retrieve token from secret

go.mod

@@ -10,6 +10,7 @@ require (
 	golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a // indirect
 	golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 // indirect
 	k8s.io/apiextensions-apiserver v0.0.0-20190413053546-d0acb7a76918
+	k8s.io/apimachinery v0.0.0-20190413052414-40a3f73b0fa2
 	k8s.io/client-go v11.0.0+incompatible
 )
 

go.sum

@@ -220,6 +220,7 @@ github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQ
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/gomega v0.0.0-20190113212917-5533ce8a0da3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/gomega v1.4.3 h1:RE1xgDvH7imwFD45h+u2SgIfERHlS2yNG4DObb5BSKU=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
@@ -413,6 +414,7 @@ modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I=
 sigs.k8s.io/controller-runtime v0.0.0-20190222182021-68ae79ea094a/go.mod h1:HFAYoOh6XMV+jKF1UjFwrknPbowfyHEHHRdJMf2jMX8=
 sigs.k8s.io/structured-merge-diff v0.0.0-20190302045857-e85c7b244fd2 h1:9r5DY45ef9LtcA6BnkhW8MPV7OKAfbf2AUwUhq3LeRk=
 sigs.k8s.io/structured-merge-diff v0.0.0-20190302045857-e85c7b244fd2/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
+sigs.k8s.io/testing_frameworks v0.1.1 h1:cP2l8fkA3O9vekpy5Ks8mmA0NW/F7yBdXf8brkWhVrs=
 sigs.k8s.io/testing_frameworks v0.1.1/go.mod h1:VVBKrHmJ6Ekkfz284YKhQePcdycOzNH9qL6ht1zEr/U=
 sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=

main.go

@@ -7,11 +7,13 @@ import (
 	"strings"
 
 	extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
-	//"k8s.io/client-go/kubernetes"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 
 	"github.com/jetstack/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
 	"github.com/jetstack/cert-manager/pkg/acme/webhook/cmd"
+	certmanager_v1alpha1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
 	"github.com/jetstack/cert-manager/pkg/issuer/acme/dns/util"
 
 	"github.com/decker502/dnspod-go"
@@ -49,7 +51,7 @@ type customDNSProviderSolver struct {
 	// 3. uncomment the relevant code in the Initialize method below
 	// 4. ensure your webhook's service account has the required RBAC role
 	//    assigned to it for interacting with the Kubernetes APIs you need.
-	//client kubernetes.Clientset
+	client *kubernetes.Clientset
 
 	dnspod map[int]*dnspod.Client
 }
@@ -75,7 +77,7 @@ type customDNSProviderConfig struct {
 	// `issuer.spec.acme.dns01.providers.webhook.config` field.
 
 	APIID             int                                    `json:"apiID"`
-	APIToken string `json:"apiToken"`
+	APITokenSecretRef certmanager_v1alpha1.SecretKeySelector `json:"apiTokenSecretRef"`
 	TTL               *int                                   `json:"ttl"`
 }
 
@@ -102,7 +104,10 @@ func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
 
 	// TODO: do something more useful with the decoded configuration
 	fmt.Printf("Decoded configuration %v", cfg)
-	dnspodClient := c.getDNSPod(cfg)
+	dnspodClient, err := c.getDNSPod(ch, cfg)
+	if err != nil {
+		return err
+	}
 
 	// TODO: add code that sets a record in the DNS provider's console
 	domainID, err := getDomainID(dnspodClient, ch.ResolvedZone)
@@ -133,7 +138,10 @@ func (c *customDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
 
 	// TODO: do something more useful with the decoded configuration
 	fmt.Printf("Decoded configuration %v", cfg)
-	dnspodClient := c.getDNSPod(cfg)
+	dnspodClient, err := c.getDNSPod(ch, cfg)
+	if err != nil {
+		return err
+	}
 
 	// TODO: add code that deletes a record from the DNS provider's console
 	domainID, err := getDomainID(dnspodClient, ch.ResolvedZone)
@@ -173,12 +181,12 @@ func (c *customDNSProviderSolver) Initialize(kubeClientConfig *rest.Config, stop
 	///// UNCOMMENT THE BELOW CODE TO MAKE A KUBERNETES CLIENTSET AVAILABLE TO
 	///// YOUR CUSTOM DNS PROVIDER
 
-	//cl, err := kubernetes.NewForConfig(kubeClientConfig)
-	//if err != nil {
-	//	return err
-	//}
-	//
-	//c.client = cl
+	cl, err := kubernetes.NewForConfig(kubeClientConfig)
+	if err != nil {
+		return err
+	}
+
+	c.client = cl
 
 	///// END OF CODE TO MAKE KUBERNETES CLIENTSET AVAILABLE
 
@@ -187,17 +195,29 @@ func (c *customDNSProviderSolver) Initialize(kubeClientConfig *rest.Config, stop
 	return nil
 }
 
-func (c *customDNSProviderSolver) getDNSPod(cfg customDNSProviderConfig) *dnspod.Client {
+func (c *customDNSProviderSolver) getDNSPod(ch *v1alpha1.ChallengeRequest, cfg customDNSProviderConfig) (*dnspod.Client, error) {
 	apiID := cfg.APIID
 	dnspodClient, ok := c.dnspod[apiID]
 	if !ok {
-		key := fmt.Sprintf("%d,%s", cfg.APIID, cfg.APIToken)
+		ref := cfg.APITokenSecretRef
+
+		secret, err := c.client.CoreV1().Secrets(ch.ResourceNamespace).Get(ref.Name, metav1.GetOptions{})
+		if err != nil {
+			return nil, err
+		}
+
+		apiToken, ok := secret.Data[ref.Key]
+		if !ok {
+			return nil, fmt.Errorf("no api token for %q in secret '%s/%s'", ref.Name, ref.Key, ch.ResourceNamespace)
+		}
+
+		key := fmt.Sprintf("%d,%s", cfg.APIID, apiToken)
 		params := dnspod.CommonParams{LoginToken: key, Format: "json"}
 		dnspodClient = dnspod.NewClient(params)
 		c.dnspod[cfg.APIID] = dnspodClient
 	}
 
-	return dnspodClient
+	return dnspodClient, nil
 }
 
 // loadConfig is a small helper function that decodes JSON configuration into

testdata/my-custom-solver/config.json

@@ -1,5 +1,8 @@
 {
   "apiID": 12345,
-  "apiToken": "abcdefg1234567",
+  "apiTokenSecretRef": {
+    "Name": "dnspod-credentials",
+    "Key": "api-token"
+  },
   "ttl": 600
 }