Remove dependency to external-dns (#31)

maboehm · web-flow · commit 17017b49f8ea · 2025-08-07T09:13:49.000+02:00
diff --git a/designate.go b/designate.go
@@ -23,7 +23,7 @@ import (
 	"github.com/gophercloud/gophercloud"
 	"github.com/gophercloud/gophercloud/openstack"
 	log "github.com/sirupsen/logrus"
-	"sigs.k8s.io/external-dns/pkg/tlsutils"
+	"github.com/stackitcloud/designate-certmanager-webhook/tlsutils"
 )
 
 // copies environment variables to new names without overwriting existing values
diff --git a/go.mod b/go.mod
@@ -12,8 +12,8 @@ require (
 	github.com/cert-manager/cert-manager v1.17.2
 	github.com/gophercloud/gophercloud v0.14.0
 	github.com/sirupsen/logrus v1.9.3
+	github.com/stretchr/testify v1.10.0
 	k8s.io/client-go v0.33.3
-	sigs.k8s.io/external-dns v0.17.0
 )
 
 require (
@@ -58,6 +58,7 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.22.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.63.0 // indirect
diff --git a/go.sum b/go.sum
@@ -79,8 +79,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gophercloud/gophercloud v0.14.0 h1:c2Byo+YMxhHlTJ3TPptjQ4dOQ1YknTHDJ/9zClDH+84=
 github.com/gophercloud/gophercloud v0.14.0/go.mod h1:VX0Ibx85B60B5XOrZr6kaNwrmPUzcmMpwxvQ1WQIIWM=
-github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
-github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
+github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
 github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 h1:+9834+KizmvFV7pXQGSXQTsaWhq2GjuNUt0aUU0YBYw=
 github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho=
@@ -121,7 +121,6 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/ginkgo/v2 v2.22.0 h1:Yed107/8DjTr0lKCNt7Dn8yQ6ybuDRQoMGrNFKzMfHg=
 github.com/onsi/ginkgo/v2 v2.22.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
 github.com/onsi/gomega v1.36.1 h1:bJDPBO7ibjxcbHMgSCoo4Yj18UWbKDlLwX1x9sybDcw=
@@ -155,6 +154,8 @@ github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8w
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -290,20 +291,14 @@ gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.33.0 h1:yTgZVn1XEe6opVpP1FylmNrIFWuDqe2H0V8CT5gxfIU=
-k8s.io/api v0.33.0/go.mod h1:CTO61ECK/KU7haa3qq8sarQ0biLq2ju405IZAd9zsiM=
 k8s.io/api v0.33.3 h1:SRd5t//hhkI1buzxb288fy2xvjubstenEKL9K51KBI8=
 k8s.io/api v0.33.3/go.mod h1:01Y/iLUjNBM3TAvypct7DIj0M0NIZc+PzAHCIo0CYGE=
 k8s.io/apiextensions-apiserver v0.32.3 h1:4D8vy+9GWerlErCwVIbcQjsWunF9SUGNu7O7hiQTyPY=
 k8s.io/apiextensions-apiserver v0.32.3/go.mod h1:8YwcvVRMVzw0r1Stc7XfGAzB/SIVLunqApySV5V7Dss=
-k8s.io/apimachinery v0.33.0 h1:1a6kHrJxb2hs4t8EE5wuR/WxKDwGN1FKH3JvDtA0CIQ=
-k8s.io/apimachinery v0.33.0/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
 k8s.io/apimachinery v0.33.3 h1:4ZSrmNa0c/ZpZJhAgRdcsFcZOw1PQU1bALVQ0B3I5LA=
 k8s.io/apimachinery v0.33.3/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
 k8s.io/apiserver v0.32.3 h1:kOw2KBuHOA+wetX1MkmrxgBr648ksz653j26ESuWNY8=
