runnerm / simply-dns-webhook

Webhook support for the Simply.com DNS provider with cert-manager

Home Page: https://marton.pentek.dk/simply-dns-webhook/README.md

License: Apache License 2.0

Go 62.69% Dockerfile 3.70% Makefile 16.68% Mustache 15.08% Shell 1.84%
cert-manager cert-manager-webhook certificates kubernetes letsencrypt simply

simply-dns-webhook's Introduction

/runnerm

  • 👋 Hi, I'm Marton Pentek, an enthusiastic software developer!
  • 👀 I'm interested in backend development, cloud native and embedded software.
  • 💞 I'm looking to collaborate on embedded projects.

Open Source Projects:

Cert-manager webhook (simply.com)

Simple webhook provider implementation for the Simply.com DNS provider.

Tips, Tricks, Tech and Tools in my shed.

Skill icons (Languages, Frameworks, Cloud, Tools) and GitHub Stats ⚡ cards: images omitted.

simply-dns-webhook's Issues

Compatibility issue in 1.3.1

Logs from cluster:
r: unable to install api resources: unable to setup API &{[com.github.runnerm.cert-manager-simply-webhook/v1alpha1] map[v1alpha1:map[simply-dns-solver:0xc0001a7e40]] v1alpha1 0xc000616a10 {0xc000616a10 0xc000481d88 [{application/json application json true 0xc000233b30 0xc000233b80 0xc000233bd0 0xc00061c6c0} {application/yaml application yaml true 0xc000233c20 0xc000233e00 } {application/vnd.kubernetes.protobuf application vnd.kubernetes.protobuf false 0xc0005f32c0 0xc0005f32c0 0xc00061c750}] 0xc000233b30} 0xc000126c00 map[]}: error in registering resource: simply-dns-solver, resource simply-dns-solver must implement SingularNameProvider

[BUG] Well-known challenge never created.

Describe the bug
cert-manager does not create the _acme-challenge.[*] record for the ACME challenge at simply.com when using the simply.com implementation of the dns-01 webhook.

Expected behavior
_well-known record is created based on the challenge received.

Additional context

I have a Kubernetes cluster (K3S) that I have installed by using the quickstart guide and then installed cert-manager by using Helm.

I want to use your webhook, since my DNS provider is Simply.com, but unfortunately I ran into a few troubles:

First off: If I install simply-dns-webhook by calling:

helm install simply-dns-webhook simply-dns-webhook/simply-dns-webhook --version 1.5.4

Then I will run into a permission error when I try to issue a certificate using a ClusterIssuer.

It appears the role that reads the secrets from the cert-manager namespace is stored in the default namespace and is therefore not allowed to read secrets from the cert-manager namespace.

This is easily mitigated by adding -n cert-manager to the helm install ... command. :-)

Which leads me to my real issue.

I want to use the simply.com webhook to get certificates issued by Let's Encrypt.

Therefore I have created letsencrypt-staging.yaml with the following content:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-staging-key
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        webhook:
          groupName: com.github.runnerm.cert-manager-simply-webhook
          solverName: simply-dns-solver
          config:
            secretName: simply-credentials
      selector:
        dnsZones:
        - 'cluster.example.com'
        - '*.cluster.example.com'

To generate my test certificate I have a file called test-certificate.yaml with the following content:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-certificate
spec:
  dnsNames:
  - test.cluster.example.com
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  secretName: test-certificate-tls

I should then be able to get a certificate by first creating the ClusterIssuer with kubectl apply -f letsencrypt-staging.yaml and then requesting a certificate with kubectl apply -f test-certificate.yaml.

Unfortunately this does not happen, because the output from kubectl get certs reveals the following result:

NAME               READY   SECRET                 AGE
test-certificate   False   test-certificate-tls   52m

Screenshots/Logs

Output from kubectl events gives:

LAST SEEN   TYPE     REASON               OBJECT                                               MESSAGE
53m         Normal   Issuing              Certificate/test-certificate                         Issuing certificate as Secret does not exist
53m         Normal   Generated            Certificate/test-certificate                         Stored new private key in temporary Secret resource "test-certificate-vjnhx"
53m         Normal   Requested            Certificate/test-certificate                         Created new CertificateRequest resource "test-certificate-1"
53m         Normal   WaitingForApproval   CertificateRequest/test-certificate-1                Not signing CertificateRequest until it is Approved
53m         Normal   WaitingForApproval   CertificateRequest/test-certificate-1                Not signing CertificateRequest until it is Approved
53m         Normal   WaitingForApproval   CertificateRequest/test-certificate-1                Not signing CertificateRequest until it is Approved
53m         Normal   WaitingForApproval   CertificateRequest/test-certificate-1                Not signing CertificateRequest until it is Approved
53m         Normal   WaitingForApproval   CertificateRequest/test-certificate-1                Not signing CertificateRequest until it is Approved
53m         Normal   cert-manager.io      CertificateRequest/test-certificate-1                Certificate request has been approved by cert-manager.io
53m         Normal   OrderCreated         CertificateRequest/test-certificate-1                Created Order resource default/test-certificate-1-1965387138
53m         Normal   OrderPending         CertificateRequest/test-certificate-1                Waiting on certificate issuance from order default/test-certificate-1-1965387138: ""
53m         Normal   Created              Order/test-certificate-1-1965387138                  Created Challenge resource "test-certificate-1-1965387138-1295925723" for domain "test.cluster.example.com"
53m         Normal   Started              Challenge/test-certificate-1-1965387138-1295925723   Challenge scheduled for processing
53m         Normal   Presented            Challenge/test-certificate-1-1965387138-1295925723   Presented challenge using DNS-01 challenge mechanism

Output from kubectl describe challenge test-certificate-1-1965387138-1295925723 reveals, amongst others, the following lines:

Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for DNS-01 challenge propagation: DNS record for "test.cluster.example.com" not yet propagated
  State:       pending
Events:
  Type    Reason     Age   From                     Message
  ----    ------     ----  ----                     -------
  Normal  Started    59m   cert-manager-challenges  Challenge scheduled for processing
  Normal  Presented  59m   cert-manager-challenges  Presented challenge using DNS-01 challenge mechanism

And when I log in to the Simply.com website, I cannot see any records containing the word _acme-challenge, which is used by the ACME protocol.

I can see in your code that you hand off communication with Simply.com to simply-com-client, but I cannot see any debug information about whether or not the client is getting called, or if there is an authentication error between the client and Simply.com.

Where can I look to debug further?

401

apiwork
ime="2023-12-18T13:51:41Z" level=info msg="Cleaning up challenge for: _acme-challenge.markus.fontex.dk."
time="2023-12-18T13:51:41Z" level=debug msg="Loading config..."
time="2023-12-18T13:51:41Z" level=debug msg="Config loaded successfully."
time="2023-12-18T13:51:41Z" level=debug msg="Loading API credentials from secret: simply-auth"
time="2023-12-18T13:51:41Z" level=error msg="Failed request, response code: 401"
time="2023-12-18T13:51:41Z" level=debug msg="Record(0) fetched for cleanup."
time="2023-12-18T13:51:41Z" level=error msg="Failed request, response code: 401"
time="2023-12-18T13:51:41Z" level=error msg="record(0) have not been cleaned up"
time="2023-12-18T13:51:43Z" level=info msg="Presenting challenge for: _acme-challenge.markus.fontex.dk."
time="2023-12-18T13:51:43Z" level=error msg="Failed request, response code: 401"
time="2023-12-18T13:51:43Z" level=error msg="Failed request, response: 401"
time="2023-12-18T13:51:43Z" level=debug msg="Challenge have been created with record id: 0"

webhook version
image: ghcr.io/runnerm/simply-dns-webhook:v1.4.3

cert-manager version
image: quay.io/jetstack/cert-manager-controller:v1.13.3

K8s:
v1.28.1

I've tested the credentials with curl and it works fine, so the auth and API are ok; I've attached a picture that shows auth and API work.
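The log in this issue shows "Failed request, response code: 401" followed by "Challenge have been created with record id: 0", and the previous issue asks where an authentication failure between the webhook and Simply.com would become visible. The following is an added example, not the project's code, of a DNS API client that fails closed: a rejected credential or a missing record id becomes an error that the solver can return to cert-manager, instead of a record id of 0 that looks like success. The request and response shapes, the basic-auth scheme and the fake server are assumptions for this example and are not the Simply.com API.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ErrUnauthorized is returned when the provider rejects the API credentials.
var ErrUnauthorized = errors.New("dns api: credentials rejected (HTTP 401)")
// createTXTRecord creates a TXT record and fails closed: a non-2xx status or a missing id is an error, so id 0 is never reported as success. Request/response shape and basic auth are assumed, not the real provider API.
func createTXTRecord(client *http.Client, apiURL, account, apiKey, name, value string) (int, error) {
	body, _ := json.Marshal(map[string]string{"type": "TXT", "name": name, "data": value})
	req, err := http.NewRequest(http.MethodPost, apiURL, bytes.NewReader(body))
	if err != nil {
		return 0, err
	}
	req.SetBasicAuth(account, apiKey)
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusUnauthorized {
		return 0, ErrUnauthorized
	}
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return 0, fmt.Errorf("dns api: unexpected status %d", resp.StatusCode)
	}
	var out struct{ Record struct{ ID int } } // encoding/json matches field names case-insensitively
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || out.Record.ID == 0 {
		return 0, fmt.Errorf("dns api: no usable record id in response (%v)", err)
	}
	return out.Record.ID, nil
}

// newFakeAPI is a constructed stand-in for the provider: it answers 401 unless the key matches.
func newFakeAPI(validKey string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, key, ok := r.BasicAuth(); !ok || key != validKey {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"record":{"id":4711}}`)
	}))
}
```

With this shape the solver's Present step returns the 401 as an error, so the challenge is marked failed with the reason visible in kubectl describe challenge rather than waiting indefinitely for propagation of a record that was never created.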
