akyriako / cert-manager-webhook-opentelekomcloud
ACME DNS01 solver webhook for Open Telekom Cloud DNS
License: Apache License 2.0
Greetings!
Firstly, thank you for the great webhook for the cert manager, having wildcard capability with OTC DNS is great!
To give a background on the topic, we generally deploy multiple independent staging platforms for our customers and developers. As such, we generally use a delegated DNS zone where, for example, zone `dev.domain.com` belongs to the development stage of the system whereas `qa.domain.com` belongs to the QA stage. The exception to this pattern is the production stage, where the parent domain zone `domain.com` is used.
As mentioned, the wildcard certificates were the primary reason we wanted to use ACME dns01. For testing and general use I used letsencrypt as the issuer with DNS SANs of `domain.com` and `*.domain.com`.
When testing the webhook, I noticed a specific scenario where the webhook can fail with the following message:

```
error presenting challenge: present failed: present failed: found 2 while expecting 1 for zone
```
Upon inspection I noticed that this happens when there is a sub DNS zone below a privileged zone and the certificate is being created for the privileged zone. With some digging, I found that the OTC API for Querying Public Zones behind gophertelekomcloud is by design making a fuzzy search on the name parameter in the form of `.*domain\.com`. As a result, when the zone for `domain.com` is searched, the result has `domain.com` but also `dev.domain.com` and all other delegated subzones, breaking the webhook for higher privilege DNS zones.
Since cert-manager, by default, chooses the least privileged zone based on a recursive name lookup, I patched this by checking for the shortest zone name in the list of zones returned by the API in `solver_utils.go`:

```go
// An empty result is still an error, as in the original check.
if len(allZones) < 1 {
	return nil, fmt.Errorf("%s failed: found %v while expecting 1 for zone %s", action, len(allZones), ch.ResolvedZone)
}
// The fuzzy search returns the requested zone together with its delegated
// sub-zones, so the shortest name is the least specific (highest) zone.
// Starting from the first element avoids a hard-coded upper bound on the name length.
r := 0
for idx, zone := range allZones {
	if len(zone.Name) < len(allZones[r].Name) {
		r = idx
	}
}
return &allZones[r], nil
```
The idea was that, if cert-manager is already providing us the zone name with least privilege, we can use name length to find the highest privileged zone and eliminate lesser zones which wouldn't work anyway. This solution worked for our use case and we were able to get wildcard certs signed via ACME dns01 for all of the zones in the project.
It is possible to specify a more complicated DNS delegation structure using CNAME records and `cnameStrategy: Follow` according to the cert-manager docs. I have not tested this scenario, and simply checking for the highest privilege zone may not work for all use cases.
Thank you very much in advance,
Can.
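The failure mode in this issue, reconstructed as an added Go example (not code from this project or from gophertelekomcloud): a constructed zone inventory, a stand-in for the suffix-style zone lookup, the shortest-name selection from the patch above, and a stricter exact-match selection that goes beyond the patch by refusing to guess when the requested zone itself is not among the results. `Zone`, `fuzzyListZones`, `shortestZone` and `exactZone` are assumed names, and the inventory is constructed, not real data.

```go
package main

// Added example for this issue; it is not code from the
// cert-manager-webhook-opentelekomcloud project or from gophertelekomcloud.
// Zone, fuzzyListZones and the inventory below are constructed stand-ins
// that reproduce the reported API behaviour so the selection logic can be
// exercised offline.

import (
	"fmt"
	"strings"
)

// Zone is a minimal stand-in for a DNS zone record (assumed shape).
type Zone struct {
	ID   string
	Name string
}

// normalize lower-cases a DNS name and drops the trailing dot so that
// "domain.com." (the form cert-manager uses for ResolvedZone) compares
// equal to "domain.com".
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(name), ".")
}

// fuzzyListZones mimics the behaviour reported in the issue: the name
// filter acts like ".*domain\.com", so every zone whose name ends with the
// requested name is returned, not just the exact zone.
func fuzzyListZones(inventory []Zone, name string) []Zone {
	want := normalize(name)
	var out []Zone
	for _, z := range inventory {
		if strings.HasSuffix(normalize(z.Name), want) {
			out = append(out, z)
		}
	}
	return out
}

// shortestZone is the heuristic from the issue's patch: with the requested
// zone and its delegated sub-zones in the list, the shortest name is the
// least specific zone.
func shortestZone(candidates []Zone, resolvedZone string) (*Zone, error) {
	if len(candidates) < 1 {
		return nil, fmt.Errorf("found %d while expecting 1 for zone %s", len(candidates), resolvedZone)
	}
	r := 0
	for idx, z := range candidates {
		if len(z.Name) < len(candidates[r].Name) {
			r = idx
		}
	}
	return &candidates[r], nil
}

// exactZone is a stricter alternative: only a candidate whose name equals
// the resolved zone is accepted. A suffix match can also return unrelated
// zones (anything ending in "domain.com"), and the challenge TXT record
// must never be written into one of those, so a missing exact match is an
// error rather than a best-effort guess.
func exactZone(candidates []Zone, resolvedZone string) (*Zone, error) {
	want := normalize(resolvedZone)
	for i := range candidates {
		if normalize(candidates[i].Name) == want {
			return &candidates[i], nil
		}
	}
	names := make([]string, 0, len(candidates))
	for _, z := range candidates {
		names = append(names, z.Name)
	}
	return nil, fmt.Errorf("no exact match for zone %s among %d candidates: %s",
		resolvedZone, len(candidates), strings.Join(names, ", "))
}

func main() {
	// Constructed zone inventory for one project (not real data).
	inventory := []Zone{
		{ID: "z-1", Name: "domain.com."},
		{ID: "z-2", Name: "dev.domain.com."},
		{ID: "z-3", Name: "qa.domain.com."},
	}
	candidates := fuzzyListZones(inventory, "domain.com.")
	fmt.Printf("fuzzy lookup for domain.com. returned %d zones\n", len(candidates))

	for name, pick := range map[string]func([]Zone, string) (*Zone, error){
		"shortest": shortestZone,
		"exact":    exactZone,
	} {
		z, err := pick(candidates, "domain.com.")
		if err != nil {
			fmt.Printf("%s: %v\n", name, err)
			continue
		}
		fmt.Printf("%s: selected %s (%s)\n", name, z.Name, z.ID)
	}
}
```

Both selectors agree on the scenario from the issue, where the parent zone is in the result set. They differ when it is not: a suffix pattern also matches names that merely end in the requested zone, so the shortest-name rule can then hand back a zone the certificate has no business touching, while the exact-match rule fails with a message listing what the API actually returned, which is the failure a solver should surface rather than write a challenge record into the wrong zone.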
related to issue #1