Add support for LetsEncrypt via domain annotation

* Expects root domain to already be created and validated on
DigitalOcean (DO is not a registrar so we assume user has preconfigured
domain)
* Add domain annotation to specify either the root domain or a subdomain
of your choosing to the LoadBalancer service
* Automatically find or generate certificate, and attach to
LoadBalancer
* Automatically generate A-record for your subdomain to point to the
LoadBalancer

Author: nicktate

cloud-controller-manager/do/certificates.go

@@ -16,8 +16,199 @@ limitations under the License.
 
 package do
 
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/digitalocean/godo"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/klog"
+)
+
 const (
 	// DO Certificate types
 	certTypeLetsEncrypt = "lets_encrypt"
 	certTypeCustom      = "custom"
+
+	// Certificate constants
+	certPrefix = "do-ccm-"
 )
+
+// ensureDomain checks to see if the service contains the annDODomain annotation
+// and if it does it verifies the domain exists on the users account
+func (l *loadBalancers) ensureDomain(ctx context.Context, service *v1.Service) error {
+	domain, err := getDomain(service)
+	if err != nil {
+		return err
+	}
+
+	if domain != nil {
+		klog.V(2).Infof("looking up root domain: %s", domain.root)
+		_, resp, err := l.resources.gclient.Domains.Get(ctx, domain.root)
+		if err != nil && resp.StatusCode == http.StatusNotFound {
+			return fmt.Errorf("domain does not exist: %s", domain.root)
+		} else if err != nil {
+			return fmt.Errorf("failed to retrieve domain: %s", err)
+		}
+	}
+
+	return nil
+}
+
+// ensureCertificate verifies the existing certificate on the service is still a valid
+// DO certificate, clearing if not. If the user also has the annDODomain annotation set,
+// it verifies the certificate is valid for the domain, creating a new one if it cannot
+// find a existing valid certificate in the account
+func (l *loadBalancers) ensureCertificate(ctx context.Context, service *v1.Service) error {
+	var certificate *godo.Certificate
+	serviceCertID := getCertificateID(service)
+
+	// verify the cert-id is still referencing a valid certificate
+	if serviceCertID != "" {
+		klog.V(2).Infof("looking up existing service certificate: %s", serviceCertID)
+		certificate, _, err := l.resources.gclient.Certificates.Get(ctx, serviceCertID)
+
+		if err != nil {
+			respErr, ok := err.(*godo.ErrorResponse)
+			if !ok || respErr.Response.StatusCode != http.StatusNotFound {
+				return fmt.Errorf("failed to get DO certificate for service: %s", err)
+			}
+		}
+
+		if certificate == nil {
+			klog.V(2).Infof("service certificate is no longer valid: %s", serviceCertID)
+			serviceCertID = ""
+			updateServiceAnnotation(service, annDOCertificateID, serviceCertID)
+		}
+	}
+
+	domain, err := getDomain(service)
+	if err != nil {
+		return err
+	}
+
+	// no domain annotation, no need to ensure certificate for domain
+	if domain == nil {
+		return nil
+	}
+
+	// if the current cert represents the domain, save making an extra network request
+	// this case will arise when certificates are automatically rotated
+	if certificate != nil {
+		for _, dnsName := range certificate.DNSNames {
+			if dnsName == domain.full {
+				// we found matching certificate, break out of ensureCertificate
+				return nil
+			}
+		}
+
+		// the current certificate does not match the current domain. clear it so
+		// we can either find the matching cert or create a new one below
+		klog.V(2).Infof("service certificate is not valid for domain[%s]: %s", domain.full, serviceCertID)
+		certificate = nil
+	}
+
+	certificates, _, err := l.resources.gclient.Certificates.List(ctx, &godo.ListOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to retrieve certificates: %s", err)
+	}
+
+findCert:
+	for _, cert := range certificates {
+		for _, dnsName := range cert.DNSNames {
+			if dnsName == domain.full {
+				klog.V(2).Infof("found existing certificate for domain[%s]: %s", domain.full, cert.ID)
+				certificate = &cert
+				break findCert
+			}
+		}
+	}
+
+	if certificate == nil {
+		certName := getCertificateName(domain.full)
+		dnsNames := []string{domain.root}
+
+		if domain.sub != "" {
+			dnsNames = append(dnsNames, domain.full)
+		}
+
+		certificateReq := &godo.CertificateRequest{
+			Name:     certName,
+			DNSNames: dnsNames,
+			Type:     certTypeLetsEncrypt,
+		}
+
+		klog.V(2).Infof("generating new service certificate for domain: %s", domain.full)
+		certificate, _, err = l.resources.gclient.Certificates.Create(ctx, certificateReq)
+		if err != nil {
+			return fmt.Errorf("failed to create certificate: %s", err)
+		}
+	}
+
+	updateServiceAnnotation(service, annDOCertificateID, certificate.ID)
+	return nil
+}
+
+// ensureDomainARecord ensures that if the service has a annDODomain annotation,
+// the domain has an A record for the full subdomain pointing to the loadbalancer
+func (l *loadBalancers) ensureDomainARecord(ctx context.Context, service *v1.Service, lb *godo.LoadBalancer) error {
+	domain, err := getDomain(service)
+	if err != nil {
+		return err
+	}
+
+	if domain == nil {
+		return nil
+	}
+
+	// the do loadbalancer service ensures the root domain associated with the
+	// certificate has an A record pointing to the LB so we do not need to ensure
+	if domain.sub == "" {
+		klog.V(2).Infof("domain has no subdomain, no need to ensure A records: %s", domain.full)
+		return nil
+	}
+
+	records, _, err := l.resources.gclient.Domains.Records(ctx, domain.root, &godo.ListOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to fetch records for domain: %s", err)
+	}
+
+	var domainRecord *godo.DomainRecord
+	for _, record := range records {
+		if record.Type != "A" || record.Name != domain.sub {
+			continue
+		}
+
+		if record.Data != lb.IP {
+			return fmt.Errorf("domain(%s) record already in use for another ip(%s)", domain.full, record.Data)
+		}
+
+		klog.V(2).Infof("found A record to loadbalancer for domain: %s", domain.full)
+		domainRecord = &record
+		break
+	}
+
+	if domainRecord == nil {
+		domainRecordEditReq := &godo.DomainRecordEditRequest{
+			Type: "A",
+			Name: domain.sub,
+			Data: lb.IP,
+			TTL:  defaultDomainRecordTTL,
+		}
+		klog.V(2).Infof("creating new A record to loadbalance for domain: %s", domain.full)
+		domainRecord, _, err = l.resources.gclient.Domains.CreateRecord(ctx, domain.root, domainRecordEditReq)
+		if err != nil {
+			return fmt.Errorf("failed to create domain record: %s", err)
+		}
+	}
+
+	return nil
+}
+
+// getCertificateName returns a prefixed certificate so we know to cleanup
+// certificate when a loadbalancer for the given domain is deleted
+func getCertificateName(fullDomain string) string {
+	return fmt.Sprintf("%s%s", certPrefix, strings.ReplaceAll(fullDomain, ".", "-"))
+}