feat: allow reading api key from secret

Author: kosmoz

challenge_context.go

@@ -9,7 +9,6 @@ import (
 	acmev1alpha1 "github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
 	egoscale "github.com/exoscale/egoscale/v3"
 	"github.com/exoscale/egoscale/v3/credentials"
-	apiext "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/klog/v2"
@@ -18,9 +17,9 @@ import (
 type challengeContext struct {
 	k8s        *kubernetes.Clientset
 	exo        *egoscale.Client
-	cfg        customDNSProviderConfig
+	ch         *acmev1alpha1.ChallengeRequest
+	cfg        *customDNSProviderConfig
 	RecordName string
-	RecordKey  string
 	Record     *egoscale.DNSDomainRecord
 	DNSDomain  *egoscale.DNSDomain
 }
@@ -30,21 +29,21 @@ func NewChallengeContext(
 	clientset *kubernetes.Clientset,
 	ch *acmev1alpha1.ChallengeRequest,
 ) (*challengeContext, error) {
-	cc := challengeContext{k8s: clientset, RecordKey: ch.Key}
+	cc := challengeContext{k8s: clientset, ch: ch}
 
-	if err := cc.initConfig(ctx, ch.Config); err != nil {
+	if err := cc.initConfig(ctx); err != nil {
 		return nil, err
 	}
 
-	if err := cc.initExoClient(ctx, ch); err != nil {
+	if err := cc.initExoClient(ctx); err != nil {
 		return nil, err
 	}
 
-	if err := cc.initDomain(ctx, ch.ResolvedFQDN); err != nil {
+	if err := cc.initDomain(ctx); err != nil {
 		return nil, err
 	}
 
-	if err := cc.initRecordName(ch.ResolvedFQDN); err != nil {
+	if err := cc.initRecordName(); err != nil {
 		return nil, err
 	}
 
@@ -55,12 +54,12 @@ func NewChallengeContext(
 	return &cc, nil
 }
 
-func (cc *challengeContext) initConfig(ctx context.Context, cfgJSON *apiext.JSON) error {
+func (cc *challengeContext) initConfig(ctx context.Context) error {
 	log := klog.FromContext(ctx)
-	if cfgJSON == nil {
+	if cc.ch.Config == nil {
 		return nil
 	}
-	if err := json.Unmarshal(cfgJSON.Raw, &cc.cfg); err != nil {
+	if err := json.Unmarshal(cc.ch.Config.Raw, &cc.cfg); err != nil {
 		return fmt.Errorf("error decoding solver config: %v", err)
 	}
 
@@ -69,23 +68,34 @@ func (cc *challengeContext) initConfig(ctx context.Context, cfgJSON *apiext.JSON
 	return nil
 }
 
-func (cc *challengeContext) loadClientCredentials(
-	ctx context.Context,
-	ch *acmev1alpha1.ChallengeRequest,
-) (*credentials.Credentials, error) {
-	if cc.cfg.SecretName != "" {
-		secret, err := cc.k8s.CoreV1().Secrets(ch.ResourceNamespace).Get(ctx, cc.cfg.SecretName, metav1.GetOptions{})
+func (cc *challengeContext) loadClientCredentials(ctx context.Context) (*credentials.Credentials, error) {
+	if apiKey, err := cc.resolveValue(ctx, cc.cfg.APIKey); err != nil {
+		return nil, err
+	} else if apiSecret, err := cc.resolveValue(ctx, cc.cfg.APISecret); err != nil {
+		return nil, err
+	} else {
+		return credentials.NewStaticCredentials(apiKey, apiSecret), nil
+	}
+}
+
+func (cc *challengeContext) resolveValue(ctx context.Context, v valueOrSecretRef) (string, error) {
+	if v.FromSecret != nil {
+		secret, err := cc.k8s.CoreV1().Secrets(cc.ch.ResourceNamespace).
+			Get(ctx, v.FromSecret.Name, metav1.GetOptions{})
 		if err != nil {
-			return nil, err
+			return "", err
+		} else if value, ok := secret.Data[v.FromSecret.Key]; !ok {
+			return "", fmt.Errorf("secret %v does not have key %v", v.FromSecret.Name, v.FromSecret.Key)
+		} else {
+			return string(value), nil
 		}
-		return credentials.NewStaticCredentials(string(secret.Data["apiKey"]), string(secret.Data["apiSecret"])), nil
 	} else {
-		return credentials.NewStaticCredentials(cc.cfg.APIKey, cc.cfg.APISecret), nil
+		return v.Value, nil
 	}
 }
 
