Removed secret-read permissions from pod

2024-11-02 11:04:53 +00:00
parent 2da56a0aaf
commit 74a7eb3828
7 changed files with 48 additions and 75 deletions
@@ -5,8 +5,8 @@ Have you read it? If you haven't go read it. Cuz I'll keep everything short.

 This is a dns01 solver for [FreeDNS](https://freedns.afraid.org/).

-Pull requests welcome. I'm completely unfamiliar with golang. I did it by looking at
-other webhook repos and this is the result.
+Pull requests welcome. I'm now somewhat familiar with golang. You can also look at
+other and choose the one that fits your need.

 ## Install
 ```bash
@@ -42,18 +42,15 @@ Normally if you haven't changed anything, the default namespace should be
 `cert-manager`. It should be within the same namespace for the webhook when
 you do `helm install webhook -n cert-manager`.

-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: freedns-auth
-  namespace: cert-manager
-data:
-  username: [YOUR_USERNAME_IN_BASE64]
-  password: [YOUR_PASSWORD_IN_BASE64]
-type: Opaque
-```
-
 Additionally, the following names can be customized
 * acme.freedns.afraid.org
-* freedns-auth
+
+### UPDATE
+2024-10-30
+- Merged from upstream, now works on 1.31 cluster
+
+2024-11-02
+- Webhook will now properly logs its actions
+- Removed permissions to read secrets from pod for obvious reansons
+  - Authentication details are now requested from Helm
+  - You should remove the old secret `freedns-auth`. It is now handled by Helm.
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: "1.0"
-description: A Helm chart for Kubernetes
+appVersion: "2024.11.02.05"
+description: A FreeDNS webhook dns01 solver for cert-manager
 name: freedns-webhook
-version: 0.1.0
+version: 0.1.1
@@ -29,6 +29,9 @@ spec:
            - --v=2
            - --tls-cert-file=/tls/tls.crt
            - --tls-private-key-file=/tls/tls.key
+          envFrom:
+            - secretRef:
+                name: {{ include "freedns-webhook.fullname" . }}-auth
          env:
            - name: GROUP_NAME
              value: {{ .Values.groupName | quote }}
@@ -8,45 +8,6 @@ metadata:
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ include "freedns-webhook.fullname" . }}:secret-read
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: {{ include "freedns-webhook.name" . }}
-    chart: {{ include "freedns-webhook.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - 'secrets'
-    verbs:
-      - 'get'
---
-# Grant the webhook permission to read the secret
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ include "freedns-webhook.fullname" . }}:secret-read
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: {{ include "freedns-webhook.name" . }}
-    chart: {{ include "freedns-webhook.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "freedns-webhook.fullname" . }}:secret-read
-subjects:
-  - apiGroup: ""
-    kind: ServiceAccount
-    name: {{ include "freedns-webhook.fullname" . }}
-    namespace: {{ .Release.Namespace }}
---
 # Grant the webhook permission to read the ConfigMap containing the Kubernetes
 # apiserver's requestheader-ca-certificate.
 # This ConfigMap is automatically created by the Kubernetes apiserver.
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+data:
+  FREEDNS_USERNAME: {{ required "Please provide the value of freedns.auth.FREEDNS_USERNAME" .Values.freedns.auth.FREEDNS_USERNAME | b64enc | quote }}
+  FREEDNS_PASSWORD: {{ required "Please provide the value of freedns.auth.FREEDNS_PASSWORD" .Values.freedns.auth.FREEDNS_PASSWORD | b64enc | quote }}
+metadata:
+  name: {{ include "freedns-webhook.fullname" . }}-auth
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    app: {{ include "freedns-webhook.name" . }}
+    chart: {{ include "freedns-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+type: Opaque
@@ -14,7 +14,7 @@ certManager:

 image:
  repository: penguinade/cert-manager-webhook-freedns
-  tag: 2024.11.02.04
+  tag: 2024.11.02.05
  pullPolicy: IfNotPresent

 nameOverride: ""
@@ -24,6 +24,11 @@ service:
  type: ClusterIP
  port: 443

+freedns:
+  auth:
+    FREEDNS_USERNAME:
+    FREEDNS_PASSWORD:
+
 resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
@@ -1,14 +1,12 @@
 package main

 import (
-	"context"
 	"encoding/json"
 	"fmt"
 	"os"
 	"strings"

 	extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"

@@ -19,11 +17,19 @@ import (
 )

 var GroupName = os.Getenv("GROUP_NAME")
+var UserName = os.Getenv("FREEDNS_USERNAME")
+var Password = os.Getenv("FREEDNS_PASSWORD")

 func main() {
 	if GroupName == "" {
 		panic("GROUP_NAME must be specified")
 	}
+	if UserName == "" {
+		panic("FREEDNS_USERNAME must be specified")
+	}
+	if Password == "" {
+		panic("FREEDNS_PASSWORD must be specified")
+	}

 	// This will register our custom DNS provider with the webhook serving
 	// library, making it available as an API under the provided GroupName.
@@ -91,22 +97,8 @@ func (c *customDNSProviderSolver) Name() string {
 // cert-manager itself will later perform a self check to ensure that the
 // solver has correctly configured the DNS provider.
 func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
-	cfg, err := loadConfig(ch.Config)
-	if err != nil {
-		return err
-	}
-
-	secretName := cfg.SecretRef
-	secretObj, err := c.client.CoreV1().Secrets(ch.ResourceNamespace).Get(context.Background(), secretName, metav1.GetOptions{})
-	if err != nil {
-		return fmt.Errorf("Unable to get secret `%s/%s`; %v", secretName, ch.ResourceNamespace, err)
-	}
-
-	username := string(secretObj.Data["username"])
-	password := string(secretObj.Data["password"])
-
 	dnsObj := freedns.FreeDNS{}
-	err = dnsObj.Login(username, password)
+	err := dnsObj.Login(UserName, Password)
 	if err != nil {
 		return err
 	}