[pve-devel] [common 1/9] Add dynamic plugin lookup for ACME

Fabian Grünbichler f.gruenbichler at proxmox.com
Fri Oct 18 11:22:50 CEST 2019


note: the comment here is not just for this patch, but also references 
stuff that comes in later patches..

On October 14, 2019 1:08 pm, Wolfgang Link wrote:
> The dynamic approach reduces failure if new plugins will included.
> ---
>  src/PVE/ACME.pm            | 4 ++++
>  src/PVE/ACME/Challenge.pm  | 8 ++++++++
>  src/PVE/ACME/StandAlone.pm | 4 ++++
>  3 files changed, 16 insertions(+)
> 
> diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
> index 38a14a5..da4cbcc 100644
> --- a/src/PVE/ACME.pm
> +++ b/src/PVE/ACME.pm
> @@ -17,6 +17,9 @@ use LWP::UserAgent;
>  
>  use Crypt::OpenSSL::RSA;
>  
> +use PVE::ACME::Challenge;
> +use PVE::ACME::StandAlone;
> +
>  use PVE::Certificate;
>  use PVE::Tools qw(
>  file_set_contents
> @@ -24,6 +27,7 @@ file_get_contents
>  );
>  
>  Crypt::OpenSSL::RSA->import_random_seed();
> +PVE::ACME::StandAlone->register();
>  
>  my $LETSENCRYPT_STAGING = 'https://acme-staging-v02.api.letsencrypt.org/directory';
>  
> diff --git a/src/PVE/ACME/Challenge.pm b/src/PVE/ACME/Challenge.pm
> index 40d32b6..786666c 100644
> --- a/src/PVE/ACME/Challenge.pm
> +++ b/src/PVE/ACME/Challenge.pm
> @@ -3,6 +3,14 @@ package PVE::ACME::Challenge;
>  use strict;
>  use warnings;
>  
> +use base qw(PVE::SectionConfig);

this would be the only SectionConfig that is not actually a config..

after some off-list discussion with Thomas, how about the following:

move PVE::ACME::Challenge and PVE::ACME::StandAlone to pve-manager, or a 
new pve-acme package (the latter could be combined with PVE::ACME, and 
some parts of what is currently in pve-manager, and your new 
package/repo)

make the challenge plugins a real SectionConfig:

standalone: http80
  port 80

dns: ovh1
  api ovh
  data encode_text("KEY1=foobar\nKEY2=foobaz")
  nodes node1

dns: ovh2
  api ovh
  data encode_text("KEY1=barfoo\nKEY2=foobaz")
  nodes node2

for PVE, store that section config file in

/etc/pve/priv/acme/plugins.cfg

(moving the definition together with the rest of general ACME code to a 
new package would allow PMG to re-use most of it with just a different 
high-level client and file location)

the GUI could have a mapping of the most important plugins and their 
config KEYs, with a fallback to just "edit whole data as textfield" or 
"edit whole data as key-value pairs". this would still allow adding your 
own acme.sh dnsapi compatible plugins, and would avoid having to import 
the full key-value schema into our section config.

the node config's acme key would then just reference the concrete plugin 
instance (but see later patches for another issue regarding this), which 
would be available cluster-wide, but also allow different plugin 
instances for each node..

> +
> +my $defaultData = {};
> +
> +sub private {
> +    return $defaultData;
> +}
> +
>  sub supported_challenge_types {
>      return {};
>  }
> diff --git a/src/PVE/ACME/StandAlone.pm b/src/PVE/ACME/StandAlone.pm
> index f48d638..3766862 100644
> --- a/src/PVE/ACME/StandAlone.pm
> +++ b/src/PVE/ACME/StandAlone.pm
> @@ -8,6 +8,10 @@ use HTTP::Response;
>  
>  use base qw(PVE::ACME::Challenge);
>  
> +sub type {
> +    return 'standalone';
> +}
> +
>  sub supported_challenge_types {
>      return { 'http-01' => 1 };
>  }
> -- 
> 2.20.1
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 




More information about the pve-devel mailing list