using secret on acmesh

Author: springhack

acmesh/Dockerfile

@@ -1,18 +1,14 @@
-FROM golang:1.16-alpine AS build_deps
+FROM golang:alpine AS builder
 RUN apk add --no-cache git curl ca-certificates socat bash openssl
 WORKDIR /workspace
-COPY go.mod .
-COPY go.sum .
-RUN go mod download
-
-FROM build_deps AS build
 COPY . .
+RUN go mod download
 RUN CGO_ENABLED=0 go build -o webhook -ldflags '-w -extldflags "-static"' .
 RUN curl -fsSL https://get.acme.sh | sh -s email=infinity-server@dosk.host
 
 FROM alpine
-COPY --from=build /workspace/webhook /usr/local/bin/webhook
-COPY --from=build /root/.acme.sh /root/.acme.sh
+COPY --from=builder /workspace/webhook /usr/local/bin/webhook
+COPY --from=builder /root/.acme.sh /root/.acme.sh
 ADD acme_delegate /root/acme_delegate
 RUN apk add --no-cache ca-certificates curl socat bash openssl && chmod 755 /root/acme_delegate
 

acmesh/go.mod

@@ -5,6 +5,7 @@ go 1.13
 require (
 	github.com/jetstack/cert-manager v1.2.0
 	k8s.io/apiextensions-apiserver v0.19.0
+	k8s.io/apimachinery v0.19.0
 	k8s.io/client-go v0.19.0
 	k8s.io/klog v1.0.0
 )

acmesh/main.go

@@ -1,18 +1,20 @@
 package main
 
 import (
-  "encoding/json"
-  "fmt"
-  "github.com/jetstack/cert-manager/pkg/issuer/acme/dns/util"
-  "k8s.io/client-go/kubernetes"
   "os"
+  "fmt"
+  "context"
+  "encoding/json"
 
-  extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
-  "k8s.io/client-go/rest"
   "k8s.io/klog"
+  "k8s.io/client-go/rest"
+  "k8s.io/client-go/kubernetes"
+  extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 
-  "github.com/jetstack/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
   "github.com/jetstack/cert-manager/pkg/acme/webhook/cmd"
+  "github.com/jetstack/cert-manager/pkg/issuer/acme/dns/util"
+  "github.com/jetstack/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
+  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 const (
@@ -36,51 +38,51 @@ type customDNSProviderSolver struct {
   client *kubernetes.Clientset
 }
 
+type envSecretRef struct {
+  Name          string                  `json:"name"`
+  Namespace     string                  `json:"namespace"`
+}
+
 type customDNSProviderConfig struct {
-  TTL          *uint64                  `json:"ttl"`
-  DNSAPI       string                   `json:"dnsapi"`
-  Env          []string                 `json:"env"`
+  TTL           *uint64                 `json:"ttl"`
+  DNSAPI        string                  `json:"dnsapi"`
+  EnvSecretRef  envSecretRef            `json:"env"`
 }
 
+type envFromSecret []string
+
 func (c *customDNSProviderSolver) Name() string {
   return "acmesh"
 }
 
-func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
+func (c *customDNSProviderSolver) DoDNSAPI(action string, ch *v1alpha1.ChallengeRequest) error {
   cfg, err := loadConfig(ch.Config)
   if err != nil {
     klog.Errorf("Failed to log config %v: %v", ch.Config, err)
     return err
   }
 
-  procAttr := &os.ProcAttr{
-    Files: []*os.File{os.Stdin, os.Stdout, os.Stderr},
-    Env: cfg.Env,
-  }
-  process, err := os.StartProcess(acmeDelegate, []string{
-    acmeDelegate, cfg.DNSAPI, "add", util.UnFqdn(ch.ResolvedFQDN), ch.Key,
-  }, procAttr)
+  envSecret, err := c.client.CoreV1().Secrets(cfg.EnvSecretRef.Namespace).Get(context.TODO(), cfg.EnvSecretRef.Name, metav1.GetOptions{})
   if err != nil {
     return err
   }
 
