Import cert-manager-webhook-linode

main.go

@@ -0,0 +1,420 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"strings"
+
+	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
+	extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"k8s.io/klog/v2"
+
+	"github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
+	"github.com/cert-manager/cert-manager/pkg/acme/webhook/cmd"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/linode/linodego"
+	"golang.org/x/oauth2"
+)
+
+// GroupName is the K8s API group
+var GroupName = os.Getenv("GROUP_NAME")
+
+// PodNamespace is the namespace of the webhook pod
+var PodNamespace = os.Getenv("POD_NAMESPACE")
+
+// PodSecretName is the name of the secret to obtain the Linode API token from
+var PodSecretName = os.Getenv("POD_SECRET_NAME")
+
+// PodSecretKey is the key of the Linode API token within the secret POD_SECRET_NAME
+var PodSecretKey = os.Getenv("POD_SECRET_KEY")
+
+func main() {
+	if GroupName == "" {
+		panic("GROUP_NAME must be specified")
+	}
+
+	// This will register our external-dns DNS provider with the webhook serving
+	// library, making it available as an API under the provided GroupName.
+	// You can register multiple DNS provider implementations with a single
+	// webhook, where the Name() method will be used to disambiguate between
+	// the different implementations.
+	cmd.RunWebhookServer(GroupName,
+		&linodeDNSProviderSolver{},
+	)
+}
+
+// linodeDNSProviderSolver implements the provider-specific logic needed to
+// 'present' an ACME challenge TXT record to Linode.
+// To do so, it must implement the `github.com/jetstack/cert-manager/pkg/acme/webhook.Solver`
+// interface.
+type linodeDNSProviderSolver struct {
+	// If a Kubernetes 'clientset' is needed, you must:
+	// 1. uncomment the additional `client` field in this structure below
+	// 2. uncomment the "k8s.io/client-go/kubernetes" import at the top of the file
+	// 3. uncomment the relevant code in the Initialize method below
+	// 4. ensure your webhook's service account has the required RBAC role
+	//    assigned to it for interacting with the Kubernetes APIs you need.
+	client *kubernetes.Clientset
+	ctx    context.Context
+}
+
+// linodeDNSProviderConfig is a structure that is used to decode into when
+// solving a DNS01 challenge.
+// This information is provided by cert-manager, and may be a reference to
+// additional configuration that's needed to solve the challenge for this
+// particular certificate or issuer.
+// This typically includes references to Secret resources containing DNS
+// provider credentials, in cases where a 'multi-tenant' DNS solver is being
+// created.
+// If you do *not* require per-issuer or per-certificate configuration to be
+// provided to your webhook, you can skip decoding altogether in favour of
+// using CLI flags or similar to provide configuration.
+// You should not include sensitive information here. If credentials need to
+// be used by your provider here, you should reference a Kubernetes Secret
+// resource and fetch these credentials using a Kubernetes clientset.
+type linodeDNSProviderConfig struct {
+	// Change the two fields below according to the format of the configuration
+	// to be decoded.
+	// These fields will be set by users in the
+	// `issuer.spec.acme.dns01.providers.webhook.config` field.
+
+	// Expect apiKeySecretRef with name: <secret name> and key: <token field in secret>
+	APIKeySecretRef cmmeta.SecretKeySelector `json:"apiKeySecretRef"`
+}
+
+// Name is used as the name for this DNS solver when referencing it on the ACME
+// Issuer resource.
+// This should be unique **within the group name**, i.e. you can have two
+// solvers configured with the same Name() **so long as they do not co-exist
+// within a single webhook deployment**.
+// For example, `cloudflare` may be used as the name of a solver.
