traefik-certmanager/main.py

161 lines
5.9 KiB
Python
Raw Permalink Normal View History

2023-11-22 06:33:00 +01:00
import json
import logging
import os
import re
import signal
import sys
import threading
2022-10-09 23:18:29 +02:00
from unicodedata import name
from kubernetes import client, config, watch
from kubernetes.client.rest import ApiException
CERT_GROUP = "cert-manager.io"
CERT_VERSION = "v1"
CERT_KIND = "Certificate"
CERT_PLURAL = "certificates"
CERT_ISSUER_NAME = os.getenv("ISSUER_NAME", "letsencrypt")
CERT_ISSUER_KIND = os.getenv("ISSUER_KIND", "ClusterIssuer")
CERT_CLEANUP = os.getenv("CERT_CLEANUP", "false").lower() in ("yes", "true", "t", "1")
2023-11-22 06:33:00 +01:00
PATCH_SECRETNAME = os.getenv("PATCH_SECRETNAME", "false").lower() in ("yes", "true", "t", "1")
2022-10-09 23:18:29 +02:00
def safe_get(obj, keys, default=None):
"""
Get a value from the give dict. The key is in json format, i.e. seperated by a period.
"""
v = obj
for k in keys.split("."):
if k not in v:
return default
v = v[k]
return v
def create_certificate(crds, namespace, secretname, routes):
"""
Create a certificate request for certmanager based on the IngressRoute
"""
try:
secret = crds.get_namespaced_custom_object(CERT_GROUP, CERT_VERSION, namespace, CERT_PLURAL, secretname)
2023-11-22 06:33:00 +01:00
logging.info(f"{secretname} : certificate request already exists.")
2022-10-09 23:18:29 +02:00
return
except ApiException as e:
pass
for route in routes:
if route.get("kind") == "Rule" and "Host" in route.get("match"):
2023-11-22 06:33:00 +01:00
hostmatch = re.findall(r"Host\(([^\)]*)\)", route["match"])
hosts = re.findall(r'`([^`]*?)`', ",".join(hostmatch))
logging.info(f"{secretname} : requesting a new certificate for {', '.join(hosts)}")
2022-10-09 23:18:29 +02:00
body = {
"apiVersion": f"{CERT_GROUP}/{CERT_VERSION}",
"kind": CERT_KIND,
"metadata": {
"name": secretname
},
"spec": {
"dnsNames": hosts,
"secretName": secretname,
"issuerRef": {
"name": CERT_ISSUER_NAME,
"kind": CERT_ISSUER_KIND
}
}
}
try:
crds.create_namespaced_custom_object(CERT_GROUP, CERT_VERSION, namespace, CERT_PLURAL, body)
except ApiException as e:
2023-11-22 06:33:00 +01:00
logging.exception("Exception when calling CustomObjectsApi->create_namespaced_custom_object:", e)
2022-10-09 23:18:29 +02:00
def delete_certificate(crds, namespace, secretname):
"""
Delete a certificate request for certmanager based on the IngressRoute.
"""
if CERT_CLEANUP:
2023-11-22 06:33:00 +01:00
logging.info(f"{secretname} : removing certificate")
2022-10-09 23:18:29 +02:00
try:
crds.delete_namespaced_custom_object(CERT_GROUP, CERT_VERSION, namespace, CERT_PLURAL, secretname)
except ApiException as e:
2023-11-22 06:33:00 +01:00
logging.exception("Exception when calling CustomObjectsApi->delete_namespaced_custom_object:", e)
2022-10-09 23:18:29 +02:00
2023-11-22 06:33:00 +01:00
def watch_crd(group, version, plural):
2022-10-09 23:18:29 +02:00
"""
Watch Traefik IngressRoute CRD and create/delete certificates based on them
"""
#config.load_kube_config()
config.load_incluster_config()
crds = client.CustomObjectsApi()
resource_version = ""
2023-11-22 06:33:00 +01:00
logging.info(f"Watching {group}/{version}/{plural}")
2022-10-09 23:18:29 +02:00
while True:
stream = watch.Watch().stream(crds.list_cluster_custom_object,
2023-11-22 06:33:00 +01:00
group=group, version=version, plural=plural,
2022-10-09 23:18:29 +02:00
resource_version=resource_version)
for event in stream:
t = event["type"]
obj = event["object"]
# Configure where to resume streaming.
resource_version = safe_get(obj, "metadata.resourceVersion", resource_version)
# get information about IngressRoute
namespace = safe_get(obj, "metadata.namespace")
2023-11-22 06:33:00 +01:00
name = safe_get(obj, "metadata.name")
2022-10-09 23:18:29 +02:00
secretname = safe_get(obj, "spec.tls.secretName")
routes = safe_get(obj, 'spec.routes')
2023-11-22 06:33:00 +01:00
# create or delete certificate based on event type
if t == 'ADDED':
# if no secretName is set, add one to the IngressRoute
if not secretname and PATCH_SECRETNAME:
logging.info(f"{namespace}/{name} : no secretName found in IngressRoute, patch to add one")
patch = { "spec": { "tls": { "secretName": name }}}
crds.patch_namespaced_custom_object(group, version, namespace, plural, name, patch)
secretname = name
if secretname:
2022-10-09 23:18:29 +02:00
create_certificate(crds, namespace, secretname, routes)
2023-11-22 06:33:00 +01:00
else:
logging.info(f"{namespace}/{name} : no secretName found in IngressRoute, skipping adding")
elif t == 'DELETED':
if secretname:
2022-10-09 23:18:29 +02:00
delete_certificate(crds, namespace, secretname)
2023-11-22 06:33:00 +01:00
else:
logging.info(f"{namespace}/{name} : no secretName found in IngressRoute, skipping delete")
elif t == 'MODIFIED':
if secretname:
create_certificate(crds, namespace, secretname, routes)
else:
logging.info(f"{namespace}/{name} : no secretName found in IngressRoute, skipping modify")
else:
logging.info(f"{namespace}/{name} : unknown event type: {t}")
logging.debug(json.dumps(obj, indent=2))
def exit_gracefully(signum, frame):
logging.info(f"Shutting down gracefully on {signum}")
sys.exit(0)
def main():
signal.signal(signal.SIGINT, exit_gracefully)
signal.signal(signal.SIGTERM, exit_gracefully)
2024-12-22 18:17:37 +01:00
# new traefik CRD
th1 = threading.Thread(target=watch_crd, args=("traefik.io", "v1alpha1", "ingressroutes"), daemon=True)
2023-11-22 06:33:00 +01:00
th1.start()
# wait for threads to finish
2024-12-22 19:02:34 +01:00
while th1.is_alive():
2023-11-22 06:33:00 +01:00
th1.join(0.1)
2022-10-09 23:18:29 +02:00
if __name__ == '__main__':
2023-11-22 06:33:00 +01:00
logging.basicConfig(level=logging.INFO)
2022-10-09 23:18:29 +02:00
main()