-  process.Wait()
-  return nil
-}
+  envData, ok := envSecret.Data["env"]
+  if !ok {
+    return fmt.Errorf("no env in secret")
+  }
 
-func (c *customDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
-  cfg, err := loadConfig(ch.Config)
-  if err != nil {
-    klog.Errorf("Failed to log config %v: %v", ch.Config, err)
+  env := envFromSecret{}
+  if err := json.Unmarshal(envData, &env); err != nil {
     return err
   }
 
   procAttr := &os.ProcAttr{
     Files: []*os.File{os.Stdin, os.Stdout, os.Stderr},
-    Env: cfg.Env,
+    Env: env,
   }
   process, err := os.StartProcess(acmeDelegate, []string{
-    acmeDelegate, cfg.DNSAPI, "rm", util.UnFqdn(ch.ResolvedFQDN), ch.Key,
+    acmeDelegate, cfg.DNSAPI, "add", util.UnFqdn(ch.ResolvedFQDN), ch.Key,
   }, procAttr)
   if err != nil {
     return err
@@ -90,6 +92,14 @@ func (c *customDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
   return nil
 }
 
+func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
+  return c.DoDNSAPI("add", ch)
+}
+
+func (c *customDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
+  return c.DoDNSAPI("rm", ch)
+}
+
 func (c *customDNSProviderSolver) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error {
   cl, err := kubernetes.NewForConfig(kubeClientConfig)
   if err != nil {

charts/cert-manager-webhook-acmesh/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: 1.2.0
 description: cert-manager webhook solver for acmesh
 name: cert-manager-webhook-acmesh
-version: 1.3.0
+version: 1.3.3
 type: application
 maintainers:
 - name: springhack

charts/cert-manager-webhook-acmesh/templates/pki.yaml

@@ -106,10 +106,9 @@ spec:
           config:
             ttl: {{ .Values.clusterIssuer.ttl }}
             dnsapi: {{ required ".Values.clusterIssuer.dnsapi is required" .Values.clusterIssuer.dnsapi }}
-            env:
-              {{- range .Values.clusterIssuer.env}}
-                - {{ . }}
-              {{- end}}
+            envSecretRef:
+              name: {{ include "acmesh-webhook.fullname" . }}-secret
+              namespace: {{ .Values.certManager.namespace }}
       {{- if .Values.clusterIssuer.selector }}
       selector: {{ toYaml .Values.clusterIssuer.selector | nindent 8 }}
       {{- end }}

charts/cert-manager-webhook-acmesh/templates/rbac.yaml

@@ -127,3 +127,41 @@ subjects:
   kind: ServiceAccount
   name: {{ include "acmesh-webhook.fullname" . }}
   namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "acmesh-webhook.fullname" . }}:flowcontrol-solver
+  labels:
+    app: {{ include "acmesh-webhook.name" . }}
+    chart: {{ include "acmesh-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+- apiGroups:
+  - "flowcontrol.apiserver.k8s.io"
+  resources:
+  - "prioritylevelconfigurations"
+  - "flowschemas"
+  verbs:
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "acmesh-webhook.fullname" . }}:flowcontrol-solver
+  labels:
+    app: {{ include "acmesh-webhook.name" . }}
+    chart: {{ include "acmesh-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "acmesh-webhook.fullname" . }}:flowcontrol-solver
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: {{ include "acmesh-webhook.fullname" . }}
+  namespace: {{ .Release.Namespace }}

charts/cert-manager-webhook-acmesh/templates/secret.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.clusterIssuer.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "acmesh-webhook.fullname" . }}-secret
+  namespace: {{ .Values.certManager.namespace }}
+  labels:
+    app: {{ include "acmesh-webhook.name" . }}
+    chart: {{ include "acmesh-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+type: Opaque
+data:
+  env: {{ required ".Values.clusterIssuer.env is required" .Values.clusterIssuer.env | mustToJson | b64enc | quote }}
+{{- end }}