+func (c *linodeDNSProviderSolver) Name() string {
+	return "linode"
+}
+
+// Returns a linodego Client object, with Oauth token configured
+func (c *linodeDNSProviderSolver) getLinodeClient(ch *v1alpha1.ChallengeRequest) (*linodego.Client, error) {
+	// Load config parsed from K8s
+	cfg, err := loadConfig(ch.Config)
+	if err != nil {
+		return nil, err
+	}
+
+	// Extract Linode token from K8s secret provided by config apiKeySecretRef
+	apiKey, err := c.getAPIKey(&cfg, ch.ResourceNamespace)
+	if err != nil {
+		return nil, fmt.Errorf("Failed to retrieve Linode API token from secret: %v", err)
+	}
+
+	// Create Linodego Client
+	tokenSource := oauth2.StaticTokenSource(&oauth2.Token{AccessToken: *apiKey})
+
+	oauth2Client := &http.Client{
+		Transport: &oauth2.Transport{
+			Source: tokenSource,
+		},
+	}
+
+	linodeClient := linodego.NewClient(oauth2Client)
+	linodeClient.SetUserAgent(fmt.Sprintf("cert-manager-webhook-linode/v0.2.0 linodego/%s", linodego.Version))
+
+	return &linodeClient, nil
+}
+
+// Returns all record entries in a given Linode DNS Manager zone, specified by the domain parameter
+func (c *linodeDNSProviderSolver) fetchZone(linodeClient *linodego.Client, domain string) (*linodego.Domain, error) {
+	// List domains
+	allZones, err := linodeClient.ListDomains(c.ctx, linodego.NewListOptions(0, ""))
+	if err != nil {
+		return nil, err
+	}
+
+	// Search for desired zone in domains
+	for _, zone := range allZones {
+		if zone.Domain == domain {
+			return &zone, nil
+		}
+	}
+
+	return nil, nil
+}
+
+// Returns the details of a given record entry in a given Linode DNS Manager zone, specified by the zone's ID and the record
+func (c *linodeDNSProviderSolver) fetchRecord(linodeClient *linodego.Client, zoneID int, entry string) (*linodego.DomainRecord, error) {
+	// List records in zone
+	records, err := linodeClient.ListDomainRecords(c.ctx, zoneID, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	// Find entry in zone records
+	for _, record := range records {
+		if record.Name == entry && string(record.Type) == "TXT" {
+			return &record, nil
+		}
+	}
+
+	return nil, nil
+}
+
+// Returns the details of a given record entry in Linode DNS Manager, specified by the domain and record
+// Wraper for fetchZone and fetchRecord
+func (c *linodeDNSProviderSolver) fetchZoneAndRecord(linodeClient *linodego.Client, domain string, entry string) (*linodego.Domain, *linodego.DomainRecord, error) {
+	zone, err := c.fetchZone(linodeClient, domain)
+	if err != nil {
+		return zone, nil, fmt.Errorf("Failed to fetch zone `%s`: %v", domain, err)
+	} else if zone == nil {
+		return zone, nil, fmt.Errorf("Failed to find zone for `%s`", domain)
+	}
+
+	record, err := c.fetchRecord(linodeClient, zone.ID, entry)
+	if err != nil {
+		return zone, record, fmt.Errorf("Failed to fetch record `%s` in zone `%s`: %v", entry, domain, err)
+	}
+
+	return zone, record, nil
+}
+
+// Present is responsible for actually presenting the DNS record with the
+// Linode DNS provider.
+// This method should tolerate being called multiple times with the same value.
+// cert-manager itself will later perform a self check to ensure that the
+// solver has correctly configured the DNS provider.
+func (c *linodeDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
+	klog.Infof("Presented with challenge for fqdn=%s zone=%s", ch.ResolvedFQDN, ch.ResolvedZone)
+
+	linodeClient, err := c.getLinodeClient(ch)
+	if err != nil {
+		return err
+	}
+
+	entry, domain := c.getDomainAndEntry(ch)
+
+	zone, record, err := c.fetchZoneAndRecord(linodeClient, domain, entry)
+	if err != nil {
+		return err
+	}
+
+	if record != nil {
+		// If entry already exists, update it
+		klog.Infof("Updating record for `%s` in zone `%s`", record.Name, zone.Domain)
+		_, err := linodeClient.UpdateDomainRecord(
+			c.ctx,
+			zone.ID,
+			record.ID,
+			linodego.DomainRecordUpdateOptions{
+				Name:     record.Name,
+				Target:   ch.Key,
+				Type:     linodego.RecordTypeTXT,
+				Weight:   getWeight(),
+				Port:     getPort(),
+				Priority: getPriority(),
+				TTLSec:   180,
+			})
+		if err != nil {
+			return fmt.Errorf("Failed to update record: %v", err)
+		}
+	} else {
+		// Create if it does not exist
+		klog.Infof("Creating new record `%s` in zone `%s`", entry, zone.Domain)
+		_, err := linodeClient.CreateDomainRecord(
+			c.ctx,
+			zone.ID,
+			linodego.DomainRecordCreateOptions{
+				Name:     entry,
+				Target:   ch.Key,
+				Type:     linodego.RecordTypeTXT,
+				Weight:   getWeight(),
+				Port:     getPort(),
+				Priority: getPriority(),
+				TTLSec:   180,
+			})
+		if err != nil {
+			return fmt.Errorf("Failed to create record: %v", err)
+		}
+	}
+
+	return nil
+}
+
+// Pointer int wrappers
+func getWeight() *int {
+	weight := 1
+	return &weight
+}
+
+func getPort() *int {
+	port := 0
+	return &port
+}
+
+func getPriority() *int {
+	priority := 0
+	return &priority
+}
+
+// CleanUp should delete the relevant TXT record from the DNS provider console.
+// If multiple TXT records exist with the same record name (e.g.
+// _acme-challenge.example.com) then **only** the record with the same `key`
+// value provided on the ChallengeRequest should be cleaned up.
+// This is in order to facilitate multiple DNS validations for the same domain
+// concurrently.
