Skip to content

Commit

Permalink
Add support for LetsEncrypt via domain annotation
Browse files Browse the repository at this point in the history
* Expects root domain to already be created and validated on
DigitalOcean (DO is not a registrar so we assume user has preconfigured
domain)
* Add domain annotation to specify either the root domain or a subdomain
of your choosing to the LoadBalancer service
* Automatically find or generate certificate, and attach to
LoadBalancer
* Automatically generate A-record for your subdomain to point to the
LoadBalancer
  • Loading branch information
nicktate committed Nov 13, 2019
1 parent bc3ec8f commit 413434a
Show file tree
Hide file tree
Showing 5 changed files with 831 additions and 7 deletions.
191 changes: 191 additions & 0 deletions cloud-controller-manager/do/certificates.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,199 @@ limitations under the License.

package do

import (
"context"
"fmt"
"net/http"
"strings"

"github.com/digitalocean/godo"
v1 "k8s.io/api/core/v1"
"k8s.io/klog"
)

const (
// DO Certificate types
certTypeLetsEncrypt = "lets_encrypt"
certTypeCustom = "custom"

// Certificate constants
certPrefix = "do-ccm-"
)

// ensureDomain checks to see if the service contains the annDODomain annotation
// and if it does it verifies the domain exists on the users account
func (l *loadBalancers) ensureDomain(ctx context.Context, service *v1.Service) error {
domain, err := getDomain(service)
if err != nil {
return err
}

if domain != nil {
klog.V(2).Infof("looking up root domain: %s", domain.root)
_, resp, err := l.resources.gclient.Domains.Get(ctx, domain.root)
if err != nil && resp.StatusCode == http.StatusNotFound {
return fmt.Errorf("domain does not exist: %s", domain.root)
} else if err != nil {
return fmt.Errorf("failed to retrieve domain: %s", err)
}
}

return nil
}

// ensureCertificate verifies the existing certificate on the service is still a valid
// DO certificate, clearing if not. If the user also has the annDODomain annotation set,
// it verifies the certificate is valid for the domain, creating a new one if it cannot
// find a existing valid certificate in the account
func (l *loadBalancers) ensureCertificate(ctx context.Context, service *v1.Service) error {
var certificate *godo.Certificate
serviceCertID := getCertificateID(service)

// verify the cert-id is still referencing a valid certificate
if serviceCertID != "" {
klog.V(2).Infof("looking up existing service certificate: %s", serviceCertID)
certificate, _, err := l.resources.gclient.Certificates.Get(ctx, serviceCertID)

if err != nil {
respErr, ok := err.(*godo.ErrorResponse)
if !ok || respErr.Response.StatusCode != http.StatusNotFound {
return fmt.Errorf("failed to get DO certificate for service: %s", err)
}
}

if certificate == nil {
klog.V(2).Infof("service certificate is no longer valid: %s", serviceCertID)
serviceCertID = ""
updateServiceAnnotation(service, annDOCertificateID, serviceCertID)
}
}

domain, err := getDomain(service)
if err != nil {
return err
}

// no domain annotation, no need to ensure certificate for domain
if domain == nil {
return nil
}

// if the current cert represents the domain, save making an extra network request
// this case will arise when certificates are automatically rotated
if certificate != nil {
for _, dnsName := range certificate.DNSNames {
if dnsName == domain.full {
// we found matching certificate, break out of ensureCertificate
return nil
}
}

// the current certificate does not match the current domain. clear it so
// we can either find the matching cert or create a new one below
klog.V(2).Infof("service certificate is not valid for domain[%s]: %s", domain.full, serviceCertID)
certificate = nil
}

certificates, _, err := l.resources.gclient.Certificates.List(ctx, &godo.ListOptions{})
if err != nil {
return fmt.Errorf("failed to retrieve certificates: %s", err)
}

findCert:
for _, cert := range certificates {
for _, dnsName := range cert.DNSNames {
if dnsName == domain.full {
klog.V(2).Infof("found existing certificate for domain[%s]: %s", domain.full, cert.ID)
certificate = &cert
break findCert
}
}
}

if certificate == nil {
certName := getCertificateName(domain.full)
dnsNames := []string{domain.root}

if domain.sub != "" {
dnsNames = append(dnsNames, domain.full)
}

certificateReq := &godo.CertificateRequest{
Name: certName,
DNSNames: dnsNames,
Type: certTypeLetsEncrypt,
}

klog.V(2).Infof("generating new service certificate for domain: %s", domain.full)
certificate, _, err = l.resources.gclient.Certificates.Create(ctx, certificateReq)
if err != nil {
return fmt.Errorf("failed to create certificate: %s", err)
}
}

updateServiceAnnotation(service, annDOCertificateID, certificate.ID)
return nil
}

// ensureDomainARecord ensures that if the service has a annDODomain annotation,
// the domain has an A record for the full subdomain pointing to the loadbalancer
func (l *loadBalancers) ensureDomainARecord(ctx context.Context, service *v1.Service, lb *godo.LoadBalancer) error {
domain, err := getDomain(service)
if err != nil {
return err
}

if domain == nil {
return nil
}

// the do loadbalancer service ensures the root domain associated with the
// certificate has an A record pointing to the LB so we do not need to ensure
if domain.sub == "" {
klog.V(2).Infof("domain has no subdomain, no need to ensure A records: %s", domain.full)
return nil
}

records, _, err := l.resources.gclient.Domains.Records(ctx, domain.root, &godo.ListOptions{})
if err != nil {
return fmt.Errorf("failed to fetch records for domain: %s", err)
}

var domainRecord *godo.DomainRecord
for _, record := range records {
if record.Type != "A" || record.Name != domain.sub {
continue
}

if record.Data != lb.IP {
return fmt.Errorf("domain(%s) record already in use for another ip(%s)", domain.full, record.Data)
}

klog.V(2).Infof("found A record to loadbalancer for domain: %s", domain.full)
domainRecord = &record
break
}

if domainRecord == nil {
domainRecordEditReq := &godo.DomainRecordEditRequest{
Type: "A",
Name: domain.sub,
Data: lb.IP,
TTL: defaultDomainRecordTTL,
}
klog.V(2).Infof("creating new A record to loadbalance for domain: %s", domain.full)
domainRecord, _, err = l.resources.gclient.Domains.CreateRecord(ctx, domain.root, domainRecordEditReq)
if err != nil {
return fmt.Errorf("failed to create domain record: %s", err)
}
}

return nil
}

// getCertificateName returns a prefixed certificate so we know to cleanup
// certificate when a loadbalancer for the given domain is deleted
func getCertificateName(fullDomain string) string {
return fmt.Sprintf("%s%s", certPrefix, strings.ReplaceAll(fullDomain, ".", "-"))
}
Loading

0 comments on commit 413434a

Please sign in to comment.