Merge pull request #1 from rpcpool/triton-rewrite

Support for ZeroSSL and NS1

Author: James Belchamber

.devcontainer/devcontainer.json

@@ -0,0 +1,14 @@
+{
+    "name": "Certificator",
+    "image": "docker.io/golang:latest",
+    "features": {
+        "ghcr.io/devcontainers/features/common-utils": {
+            "installZsh": true,
+            "installOhMyZsh": true,
+            "installOhMyZshConfig": true,
+            "configureZshAsDefaultShell": true,
+            "upgradePackages": true
+        },
+    "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {}
+    }
+}

.env.dev

@@ -0,0 +1,64 @@
+name: Build and Publish
+
+on:
+  push:
+    branches:
+      - master
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build_and_publish:
+    name: Build and Publish
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: "1.24.4"
+          check-latest: false
+
+      - name: Build Executable
+        run: |
+          CGO_ENABLED=0 go build -o certificator ./cmd/certificator
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.github/workflows/main.yml

@@ -1,29 +1,7 @@
-# ===========
-# Build stage
-# ===========
-FROM golang:1.16.3-alpine3.13 AS builder
-
-WORKDIR /code
-
-# Pre-install dependencies to cache them as a separate image layer
-COPY go.mod go.sum ./
-RUN go mod download
-
-# Build
-COPY . /code
-RUN go build -o certificator ./cmd/certificator
-
-# ===========
-# Final stage
-# ===========
-FROM alpine:3.13.0
+FROM alpine:latest
 
 WORKDIR /app
-RUN apk --no-cache add curl
-
-COPY ./fixtures /app/fixtures
-COPY ./domains.yml /app/fixtures/domains.yml
 
-COPY --from=builder /code/certificator .
+COPY certificator /app/certificator
 
-CMD [ "./certificator" ]
+CMD [ "/app/certificator" ]

.travis.yml

@@ -1,79 +1,7 @@
-# certificator
+# Triton Certificator
 
-The tool that requests certificates from ACME supporting CA, solves DNS challenges, and stores certificates in Vault.
+This is a fork of [vinted's certificator](https://github.com/vinted/certificator) tool with customisations made to support our specific use-case, which has removed upstream features, which we have not (yet) attempted to upstream.
 
-## Usage
+As such this repository has been stripped down, removing various upstream tests which are no longer valid. These can be reintroduced if they are fixed, but there's no value to keeping them while they are not.
 
-1. Add domains that need certificates to domains.yml file
-1. Set necessary environment variables (see [configuration](#Configuration))
-1. Run certificator
-1. Find certificates in Vault
-
-## Configuration
-
-Certificator reads most configuration parameters from environment variables.
-They are defined in [pkg/config/config.go](pkg/config/config.go) Config struct
-
-Configuration variables:
-- `ACME_ACCOUNT_EMAIL` - email used in certificate retrieval process. **Required**
-- `ACME_DNS_CHALLENGE_PROVIDER` - DNS challenge provider. Available providers can be found [here](https://go-acme.github.io/lego/dns/#dns-providers). **Required**
-- `ACME_DNS_PROPAGATION_REQUIREMENT` - if set to true, requires complete DNS record propagation before stating that challenge is solved. Default: true
-- `ACME_REREGISTER_ACCOUNT` - if set to true, allows registering an account with CA. This should be set to true for the first use. When credentials are stored in Vault, you can set this to false to avoid accidental registrations. Default: false
-- `ACME_SERVER_URL` - ACME directory location. Default: https://acme-staging-v02.api.letsencrypt.org/directory
-- `VAULT_APPROLE_ROLE_ID` - role ID for Vault approle authentication method. **Required in prod env**
-- `VAULT_APPROLE_SECRET_ID` - secret ID for Vault approle authentication method. **Required in prod env**
-- `VAULT_KV_STORAGE_PATH` - path in Vault KV storage where certificator stores certificates and account data. Default: secret/data/certificator/
-- `VAULT_ADDR` sets vault address, example: "http://localhost:8200". **Required**
-- `LOG_FORMAT` - logging format, supported formats - JSON and LOGFMT. Default: JSON
-- `LOG_LEVEL` - logging level, supported levels - DEBUG, INFO, WARN, ERROR, FATAL. Default: INFO.
-- `DNS_ADDRESS` - DNS server address that is used to check challenge DNS record propagation. Default: 127.0.0.1:53
-- `ENVIRONMENT` - sets an environment where the certificator is running. If the environment is dev it uses token set in `VAULT_DEV_ROOT_TOKEN_ID` env variable to authenticate in Vault. If the environment is prod it uses an approle authentication method. Default: prod
-- `CERTIFICATOR_DOMAINS_FILE` - path to a file where domains are defined. Default: /code/domains.yml
-- `CERTIFICATOR_RENEW_BEFORE_DAYS` - set how many validity days should certificate have remaining before renewal. Default: 30
-
-#### CNAME
-
-- `LEGO_EXPERIMENTAL_CNAME_SUPPORT` boolean value which enables CNAME support. When `true`, it tries to resolve `_acme-challenge.<YOUR_DOMAIN>` and if it finds a CNAME record for that request it solves the challenge for the CNAME record value. Example:
-
-```
-If it finds this record:
-CNAME _acme_challenge.test.com -> test.com.challenges.test.com
-it creates TXT record in challenges.test.com zone:
-TXT test.com.challenges.test.com -> <CHALLENGE_VALUE>
-CA will verify domain ownership following the same scheme
-```
-
-This allows giving this tool a token with access rights limited to a single DNS zone.
-
-#### Domains file
-
-Domains that the certificator should retrieve certificates for should be defined in this file in YAML format. An example file is in [domains.yml](domains.yml).
-
-Every item in the array under the `domains` key results in a certificate. The first domain in an array item is used for the CommonName field of the certificate, all other domains are added using the Subject Alternate Names extension. Domains in a single array item are separated by commas. The first domain is also used as a key in the Vault KV store.
-
-## Tests
-
-This project contains unit and integration tests. To run them follow the instructions
-
-#### Integration tests
-
-Files related to integration tests lie in directory `test`.
-It relies on several components: pebble, vault, challtestsrv.
-
-Steps to run it:
-
-1. Build container that runs tests:
-`docker-compose build tester`
-1. Run tests:
-    - only integration tests:
-    `docker-compose run --rm tester go test ./test/...`
-    - all tests:
-    `docker-compose run --rm tester go test ./...`
-1. Check results
-1. Bring down testing infrastructure
-`docker-compose down`
-
-#### Unit tests
-
-Unit tests can be run without any dependencies, simply execute:
-`go test ./pkg/...`
+We have also added a devcontainer and a workflow for building the application container ready for use in nomad.

Dockerfile

@@ -46,7 +46,7 @@ func main() {
 		logger.Fatal(err)
 	}
 
-	acmeClient, err := acme.NewClient(cfg.Acme.AccountEmail, cfg.Acme.ServerURL,
+	acmeClient, err := acme.NewClient(cfg.Acme.AccountEmail, cfg.Acme.ServerURL, cfg.Acme.EABKid, cfg.Acme.EABHmacKey,
 		cfg.Acme.ReregisterAccount, vaultClient, logger)
 	if err != nil {
 		logger.Fatal(err)