diff --git a/.github/workflows/docker-publish.yaml b/.github/workflows/docker-publish.yaml new file mode 100644 index 0000000..4c8157b --- /dev/null +++ b/.github/workflows/docker-publish.yaml @@ -0,0 +1,54 @@ +name: Publish docker images + +on: + push: + branches: + - "main" + tags: + - "v*" + pull_request: + branches: + - "main" + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + +jobs: + docker-publish: + runs-on: ubuntu-latest + + permissions: + contents: read + packages: write + + outputs: + tags: ${{ steps.meta.outputs.tags }} + + steps: + - uses: actions/checkout@v4 + + - name: Log in to the Container registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Generate docker tags/labels from github build context + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=ref,event=branch + type=ref,event=pr + type=semver,pattern=v{{version}} + + - name: Build and push Docker image + uses: docker/build-push-action@v5 + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} diff --git a/.github/workflows/helm-publish.yaml b/.github/workflows/helm-publish.yaml new file mode 100644 index 0000000..0a4ed40 --- /dev/null +++ b/.github/workflows/helm-publish.yaml @@ -0,0 +1,40 @@ +name: Publish helm chart +permissions: read-all +on: + push: + tags: + - "v*" + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + publish-helm-oci: + runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + packages: write + outputs: + chart-digest: ${{ steps.helm_publish.outputs.digest }} + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: "Extract Version" + id: extract_version + run: | + GIT_TAG=${GITHUB_REF##*/} + VERSION=${GIT_TAG##*v} + echo "version=$(echo $VERSION)" >> $GITHUB_OUTPUT + - name: Helm | Publish + id: helm_publish + uses: peak-scale/github-actions/helm-oci-chart@38322faabccd75abfa581c435e367d446b6d2c3b # v0.1.0 + with: + registry: ghcr.io + repository: ${{ github.repository_owner }}/charts + name: "cert-manager-webhook-pinax" + version: ${{ steps.extract_version.outputs.version }} + app-version: ${{ steps.extract_version.outputs.version }} + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + update-dependencies: "true" # Defaults to false diff --git a/Makefile b/Makefile index 9d3dc55..3cfb31c 100644 --- a/Makefile +++ b/Makefile @@ -2,14 +2,14 @@ GO ?= $(shell which go) OS ?= $(shell $(GO) env GOOS) ARCH ?= $(shell $(GO) env GOARCH) -IMAGE_NAME := "webhook" +IMAGE_NAME := "localhost:5000/cert-manager-webhook-pinax" IMAGE_TAG := "latest" OUT := $(shell pwd)/_out KUBEBUILDER_VERSION=1.28.0 -HELM_FILES := $(shell find deploy/example-webhook) +HELM_FILES := $(shell find deploy/cert-manager-webhook-pinax) test: _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/etcd _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/kube-apiserver _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/kubectl TEST_ASSET_ETCD=_test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH)/etcd \ @@ -36,10 +36,10 @@ rendered-manifest.yaml: $(OUT)/rendered-manifest.yaml $(OUT)/rendered-manifest.yaml: $(HELM_FILES) | $(OUT) helm template \ - --name example-webhook \ + --name cert-manager-webhook-pinax \ --set image.repository=$(IMAGE_NAME) \ --set image.tag=$(IMAGE_TAG) \ - deploy/example-webhook > $@ + deploy/cert-manager-webhook-pinax > $@ _test $(OUT) _test/kubebuilder-$(KUBEBUILDER_VERSION)-$(OS)-$(ARCH): mkdir -p $@ diff --git a/OWNERS b/OWNERS deleted file mode 100644 index c0d7290..0000000 --- a/OWNERS +++ /dev/null @@ -1,16 +0,0 @@ -approvers: -- munnerz -- joshvanl -- wallrj -- jakexks -- maelvls -- irbekrm -- inteon -reviewers: -- munnerz -- joshvanl -- wallrj -- jakexks -- maelvls -- irbekrm -- inteon diff --git a/deploy/example-webhook/.helmignore b/charts/cert-manager-webhook-pinax/.helmignore similarity index 100% rename from deploy/example-webhook/.helmignore rename to charts/cert-manager-webhook-pinax/.helmignore diff --git a/charts/cert-manager-webhook-pinax/Chart.yaml b/charts/cert-manager-webhook-pinax/Chart.yaml new file mode 100644 index 0000000..c677ee0 --- /dev/null +++ b/charts/cert-manager-webhook-pinax/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +appVersion: "1.0" +description: A Helm chart for the custom Pinax's cert-manager webhook +name: cert-manager-webhook-pinax +version: 0.1.0 diff --git a/deploy/example-webhook/templates/NOTES.txt b/charts/cert-manager-webhook-pinax/templates/NOTES.txt similarity index 100% rename from deploy/example-webhook/templates/NOTES.txt rename to charts/cert-manager-webhook-pinax/templates/NOTES.txt diff --git a/deploy/example-webhook/templates/_helpers.tpl b/charts/cert-manager-webhook-pinax/templates/_helpers.tpl similarity index 59% rename from deploy/example-webhook/templates/_helpers.tpl rename to charts/cert-manager-webhook-pinax/templates/_helpers.tpl index d3c474b..3c69102 100644 --- a/deploy/example-webhook/templates/_helpers.tpl +++ b/charts/cert-manager-webhook-pinax/templates/_helpers.tpl @@ -2,7 +2,7 @@ {{/* Expand the name of the chart. */}} -{{- define "example-webhook.name" -}} +{{- define "cert-manager-webhook-pinax.