-func (cc *challengeContext) initExoClient(ctx context.Context, ch *acmev1alpha1.ChallengeRequest) error {
-	if creds, err := cc.loadClientCredentials(ctx, ch); err != nil {
+func (cc *challengeContext) initExoClient(ctx context.Context) error {
+	if creds, err := cc.loadClientCredentials(ctx); err != nil {
 		return err
 	} else if client, err := egoscale.NewClient(creds); err != nil {
 		return err
@@ -95,7 +105,8 @@ func (cc *challengeContext) initExoClient(ctx context.Context, ch *acmev1alpha1.
 	}
 }
 
-func (cc *challengeContext) initDomain(ctx context.Context, fqdn string) error {
+func (cc *challengeContext) initDomain(ctx context.Context) error {
+	log := klog.FromContext(ctx)
 	if cc.cfg.DomainID != "" {
 		if domain, err := cc.exo.GetDNSDomain(ctx, cc.cfg.DomainID); err != nil {
 			return err
@@ -109,14 +120,16 @@ func (cc *challengeContext) initDomain(ctx context.Context, fqdn string) error {
 		} else {
 			var found *egoscale.DNSDomain
 			for _, domain := range result.DNSDomains {
-				if isInZone(fqdn, domain.UnicodeName) && (found == nil || len(domain.UnicodeName) > len(found.UnicodeName)) {
+				if isInZone(cc.ch.ResolvedFQDN, domain.UnicodeName) &&
+					(found == nil || len(domain.UnicodeName) > len(found.UnicodeName)) {
 					found = &domain
 				}
 			}
 
 			if found == nil {
-				return fmt.Errorf("no zone found to host FQDN %v", fqdn)
+				return fmt.Errorf("no zone found to host FQDN %v", cc.ch.ResolvedFQDN)
 			}
+			log.Info(fmt.Sprintf("found domain %+v", found))
 			cc.DNSDomain = found
 			return nil
 		}
@@ -137,18 +150,18 @@ func normalizeZone(zone string) string {
 	return zone
 }
 
-func (cc *challengeContext) initRecordName(fqdn string) error {
-	if !isInZone(fqdn, cc.DNSDomain.UnicodeName) {
-		return fmt.Errorf("%v is not a subdomain of %v", fqdn, cc.DNSDomain.UnicodeName)
+func (cc *challengeContext) initRecordName() error {
+	if !isInZone(cc.ch.ResolvedFQDN, cc.DNSDomain.UnicodeName) {
+		return fmt.Errorf("%v is not a subdomain of %v", cc.ch.ResolvedFQDN, cc.DNSDomain.UnicodeName)
 	}
-	cc.RecordName = strings.TrimSuffix(fqdn, normalizeZone(cc.DNSDomain.UnicodeName))
+	cc.RecordName = strings.TrimSuffix(cc.ch.ResolvedFQDN, normalizeZone(cc.DNSDomain.UnicodeName))
 	return nil
 }
 
 func (cc *challengeContext) initRecord(ctx context.Context) error {
-	log := klog.FromContext(ctx).WithValues("recordName", cc.RecordName, "recordKey", cc.RecordKey)
+	log := klog.FromContext(ctx).WithValues("recordName", cc.RecordName, "recordKey", cc.ch.Key)
 	log.Info(fmt.Sprintf("looking for existing record in domain %+v", cc.DNSDomain))
-	expectedContent := fmt.Sprintf(`"%v"`, cc.RecordKey)
+	expectedContent := fmt.Sprintf(`"%v"`, cc.ch.Key)
 	if result, err := cc.exo.ListDNSDomainRecords(ctx, cc.DNSDomain.ID); err != nil {
 		return err
 	} else {
@@ -171,7 +184,7 @@ func (cc *challengeContext) CreateRecord(ctx context.Context) (*egoscale.Operati
 	log := klog.FromContext(ctx)
 	req := egoscale.CreateDNSDomainRecordRequest{
 		Name:    cc.RecordName,
-		Content: cc.RecordKey,
+		Content: cc.ch.Key,
 		Type:    egoscale.CreateDNSDomainRecordRequestTypeTXT,
 		Ttl:     60,
 	}

