package cloudflare
import (
"context"
"fmt"
"strings"
"github.com/cloudflare/cloudflare-go"
"github.com/robertlestak/cert-manager-sync/pkg/state"
"github.com/robertlestak/cert-manager-sync/pkg/tlssecret"
log "github.com/sirupsen/logrus"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// CloudflareStore syncs a TLS secret to Cloudflare as a zone custom SSL
// certificate. Its fields are filled from the cert-manager-sync annotations
// (see ParseCertificate) and from the credential secret (see GetApiKey).
type CloudflareStore struct {
	// SecretName is the Kubernetes secret holding the Cloudflare credentials.
	SecretName string
	// SecretNamespace is the namespace of SecretName; filled from a
	// "namespace/name" annotation or defaulted by Update to the synced
	// secret's namespace.
	SecretNamespace string
	// ApiKey is the Cloudflare API key read from the "api_key" entry of the
	// credential secret. Sensitive: do not log.
	ApiKey string
	// ApiEmail is the account e-mail read from the "email" entry of the
	// credential secret.
	ApiEmail string
	// ZoneId is the Cloudflare zone the certificate is uploaded into.
	ZoneId string
	// CertId is the ID of the Cloudflare custom SSL certificate to update;
	// empty means a new certificate is created.
	CertId string
}
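// GetApiKey loads the Cloudflare credentials from the Kubernetes secret
// s.SecretNamespace/s.SecretName and stores them in s.ApiKey and s.ApiEmail.
// The secret must carry non-empty "api_key" and "email" entries.
//
// It returns the client error when the secret cannot be fetched, or an error
// naming the secret when either entry is missing or empty. On error s is
// left unchanged.
func (s *CloudflareStore) GetApiKey(ctx context.Context) error {
	sc, err := state.KubeClient.CoreV1().Secrets(s.SecretNamespace).Get(ctx, s.SecretName, metav1.GetOptions{})
	if err != nil {
		return err
	}
	// An entry that is present but empty is treated like a missing one, so an
	// empty credential is rejected here rather than handed to the Cloudflare
	// client as-is.
	apiKey := sc.Data["api_key"]
	if len(apiKey) == 0 {
		return fmt.Errorf("api_key not found in secret %s/%s", s.SecretNamespace, s.SecretName)
	}
	email := sc.Data["email"]
	if len(email) == 0 {
		return fmt.Errorf("email not found in secret %s/%s", s.SecretNamespace, s.SecretName)
	}
	s.ApiKey = string(apiKey)
	s.ApiEmail = string(email)
	return nil
}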
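// ParseCertificate copies the cloudflare-* annotations of c into s. Only
// annotations that are present and non-empty override the corresponding
// field; other fields of s keep their current values.
//
// Recognised annotations (each prefixed with state.OperatorName + "/"):
//   - cloudflare-secret-name: secret holding the API credentials, optionally
//     written as "namespace/name"
//   - cloudflare-zone-id: Cloudflare zone the certificate is uploaded into
//   - cloudflare-cert-id: existing custom SSL certificate to update
//
// It currently always returns nil; the error result is kept for callers
// that treat parsing as fallible.
func (s *CloudflareStore) ParseCertificate(c *tlssecret.Certificate) error {
	l := log.WithFields(log.Fields{
		"action": "ParseCertificate",
	})
	l.Debugf("ParseCertificate")
	prefix := state.OperatorName + "/"
	// Reading from a nil map yields "", so c.Annotations needs no nil guard.
	if v := c.Annotations[prefix+"cloudflare-secret-name"]; v != "" {
		s.SecretName = v
	}
	if v := c.Annotations[prefix+"cloudflare-zone-id"]; v != "" {
		s.ZoneId = v
	}
	if v := c.Annotations[prefix+"cloudflare-cert-id"]; v != "" {
		s.CertId = v
	}
	// A secret name of the form "namespace/secretname" selects a secret in
	// another namespace. Split on the first "/" only, so a name containing
	// further slashes is kept whole instead of being truncated to its second
	// segment.
	// NOTE(review): this lets a Certificate's annotations reference a secret
	// in any namespace the operator can read — confirm the cross-namespace
	// reference is intended and bounded by the operator's RBAC.
	if parts := strings.SplitN(s.SecretName, "/", 2); len(parts) == 2 {
		s.SecretNamespace = parts[0]
		s.SecretName = parts[1]
	}
	return nil
}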
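// Update pushes the TLS certificate held in secret to Cloudflare as a zone
// custom SSL certificate and records the resulting certificate ID back on
// the secret.
//
// Store configuration (credential secret, zone ID, existing cert ID) comes
// from the secret's annotations via ParseCertificate; the credential secret
// namespace defaults to secret's own namespace when none was given. When
// Cloudflare returns a certificate ID that differs from the one configured,
// the secret is updated in the cluster with a cloudflare-cert-id annotation
// so later runs update that certificate instead of creating another one.
//
// Errors from parsing, credential lookup, the Cloudflare API and the secret
// write-back are logged and returned unchanged.
func (s *CloudflareStore) Update(secret *corev1.Secret) error {
	l := log.WithFields(log.Fields{
		"action":          "Update",
		"store":           "cloudflare",
		"secretName":      secret.ObjectMeta.Name,
		"secretNamespace": secret.ObjectMeta.Namespace,
	})
	l.Debugf("Update")
	c := tlssecret.ParseSecret(secret)
	if err := s.ParseCertificate(c); err != nil {
		l.WithError(err).Errorf("ParseCertificate error")
		return err
	}
	if s.SecretNamespace == "" {
		s.SecretNamespace = secret.Namespace
	}
	if s.SecretName == "" {
		return fmt.Errorf("secret name not found in certificate annotations")
	}
	// One context for the whole sync so the credential lookup, the Cloudflare
	// calls and the secret write-back share a lifetime.
	ctx := context.Background()
	if err := s.GetApiKey(ctx); err != nil {
		l.WithError(err).Errorf("GetApiKey error")
		return err
	}
	client, err := cloudflare.New(s.ApiKey, s.ApiEmail)
	if err != nil {
		l.WithError(err).Errorf("cloudflare.New error")
		return err
	}
	// certRequest carries the private key; keep it out of log fields.
	certRequest := cloudflare.ZoneCustomSSLOptions{
		Certificate: string(c.Certificate),
		PrivateKey:  string(c.Key),
	}
	origCertId := s.CertId
	var sslCert cloudflare.ZoneCustomSSL
	if s.CertId != "" {
		// A configured cert ID means replace that certificate in place.
		sslCert, err = client.UpdateSSL(ctx, s.ZoneId, s.CertId, certRequest)
		if err != nil {
			l.WithError(err).Errorf("cloudflare.UpdateZoneCustomSSL error")
			return err
		}
	} else {
		sslCert, err = client.CreateSSL(ctx, s.ZoneId, certRequest)
		if err != nil {
			l.WithError(err).Errorf("cloudflare.CreateZoneCustomSSL error")
			return err
		}
	}
	s.CertId = sslCert.ID
	l.WithField("id", sslCert.ID).Debugf("certificate synced")
	if origCertId != s.CertId {
		// Writing to a nil map panics; a secret created without annotations
		// would otherwise crash the sync here.
		if secret.ObjectMeta.Annotations == nil {
			secret.ObjectMeta.Annotations = map[string]string{}
		}
		secret.ObjectMeta.Annotations[state.OperatorName+"/cloudflare-cert-id"] = s.CertId
		sc := state.KubeClient.CoreV1().Secrets(secret.ObjectMeta.Namespace)
		if _, uerr := sc.Update(ctx, secret, metav1.UpdateOptions{}); uerr != nil {
			l.WithError(uerr).Errorf("secret.Update error")
			return uerr
		}
	}
	l.Info("certificate synced")
	return nil
}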