package sthome
import (
"strings"
v1 "k8s.io/api/core/v1"
)
const (
	// SthomeAccessKeyEnv is, per its Env suffix, the name of an environment
	// variable expected to carry the sthome access key. Nothing in this file
	// reads it; callers elsewhere in the package presumably do.
	SthomeAccessKeyEnv = "STHOME_ACCESS_KEY"
	// SthomeSecretKeyEnv is the counterpart variable name for the sthome
	// secret key. Likewise unused within this file.
	SthomeSecretKeyEnv = "STHOME_SECRET_KEY"
)
// LocalDNSProviderConfig is a structure that is used to decode into when
// solving a DNS01 challenge.
// This information is provided by cert-manager, and may be a reference to
// additional configuration that's needed to solve the challenge for this
// particular certificate or issuer.
// This typically includes references to Secret resources containing DNS
// provider credentials, in cases where a 'multi-tenant' DNS solver is being
// created.
// If you do *not* require per-issuer or per-certificate configuration to be
// provided to your webhook, you can skip decoding altogether in favour of
// using CLI flags or similar to provide configuration.
// You should not include sensitive information here. If credentials need to
// be used by your provider here, you should reference a Kubernetes Secret
// resource and fetch these credentials using a Kubernetes clientset.
//
// Users set these fields in the
// `issuer.spec.acme.dns01.providers.webhook.config` field.
type LocalDNSProviderConfig struct {
	// AccessKey references the Secret key that holds the sthome access key
	// (cf. SthomeAccessKeyEnv). Optional: nil when accessKeySecretRef is unset.
	AccessKey *v1.SecretKeySelector `json:"accessKeySecretRef,omitempty"`
	// SecretKey references the Secret key that holds the sthome secret key
	// (cf. SthomeSecretKeyEnv). Optional: nil when secretKeySecretRef is unset.
	SecretKey *v1.SecretKeySelector `json:"secretKeySecretRef,omitempty"`

	// Email is supplied by the user; how the solver uses it is not shown in
	// this file.
	Email string `json:"email"`
	// APIKeySecretRef contains the reference information for the Kubernetes
	// secret which contains the sthome API Key.
	APIKeySecretRef v1.SecretKeySelector `json:"apiKeySecretRef"`
	// Host is the Base URL (e.g. https://dns.example.ca) of the sthome API.
	Host string `json:"host"`

	// APIKeyScheme is the HTTP authentication scheme used together with the
	// API key; values are the IANA-registered HTTP AuthSchemes, see
	// https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
	//
	// +optional default ""
	APIKeyScheme string `json:"apiKeyScheme"`

	// APIKeyHeaderName is the header name where apiKey will be set
	//
	// +optional default "X-API-Key"
	APIKeyHeaderName string `json:"apiKeyHeaderName"`

	// ServerID is the server ID in the sthome API.
	// When unset, defaults to "localhost".
	ServerID string `json:"serverID"`

	// Headers are additional headers added to requests to the
	// sthome API server.
	Headers map[string]string `json:"headers"`

	// CABundle is a PEM encoded CA bundle which will be used in
	// certificate validation when connecting to the sthome server.
	//
	// When left blank, the default system store will be used.
	//
	// +optional
	CABundle []byte `json:"caBundle"`

	// TTL is the time-to-live value of the inserted DNS records.
	//
	// +optional
	TTL int `json:"ttl"`

	// Timeout is the timeout value for requests to the sthome API.
	// The value is specified in seconds.
	//
	// +optional
	Timeout int `json:"timeout"`

	// AllowedZones is the list of zones that may be edited. If the list is
	// empty, all zones are permitted. See IsAllowedZone for the matching
	// rule: a zone is accepted when it equals an entry or is a subdomain of
	// one.
	//
	// NOTE(review): the tag is kebab-case ("allowed-zones") while every other
	// field uses camelCase; it is kept as-is because renaming it would break
	// existing webhook configs.
	AllowedZones []string `json:"allowed-zones"`
}
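// IsAllowedZone reports whether the webhook may edit the given zone under the
// AllowedZones setting. When AllowedZones is empty (the default), every zone
// is permitted. Otherwise zone must equal an entry or be a subdomain of one
// (a suffix match on "."+entry, so "evilexample.com" does not match an entry
// of "example.com").
//
// Comparison is case-insensitive and ignores a trailing dot on either side,
// so a fully-qualified "Sub.Example.COM." matches the entry "example.com".
// Empty entries are skipped: a bare "" would otherwise turn "."+entry into
// "." and accept any zone written with a trailing dot, silently widening the
// allowlist.
func (cfg LocalDNSProviderConfig) IsAllowedZone(zone string) bool {
	if len(cfg.AllowedZones) == 0 {
		return true
	}

	want := normalizeZone(zone)
	if want == "" {
		// Nothing meaningful to compare; fail closed.
		return false
	}

	for _, entry := range cfg.AllowedZones {
		allowed := normalizeZone(entry)
		if allowed == "" {
			// An empty entry must never act as a wildcard.
			continue
		}
		if want == allowed || strings.HasSuffix(want, "."+allowed) {
			return true
		}
	}
	return false
}

// normalizeZone lower-cases a DNS name and strips one trailing dot so that
// FQDN and relative spellings of the same zone compare equal.
func normalizeZone(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, "."))
}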