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} @@ -11,7 +11,7 @@ Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). If release name contains chart name it will be used as a full name. */}} -{{- define "example-webhook.fullname" -}} +{{- define "cert-manager-webhook-pinax.fullname" -}} {{- if .Values.fullnameOverride -}} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} {{- else -}} @@ -27,22 +27,22 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "example-webhook.chart" -}} +{{- define "cert-manager-webhook-pinax.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} -{{- define "example-webhook.selfSignedIssuer" -}} -{{ printf "%s-selfsign" (include "example-webhook.fullname" .) }} +{{- define "cert-manager-webhook-pinax.selfSignedIssuer" -}} +{{ printf "%s-selfsign" (include "cert-manager-webhook-pinax.fullname" .) }} {{- end -}} -{{- define "example-webhook.rootCAIssuer" -}} -{{ printf "%s-ca" (include "example-webhook.fullname" .) }} +{{- define "cert-manager-webhook-pinax.rootCAIssuer" -}} +{{ printf "%s-ca" (include "cert-manager-webhook-pinax.fullname" .) }} {{- end -}} -{{- define "example-webhook.rootCACertificate" -}} -{{ printf "%s-ca" (include "example-webhook.fullname" .) }} +{{- define "cert-manager-webhook-pinax.rootCACertificate" -}} +{{ printf "%s-ca" (include "cert-manager-webhook-pinax.fullname" .) }} {{- end -}} -{{- define "example-webhook.servingCertificate" -}} -{{ printf "%s-webhook-tls" (include "example-webhook.fullname" .) }} +{{- define "cert-manager-webhook-pinax.servingCertificate" -}} +{{ printf "%s-webhook-tls" (include "cert-manager-webhook-pinax.fullname" .) }} {{- end -}} diff --git a/deploy/example-webhook/templates/apiservice.yaml b/charts/cert-manager-webhook-pinax/templates/apiservice.yaml similarity index 63% rename from deploy/example-webhook/templates/apiservice.yaml rename to charts/cert-manager-webhook-pinax/templates/apiservice.yaml index 4f6d5ce..802a3ea 100644 --- a/deploy/example-webhook/templates/apiservice.yaml +++ b/charts/cert-manager-webhook-pinax/templates/apiservice.yaml @@ -3,17 +3,17 @@ kind: APIService metadata: name: v1alpha1.{{ .Values.groupName }} labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "cert-manager-webhook-pinax.name" . }} + chart: {{ include "cert-manager-webhook-pinax.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} annotations: - cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "example-webhook.servingCertificate" . }}" + cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "cert-manager-webhook-pinax.servingCertificate" . }}" spec: group: {{ .Values.groupName }} groupPriorityMinimum: 1000 versionPriority: 15 service: - name: {{ include "example-webhook.fullname" . }} + name: {{ include "cert-manager-webhook-pinax.fullname" . }} namespace: {{ .Release.Namespace }} version: v1alpha1 diff --git a/deploy/example-webhook/templates/deployment.yaml b/charts/cert-manager-webhook-pinax/templates/deployment.yaml similarity index 77% rename from deploy/example-webhook/templates/deployment.yaml rename to charts/cert-manager-webhook-pinax/templates/deployment.yaml index 057cc42..f44f8da 100644 --- a/deploy/example-webhook/templates/deployment.yaml +++ b/charts/cert-manager-webhook-pinax/templates/deployment.yaml @@ -1,26 +1,26 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "example-webhook.fullname" . }} + name: {{ include "cert-manager-webhook-pinax.fullname" . }} namespace: {{ .Release.Namespace | quote }} labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "cert-manager-webhook-pinax.name" . }} + chart: {{ include "cert-manager-webhook-pinax.