Removed secret-read permissions from pod
@@ -5,8 +5,8 @@ Have you read it? If you haven't go read it. Cuz I'll keep everything short.
|
|||||||
|
|
||||||
This is a dns01 solver for [FreeDNS](https://freedns.afraid.org/).
|
This is a dns01 solver for [FreeDNS](https://freedns.afraid.org/).
|
||||||
|
|
||||||
Pull requests welcome. I'm completely unfamiliar with golang. I did it by looking at
|
Pull requests welcome. I'm now somewhat familiar with golang. You can also look at
|
||||||
other webhook repos and this is the result.
|
other and choose the one that fits your need.
|
||||||
|
|
||||||
## Install
|
## Install
|
||||||
```bash
|
```bash
|
||||||
@@ -42,18 +42,15 @@ Normally if you haven't changed anything, the default namespace should be
|
|||||||
`cert-manager`. It should be within the same namespace for the webhook when
|
`cert-manager`. It should be within the same namespace for the webhook when
|
||||||
you do `helm install webhook -n cert-manager`.
|
you do `helm install webhook -n cert-manager`.
|
||||||
|
|
||||||
```yaml
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: freedns-auth
|
|
||||||
namespace: cert-manager
|
|
||||||
data:
|
|
||||||
username: [YOUR_USERNAME_IN_BASE64]
|
|
||||||
password: [YOUR_PASSWORD_IN_BASE64]
|
|
||||||
type: Opaque
|
|
||||||
```
|
|
||||||
|
|
||||||
Additionally, the following names can be customized
|
Additionally, the following names can be customized
|
||||||
* acme.freedns.afraid.org
|
* acme.freedns.afraid.org
|
||||||
* freedns-auth
|
|
||||||
|
### UPDATE
|
||||||
|
2024-10-30
|
||||||
|
- Merged from upstream, now works on 1.31 cluster
|
||||||
|
|
||||||
|
2024-11-02
|
||||||
|
- Webhook will now properly logs its actions
|
||||||
|
- Removed permissions to read secrets from pod for obvious reansons
|
||||||
|
- Authentication details are now requested from Helm
|
||||||
|
- You should remove the old secret `freedns-auth`. It is now handled by Helm.
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
appVersion: "1.0"
|
appVersion: "2024.11.02.05"
|
||||||
description: A Helm chart for Kubernetes
|
description: A FreeDNS webhook dns01 solver for cert-manager
|
||||||
name: freedns-webhook
|
name: freedns-webhook
|
||||||
version: 0.1.0
|
version: 0.1.1
|
||||||
|
|||||||
@@ -29,6 +29,9 @@ spec:
|
|||||||
- --v=2
|
- --v=2
|
||||||
- --tls-cert-file=/tls/tls.crt
|
- --tls-cert-file=/tls/tls.crt
|
||||||
- --tls-private-key-file=/tls/tls.key
|
- --tls-private-key-file=/tls/tls.key
|
||||||
|
envFrom:
|
||||||
|
- secretRef:
|
||||||
|
name: {{ include "freedns-webhook.fullname" . }}-auth
|
||||||
env:
|
env:
|
||||||
- name: GROUP_NAME
|
- name: GROUP_NAME
|
||||||
value: {{ .Values.groupName | quote }}
|
value: {{ .Values.groupName | quote }}
|
||||||
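Review bot: The FreeDNS credentials are now injected into the process environment through the added `envFrom: - secretRef:` block, which means every child process the webhook ever spawns inherits them and anything that can read the container's `/proc/<pid>/environ` sees them; a volume-mounted Secret read once at startup keeps the exposure narrower. If environment injection is kept, the rendered page does not preserve indentation, so please confirm the added `envFrom:` key sits at the same level as the existing `env:` key of the same container rather than nested under `args`. A short comment above the block would help the next maintainer: `# Credentials come from the chart-managed Secret; see templates for the -auth Secret.`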
|
|||||||
@@ -8,45 +8,6 @@ metadata:
|
|||||||
release: {{ .Release.Name }}
|
release: {{ .Release.Name }}
|
||||||
heritage: {{ .Release.Service }}
|
heritage: {{ .Release.Service }}
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: Role
|
|
||||||
metadata:
|
|
||||||
name: {{ include "freedns-webhook.fullname" . }}:secret-read
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
app: {{ include "freedns-webhook.name" . }}
|
|
||||||
chart: {{ include "freedns-webhook.chart" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
heritage: {{ .Release.Service }}
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- ''
|
|
||||||
resources:
|
|
||||||
- 'secrets'
|
|
||||||
verbs:
|
|
||||||
- 'get'
|
|
||||||
---
|
|
||||||
# Grant the webhook permission to read the secret
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: RoleBinding
|
|
||||||
metadata:
|
|
||||||
name: {{ include "freedns-webhook.fullname" . }}:secret-read
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
app: {{ include "freedns-webhook.name" . }}
|
|
||||||
chart: {{ include "freedns-webhook.chart" . }}
|
|
||||||
release: {{ .Release.Name }}
|
|
||||||
heritage: {{ .Release.Service }}
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: Role
|
|
||||||
name: {{ include "freedns-webhook.fullname" . }}:secret-read
|
|
||||||
subjects:
|
|
||||||
- apiGroup: ""
|
|
||||||
kind: ServiceAccount
|
|
||||||
name: {{ include "freedns-webhook.fullname" . }}
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
---
|
|
||||||
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
|
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
|
||||||
# apiserver's requestheader-ca-certificate.
|
# apiserver's requestheader-ca-certificate.
|
||||||
# This ConfigMap is automatically created by the Kubernetes apiserver.
|
# This ConfigMap is automatically created by the Kubernetes apiserver.
|
||||||
|
|||||||
@@ -0,0 +1,15 @@
|
|||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
type: Opaque
|
||||||
|
data:
|
||||||
|
FREEDNS_USERNAME: {{ required "Please provide the value of freedns.auth.FREEDNS_USERNAME" .Values.freedns.auth.FREEDNS_USERNAME | b64enc | quote }}
|
||||||
|
FREEDNS_PASSWORD: {{ required "Please provide the value of freedns.auth.FREEDNS_PASSWORD" .Values.freedns.auth.FREEDNS_PASSWORD | b64enc | quote }}
|
||||||
|
metadata:
|
||||||
|
name: {{ include "freedns-webhook.fullname" . }}-auth
|
||||||
|
namespace: {{ .Release.Namespace | quote }}
|
||||||
|
labels:
|
||||||
|
app: {{ include "freedns-webhook.name" . }}
|
||||||
|
chart: {{ include "freedns-webhook.chart" . }}
|
||||||
|
release: {{ .Release.Name }}
|
||||||
|
heritage: {{ .Release.Service }}
|
||||||
|
type: Opaque
|
||||||
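Review bot: `type: Opaque` appears twice in this new template, once before `data:` and again as the last line; duplicate mapping keys are an error for strict YAML decoders, including the one Helm uses to validate rendered manifests, so the trailing occurrence should be removed. The `required` guards on both `data:` entries are the right choice: an install with an empty password fails at template time instead of creating a Secret with an empty value. Be aware that Helm also persists the supplied values in its release record in the same namespace, so the plaintext password is recoverable by anyone with read access to Secrets there; a comment above `data:` such as `# Values are also retained in the Helm release record; restrict Secret read access in this namespace.` would make that trade-off explicit.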
@@ -14,7 +14,7 @@ certManager:
|
|||||||
|
|
||||||
image:
|
image:
|
||||||
repository: penguinade/cert-manager-webhook-freedns
|
repository: penguinade/cert-manager-webhook-freedns
|
||||||
tag: 2024.11.02.04
|
tag: 2024.11.02.05
|
||||||
pullPolicy: IfNotPresent
|
pullPolicy: IfNotPresent
|
||||||
|
|
||||||
nameOverride: ""
|
nameOverride: ""
|
||||||
@@ -24,6 +24,11 @@ service:
|
|||||||
type: ClusterIP
|
type: ClusterIP
|
||||||
port: 443
|
port: 443
|
||||||
|
|
||||||
|
freedns:
|
||||||
|
auth:
|
||||||
|
FREEDNS_USERNAME:
|
||||||
|
FREEDNS_PASSWORD:
|
||||||
|
|
||||||
resources: {}
|
resources: {}
|
||||||
# We usually recommend not to specify default resources and to leave this as a conscious
|
# We usually recommend not to specify default resources and to leave this as a conscious
|
||||||
# choice for the user. This also increases chances charts run on environments with little
|
# choice for the user. This also increases chances charts run on environments with little
|
||||||
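Review bot: The new `freedns.auth` keys carry no comment explaining how they are meant to be supplied, and since `values.yaml` is normally committed a reader could fill them in here and commit a live password. Suggest a comment above `auth:`: `# Supply via --set or a values file kept out of version control; never commit real credentials here.` The environment-variable-shaped key names (`FREEDNS_USERNAME`, `FREEDNS_PASSWORD`) are also inconsistent with the camelCase keys elsewhere in this file such as `groupName` and `nameOverride`; `username`/`password` under `auth` with the mapping to env names done in the Secret template would read more naturally.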
|
|||||||
@@ -1,14 +1,12 @@
|
|||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
||||||
"k8s.io/client-go/kubernetes"
|
"k8s.io/client-go/kubernetes"
|
||||||
"k8s.io/client-go/rest"
|
"k8s.io/client-go/rest"
|
||||||
|
|
||||||
@@ -19,11 +17,19 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
var GroupName = os.Getenv("GROUP_NAME")
|
var GroupName = os.Getenv("GROUP_NAME")
|
||||||
|
var UserName = os.Getenv("FREEDNS_USERNAME")
|
||||||
|
var Password = os.Getenv("FREEDNS_PASSWORD")
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
if GroupName == "" {
|
if GroupName == "" {
|
||||||
panic("GROUP_NAME must be specified")
|
panic("GROUP_NAME must be specified")
|
||||||
}
|
}
|
||||||
|
if UserName == "" {
|
||||||
|
panic("FREEDNS_USERNAME must be specified")
|
||||||
|
}
|
||||||
|
if Password == "" {
|
||||||
|
panic("FREEDNS_PASSWORD must be specified")
|
||||||
|
}
|
||||||
|
|
||||||
// This will register our custom DNS provider with the webhook serving
|
// This will register our custom DNS provider with the webhook serving
|
||||||
// library, making it available as an API under the provided GroupName.
|
// library, making it available as an API under the provided GroupName.
|
||||||
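Review bot: `UserName` and `Password` are exported package-level variables initialised from the environment at program start; in `package main` the export serves no purpose, and any code in the package can read or overwrite a credential that should be scoped as tightly as possible. Prefer reading them inside `main` into locals (or a small unexported config struct) and passing them into the solver value registered below, which also makes the startup validation testable. The three `panic` calls work, but `fmt.Fprintln(os.Stderr, "FREEDNS_USERNAME must be specified"); os.Exit(1)` reports a configuration error without a goroutine dump. The earlier import hunk drops `context` and `metav1` but keeps `kubernetes` and `rest`; whether the Kubernetes client is still needed after this change cannot be seen from this page.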
@@ -91,22 +97,8 @@ func (c *customDNSProviderSolver) Name() string {
|
|||||||
// cert-manager itself will later perform a self check to ensure that the
|
// cert-manager itself will later perform a self check to ensure that the
|
||||||
// solver has correctly configured the DNS provider.
|
// solver has correctly configured the DNS provider.
|
||||||
func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
|
func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
|
||||||
cfg, err := loadConfig(ch.Config)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
secretName := cfg.SecretRef
|
|
||||||
secretObj, err := c.client.CoreV1().Secrets(ch.ResourceNamespace).Get(context.Background(), secretName, metav1.GetOptions{})
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("Unable to get secret `%s/%s`; %v", secretName, ch.ResourceNamespace, err)
|
|
||||||
}
|
|
||||||
|
|
||||||
username := string(secretObj.Data["username"])
|
|
||||||
password := string(secretObj.Data["password"])
|
|
||||||
|
|
||||||
dnsObj := freedns.FreeDNS{}
|
dnsObj := freedns.FreeDNS{}
|
||||||
err = dnsObj.Login(username, password)
|
err := dnsObj.Login(UserName, Password)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
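Review bot: `loadConfig(ch.Config)` is no longer called, so an Issuer that still carries the previous `secretRef` in its solver config is accepted silently and its per-issuer Secret is ignored in favour of the chart-wide credentials; a user migrating from the old release gets no signal that the referenced Secret is dead. Consider still decoding the config and rejecting the obsolete field, e.g. `if cfg, err := loadConfig(ch.Config); err == nil && cfg.SecretRef != "" { return fmt.Errorf("secretRef is no longer supported; credentials are provided by the Helm chart") }`, assuming `SecretRef` remains on the config type. `dnsObj.Login` now runs with the same global credentials on every call, and whether `c.client` is still used anywhere is not visible here. Present's body continues outside the hunk.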
|
|||||||