+func (c *linodeDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
+	klog.Infof("Cleaning up challenge for fqdn=%s zone=%s", ch.ResolvedFQDN, ch.ResolvedZone)
+
+	linodeClient, err := c.getLinodeClient(ch)
+	if err != nil {
+		return err
+	}
+
+	entry, domain := c.getDomainAndEntry(ch)
+
+	zone, record, err := c.fetchZoneAndRecord(linodeClient, domain, entry)
+	if err != nil {
+		return err
+	}
+
+	if record != nil {
+		// If entry already exists, delete it
+		klog.Infof("Deleting record `%s` from zone `%s`", record.Name, zone.Domain)
+		err := linodeClient.DeleteDomainRecord(c.ctx, zone.ID, record.ID)
+		if err != nil {
+			return fmt.Errorf("Failed to delete record: %v", err)
+		}
+	}
+
+	return nil
+}
+
+// Initialize will be called when the webhook first starts.
+// This method can be used to instantiate the webhook, i.e. initialising
+// connections or warming up caches.
+// Typically, the kubeClientConfig parameter is used to build a Kubernetes
+// client that can be used to fetch resources from the Kubernetes API, e.g.
+// Secret resources containing credentials used to authenticate with DNS
+// provider accounts.
+// The stopCh can be used to handle early termination of the webhook, in cases
+// where a SIGTERM or similar signal is sent to the webhook process.
+func (c *linodeDNSProviderSolver) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error {
+	klog.Info("Initializing")
+
+	// Make a Kubernetes clientset available
+	var err error
+	c.client, err = kubernetes.NewForConfig(kubeClientConfig)
+	if err != nil {
+		return err
+	}
+
+	// Make context
+	c.ctx = context.Background()
+
+	return nil
+}
+
+// Returns a given data key from a given secret as a string
+func (c *linodeDNSProviderSolver) stringFromSecret(namespace, secretName, key string) (*string, error) {
+	// Get secret
+	secret, err := c.client.CoreV1().Secrets(namespace).Get(c.ctx,
+		secretName, metav1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	// Extract token from secret
+	tokenBinary, ok := secret.Data[key]
+	if !ok {
+		return nil, fmt.Errorf("Key `%q` not found in secret `%s/%s`",
+			key, namespace, secretName)
+	}
+
+	token := string(tokenBinary)
+	return &token, nil
+}
+
+func (c *linodeDNSProviderSolver) certNamespaceToken(namespace string, secretRef cmmeta.SecretKeySelector) (*string, error) {
+	if secretRef.LocalObjectReference.Name == "" {
+		return nil, fmt.Errorf("Linode API token secret in certificate namespace not specified")
+	}
+
+	token, err := c.stringFromSecret(namespace, secretRef.LocalObjectReference.Name, secretRef.Key)
+	if err != nil {
+		return nil, err
+	}
+
+	return token, nil
+}
+
+func (c *linodeDNSProviderSolver) podNamespaceToken() (*string, error) {
+	// Get pod namespace
+	namespace := PodNamespace
+	if namespace == "" {
+		data, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
+		if err != nil {
+			return nil, fmt.Errorf("Failed to find the webhook pod namespace: %v", err)
+		}
+		namespace = strings.TrimSpace(string(data))
+		if len(namespace) == 0 {
+			return nil, fmt.Errorf("Invalid webhook pod namespace provided")
+		}
+	}
+
+	// Get secret
+	token, err := c.stringFromSecret(namespace, PodSecretName, PodSecretKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return token, nil
+}
+
+// Get Linode API token from Kubernetes secret.
+func (c *linodeDNSProviderSolver) getAPIKey(cfg *linodeDNSProviderConfig, namespace string) (*string, error) {
+	// Get token from secret in the same namespace as the certificate if possible
+	token, err := c.certNamespaceToken(namespace, cfg.APIKeySecretRef)
+	if err == nil {
+		return token, nil
+	}
+
+	// Fallback to default secret in the same namespace as the webhook pod
+	klog.Infof("Failed to use certificate namespace Linode API token secret: %v", err)
+	klog.Info("Trying webhook pod namespace Linode API token secret")
+	token, err = c.podNamespaceToken()
+	if err == nil {
+		return token, nil
+	}
+
+	return nil, fmt.Errorf("Failed to read Linode API token secret: %v", err)
+}
+
+// loadConfig is a small helper function that decodes JSON configuration into
+// the typed config struct.
+func loadConfig(cfgJSON *extapi.JSON) (linodeDNSProviderConfig, error) {
+	cfg := linodeDNSProviderConfig{}
+	// handle the 'base case' where no configuration has been provided
+	if cfgJSON == nil {
+		return cfg, nil
+	}
+	if err := json.Unmarshal(cfgJSON.Raw, &cfg); err != nil {
+		return cfg, fmt.Errorf("error decoding solver config: %v", err)
+	}
+
+	return cfg, nil
+}
+
+func (c *linodeDNSProviderSolver) getDomainAndEntry(ch *v1alpha1.ChallengeRequest) (string, string) {
+	// Strip the zone from the fqdn to yield the entry (subdomain)
+	entry := strings.TrimSuffix(ch.ResolvedFQDN, ch.ResolvedZone)
+	entry = strings.TrimSuffix(entry, ".") // Also remove any stray .
+
+	// Remove trailing . from domain
+	domain := strings.TrimSuffix(ch.ResolvedZone, ".")
+
+	return entry, domain
+}