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} spec: replicas: {{ .Values.replicaCount }} selector: matchLabels: - app: {{ include "example-webhook.name" . }} + app: {{ include "cert-manager-webhook-pinax.name" . }} release: {{ .Release.Name }} template: metadata: labels: - app: {{ include "example-webhook.name" . }} + app: {{ include "cert-manager-webhook-pinax.name" . }} release: {{ .Release.Name }} spec: - serviceAccountName: {{ include "example-webhook.fullname" . }} + serviceAccountName: {{ include "cert-manager-webhook-pinax.fullname" . }} containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" @@ -54,7 +54,7 @@ spec: volumes: - name: certs secret: - secretName: {{ include "example-webhook.servingCertificate" . }} + secretName: {{ include "cert-manager-webhook-pinax.servingCertificate" . }} {{- with .Values.nodeSelector }} nodeSelector: {{ toYaml . | indent 8 }} diff --git a/charts/cert-manager-webhook-pinax/templates/pki.yaml b/charts/cert-manager-webhook-pinax/templates/pki.yaml new file mode 100644 index 0000000..a5f0a31 --- /dev/null +++ b/charts/cert-manager-webhook-pinax/templates/pki.yaml @@ -0,0 +1,76 @@ +--- +# Create a selfsigned Issuer, in order to create a root CA certificate for +# signing webhook serving certificates +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ include "cert-manager-webhook-pinax.selfSignedIssuer" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "cert-manager-webhook-pinax.name" . }} + chart: {{ include "cert-manager-webhook-pinax.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + selfSigned: {} + +--- + +# Generate a CA Certificate used to sign certificates for the webhook +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "cert-manager-webhook-pinax.rootCACertificate" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "cert-manager-webhook-pinax.name" . }} + chart: {{ include "cert-manager-webhook-pinax.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + secretName: {{ include "cert-manager-webhook-pinax.rootCACertificate" . }} + duration: 43800h # 5y + issuerRef: + name: {{ include "cert-manager-webhook-pinax.selfSignedIssuer" . }} + commonName: "ca.cert-manager-webhook-pinax.cert-manager" + isCA: true + +--- + +# Create an Issuer that uses the above generated CA certificate to issue certs +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ include "cert-manager-webhook-pinax.rootCAIssuer" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "cert-manager-webhook-pinax.name" . }} + chart: {{ include "cert-manager-webhook-pinax.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + ca: + secretName: {{ include "cert-manager-webhook-pinax.rootCACertificate" . }} + +--- + +# Finally, generate a serving certificate for the webhook to use +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "cert-manager-webhook-pinax.servingCertificate" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "cert-manager-webhook-pinax.name" . }} + chart: {{ include "cert-manager-webhook-pinax.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + secretName: {{ include "cert-manager-webhook-pinax.servingCertificate" . }} + duration: 8760h # 1y + issuerRef: + name: {{ include "cert-manager-webhook-pinax.rootCAIssuer" . }} + dnsNames: + - {{ include "cert-manager-webhook-pinax.fullname" . }} + - {{ include "cert-manager-webhook-pinax.fullname" . }}.{{ .Release.Namespace }} + - {{ include "cert-manager-webhook-pinax.fullname" . }}.{{ .Release.Namespace }}.svc diff --git a/deploy/example-webhook/templates/rbac.yaml b/charts/cert-manager-webhook-pinax/templates/rbac.yaml similarity index 61% rename from deploy/example-webhook/templates/rbac.yaml rename to charts/cert-manager-webhook-pinax/templates/rbac.yaml index 605fcf5..27245fa 100644 --- a/deploy/example-webhook/templates/rbac.yaml +++ b/charts/cert-manager-webhook-pinax/templates/rbac.yaml @@ -1,11 +1,11 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "example-webhook.fullname" . }} + name: {{ include "cert-manager-webhook-pinax.fullname" . }} namespace: {{ .Release.Namespace | quote }} labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "cert-manager-webhook-pinax.name" . }} + chart: {{ include "cert-manager-webhook-pinax.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} --- @@ -15,11 +15,11 @@ metadata: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ include "example-webhook.fullname" . }}:webhook-authentication-reader + name: {{ include "cert-manager-webhook-pinax.fullname" . }}:webhook-authentication-reader namespace: kube-system labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "cert-manager-webhook-pinax.name" . }} + chart: {{ include "cert-manager-webhook-pinax.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} roleRef: @@ -29,7 +29,7 @@ roleRef: subjects: - apiGroup: "" kind: ServiceAccount - name: {{ include "example-webhook.fullname" . }} + name: {{ include "cert-manager-webhook-pinax.fullname" . }} namespace: {{ .Release.Namespace }} --- # apiserver gets the auth-delegator role to delegate auth decisions to @@ -37,10 +37,10 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ include "example-webhook.fullname" . }}:auth-delegator + name: {{ include "cert-manager-webhook-pinax.fullname" . }}:auth-delegator labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "cert-manager-webhook-pinax.name" . }} + chart: {{ include "cert-manager-webhook-pinax.