deploy/cert-manager-webhook-exoscale/templates/rbac.yaml

@@ -74,3 +74,41 @@ subjects:
     kind: ServiceAccount
     name: {{ .Values.certManager.serviceAccountName }}
     namespace: {{ .Values.certManager.namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "cert-manager-webhook-exoscale.fullname" . }}:secret-reader
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cert-manager-webhook-exoscale.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - "secrets"
+    {{- with .Values.issuerSecrets }}
+    resourceNames:
+    {{ toYaml . | indent 2 }}
+    {{- end }}
+    verbs:
+      - "get"
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "cert-manager-webhook-exoscale.fullname" . }}:secret-reader
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cert-manager-webhook-exoscale.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "cert-manager-webhook-exoscale.fullname" . }}:secret-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "cert-manager-webhook-exoscale.fullname" . }}
+    namespace: {{ .Release.Namespace }}

deploy/cert-manager-webhook-exoscale/values.yaml

@@ -8,6 +8,11 @@
 # here is recommended.
 groupName: acme.mycompany.com
 
+# Names of secrets the webhook should be allowed to read in order to access Exoscale API keys.
+# If you leave this empty, it is allowed to read all secrets in the namespace it was installed in
+issuerSecrets:
+  # - exoscale-api-secret
+
 certManager:
   namespace: cert-manager
   serviceAccountName: cert-manager

examples/cluster-issuer/certificate.yaml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: test
+spec:
+  secretName: test-tls
+  dnsNames:
+    - hello-webhook-1.kosmoz.local.gkube.eu
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: exoscale-example

examples/cluster-issuer/cluster-issuer.yaml

@@ -0,0 +1,24 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: exoscale-example
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: exoscale-example-account-key
+    email: [email protected]
+    solvers:
+      - dns01:
+          webhook:
+            groupName: acme.mycompany.com
+            solverName: exoscale
+            config:
+              apiKey:
+                fromSecret:
+                  name: exoscale-api
+                  key: apiKey
+              apiSecret:
+                fromSecret:
+                  name: exoscale-api
+                  key: apiSecret

go.mod

@@ -5,7 +5,7 @@ go 1.23.0
 require (
 	github.com/cert-manager/cert-manager v1.16.3
 	github.com/exoscale/egoscale/v3 v3.1.9
-	k8s.io/apiextensions-apiserver v0.31.1
+	k8s.io/api v0.31.1
 	k8s.io/apimachinery v0.31.1
 	k8s.io/client-go v0.31.1
 	k8s.io/klog/v2 v2.130.1
@@ -117,7 +117,7 @@ require (
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.31.1 // indirect
+	k8s.io/apiextensions-apiserver v0.31.1 // indirect
 	k8s.io/apiserver v0.31.1 // indirect
 	k8s.io/component-base v0.31.1 // indirect
 	k8s.io/kms v0.31.1 // indirect

main.go

@@ -7,6 +7,7 @@ import (
 	acmev1alpha1 "github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
 	"github.com/cert-manager/cert-manager/pkg/acme/webhook/cmd"
 	egoscale "github.com/exoscale/egoscale/v3"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/klog/v2"
@@ -63,10 +64,14 @@ type customDNSProviderConfig struct {
 	// These fields will be set by users in the
 	// `issuer.spec.acme.dns01.providers.webhook.config` field.
 
-	APIKey     string        `json:"apiKey"`
-	APISecret  string        `json:"apiSecret"`
-	SecretName string        `json:"secretName"`
-	DomainID   egoscale.UUID `json:"domainId"`
+	APIKey    valueOrSecretRef `json:"apiKey"`
+	APISecret valueOrSecretRef `json:"apiSecret"`
+	DomainID  egoscale.UUID    `json:"domainId"`
+}
+
+type valueOrSecretRef struct {
+	Value      string                    `json:"value"`
+	FromSecret *corev1.SecretKeySelector `json:"fromSecret"`
 }
 
 // Name is used as the name for this DNS solver when referencing it on the ACME

testdata/exoscale-solver/README.md

@@ -4,8 +4,8 @@ Config format:
 
 ```json
 {
-  "apiKey": "EXO.....................",
-  "apiSecret": ".........................",
-  "domainId": ".........................."
+  "apiKey": "EXOf2b10337b1a9dd059ade5890",
+  "apiSecret": "tx11Nh3oVb6HYuT085uolfga1RNK7ykJo0JQlUXJ7rw",
+  "domainId": "89083a5c-b648-474a-0000-0000001223e3"
 }
 ```