From cb49fd4b3f86c5efa7505a09fa6299a6c15dd9fb Mon Sep 17 00:00:00 2001
From: Artem Miroshnychenko
Date: Mon, 19 Oct 2020 16:43:40 +0300
Subject: [PATCH 1/4] feat: add rolebinding to allow webhook to read credentials from secret
---
 deploy/alidns-webhook/templates/rbac.yaml | 39 +++++++++++++++++++++++
 1 file changed, 39 insertions(+)
diff --git a/deploy/alidns-webhook/templates/rbac.yaml b/deploy/alidns-webhook/templates/rbac.yaml
index 7d7efce..6145088 100644
--- a/deploy/alidns-webhook/templates/rbac.yaml
+++ b/deploy/alidns-webhook/templates/rbac.yaml
@@ -8,6 +8,45 @@ metadata:
 release: {{ .Release.Name }}
 heritage: {{ .Release.Service }}
 ---
+# Grant permissions to read secrets inside the cert-manager namespace to get credentials
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "alidns-webhook.fullname" . }}:secrets-reader
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ include "alidns-webhook.name" . }}
+ chart: {{ include "alidns-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - 'secrets'
+ verbs:
+ - 'get'
+# Bind the previously created role to the webhook service account to allow reading from secrets in a cert-manager namespace
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "alidns-webhook.fullname" . }}:secrets-reader
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ include "alidns-webhook.name" . }}
+ chart: {{ include "alidns-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "alidns-webhook.fullname" . }}:secrets-reader
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "alidns-webhook.fullname" . }}
+ namespace: {{ .Values.certManager.namespace }}
+---
 # Grant the webhook permission to read the ConfigMap containing the Kubernetes
 # apiserver's requestheader-ca-certificate.
 # This ConfigMap is automatically created by the Kubernetes apiserver.
From 1633804d397c91bdd48b74d1e56542ff6b3ac135 Mon Sep 17 00:00:00 2001
From: Artem Miroshnychenko
Date: Mon, 19 Oct 2020 16:49:42 +0300
Subject: [PATCH 2/4] fix: improve error messages for better understanding errors purposes
---
 deploy/alidns-webhook/Chart.yaml | 2 +-
 main.go | 18 ++++++++++--------
 2 files changed, 11 insertions(+), 9 deletions(-)
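Review bot: The Role and the RoleBinding are created in `{{ .Release.Namespace }}`, but the binding's subject names the ServiceAccount in `{{ .Values.certManager.namespace }}` and both comments talk about the cert-manager namespace; whenever the release namespace and the cert-manager namespace differ, the subject refers to a ServiceAccount that presumably does not exist there, and a namespaced Role can in any case only cover Secrets in its own namespace. Decide which single namespace holds the credentials Secret, template the Role's and the RoleBinding's `namespace` from that value, and set the subject's `namespace` to wherever the webhook ServiceAccount is actually created. The rule grants `get` on every Secret in that namespace; if the chart can be told the Secret's name, adding it under `resourceNames` would limit the grant to the credentials object. I would also make the leading comment say what the grant really is, e.g. `# Grant read access to Secrets in this namespace so the webhook can load the DNS credentials referenced by the issuer config`.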
diff --git a/deploy/alidns-webhook/Chart.yaml b/deploy/alidns-webhook/Chart.yaml
index 08779aa..62f0be0 100644
--- a/deploy/alidns-webhook/Chart.yaml
+++ b/deploy/alidns-webhook/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
 appVersion: "1.0"
 description: A Helm chart for Kubernetes
 name: alidns-webhook
-version: 0.1.1
+version: 0.1.2
diff --git a/main.go b/main.go
index c1e420c..6cc54d0 100644
--- a/main.go
+++ b/main.go
@@ -3,15 +3,17 @@ package main
 import (
 "encoding/json"
 "fmt"
+ "github.com/aliyun/alibaba-cloud-sdk-go/sdk"
 "github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials"
 "github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests"
 "github.com/aliyun/alibaba-cloud-sdk-go/services/alidns"
- "github.com/pkg/errors"
 "os"
 "strings"
+ "github.com/pkg/errors"
+
 extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/client-go/kubernetes"
@@ -102,7 +104,7 @@ func (c *aliDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
 }
 // TODO: do something more useful with the decoded configuration
- fmt.Printf("Decoded configuration %v", cfg)
+ fmt.Printf("Decoded configuration: %v\n", cfg)
 accessToken, err := c.loadSecretData(cfg.AccessToken, ch.ResourceNamespace)
 secretKey, err := c.loadSecretData(cfg.SecretToken, ch.ResourceNamespace)
@@ -118,14 +120,14 @@ func (c *aliDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
 _, zoneName, err := c.getHostedZone(ch.ResolvedZone)
 if err != nil {
- return fmt.Errorf("alicloud: %v", err)
+ return fmt.Errorf("alicloud: error getting hosted zones: %v", err)
 }
 recordAttributes := c.newTxtRecord(zoneName, ch.ResolvedFQDN, ch.Key)
 _, err = c.aliDNSClient.AddDomainRecord(recordAttributes)
 if err != nil {
- return fmt.Errorf("alicloud: API call failed: %v", err)
+ return fmt.Errorf("alicloud: error adding domain record: %v", err)
 }
 return nil
 }
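Review bot: The new `github.com/aliyun/alibaba-cloud-sdk-go/sdk` import lands between the standard-library `"fmt"` and `"os"` entries while `github.com/pkg/errors` is moved into a group of its own, so the block now interleaves stdlib and module imports across three groups. The `goimports` convention is one stdlib group followed by one blank-line-separated group of module imports; moving the four aliyun entries down next to `github.com/pkg/errors` and the `k8s.io` imports would let the tool keep the block sorted. The import block continues past the end of the hunk.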
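Review bot: The two `loadSecretData` calls at the end of the `-102,7 +104,7` hunk both assign `err` with no check between them, so a failure to load `cfg.AccessToken` is overwritten by the result of the `cfg.SecretToken` call and is never reported; the commit touches the line just above without addressing it. Check each call on its own, e.g. after the `accessToken` line add `if err != nil { return fmt.Errorf("alicloud: error loading access token: %v", err) }` and do the same after the `secretKey` line. The reformatted `fmt.Printf` still dumps the decoded issuer config to stdout on every `Present` call; `cfg.AccessToken` and `cfg.SecretToken` appear to be Secret names rather than values (they are passed to `loadSecretData`), so no credential is printed, but the TODO directly above it marks this as leftover debugging that should be removed or routed through the logger. `Present` starts and ends outside this hunk.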
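Review bot: The new message in `Present` wraps the error from `getHostedZone` with an `alicloud:` prefix, but the `-206,7 +208,7` hunk in this same patch also puts `alicloud:` on `getHostedZone`'s own message, so the result reads `alicloud: error getting hosted zones: alicloud: error describing domains: ...`; the same doubling happens for `CleanUp` over `findTxtRecords` (the `-139,7 +141,7` and `-254,7 +256,7` hunks). Tag the provider at one layer only, e.g. keep `alicloud:` in the leaf API-call messages and have the callers add just the operation, `return fmt.Errorf("error getting hosted zones: %v", err)`. Separately, every message here flattens the underlying error with `%v`; if go.mod targets Go 1.13 or later, `%w` would keep `errors.Is`/`errors.As` usable on the returned value.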
@@ -139,7 +141,7 @@ func (c *aliDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
 func (c *aliDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
 records, err := c.findTxtRecords(ch.ResolvedZone, ch.ResolvedFQDN)
 if err != nil {
- return fmt.Errorf("alicloud: %v", err)
+ return fmt.Errorf("alicloud: error finding txt records: %v", err)
 }
 _, _, err = c.getHostedZone(ch.ResolvedZone)
@@ -153,7 +155,7 @@ func (c *aliDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
 request.RecordId = rec.RecordId
 _, err = c.aliDNSClient.DeleteDomainRecord(request)
 if err != nil {
- return fmt.Errorf("alicloud: %v", err)
+ return fmt.Errorf("alicloud: error deleting domain record: %v", err)
 }
 }
 }
@@ -206,7 +208,7 @@ func (c *aliDNSProviderSolver) getHostedZone(resolvedZone string) (string, strin
 response, err := c.aliDNSClient.DescribeDomains(request)
 if err != nil {
- return "", "", fmt.Errorf("API call failed: %v", err)
+ return "", "", fmt.Errorf("alicloud: error describing domains: %v", err)
 }
 domains = append(domains, response.Domains.Domain...)
@@ -254,7 +256,7 @@ func (c *aliDNSProviderSolver) findTxtRecords(domain string, fqdn string) ([]ali
 result, err := c.aliDNSClient.DescribeDomainRecords(request)
 if err != nil {
- return records, fmt.Errorf("API call has failed: %v", err)
+ return records, fmt.Errorf("alicloud: error describing domain records: %v", err)
 }
 recordName := c.extractRecordName(fqdn, zoneName)
From 9f22395377490827bb7975869bf8a10984c88e0f Mon Sep 17 00:00:00 2001
From: Artem Miroshnychenko
Date: Mon, 19 Oct 2020 17:13:23 +0300
Subject: [PATCH 3/4] fix: typo
---
 deploy/alidns-webhook/templates/rbac.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/deploy/alidns-webhook/templates/rbac.yaml b/deploy/alidns-webhook/templates/rbac.yaml
index 6145088..7a96639 100644
--- a/deploy/alidns-webhook/templates/rbac.yaml
+++ b/deploy/alidns-webhook/templates/rbac.yaml
@@ -26,6 +26,7 @@ rules:
 - 'secrets'
 verbs:
 - 'get'
+---
 # Bind the previously created role to the webhook service account to allow reading from secrets in a cert-manager namespace
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
From 2d190f257c3609a79cd2145cff31904b53edc8b3 Mon Sep 17 00:00:00 2001
From: Artem Miroshnychenko
Date: Mon, 19 Oct 2020 19:16:19 +0300
Subject: [PATCH 4/4] fix: rbac rolebinding namespace fix
---
 deploy/alidns-webhook/templates/rbac.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy/alidns-webhook/templates/rbac.yaml b/deploy/alidns-webhook/templates/rbac.yaml
index 7a96639..20388c4 100644
--- a/deploy/alidns-webhook/templates/rbac.yaml
+++ b/deploy/alidns-webhook/templates/rbac.yaml
@@ -46,7 +46,7 @@ subjects:
 - apiGroup: ""
 kind: ServiceAccount
 name: {{ include "alidns-webhook.fullname" . }}
- namespace: {{ .Values.certManager.namespace }}
+ namespace: {{ .Release.Namespace }}
 ---
 # Grant the webhook permission to read the ConfigMap containing the Kubernetes
 # apiserver's requestheader-ca-certificate.
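Review bot: Pointing the subject at `{{ .Release.Namespace }}` makes the Role, the RoleBinding and the subject agree, but the grant still covers only Secrets in the release namespace, while `Present` in main.go loads the credentials from `ch.ResourceNamespace` (visible in the `-102,7 +104,7` hunk of patch 2); for a ClusterIssuer that is presumably cert-manager's own namespace rather than the webhook's, in which case `get secrets` will be forbidden whenever the chart is installed elsewhere. Either template the Role's and RoleBinding's `namespace` from `{{ .Values.certManager.namespace }}` (the value this line referenced before the change) so the grant lands where the Secret lives, or document in the chart README/values that the webhook must be installed into the same namespace as the credentials Secret. The comments on the Role and RoleBinding a few lines above this hunk still say "cert-manager namespace" and should be updated to match whichever choice is made.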