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} roleRef: @@ -50,17 +50,17 @@ roleRef: subjects: - apiGroup: "" kind: ServiceAccount - name: {{ include "example-webhook.fullname" . }} + name: {{ include "cert-manager-webhook-pinax.fullname" . }} namespace: {{ .Release.Namespace }} --- # Grant cert-manager permission to validate using our apiserver apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ include "example-webhook.fullname" . }}:domain-solver + name: {{ include "cert-manager-webhook-pinax.fullname" . }}:domain-solver labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "cert-manager-webhook-pinax.name" . }} + chart: {{ include "cert-manager-webhook-pinax.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} rules: @@ -74,16 +74,16 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ include "example-webhook.fullname" . }}:domain-solver + name: {{ include "cert-manager-webhook-pinax.fullname" . }}:domain-solver labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} + app: {{ include "cert-manager-webhook-pinax.name" . }} + chart: {{ include "cert-manager-webhook-pinax.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ include "example-webhook.fullname" . }}:domain-solver + name: {{ include "cert-manager-webhook-pinax.fullname" . }}:domain-solver subjects: - apiGroup: "" kind: ServiceAccount diff --git a/charts/cert-manager-webhook-pinax/templates/service.yaml b/charts/cert-manager-webhook-pinax/templates/service.yaml new file mode 100644 index 0000000..38c9657 --- /dev/null +++ b/charts/cert-manager-webhook-pinax/templates/service.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + name: { { include "cert-manager-webhook-pinax.fullname" . } } + namespace: { { .Release.Namespace | quote } } + labels: + app: { { include "cert-manager-webhook-pinax.name" . } } + chart: { { include "cert-manager-webhook-pinax.chart" . } } + release: { { .Release.Name } } + heritage: { { .Release.Service } } +spec: + type: { { .Values.service.type } } + ports: + - port: { { .Values.service.port } } + targetPort: https + protocol: TCP + name: https + selector: + app: { { include "cert-manager-webhook-pinax.name" . } } + release: { { .Release.Name } } diff --git a/charts/cert-manager-webhook-pinax/values.yaml b/charts/cert-manager-webhook-pinax/values.yaml new file mode 100644 index 0000000..e1d44ae --- /dev/null +++ b/charts/cert-manager-webhook-pinax/values.yaml @@ -0,0 +1,25 @@ +groupName: acme.pinax.io + +certManager: + namespace: cert-manager + serviceAccountName: cert-manager + +image: + repository: ghcr.io/pinax-network/cert-manager-webhook-pinax + tag: latest + pullPolicy: IfNotPresent + +nameOverride: "" +fullnameOverride: "" + +service: + type: ClusterIP + port: 443 + +resources: {} + +nodeSelector: {} + +tolerations: [] + +affinity: {} diff --git a/deploy/example-webhook/Chart.yaml b/deploy/example-webhook/Chart.yaml deleted file mode 100644 index 77c6ead..0000000 --- a/deploy/example-webhook/Chart.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -appVersion: "1.0" -description: A Helm chart for Kubernetes -name: example-webhook -version: 0.1.0 diff --git a/deploy/example-webhook/templates/pki.yaml b/deploy/example-webhook/templates/pki.yaml deleted file mode 100644 index b4b4c23..0000000 --- a/deploy/example-webhook/templates/pki.yaml +++ /dev/null @@ -1,76 +0,0 @@ ---- -# Create a selfsigned Issuer, in order to create a root CA certificate for -# signing webhook serving certificates -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: {{ include "example-webhook.selfSignedIssuer" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - selfSigned: {} - ---- - -# Generate a CA Certificate used to sign certificates for the webhook -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ include "example-webhook.rootCACertificate" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - secretName: {{ include "example-webhook.rootCACertificate" . }} - duration: 43800h # 5y - issuerRef: - name: {{ include "example-webhook.selfSignedIssuer" . }} - commonName: "ca.example-webhook.cert-manager" - isCA: true - ---- - -# Create an Issuer that uses the above generated CA certificate to issue certs -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: {{ include "example-webhook.rootCAIssuer" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - ca: - secretName: {{ include "example-webhook.rootCACertificate" . }} - ---- - -# Finally, generate a serving certificate for the webhook to use -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ include "example-webhook.servingCertificate" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - secretName: {{ include "example-webhook.servingCertificate" . }} - duration: 8760h # 1y - issuerRef: - name: {{ include "example-webhook.rootCAIssuer" . }} - dnsNames: - - {{ include "example-webhook.fullname" . }} - - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }} - - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}.svc diff --git a/deploy/example-webhook/templates/service.yaml b/deploy/example-webhook/templates/service.yaml deleted file mode 100644 index a76ddc7..0000000 --- a/deploy/example-webhook/templates/service.