[pve-devel] [common 1/9] Add dynamic plugin lookup for ACME
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Oct 22 11:17:17 CEST 2019
On October 21, 2019 12:12 pm, Wolfgang Link wrote:
> comment inline
>
> On 10/18/19 11:22 AM, Fabian Grünbichler wrote:
>> note: the comment here is not just for this patch, but also references
>> stuff that comes in later patches..
>>
>> On October 14, 2019 1:08 pm, Wolfgang Link wrote:
>>> The dynamic approach reduces failure if new plugins will included.
>>> ---
>>> src/PVE/ACME.pm | 4 ++++
>>> src/PVE/ACME/Challenge.pm | 8 ++++++++
>>> src/PVE/ACME/StandAlone.pm | 4 ++++
>>> 3 files changed, 16 insertions(+)
>>>
>>> diff --git a/src/PVE/ACME.pm b/src/PVE/ACME.pm
>>> index 38a14a5..da4cbcc 100644
>>> --- a/src/PVE/ACME.pm
>>> +++ b/src/PVE/ACME.pm
>>> @@ -17,6 +17,9 @@ use LWP::UserAgent;
>>>
>>> use Crypt::OpenSSL::RSA;
>>>
>>> +use PVE::ACME::Challenge;
>>> +use PVE::ACME::StandAlone;
>>> +
>>> use PVE::Certificate;
>>> use PVE::Tools qw(
>>> file_set_contents
>>> @@ -24,6 +27,7 @@ file_get_contents
>>> );
>>>
>>> Crypt::OpenSSL::RSA->import_random_seed();
>>> +PVE::ACME::StandAlone->register();
>>>
>>> my $LETSENCRYPT_STAGING = 'https://acme-staging-v02.api.letsencrypt.org/directory';
>>>
>>> diff --git a/src/PVE/ACME/Challenge.pm b/src/PVE/ACME/Challenge.pm
>>> index 40d32b6..786666c 100644
>>> --- a/src/PVE/ACME/Challenge.pm
>>> +++ b/src/PVE/ACME/Challenge.pm
>>> @@ -3,6 +3,14 @@ package PVE::ACME::Challenge;
>>> use strict;
>>> use warnings;
>>>
>>> +use base qw(PVE::SectionConfig);
>> this would be the only SectionConfig that is not actually a config..
>>
>> after some off-list discussion with Thomas, how about the following:
>>
>> move PVE::ACME::Challenge and PVE::ACME::StandAlone to pve-manager, or a
>> new pve-acme package (the latter could be combined with PVE::ACME, and
>> some parts of what is currently in pve-manager, and your new
>> package/repo)
>>
>> make the challenge plugins a real SectionConfig:
>>
>> standalone: http80
>> port 80
>>
>> dns: ovh1
>> api ovh
>> data encode_text("KEY1=foobar\nKEY2=foobaz")
>> nodes node1
>>
>> dns: ovh2
>> api ovh
>> data encode_text("KEY1=barfoo\nKEY2=foobaz")
>> nodes node2
>>
>> for PVE, store that section config file in
>>
>> /etc/pve/priv/acme/plugins.cfg
>
> I agree.
>
> It the ovh1/ovh2 the name of the definition like in storage.cfg?
yes. the string before the colon is the section type/plugin, the string
after is the ID of that specific section/plugin instance, just like in
storage.cfg
> Nodes should be a node list or '*' to indicate to use wildcards certificate.
I'd skip wildcard certificates for now (unless you explicitly want to
include them in your v1?) and just use the same definition like for
storages: either a list of nodes, or all nodes if absent.
for wild-card certificates we'd need more changes anyway:
- not stored under /etc/pve/local
- which nodes should use it (-> flag in node config?)
- which node(s) should renew it
- the code to order/renew needs to support it
- ... ?
>> (moving the definition together with the rest of general ACME code to a
>> new package would allow PMG to re-use most of it with just a different
>> high-level client and file location)
>>
>> the GUI could have a mapping of the most important plugins and their
>> config KEYs, with a fallback to just "edit whole data as textfield" or
>> "edit whole data as key-value pairs". this would still allow adding your
>> own acme.sh dnsapi compatible plugins, and would avoid having to import
>> the full key-value schema into our section config.
> We could get the plugins dynamically on call.
> The keys are not extractable because some plugins do not notate them.
my (or actually mostly Thomas' ;)) suggestion would be the following:
for the most important plugins, ship their known keys + description +
validation in pve-manager (just for the GUI), so that we can display
proper fields for those keys in addition to a general free-form key ->
value entry with arbitrary values. this is just a usability improvement.
the API just takes a single multi-line string and does not care about
the format at all. for storing/retrieving the keys and their values, we
don't need to know anything about their count, names, schema, ... since
we just pass them along to the acme.sh plugin anyway..
>> the node config's acme key would then just reference the concrete plugin
>> instance (but see later patches for another issue regarding this), which
>> would be available cluster-wide, but also allow different plugin
>> instances for each node..
>>
>>> +
>>> +my $defaultData = {};
>>> +
>>> +sub private {
>>> + return $defaultData;
>>> +}
>>> +
>>> sub supported_challenge_types {
>>> return {};
>>> }
>>> diff --git a/src/PVE/ACME/StandAlone.pm b/src/PVE/ACME/StandAlone.pm
>>> index f48d638..3766862 100644
>>> --- a/src/PVE/ACME/StandAlone.pm
>>> +++ b/src/PVE/ACME/StandAlone.pm
>>> @@ -8,6 +8,10 @@ use HTTP::Response;
>>>
>>> use base qw(PVE::ACME::Challenge);
>>>
>>> +sub type {
>>> + return 'standalone';
>>> +}
>>> +
>>> sub supported_challenge_types {
>>> return { 'http-01' => 1 };
>>> }
>>> --
>>> 2.20.1
>>>
>>>
>>> _______________________________________________
>>> pve-devel mailing list
>>> pve-devel at pve.proxmox.com
>>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>>>
>>>
>> _______________________________________________
>> pve-devel mailing list
>> pve-devel at pve.proxmox.com
>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>>
>
More information about the pve-devel
mailing list