Merge pull request #6 from artemlive/feature/add-role-binding-for-sec…

…rets Feature/add role binding for secrets reading
DEVmachine-fr · Oct 21, 2020 · f4b5c97 · f4b5c97
2 parents 994dd33 + 7f246b8
commit f4b5c97
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 9 deletions.
diff --git a/charts/alidns-webhook/Chart.yaml b/charts/alidns-webhook/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
 appVersion: "1.0"
 description: A Helm chart for Kubernetes
 name: alidns-webhook
-version: 0.1.1
+version: 0.1.2
diff --git a/charts/alidns-webhook/templates/rbac.yaml b/charts/alidns-webhook/templates/rbac.yaml
@@ -8,6 +8,46 @@ metadata:
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 ---
+# Grant permissions to read secrets inside the cert-manager namespace to get credentials
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "alidns-webhook.fullname" . }}:secrets-reader
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ include "alidns-webhook.name" . }}
+    chart: {{ include "alidns-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}    
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - 'secrets'
+    verbs:
+      - 'get'
+---
+# Bind the previously created role to the webhook service account to allow reading from secrets in a cert-manager namespace
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "alidns-webhook.fullname" . }}:secrets-reader
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ include "alidns-webhook.name" . }}
+    chart: {{ include "alidns-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}    
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "alidns-webhook.fullname" . }}:secrets-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "alidns-webhook.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+---
 # Grant the webhook permission to read the ConfigMap containing the Kubernetes
 # apiserver's requestheader-ca-certificate.
 # This ConfigMap is automatically created by the Kubernetes apiserver.

diff --git a/main.go b/main.go
@@ -3,15 +3,17 @@ package main
 import (
 	"encoding/json"
 	"fmt"
+
 	"github.com/aliyun/alibaba-cloud-sdk-go/sdk"
 	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials"
 	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests"
 	"github.com/aliyun/alibaba-cloud-sdk-go/services/alidns"
 
-	"github.com/pkg/errors"
 	"os"
 	"strings"
 
+	"github.com/pkg/errors"
+
 	extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
@@ -102,7 +104,7 @@ func (c *aliDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
 	}
 
 	// TODO: do something more useful with the decoded configuration
-	fmt.Printf("Decoded configuration %v", cfg)
+	fmt.Printf("Decoded configuration: %v\n", cfg)
 
 	accessToken, err := c.loadSecretData(cfg.AccessToken, ch.ResourceNamespace)
 	secretKey, err := c.loadSecretData(cfg.SecretToken, ch.ResourceNamespace)
@@ -118,14 +120,14 @@ func (c *aliDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
 
 	_, zoneName, err := c.getHostedZone(ch.ResolvedZone)
 	if err != nil {
-		return fmt.Errorf("alicloud: %v", err)
+		return fmt.Errorf("alicloud: error getting hosted zones: %v", err)
 	}
 
 	recordAttributes := c.newTxtRecord(zoneName, ch.ResolvedFQDN, ch.Key)
 
 	_, err = c.aliDNSClient.AddDomainRecord(recordAttributes)
 	if err != nil {
-		return fmt.Errorf("alicloud: API call failed: %v", err)
+		return fmt.Errorf("alicloud: error adding domain record: %v", err)
 	}
 	return nil
 }
@@ -139,7 +141,7 @@ func (c *aliDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
 func (c *aliDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
 	records, err := c.findTxtRecords(ch.ResolvedZone, ch.ResolvedFQDN)
 	if err != nil {
-		return fmt.Errorf("alicloud: %v", err)
+		return fmt.Errorf("alicloud: error finding txt records: %v", err)
 	}
 
 	_, _, err = c.getHostedZone(ch.ResolvedZone)
@@ -153,7 +155,7 @@ func (c *aliDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
 			request.RecordId = rec.RecordId
 			_, err = c.aliDNSClient.DeleteDomainRecord(request)
 			if err != nil {
-				return fmt.Errorf("alicloud: %v", err)
+				return fmt.Errorf("alicloud: error deleting domain record: %v", err)
 			}
 		}
 	}
@@ -206,7 +208,7 @@ func (c *aliDNSProviderSolver) getHostedZone(resolvedZone string) (string, strin
 
 		response, err := c.aliDNSClient.DescribeDomains(request)
 		if err != nil {
-			return "", "", fmt.Errorf("API call failed: %v", err)
+			return "", "", fmt.Errorf("alicloud: error describing domains: %v", err)
 		}
 
 		domains = append(domains, response.Domains.Domain...)
@@ -254,7 +256,7 @@ func (c *aliDNSProviderSolver) findTxtRecords(domain string, fqdn string) ([]ali
 
 	result, err := c.aliDNSClient.DescribeDomainRecords(request)
 	if err != nil {
-		return records, fmt.Errorf("API call has failed: %v", err)
+		return records, fmt.Errorf("alicloud: error describing domain records: %v", err)
 	}
 
 	recordName := c.extractRecordName(fqdn, zoneName)