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "example-webhook.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - targetPort: https - protocol: TCP - name: https - selector: - app: {{ include "example-webhook.name" . }} - release: {{ .Release.Name }} diff --git a/deploy/example-webhook/values.yaml b/deploy/example-webhook/values.yaml deleted file mode 100644 index 31eb151..0000000 --- a/deploy/example-webhook/values.yaml +++ /dev/null @@ -1,43 +0,0 @@ -# The GroupName here is used to identify your company or business unit that -# created this webhook. -# For example, this may be "acme.mycompany.com". -# This name will need to be referenced in each Issuer's `webhook` stanza to -# inform cert-manager of where to send ChallengePayload resources in order to -# solve the DNS01 challenge. -# This group name should be **unique**, hence using your own company's domain -# here is recommended. -groupName: acme.mycompany.com - -certManager: - namespace: cert-manager - serviceAccountName: cert-manager - -image: - repository: mycompany/webhook-image - tag: latest - pullPolicy: IfNotPresent - -nameOverride: "" -fullnameOverride: "" - -service: - type: ClusterIP - port: 443 - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -nodeSelector: {} - -tolerations: [] - -affinity: {} diff --git a/example/dns.go b/example/dns.go deleted file mode 100644 index e29597e..0000000 --- a/example/dns.go +++ /dev/null @@ -1,69 +0,0 @@ -package example - -import ( - "fmt" - - "github.com/miekg/dns" -) - -func (e *exampleSolver) handleDNSRequest(w dns.ResponseWriter, req *dns.Msg) { - msg := new(dns.Msg) - msg.SetReply(req) - switch req.Opcode { - case dns.OpcodeQuery: - for _, q := range msg.Question { - if err := e.addDNSAnswer(q, msg, req); err != nil { - msg.SetRcode(req, dns.RcodeServerFailure) - break - } - } - } - w.WriteMsg(msg) -} - -func (e *exampleSolver) addDNSAnswer(q dns.Question, msg *dns.Msg, req *dns.Msg) error { - switch q.Qtype { - // Always return loopback for any A query - case dns.TypeA: - rr, err := dns.NewRR(fmt.Sprintf("%s 5 IN A 127.0.0.1", q.Name)) - if err != nil { - return err - } - msg.Answer = append(msg.Answer, rr) - return nil - - // TXT records are the only important record for ACME dns-01 challenges - case dns.TypeTXT: - e.RLock() - record, found := e.txtRecords[q.Name] - e.RUnlock() - if !found { - msg.SetRcode(req, dns.RcodeNameError) - return nil - } - rr, err := dns.NewRR(fmt.Sprintf("%s 5 IN TXT %s", q.Name, record)) - if err != nil { - return err - } - msg.Answer = append(msg.Answer, rr) - return nil - - // NS and SOA are for authoritative lookups, return obviously invalid data - case dns.TypeNS: - rr, err := dns.NewRR(fmt.Sprintf("%s 5 IN NS ns.example-acme-webook.invalid.", q.Name)) - if err != nil { - return err - } - msg.Answer = append(msg.Answer, rr) - return nil - case dns.TypeSOA: - rr, err := dns.NewRR(fmt.Sprintf("%s 5 IN SOA %s 20 5 5 5 5", "ns.example-acme-webook.invalid.", "ns.example-acme-webook.invalid.")) - if err != nil { - return err - } - msg.Answer = append(msg.Answer, rr) - return nil - default: - return fmt.Errorf("unimplemented record type %v", q.Qtype) - } -} diff --git a/example/example.go b/example/example.go deleted file mode 100644 index 8cfe59e..0000000 --- a/example/example.go +++ /dev/null @@ -1,68 +0,0 @@ -// package example contains a self-contained example of a webhook that passes the cert-manager -// DNS conformance tests -package example - -import ( - "fmt" - "os" - "sync" - - "github.com/cert-manager/cert-manager/pkg/acme/webhook" - acme "github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1" - "github.com/miekg/dns" - "k8s.io/client-go/rest" -) - -type exampleSolver struct { - name string - server *dns.Server - txtRecords map[string]string - sync.RWMutex -} - -func (e *exampleSolver) Name() string { - return e.name -} - -func (e *exampleSolver) Present(ch *acme.ChallengeRequest) error { - e.Lock() - e.txtRecords[ch.ResolvedFQDN] = ch.Key - e.Unlock() - return nil -} - -func (e *exampleSolver) CleanUp(ch *acme.ChallengeRequest) error { - e.Lock() - delete(e.txtRecords, ch.ResolvedFQDN) - e.Unlock() - return nil -} - -func (e *exampleSolver) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error { - go