try add cert-manager-webhook-acmesh
springhack committed Nov 11, 2022
1 parent 54a9eea commit 944d222
Showing 15 changed files with 1,542 additions and 0 deletions.
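--- a/.github/workflows/acmesh.yml
+++ b/.github/workflows/acmesh.yml
@@ -0,0 +1,42 @@
+---
+on:
+push:
+branches:
+- main
+paths:
+- .github/workflows/acmesh.yml
+- acmesh/**
+jobs:
+acmesh:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout
+uses: actions/checkout@v2
+with:
+submodules: true
+- name: Login
+uses: docker/login-action@v1
+with:
+username: ${{ secrets.DOCKER_HUB_USERNAME }}
+password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+- name: Setup QEMU
+uses: docker/setup-qemu-action@v1
+- name: Setup Docker
+uses: docker/setup-buildx-action@v1
+- name: Build Docker
+uses: docker/build-push-action@v2
+with:
+push: true
+context: ${{ github.job }}
+file: ${{ github.job }}/Dockerfile
+platforms: linux/amd64,linux/arm64/v8
+tags: ${{ secrets.DOCKER_HUB_USERNAME }}/${{ github.job }}:latest
+cache-from: type=registry,ref=${{ secrets.DOCKER_HUB_USERNAME }}/${{ github.job }}:buildcache
+cache-to: type=registry,ref=${{ secrets.DOCKER_HUB_USERNAME }}/${{ github.job }}:buildcache,mode=max
+- name: Push Docker Description
+uses: peter-evans/dockerhub-description@v2
+with:
+username: ${{ secrets.DOCKER_HUB_USERNAME }}
+password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+repository: ${{ secrets.DOCKER_HUB_USERNAME }}/${{ github.job }}
+short-description: '使用参考 README,信息参考:https://www.dosk.win/'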
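Review bot: Every third-party action in this job is referenced by a mutable major tag (`uses: actions/checkout@v2`, `docker/login-action@v1`, `docker/setup-qemu-action@v1`, `docker/setup-buildx-action@v1`, `docker/build-push-action@v2`, `peter-evans/dockerhub-description@v2`) while the job holds registry credentials in `DOCKER_HUB_ACCESS_TOKEN` and `DOCKER_HUB_PASSWORD`, so a moved tag on any of them runs different code with those secrets and can publish a different image under the same `:latest`. Pinning each step to a full commit SHA with the tag kept as a trailing comment (`uses: actions/checkout@<full-commit-sha>  # v2`) makes the reference immutable and still readable. The description step also uses the account password rather than the access token the login step uses; if that action accepts a token, keeping only the token in the repository secrets narrows what a leaked secret can do.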
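--- a/acmesh/Dockerfile
+++ b/acmesh/Dockerfile
@@ -0,0 +1,19 @@
+FROM golang:1.16-alpine AS build_deps
+RUN apk add --no-cache git curl ca-certificates socat bash openssl
+WORKDIR /workspace
+COPY go.mod .
+COPY go.sum .
+RUN go mod download
+
+FROM build_deps AS build
+COPY . .
+RUN CGO_ENABLED=0 go build -o webhook -ldflags '-w -extldflags "-static"' .
+RUN curl -fsSL https://get.acme.sh | sh -s email=infinity-server@dosk.host
+
+FROM alpine
+COPY --from=build /workspace/webhook /usr/local/bin/webhook
+COPY --from=build /root/.acme.sh /root/.acme.sh
+ADD acme_delegate /root/acme_delegate
+RUN apk add --no-cache ca-certificates curl socat bash openssl && chmod 755 /root/acme_delegate
+
+ENTRYPOINT ["webhook"]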
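Review bot: `RUN curl -fsSL https://get.acme.sh | sh -s email=...` runs whatever the remote installer is at build time, with no version pin and no checksum, and the resulting `/root/.acme.sh` tree is copied verbatim into the final image, so the shipped acme.sh cannot be reproduced or audited from this Dockerfile alone. Fetching a specific tagged release archive, verifying its checksum, and then running the installer from that tree would make the build deterministic; the same applies to `FROM alpine`, which re-resolves on every rebuild and is better written as `FROM alpine:<pinned-version>`. Everything in the runtime stage lives under `/root`, which is what forces the webhook container to keep running as root; moving acme.sh and the delegate to a non-root home would let the chart set `runAsNonRoot` later.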
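--- a/acmesh/acme_delegate
+++ b/acmesh/acme_delegate
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+echo '__________________________ acme.sh environments __________________________'
+export HOME=/root
+cd /root
+export
+
+dosk_dnsapi="$1"
+dosk_action="$2"
+dosk_fulldomain="$3"
+dosk_txtvalue="$4"
+
+echo '__________________________ acme.sh delegate __________________________'
+source /root/.acme.sh/acme.sh --info
+source /root/.acme.sh/dnsapi/${dosk_dnsapi}.sh
+${dosk_dnsapi}_${dosk_action} "$dosk_fulldomain" "$dosk_txtvalue"
+echo '__________________________ acme.sh finish __________________________'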
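Review bot: The bare `export` on the line after `cd /root` prints every environment variable of the process to stdout, and because main.go starts this script with stdout inherited from the webhook, the DNS provider credentials passed in through the solver's `env` list land in the pod log on every Present and CleanUp. The heading printed just before it suggests this was a debugging aid; removing the line keeps the trace without the values. The script also always exits 0, since its last command is an `echo`, so a failing `${dosk_dnsapi}_${dosk_action}` call is invisible to the caller; capturing `rc=$?` directly after that call and ending with `exit "$rc"` fixes that. `${dosk_dnsapi}` comes straight from the Issuer configuration and is interpolated into a `source` path without validation; rejecting any value outside `[A-Za-z0-9_]` before the two `source` lines confines the script to the provider modules shipped in `/root/.acme.sh/dnsapi`.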
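--- a/acmesh/go.mod
+++ b/acmesh/go.mod
@@ -0,0 +1,10 @@
+module github.com/infinity-server/dockerset
+
+go 1.13
+
+require (
+github.com/jetstack/cert-manager v1.2.0
+k8s.io/apiextensions-apiserver v0.19.0
+k8s.io/client-go v0.19.0
+k8s.io/klog v1.0.0
+)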
873 changes: 873 additions & 0 deletions acmesh/go.sum


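--- a/acmesh/main.go
+++ b/acmesh/main.go
@@ -0,0 +1,124 @@
+package main
+
+import (
+"encoding/json"
+"fmt"
+"github.com/jetstack/cert-manager/pkg/issuer/acme/dns/util"
+"k8s.io/client-go/kubernetes"
+"os"
+"strings"
+
+extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
+"k8s.io/client-go/rest"
+"k8s.io/klog"
+
+"github.com/jetstack/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
+"github.com/jetstack/cert-manager/pkg/acme/webhook/cmd"
+)
+
+const (
+defaultTTL = 600
+acmeDelegate = "/root/acme_delegate"
+)
+
+var GroupName = os.Getenv("GROUP_NAME")
+
+func main() {
+if GroupName == "" {
+panic("GROUP_NAME must be specified")
+}
+
+cmd.RunWebhookServer(GroupName,
+&customDNSProviderSolver{},
+)
+}
+
+type customDNSProviderSolver struct {
+client *kubernetes.Clientset
+}
+
+type customDNSProviderConfig struct {
+TTL *uint64 `json:"ttl"`
+DNSAPI string `json:"dnsapi"`
+Env []string `json:"env"`
+}
+
+func (c *customDNSProviderSolver) Name() string {
+return "acmesh"
+}
+
+
+func extractRecordName(fqdn, zone string) string {
+if idx := strings.Index(fqdn, "."+zone); idx != -1 {
+return fqdn[:idx]
+}
+
+return util.UnFqdn(fqdn)
+}
+
+func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
+cfg, err := loadConfig(ch.Config)
+if err != nil {
+klog.Errorf("Failed to log config %v: %v", ch.Config, err)
+return err
+}
+
+procAttr := &os.ProcAttr{
+Files: []*os.File{os.Stdin, os.Stdout, os.Stderr},
+Env: cfg.Env,
+}
+process, err := os.StartProcess(acmeDelegate, []string{
+acmeDelegate, cfg.DNSAPI, "add", extractRecordName(ch.ResolvedFQDN, ch.ResolvedZone), ch.Key,
+}, procAttr)
+if err != nil {
+return err
+}
+
+process.Wait()
+return nil
+}
+
+func (c *customDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
+cfg, err := loadConfig(ch.Config)
+if err != nil {
+klog.Errorf("Failed to log config %v: %v", ch.Config, err)
+return err
+}
+
+procAttr := &os.ProcAttr{
+Files: []*os.File{os.Stdin, os.Stdout, os.Stderr},
+Env: cfg.Env,
+}
+process, err := os.StartProcess(acmeDelegate, []string{
+acmeDelegate, cfg.DNSAPI, "rm", extractRecordName(ch.ResolvedFQDN, ch.ResolvedZone), ch.Key,
+}, procAttr)
+if err != nil {
+return err
+}
+
+process.Wait()
+return nil
+}
+
+func (c *customDNSProviderSolver) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error {
+cl, err := kubernetes.NewForConfig(kubeClientConfig)
+if err != nil {
+klog.Errorf("Failed to new kubernetes client: %v", err)
+return err
+}
+c.client = cl
+return nil
+}
+
+func loadConfig(cfgJSON *extapi.JSON) (customDNSProviderConfig, error) {
+ttl := uint64(defaultTTL)
+cfg := customDNSProviderConfig{TTL: &ttl}
+if cfgJSON == nil {
+return cfg, nil
+}
+if err := json.Unmarshal(cfgJSON.Raw, &cfg); err != nil {
+return cfg, fmt.Errorf("error decoding solver config: %v", err)
+}
+
+return cfg, nil
+}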
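Review bot: `process.Wait()` in `Present` and again in `CleanUp` discards both of its return values, so a delegate that fails (unknown provider module, bad credentials, provider API error) still ends in `return nil`, and cert-manager only learns of the problem when its propagation check times out. Checking the returned `*os.ProcessState` and surfacing a non-zero exit as an error reports the failure where it happens; the rewrite below is for `Present`, and `CleanUp` needs the same lines with `"rm"` in the message. The log line `klog.Errorf("Failed to log config %v: %v", ch.Config, err)` in both methods writes the raw solver config, whose `env` list carries the provider credentials, to the pod log; `klog.Errorf("Failed to load config: %v", err)` keeps the message, drops the secrets and fixes the typo. `cfg.DNSAPI` is handed to the shell delegate, which interpolates it into a `source` path, without any check on this side; a cheap allowlist such as `regexp.MustCompile("^[A-Za-z0-9_]+$")` applied before `os.StartProcess` would keep it to a module name. `cfg.TTL` is populated with `defaultTTL` but never read, and the client stored by `Initialize` is never used, which suggests the secret-reference pattern common to cert-manager webhooks (credentials read from a Secret rather than inline in the Issuer) was planned but not wired in.
```go
func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
	// … unchanged: loadConfig, procAttr, os.StartProcess …
	state, err := process.Wait()
	if err != nil {
		return fmt.Errorf("waiting for %s: %w", acmeDelegate, err)
	}
	if !state.Success() {
		return fmt.Errorf("%s add failed: %s", acmeDelegate, state)
	}
	return nil
}
```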
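--- a/charts/cert-manager-webhook-acmesh/Chart.yaml
+++ b/charts/cert-manager-webhook-acmesh/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+appVersion: 1.2.0
+description: cert-manager webhook solver for acmesh
+name: cert-manager-webhook-acmesh
+version: 1.2.3
+type: application
+maintainers:
+- name: springhack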
Empty file.
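--- a/charts/cert-manager-webhook-acmesh/templates/_helpers.tpl
+++ b/charts/cert-manager-webhook-acmesh/templates/_helpers.tpl
@@ -0,0 +1,56 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "acmesh-webhook.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "acmesh-webhook.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "acmesh-webhook.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "acmesh-webhook.selfSignedIssuer" -}}
+{{ printf "%s-selfsign" (include "acmesh-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "acmesh-webhook.rootCAIssuer" -}}
+{{ printf "%s-ca" (include "acmesh-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "acmesh-webhook.rootCACertificate" -}}
+{{ printf "%s-ca" (include "acmesh-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "acmesh-webhook.servingCertificate" -}}
+{{ printf "%s-webhook-tls" (include "acmesh-webhook.fullname" .) }}
+{{- end -}}
+
+{{- define "acmesh-webhook.clusterIssuer" -}}
+{{- if .Values.clusterIssuer.name -}}
+{{ .Values.clusterIssuer.name }}
+{{- else -}}
+{{ printf "%s-cluster-issuer" (include "acmesh-webhook.fullname" .) }}
+{{- end -}}
+{{- end -}}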
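--- a/charts/cert-manager-webhook-acmesh/templates/apiservice.yaml
+++ b/charts/cert-manager-webhook-acmesh/templates/apiservice.yaml
@@ -0,0 +1,19 @@
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+name: v1alpha1.{{ .Values.groupName }}
+labels:
+app: {{ include "acmesh-webhook.name" . }}
+chart: {{ include "acmesh-webhook.chart" . }}
+release: {{ .Release.Name }}
+heritage: {{ .Release.Service }}
+annotations:
+cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "acmesh-webhook.servingCertificate" . }}"
+spec:
+group: {{ .Values.groupName }}
+groupPriorityMinimum: 1000
+versionPriority: 15
+service:
+name: {{ include "acmesh-webhook.fullname" . }}
+namespace: {{ .Release.Namespace }}
+version: v1alpha1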
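--- a/charts/cert-manager-webhook-acmesh/templates/deployment.yaml
+++ b/charts/cert-manager-webhook-acmesh/templates/deployment.yaml
@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: {{ include "acmesh-webhook.fullname" . }}
+labels:
+app: {{ include "acmesh-webhook.name" . }}
+chart: {{ include "acmesh-webhook.chart" . }}
+release: {{ .Release.Name }}
+heritage: {{ .Release.Service }}
+spec:
+replicas: {{ .Values.replicaCount }}
+selector:
+matchLabels:
+app: {{ include "acmesh-webhook.name" . }}
+release: {{ .Release.Name }}
+template:
+metadata:
+labels:
+app: {{ include "acmesh-webhook.name" . }}
+release: {{ .Release.Name }}
+spec:
+serviceAccountName: {{ include "acmesh-webhook.fullname" . }}
+containers:
+- name: {{ .Chart.Name }}
+image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+imagePullPolicy: {{ .Values.image.pullPolicy }}
+args:
+- --tls-cert-file=/tls/tls.crt
+- --tls-private-key-file=/tls/tls.key
+env:
+- name: GROUP_NAME
+value: {{ .Values.groupName | quote }}
+ports:
+- name: https
+containerPort: 443
+protocol: TCP
+livenessProbe:
+httpGet:
+scheme: HTTPS
+path: /healthz
+port: https
+readinessProbe:
+httpGet:
+scheme: HTTPS
+path: /healthz
+port: https
+volumeMounts:
+- name: certs
+mountPath: /tls
+readOnly: true
+resources:
+{{ toYaml .Values.resources | indent 12 }}
+volumes:
+- name: certs
+secret:
+secretName: {{ include "acmesh-webhook.servingCertificate" . }}
+{{- with .Values.nodeSelector }}
+nodeSelector:
+{{ toYaml . | indent 8 }}
+{{- end }}
+{{- with .Values.affinity }}
+affinity:
+{{ toYaml . | indent 8 }}
+{{- end }}
+{{- with .Values.tolerations }}
+tolerations:
+{{ toYaml . | indent 8 }}
+{{- end }}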
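Review bot: The container spec sets no `securityContext`, so the webhook, which holds the DNS provider credentials in its process environment while it runs `acme_delegate`, gets the Kubernetes defaults: privilege escalation allowed and the full default capability set. Adding `securityContext:` with `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` under the container works with the image as built; `runAsNonRoot: true` would only be possible once the image stops keeping acme.sh and the delegate under `/root`. The image reference `"{{ .Values.image.repository }}:{{ .Values.image.tag }}"` most likely resolves to the mutable `:latest` tag, since that is the only tag the workflow pushes; values.yaml is not part of this commit, so that is inferred, but a digest-pinned `image.tag` default would let a deployment be tied to a reviewed build.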