 k8s.io/apiserver v0.32.3/go.mod h1:q1x9B8E/WzShF49wh3ADOh6muSfpmFL0I2t+TG0Zdgc=
-k8s.io/client-go v0.32.6 h1:Q+O+Sd9LKKFnsGZNVX2q1RDILYRpQZX+ea2RoIgjKlM=
-k8s.io/client-go v0.32.6/go.mod h1:yqL9XJ2cTXy3WdJwdeyob3O6xiLwWrh9DP7SeszniW0=
 k8s.io/client-go v0.33.3 h1:M5AfDnKfYmVJif92ngN532gFqakcGi6RvaOF16efrpA=
 k8s.io/client-go v0.33.3/go.mod h1:luqKBQggEf3shbxHY4uVENAxrDISLOarxpTKMiUuujg=
 k8s.io/component-base v0.32.3 h1:98WJvvMs3QZ2LYHBzvltFSeJjEx7t5+8s71P7M74u8k=
@@ -320,8 +315,6 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.1 h1:uOuSLOMBWkJH0
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.1/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
 sigs.k8s.io/controller-runtime v0.20.4 h1:X3c+Odnxz+iPTRobG4tp092+CvBU9UK0t/bRf+n0DGU=
 sigs.k8s.io/controller-runtime v0.20.4/go.mod h1:xg2XB0K5ShQzAgsoujxuKN4LNXR2LfwwHsPj7Iaw+XY=
-sigs.k8s.io/external-dns v0.17.0 h1:lBhJmGWvezR/HZcIAW6j8fVw2LczXFEGs5BluUMmFaM=
-sigs.k8s.io/external-dns v0.17.0/go.mod h1:CTN8maaP4nrMvmC9O00YBUfFIzkDp6Ka9MZvsCZbS38=
 sigs.k8s.io/gateway-api v1.3.0 h1:q6okN+/UKDATola4JY7zXzx40WO4VISk7i9DIfOvr9M=
 sigs.k8s.io/gateway-api v1.3.0/go.mod h1:d8NV8nJbaRbEKem+5IuxkL8gJGOZ+FJ+NvOIltV8gDk=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
diff --git a/tlsutils/tlsconfig.go b/tlsutils/tlsconfig.go
@@ -0,0 +1,86 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tlsutils
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"os"
+	"strings"
+)
+
+const defaultMinVersion = 0
+
+// CreateTLSConfig creates tls.Config instance from TLS parameters passed in environment variables with the given prefix
+func CreateTLSConfig(prefix string) (*tls.Config, error) {
+	caFile := os.Getenv(fmt.Sprintf("%s_CA_FILE", prefix))
+	certFile := os.Getenv(fmt.Sprintf("%s_CERT_FILE", prefix))
+	keyFile := os.Getenv(fmt.Sprintf("%s_KEY_FILE", prefix))
+	serverName := os.Getenv(fmt.Sprintf("%s_TLS_SERVER_NAME", prefix))
+	isInsecureStr := strings.ToLower(os.Getenv(fmt.Sprintf("%s_TLS_INSECURE", prefix)))
+	isInsecure := isInsecureStr == "true" || isInsecureStr == "yes" || isInsecureStr == "1"
+	return NewTLSConfig(certFile, keyFile, caFile, serverName, isInsecure, defaultMinVersion)
+}
+
+// NewTLSConfig creates a tls.Config instance from directly passed parameters, loading the ca, cert, and key from disk
+func NewTLSConfig(certPath, keyPath, caPath, serverName string, insecure bool, minVersion uint16) (*tls.Config, error) {
+	if certPath != "" && keyPath == "" || certPath == "" && keyPath != "" {
+		return nil, errors.New("either both cert and key or none must be provided")
+	}
+	var certificates []tls.Certificate
+	if certPath != "" {
+		cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+		if err != nil {
+			return nil, fmt.Errorf("could not load TLS cert: %w", err)
+		}
+		certificates = append(certificates, cert)
+	}
+	// If rootCAs is nil, TLS uses the host's root CA set.