func(done <-chan struct{}) { - <-done - if err := e.server.Shutdown(); err != nil { - fmt.Fprintf(os.Stderr, "%s\n", err.Error()) - } - }(stopCh) - go func() { - if err := e.server.ListenAndServe(); err != nil { - fmt.Fprintf(os.Stderr, "%s\n", err.Error()) - os.Exit(1) - } - }() - return nil -} - -func New(port string) webhook.Solver { - e := &exampleSolver{ - name: "example", - txtRecords: make(map[string]string), - } - e.server = &dns.Server{ - Addr: ":" + port, - Net: "udp", - Handler: dns.HandlerFunc(e.handleDNSRequest), - } - return e -} diff --git a/example/example_test.go b/example/example_test.go deleted file mode 100644 index ef4dde3..0000000 --- a/example/example_test.go +++ /dev/null @@ -1,96 +0,0 @@ -package example - -import ( - "crypto/rand" - "math/big" - "testing" - - acme "github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1" - "github.com/miekg/dns" - "github.com/stretchr/testify/assert" -) - -func TestExampleSolver_Name(t *testing.T) { - port, _ := rand.Int(rand.Reader, big.NewInt(50000)) - port = port.Add(port, big.NewInt(15534)) - solver := New(port.String()) - assert.Equal(t, "example", solver.Name()) -} - -func TestExampleSolver_Initialize(t *testing.T) { - port, _ := rand.Int(rand.Reader, big.NewInt(50000)) - port = port.Add(port, big.NewInt(15534)) - solver := New(port.String()) - done := make(chan struct{}) - err := solver.Initialize(nil, done) - assert.NoError(t, err, "Expected Initialize not to error") - close(done) -} - -func TestExampleSolver_Present_Cleanup(t *testing.T) { - port, _ := rand.Int(rand.Reader, big.NewInt(50000)) - port = port.Add(port, big.NewInt(15534)) - solver := New(port.String()) - done := make(chan struct{}) - err := solver.Initialize(nil, done) - assert.NoError(t, err, "Expected Initialize not to error") - - validTestData := []struct { - hostname string - record string - }{ - {"test1.example.com.", "testkey1"}, - {"test2.example.com.", "testkey2"}, - {"test3.example.com.", "testkey3"}, - } - for _, test := range validTestData { - err := solver.Present(&acme.ChallengeRequest{ - Action: acme.ChallengeActionPresent, - Type: "dns-01", - ResolvedFQDN: test.hostname, - Key: test.record, - }) - assert.NoError(t, err, "Unexpected error while presenting %v", t) - } - - // Resolve test data - for _, test := range validTestData { - msg := new(dns.Msg) - msg.Id = dns.Id() - msg.RecursionDesired = true - msg.Question = make([]dns.Question, 1) - msg.Question[0] = dns.Question{dns.Fqdn(test.hostname), dns.TypeTXT, dns.ClassINET} - in, err := dns.Exchange(msg, "127.0.0.1:"+port.String()) - - assert.NoError(t, err, "Presented record %s not resolvable", test.hostname) - assert.Len(t, in.Answer, 1, "RR response is of incorrect length") - assert.Equal(t, []string{test.record}, in.Answer[0].(*dns.TXT).Txt, "TXT record returned did not match presented record") - } - - // Cleanup test data - for _, test := range validTestData { - err := solver.CleanUp(&acme.ChallengeRequest{ - Action: acme.ChallengeActionCleanUp, - Type: "dns-01", - ResolvedFQDN: test.hostname, - Key: test.record, - }) - assert.NoError(t, err, "Unexpected error while cleaning up %v", t) - } - - // Resolve test data - for _, test := range validTestData { - msg := new(dns.Msg) - msg.Id = dns.Id() - msg.RecursionDesired = true - msg.Question = make([]dns.Question, 1) - msg.Question[0] = dns.Question{dns.Fqdn(test.hostname), dns.TypeTXT, dns.ClassINET} - in, err := dns.Exchange(msg, "127.0.0.1:"+port.String()) - - assert.NoError(t, err, "Presented record %s not resolvable", test.hostname) - assert.Len(t, in.Answer, 0, "RR response is of incorrect length") - assert.Equal(t, dns.RcodeNameError, in.Rcode, "Expexted NXDOMAIN") - } - - close(done) -} diff --git a/go.mod b/go.mod index 83744cb..167acb4 100644 --- a/go.mod +++ b/go.mod @@ -1,12 +1,9 @@ -module github.com/cert-manager/webhook-example +module github.com/pinax-network/cert-manager-webhook-pinax go 1.22.0 require ( github.com/cert-manager/cert-manager v1.15.1 - github.com/miekg/dns v1.1.61 - github.com/stretchr/testify v1.9.0 - k8s.io/apiextensions-apiserver v0.30.2 k8s.io/client-go v0.30.2 ) @@ -51,7 +48,6 @@ require ( github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/prometheus/client_golang v1.18.0 // indirect github.com/prometheus/client_model v0.6.1 // indirect github.com/prometheus/common v0.46.0 // indirect @@ -75,7 +71,6 @@ require ( go.uber.org/zap v1.27.0 // indirect golang.org/x/crypto v0.24.0 // indirect golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect - golang.org/x/mod v0.18.0 // indirect golang.org/x/net v0.26.0 // indirect golang.org/x/oauth2 v0.20.0 // indirect golang.org/x/sync v0.7.0 // indirect @@ -94,6 +89,7 @@ require ( gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/api v0.30.2 // indirect + k8s.io/apiextensions-apiserver v0.30.2 // indirect k8s.io/apimachinery v0.30.2 // indirect k8s.io/apiserver v0.30.2 // indirect k8s.io/component-base v0.30.2 // indirect diff --git a/go.sum b/go.sum index 52239a3..b6f905b 100644 --- a/go.sum +++ b/go.sum @@ -104,8 +104,6 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/miekg/dns v1.1.61 h1:nLxbwF3XxhwVSm8g9Dghm9MHPaUZuqhPiGL+675ZmEs= -github.com/miekg/dns v1.1.61/go.mod h1:mnAarhS3nWaW+NVP2wTkYVIZyHNJ098SJZUki3eykwQ= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= @@ -207,8 +205,6 @@ golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJ golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= -golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= diff --git a/main.go b/main.go index 969e6d2..3aff9a3 100644 --- a/main.go +++ b/main.go @@ -1,146 +1,44 @@ package main import ( - "encoding/json" - "fmt" + "log" "os" - extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" - "k8s.io/client-go/rest" - - "github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1" + acme "github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1" "github.com/cert-manager/cert-manager/pkg/acme/webhook/cmd" + "k8s.io/client-go/rest" ) var GroupName = os.Getenv("GROUP_NAME") func main() { - if GroupName == "" { - panic("GROUP_NAME must be specified") - } - - // This will register our custom DNS provider with the webhook serving - // library, making it available as an API under the provided GroupName. - // You can register multiple DNS provider implementations with a single - // webhook, where the Name() method will be used to disambiguate between - // the different implementations. cmd.RunWebhookServer(GroupName, - &customDNSProviderSolver{}, + &exampleSolver{ + name: "pinax-webhook-solver", + }, ) } -// customDNSProviderSolver implements the provider-specific logic needed to -// 'present' an ACME challenge TXT record for your own DNS provider. -// To do so, it must implement the `github.com/cert-manager/cert-manager/pkg/acme/webhook.Solver` -// interface. -type customDNSProviderSolver struct { - // If a Kubernetes 'clientset' is needed, you must: - // 1. uncomment the additional `client` field in this structure below - // 2. uncomment the "k8s.io/client-go/kubernetes" import at the top of the file - // 3. uncomment the relevant code in the Initialize method below - // 4. ensure your webhook's service account has the required RBAC role - // assigned to it for interacting with the Kubernetes APIs you need. - //client kubernetes.Clientset -} - -// customDNSProviderConfig is a structure that is used to decode into when -// solving a DNS01 challenge. -// This information is provided by cert-manager, and may be a reference to -// additional configuration that's needed to solve the challenge for this -// particular certificate or issuer. -// This typically includes references to Secret resources containing DNS -// provider credentials, in cases where a 'multi-tenant' DNS solver is being -// created. -// If you do *not* require per-issuer or per-certificate configuration to be -// provided to your webhook, you can skip decoding altogether in favour of -// using CLI flags or similar to provide configuration. -// You should not include sensitive information here. If credentials need to -// be used by your provider here, you should reference a Kubernetes Secret -// resource and fetch these credentials using a Kubernetes clientset. -type customDNSProviderConfig struct { - // Change the two fields below according to the format of the configuration - // to be decoded. - // These fields will be set by users in the - // `issuer.spec.acme.dns01.providers.webhook.config` field. - - //Email string `json:"email"` - //APIKeySecretRef v1alpha1.SecretKeySelector `json:"apiKeySecretRef"` +type exampleSolver struct { + name string } -// Name is used as the name for this DNS solver when referencing it on the ACME -// Issuer resource. -// This should be unique **within the group name**, i.e. you can have two -// solvers configured with the same Name() **so long as they do not co-exist -// within a single webhook deployment**. -// For example, `cloudflare` may be used as the name of a solver. -func (c *customDNSProviderSolver) Name() string { - return "my-custom-solver" +func (e *exampleSolver) Name() string { + return e.name } -// Present is responsible for actually presenting the DNS record with the -// DNS provider. -// This method should tolerate being called multiple times with the same value. -// cert-manager itself will later perform a self check to ensure that the -// solver has correctly configured