
	//APIKeyScheme string `json:"apiKeyScheme"`
	// APIKeyHeaderName is the header name where apiKey will be set
	//
	// +optional default "X-API-Key"
	//APIKeyHeaderName string `json:"apiKeyHeaderName"`
	// ServerID is the server ID in the sthome API.
	// When unset, defaults to "localhost".
	//ServerID string `json:"serverID"`
	// Headers are additional headers added to requests to the
	// sthome API server.
	//Headers map[string]string `json:"headers"`
	// CABundle is a PEM encoded CA bundle which will be used in
	// certificate validation when connecting to the sthome server.
	//
	// When left blank, the default system store will be used.
	//
	// +optional
	//CABundle []byte `json:"caBundle"`
	// TTL is the time-to-live value of the inserted DNS records.
	//
	// +optional
	//TTL int `json:"ttl"`
	// Timeout is the timeout value for requests to the sthome API.
	// The value is specified in seconds.
	//
	// +optional
	//Timeout int `json:"timeout"`
	// AllowedZones is the list of zones that may be edited. If the list is
	// empty, all zones are permitted. This is the only guard on which zones a
	// challenge may write to, so operators of multi-tenant setups should set it
	// explicitly; see IsAllowedZone for the matching rules.
	AllowedZones []string `json:"allowed-zones"`
}
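// IsAllowedZone reports whether the webhook may edit the given zone according
// to the AllowedZones setting. An empty AllowedZones (the default) permits every
// zone; otherwise zone must equal an allowed entry or be a subdomain of one. The
// subdomain test requires a label boundary, so "evilexample.com" does not match
// an entry of "example.com".
//
// Both sides are compared case-insensitively with surrounding whitespace and a
// trailing dot removed, so an absolute name such as "example.com." matches an
// entry written as "example.com". Blank entries are skipped: in the raw
// comparison a blank entry would turn into the suffix "." and match every
// absolute zone, silently widening the allow-list.
func (cfg LocalDNSProviderConfig) IsAllowedZone(zone string) bool {
	if len(cfg.AllowedZones) == 0 {
		return true
	}
	want := normalizeZone(zone)
	for _, entry := range cfg.AllowedZones {
		allowed := normalizeZone(entry)
		if allowed == "" {
			// A blank entry must not act as a wildcard.
			continue
		}
		if want == allowed || strings.HasSuffix(want, "."+allowed) {
			return true
		}
	}
	return false
}

// normalizeZone lower-cases a DNS name and strips surrounding whitespace and a
// single trailing dot, so relative and absolute spellings compare equal.
func normalizeZone(name string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
}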
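// getOutboundIP returns the preferred source IP this machine would use to reach
// dest, determined by having the kernel route a connected UDP socket towards
// dest on port 80 (UDP connect performs no handshake, so nothing is sent to
// dest). dest may be an IPv4 or IPv6 address or a hostname; the address is built
// with net.JoinHostPort so an IPv6 literal is bracketed correctly, which the
// earlier dest+":80" concatenation did not do.
//
// On any failure the error is logged and "0.0.0.0" is returned. Callers should
// treat that value as "unknown" rather than use it as a real source or bind
// address.
func getOutboundIP(dest string) string {
	conn, err := net.Dial("udp", net.JoinHostPort(dest, "80"))
	if err != nil {
		klog.Errorf("net.Dial error: %s", err)
		return "0.0.0.0"
	}
	defer conn.Close()
	// A UDP dial always yields a *net.UDPAddr, but a checked assertion keeps a
	// surprise from panicking a webhook request.
	localAddr, ok := conn.LocalAddr().(*net.UDPAddr)
	if !ok {
		klog.Errorf("unexpected local address type %T", conn.LocalAddr())
		return "0.0.0.0"
	}
	return localAddr.IP.String()
}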