+	var rootCAs *x509.CertPool
+	var err error
+
+	if caPath != "" {
+		rootCAs, err = loadRoots(caPath)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return &tls.Config{
+		MinVersion:         minVersion,
+		Certificates:       certificates,
+		RootCAs:            rootCAs,
+		InsecureSkipVerify: insecure,
+		ServerName:         serverName,
+	}, nil
+}
+
+// loads CA cert
+func loadRoots(caPath string) (*x509.CertPool, error) {
+	roots := x509.NewCertPool()
+	pem, err := os.ReadFile(caPath)
+	if err != nil {
+		return nil, fmt.Errorf("error reading %s: %w", caPath, err)
+	}
+	ok := roots.AppendCertsFromPEM(pem)
+	if !ok {
+		return nil, fmt.Errorf("could not read root certs: %w", err)
+	}
+	return roots, nil
+}
diff --git a/tlsutils/tlsconfig_test.go b/tlsutils/tlsconfig_test.go
@@ -0,0 +1,207 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tlsutils
+
+import (
+	"crypto/tls"
+	"fmt"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+var rsaCertPEM = `-----BEGIN CERTIFICATE-----
+MIIB0zCCAX2gAwIBAgIJAI/M7BYjwB+uMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQwHhcNMTIwOTEyMjE1MjAyWhcNMTUwOTEyMjE1MjAyWjBF
+MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLJ
+hPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wok/4xIA+ui35/MmNa
+rtNuC+BdZ1tMuVCPFZcCAwEAAaNQME4wHQYDVR0OBBYEFJvKs8RfJaXTH08W+SGv
+zQyKn0H8MB8GA1UdIwQYMBaAFJvKs8RfJaXTH08W+SGvzQyKn0H8MAwGA1UdEwQF
+MAMBAf8wDQYJKoZIhvcNAQEFBQADQQBJlffJHybjDGxRMqaRmDhX0+6v02TUKZsW
+r5QuVbpQhH6u+0UgcW0jp9QwpxoPTLTWGXEWBBBurxFwiCBhkQ+V
+-----END CERTIFICATE-----
+`
+
+var rsaKeyPEM = testingKey(`-----BEGIN RSA TESTING KEY-----
+MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo
+k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G
+6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N
+MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW
+SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T
+xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi
+D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g==
+-----END RSA TESTING KEY-----
+`)
+
+func testingKey(s string) string { return strings.ReplaceAll(s, "TESTING KEY", "PRIVATE KEY") }
+
+func TestCreateTLSConfig(t *testing.T) {
+
+	tests := []struct {
+		title         string
+		prefix        string
+		caFile        string
+		certFile      string
+		keyFile       string
+		isInsecureStr string
+		serverName    string
+		assertions    func(actual *tls.Config, err error)
+	}{
+		{
+			"Provide only CA returns error",
+			"prefix",
+			"",
+			rsaCertPEM,
+			"",
+			"",
+			"",
+			func(actual *tls.Config, err error) {
+				assert.Contains(t, err.Error(), "either both cert and key or none must be provided")
+			},
+		},
+		{
+			"Invalid cert and key returns error",
+			"prefix",
+			"",
+			"invalid-cert",
+			"invalid-key",
+			"",
+			"",
+			func(actual *tls.Config, err error) {
+				assert.Contains(t, err.Error(), "could not load TLS cert")
+			},
+		},
+		{
+			"Valid cert and key return a valid tls.Config with a certificate",
+			"prefix",
+			"",
+			rsaCertPEM,
+			rsaKeyPEM,
+			"",
+			"server-name",
+			func(actual *tls.Config, err error) {
+				require.NoError(t, err)
+				assert.Equal(t, "server-name", actual.ServerName)
+				assert.NotNil(t, actual.Certificates[0])
+				assert.False(t, actual.InsecureSkipVerify)