the DNS provider. -func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error { - cfg, err := loadConfig(ch.Config) - if err != nil { - return err - } - - // TODO: do something more useful with the decoded configuration - fmt.Printf("Decoded configuration %v", cfg) - - // TODO: add code that sets a record in the DNS provider's console +func (e *exampleSolver) Present(ch *acme.ChallengeRequest) error { + // Log that a challenge is being requested, but don't take any action + log.Println("Presenting DNS challenge, but passing to k8s_gateway") return nil } -// CleanUp should delete the relevant TXT record from the DNS provider console. -// If multiple TXT records exist with the same record name (e.g. -// _acme-challenge.example.com) then **only** the record with the same `key` -// value provided on the ChallengeRequest should be cleaned up. -// This is in order to facilitate multiple DNS validations for the same domain -// concurrently. -func (c *customDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error { - // TODO: add code that deletes a record from the DNS provider's console +func (e *exampleSolver) CleanUp(ch *acme.ChallengeRequest) error { + log.Println("Cleaning up DNS challenge, but passing to k8s_gateway") return nil } -// Initialize will be called when the webhook first starts. -// This method can be used to instantiate the webhook, i.e. initialising -// connections or warming up caches. -// Typically, the kubeClientConfig parameter is used to build a Kubernetes -// client that can be used to fetch resources from the Kubernetes API, e.g. -// Secret resources containing credentials used to authenticate with DNS -// provider accounts. -// The stopCh can be used to handle early termination of the webhook, in cases -// where a SIGTERM or similar signal is sent to the webhook process. -func (c *customDNSProviderSolver) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error { - ///// UNCOMMENT THE BELOW CODE TO MAKE A KUBERNETES CLIENTSET AVAILABLE TO - ///// YOUR CUSTOM DNS PROVIDER - - //cl, err := kubernetes.NewForConfig(kubeClientConfig) - //if err != nil { - // return err - //} - // - //c.client = cl - - ///// END OF CODE TO MAKE KUBERNETES CLIENTSET AVAILABLE +func (e *exampleSolver) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error { + log.Println("Initialize, doing nothing...") return nil } - -// loadConfig is a small helper function that decodes JSON configuration into -// the typed config struct. -func loadConfig(cfgJSON *extapi.JSON) (customDNSProviderConfig, error) { - cfg := customDNSProviderConfig{} - // handle the 'base case' where no configuration has been provided - if cfgJSON == nil { - return cfg, nil - } - if err := json.Unmarshal(cfgJSON.Raw, &cfg); err != nil { - return cfg, fmt.Errorf("error decoding solver config: %v", err) - } - - return cfg, nil -} diff --git a/main_test.go b/main_test.go deleted file mode 100644 index 1d7d5ff..0000000 --- a/main_test.go +++ /dev/null @@ -1,41 +0,0 @@ -package main - -import ( - "os" - "testing" - - acmetest "github.com/cert-manager/cert-manager/test/acme" - - "github.com/cert-manager/webhook-example/example" -) - -var ( - zone = os.Getenv("TEST_ZONE_NAME") -) - -func TestRunsSuite(t *testing.T) { - // The manifest path should contain a file named config.json that is a - // snippet of valid configuration that should be included on the - // ChallengeRequest passed as part of the test cases. - // - - // Uncomment the below fixture when implementing your custom DNS provider - //fixture := acmetest.NewFixture(&customDNSProviderSolver{}, - // acmetest.SetResolvedZone(zone), - // acmetest.SetAllowAmbientCredentials(false), - // acmetest.SetManifestPath("testdata/my-custom-solver"), - // acmetest.SetBinariesPath("_test/kubebuilder/bin"), - //) - solver := example.New("59351") - fixture := acmetest.NewFixture(solver, - acmetest.SetResolvedZone("example.com."), - acmetest.SetManifestPath("testdata/my-custom-solver"), - acmetest.SetDNSServer("127.0.0.1:59351"), - acmetest.SetUseAuthoritative(false), - ) - //need to uncomment and RunConformance delete runBasic and runExtended once https://github.com/cert-manager/cert-manager/pull/4835 is merged - //fixture.RunConformance(t) - fixture.RunBasic(t) - fixture.RunExtended(t) - -} diff --git a/testdata/my-custom-solver/README.md b/testdata/pinax-webhook-solver/README.md similarity index 100% rename from testdata/my-custom-solver/README.md rename to testdata/pinax-webhook-solver/README.md diff --git a/testdata/my-custom-solver/config.json b/testdata/pinax-webhook-solver/config.json similarity index 100% rename from testdata/my-custom-solver/config.json rename to testdata/pinax-webhook-solver/config.json