From 202f30fb52ad23f5f2df65967cd533fa7cba295f Mon Sep 17 00:00:00 2001 From: qnb59bny5x <108427982+qnb59bny5x@users.noreply.github.com> Date: Wed, 4 Oct 2023 23:27:10 +0200 Subject: [PATCH] clusterissuer: add ACME DNS issuer (#11483) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit **Description** ⚒️ Fixes # Add support for ACME DNS issuer: https://cert-manager.io/docs/configuration/acme/dns01/acme-dns/ **⚙️ Type of change** - [x] ⚙️ Feature/App addition - [ ] 🪛 Bugfix - [ ] ⚠️ Breaking change (fix or feature that would cause existing functionality to not work as expected) - [ ] 🔃 Refactor of current code **🧪 How Has This Been Tested?** **📃 Notes:** **✔️ Checklist:** - [ ] ⚖️ My code follows the style guidelines of this project - [x] 👀 I have performed a self-review of my own code - [ ] #️⃣ I have commented my code, particularly in hard-to-understand areas - [ ] 📄 I have made corresponding changes to the documentation - [ ] ⚠️ My changes generate no new warnings - [ ] 🧪 I have added tests to this description that prove my fix is effective or that my feature works - [x] ⬆️ I increased versions for any altered app according to semantic versioning **➕ App addition** If this PR is an app addition please make sure you have done the following. - [ ] 🪞 I have opened a PR on [truecharts/containers](https://github.com/truecharts/containers) adding the container to TrueCharts mirror repo. - [ ] 🖼️ I have added an icon in the Chart's root directory called `icon.png` --- _Please don't blindly check all the boxes. Read them and only check those that apply. Those checkboxes are there for the reviewer to see what is this all about and the status of this PR with a quick glance._ --------- Signed-off-by: qnb59bny5x <108427982+qnb59bny5x@users.noreply.github.com> 
Signed-off-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com>
Co-authored-by: Stavros kois
Co-authored-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com>
---
 charts/enterprise/clusterissuer/Chart.yaml | 2 +-
 .../enterprise/clusterissuer/questions.yaml | 61 ++++++++++++++++++-
 .../templates/clusterissuer/_ACME.tpl | 24 +++++++-
 charts/enterprise/clusterissuer/values.yaml | 14 ++++-
 4 files changed, 95 insertions(+), 6 deletions(-)
diff --git a/charts/enterprise/clusterissuer/Chart.yaml b/charts/enterprise/clusterissuer/Chart.yaml
index e04da90491f..cac31c4a984 100644
--- a/charts/enterprise/clusterissuer/Chart.yaml
+++ b/charts/enterprise/clusterissuer/Chart.yaml
@@ -21,7 +21,7 @@ sources:
 - https://github.com/truecharts/charts/tree/master/charts/enterprise/clusterissuer
 - https://cert-manager.io/
 type: application
-version: 4.0.2
+version: 4.1.0
 annotations:
 truecharts.org/catagories: |
 - core
diff --git a/charts/enterprise/clusterissuer/questions.yaml b/charts/enterprise/clusterissuer/questions.yaml
index e6f06610d85..2ae5abf1af0 100644
--- a/charts/enterprise/clusterissuer/questions.yaml
+++ b/charts/enterprise/clusterissuer/questions.yaml
@@ -47,6 +47,8 @@ questions:
 description: rfc2136 (Advanced)
 - value: HTTP01
 description: HTTP01 (Experimental)
+ - value: acmedns
+ description: ACME DNS (Advanced)
 - variable: server
 label: Server
 description: "Server for ACME, for example: letsencrypt"
@@ -195,7 +197,64 @@ questions:
 type: string
 required: true
 default: ""
-
+ - variable: acmednsHost
+ label: ACME DNS host
+ description: "ACME DNS API server address"
+ schema:
+ show_if: [["type", "=", "acmedns"]]
+ type: string
+ required: true
+ default: "https://auth.acme-dns.io"
+ - variable: acmednsConfig
+ label: ACME DNS config
+ description: "ACME DNS per-domain auth configuration"
+ schema:
+ show_if: [["type", "=", "acmedns"]]
+ type: list
+ default: []
+ items:
+ - variable: acmednsEntry
+ label: 'ACME DNS entry'
+ schema:
+ type: dict
+ attrs:
+ - variable: domain
+ label: Domain
+ schema:
+ type: string
+ required: true
+ - variable: username
+ label: Username
+ schema:
+ type: string
+ required: true
+ - variable: password
+ label: Password
+ schema:
+ type: string
+ required: true
+ - variable: fulldomain
+ label: Full domain
+ schema:
+ type: string
+ required: true
+ - variable: subdomain
+ label: Subdomain
+ schema:
+ type: string
+ required: true
+ - variable: allowFrom
+ label: Allow from
+ schema:
+ type: list
+ default: []
+ items:
+ - variable: cidr
+ label: CIDR
+ schema:
+ type: ipaddr
+ cidr: true
+ required: true
 - variable: CA
 label: Certificate Authority Issuer
 schema:
diff --git a/charts/enterprise/clusterissuer/templates/clusterissuer/_ACME.tpl b/charts/enterprise/clusterissuer/templates/clusterissuer/_ACME.tpl
index 0922452e79e..7f8b2aa451a 100644
--- a/charts/enterprise/clusterissuer/templates/clusterissuer/_ACME.tpl
+++ b/charts/enterprise/clusterissuer/templates/clusterissuer/_ACME.tpl
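Review bot: The `password` attribute under `acmednsEntry` is declared as a plain `type: string`, so the acme-dns account password is shown unmasked in the SCALE form and stored like any other string; adding `private: true` under its `type: string` lets the UI mask it, as the schema does for other secret fields. The template also reads `acmednsConfigJson`, but this hunk does not expose it, so that path can only be set by editing values directly, which may be intended. None of the `attrs` carry a `description`, so nothing tells the user that `fulldomain` and `subdomain` are the values handed back by the acme-dns registration call rather than free-form text; a one-line description on each would help. The enclosing `questions` list continues outside the hunk.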
@@ -11,14 +11,21 @@
 {{- end -}}
 {{- range .Values.clusterIssuer.ACME }}
- {{- if not (mustRegexMatch "^[a-z]+(-?[a-z]){0,63}-?[a-z]+$" .name) -}}
+ {{- if or (not .name) (not (mustRegexMatch "^[a-z]+(-?[a-z]){0,63}-?[a-z]+$" .name)) -}}
 {{- fail "ACME - Expected name to be all lowercase with hyphens, but not start or end with a hyphen" -}}
 {{- end -}}
- {{- $validTypes := list "HTTP01" "cloudflare" "route53" "digitalocean" "akamai" "rfc2136" -}}
+ {{- $validTypes := list "HTTP01" "cloudflare" "route53" "digitalocean" "akamai" "rfc2136" "acmedns" -}}
 {{- if not (mustHas .type $validTypes) -}}
 {{- fail (printf "Expected ACME type to be one of [%s], but got [%s]" (join ", " $validTypes) .type) -}}
 {{- end -}}
 {{- $issuerSecretName := printf "%s-clusterissuer-secret" .name }}
+ {{- $acmednsDict := dict -}}
+ {{- if and (eq .type "acmedns") (not .acmednsConfigJson) }}
+ {{- range .acmednsConfig }}
+ {{/* Transform to a dict with domain as a key, also remove domain from the dict */}}
+ {{- $_ := set $acmednsDict .domain (omit . "domain") -}}
+ {{- end }}
+ {{- end -}}
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
@@ -85,6 +92,12 @@ spec:
 tsigSecretSecretRef:
 name: {{ $issuerSecretName }}
 key: rfctsigSecret
+ {{- else if eq .type "acmedns" }}
 acmeDNS:
+ host: {{ .acmednsHost }}
+ accountSecretRef:
+ name: {{ $issuerSecretName }}
+ key: acmednsJson
 {{- end -}}
 {{- end }}
 ---
@@ -103,5 +116,10 @@ stringData:
 akaccessToken: {{ .akaccessToken | default "" }}
 doaccessToken: {{ .doaccessToken | default "" }}
 rfctsigSecret: {{ $rfctsigSecret }}
-{{- end }}
+{{- if .acmednsConfigJson }}
+ acmednsJson: {{ .acmednsConfigJson }}
+{{- else if $acmednsDict }}
+ acmednsJson: {{ toJson $acmednsDict }}
+{{- end -}}
+ {{- end -}}
 {{- end -}}
diff --git a/charts/enterprise/clusterissuer/values.yaml b/charts/enterprise/clusterissuer/values.yaml
index 264f47ed254..4903d7a582f 100644
--- a/charts/enterprise/clusterissuer/values.yaml
+++ b/charts/enterprise/clusterissuer/values.yaml
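Review bot: In the third hunk, `acmednsJson: {{ toJson $acmednsDict }}` and the `{{ .acmednsConfigJson }}` line above it emit the JSON object unquoted inside `stringData`, where YAML reads a leading `{` as a flow mapping rather than a string, so the Secret ends up with a nested map under `acmednsJson` instead of the JSON document cert-manager reads from the key; `acmednsJson: {{ .acmednsConfigJson | quote }}` and `acmednsJson: {{ toJson $acmednsDict | quote }}` keep it a string. In the first hunk the new `{{- end -}}` placed directly before `---` right-trims the newline that previously followed the `$issuerSecretName` line, so as far as I can tell from the hunk, with more than one entry in `.Values.clusterIssuer.ACME` the separator is glued onto the end of the previous Secret's last line; `{{- end }}` there keeps `---` on its own line. In the second hunk `host: {{ .acmednsHost }}` is rendered unquoted and never checked, so an empty value renders as null and passes the validation block that otherwise fails on a bad name or type; quoting it and guarding it next to the `$validTypes` check would match the rest of the template. The `range` body these hunks belong to starts and ends outside the view.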
@@ -59,7 +59,7 @@ clusterIssuer:
 # # Used primarily for the SCALE GUI
 # customServer: 'https://acme-staging-v02.api.letsencrypt.org/directory'
 # email: ""
-# # Options: HTTP01, cloudflare, route53
+# # Options: HTTP01, cloudflare, route53, akamai, digitalocean, rfc2136, acmedns
 # type: ""
 # # for cloudflare
 # cfapikey: ""
@@ -82,3 +82,15 @@ clusterIssuer:
 # tsigKeyName: ""
 # tsigAlgorithm: ""
 # rfctsigSecret: ""
+# # for acmedns
+# name: sd
+# acmednsHost: asdf
+# # Pick one of the bellow acmednsConfig
+# acmednsConfigJson:
+# acmednsConfig:
+# - domain: ""
+# username: ""
+# password: ""
+# fulldomain: ""
+# subdomain: ""
+# allowFrom: []
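Review bot: The commented example in the second hunk uses the placeholders `name: sd` and `acmednsHost: asdf`, while every other example in this block uses `""`, so anyone who uncomments it as a starting point gets a throwaway issuer name and a host that is not a URL; `# name: ""` and `# acmednsHost: ""` (or the `https://auth.acme-dns.io` default that questions.yaml declares) would match the surrounding style. `# # Pick one of the bellow acmednsConfig` has a typo (`below`), and since the template consumes `acmednsConfigJson` as a ready-made JSON string, `# acmednsConfigJson: ""` would make its expected type visible instead of a bare key. These are comment-only lines, so nothing renders differently either way.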