+				assert.Equal(t, actual.MinVersion, uint16(defaultMinVersion))
+			},
+		},
+		{
+			"Invalid CA file returns error",
+			"prefix",
+			"invalid-ca-content",
+			"",
+			"",
+			"",
+			"",
+			func(actual *tls.Config, err error) {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), "could not read root certs")
+			},
+		},
+		{
+			"Invalid CA file path returns error",
+			"prefix",
+			"ca-path-does-not-exist",
+			"",
+			"",
+			"",
+			"server-name",
+			func(actual *tls.Config, err error) {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), "error reading /path/does/not/exist")
+			},
+		},
+		{
+			"Complete config with CA, cert, and key returns valid tls.Config",
+			"prefix",
+			rsaCertPEM,
+			rsaCertPEM,
+			rsaKeyPEM,
+			"",
+			"server-name",
+			func(actual *tls.Config, err error) {
+				require.NoError(t, err)
+				assert.Equal(t, "server-name", actual.ServerName)
+				assert.NotNil(t, actual.Certificates[0])
+				assert.NotNil(t, actual.RootCAs)
+				assert.False(t, actual.InsecureSkipVerify)
+			},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.title, func(t *testing.T) {
+			// setup
+			dir := t.TempDir()
+
+			if tc.caFile != "" {
+				path := fmt.Sprintf("%s/caFile", dir)
+				writeToFile(path, tc.caFile)
+				t.Setenv(fmt.Sprintf("%s_CA_FILE", tc.prefix), path)
+			}
+
+			if tc.caFile == "ca-path-does-not-exist" {
+				t.Setenv(fmt.Sprintf("%s_CA_FILE", tc.prefix), "/path/does/not/exist")
+			}
+
+			if tc.certFile != "" {
+				path := fmt.Sprintf("%s/certFile", dir)
+				writeToFile(path, tc.certFile)
+				t.Setenv(fmt.Sprintf("%s_CERT_FILE", tc.prefix), path)
+			}
+
+			if tc.keyFile != "" {
+				path := fmt.Sprintf("%s/keyFile", dir)
+				writeToFile(path, tc.keyFile)
+				t.Setenv(fmt.Sprintf("%s_KEY_FILE", tc.prefix), path)
+			}
+
+			if tc.serverName != "" {
+				t.Setenv(fmt.Sprintf("%s_TLS_SERVER_NAME", tc.prefix), tc.serverName)
+			}
+
+			if tc.isInsecureStr != "" {
+				t.Setenv(fmt.Sprintf("%s_INSECURE", tc.prefix), tc.isInsecureStr)
+			}
+
+			// test
+			actual, err := CreateTLSConfig(tc.prefix)
+			tc.assertions(actual, err)
+		})
+	}
+
+}
+
+func writeToFile(filename string, content string) error {
+	file, fileErr := os.Create(filename)
+	if fileErr != nil {
+		_ = fmt.Errorf("failed to create file: %w", fileErr)
+	}
+	defer file.Close()
+	_, writeErr := file.WriteString(content)
+	if writeErr != nil {
+		_ = fmt.Errorf("failed to write to file: %s", filename)
+	}
+	return nil
+}
diff --git a/tlsutils/tlsutils.go b/tlsutils/tlsutils.go
@@ -0,0 +1,5 @@
+// package tlsutils was copied from
+// https://github.com/kubernetes-sigs/external-dns/tree/0e7c3af22109aefa8664bfcd5ae6593247078ee3/pkg/tlsutils in order
+// to avoid a dependency on the external-dns package for this helper, which is not really tied to external-dns and
+// unlikely to ever change.
+package tlsutils

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ import (`
`23`	`23`	`"github.com/gophercloud/gophercloud"`
`24`	`24`	`"github.com/gophercloud/gophercloud/openstack"`
`25`	`25`	`log "github.com/sirupsen/logrus"`
`26`		`- "sigs.k8s.io/external-dns/pkg/tlsutils"`
	`26`	`+ "github.com/stackitcloud/designate-certmanager-webhook/tlsutils"`
`27`	`27`	`)`
`28`	`28`
`29`	`29`	`// copies environment variables to new names without overwriting existing values`