perf: 支持阿里云 ack ingress

.gitignore

@@ -1,9 +1,16 @@
 # IntelliJ project files
+.vscode/
+node_modules/
+npm-debug.log
+yarn-error.log
+yarn.lock
+package-lock.json
+/.idea/
+
 .idea
 *.iml
 out
 gen
-node_modules/
 /test/*.private.*
 
 /*.log

packages/core/api/.gitignore

@@ -0,0 +1,7 @@
+.vscode/
+node_modules/
+npm-debug.log
+yarn-error.log
+yarn.lock
+package-lock.json
+/.idea/

packages/core/executor/.gitignore

@@ -0,0 +1,7 @@
+.vscode/
+node_modules/
+npm-debug.log
+yarn-error.log
+yarn.lock
+package-lock.json
+/.idea/

packages/plugins/plugin-aliyun/.gitignore

@@ -0,0 +1,7 @@
+.vscode/
+node_modules/
+npm-debug.log
+yarn-error.log
+yarn.lock
+package-lock.json
+/.idea/

packages/plugins/plugin-aliyun/package.json

@@ -5,6 +5,8 @@
 	"main": "src/index.js",
 	"type": "module",
 	"dependencies": {
+		"@alicloud/cs20151215": "^3.0.3",
+		"@alicloud/openapi-client": "^0.4.0",
 		"@alicloud/pop-core": "^1.7.10",
 		"@certd/api": "^0.2.0",
 		"dayjs": "^1.9.7",
@@ -12,6 +14,7 @@
 	},
 	"devDependencies": {
 		"@certd/certd": "^0.2.0",
+		"@certd/plugin-common": "^0.2.0",
 		"chai": "^4.2.0",
 		"eslint": "^7.15.0",
 		"eslint-config-standard": "^16.0.2",

packages/plugins/plugin-aliyun/src/plugins/deploy-to-ack-ingress/index.js

@@ -0,0 +1,200 @@
+import { AbstractAliyunPlugin } from '../abstract-aliyun.js'
+import Core from '@alicloud/pop-core'
+import { K8sClient } from '@certd/plugin-common'
+const ROAClient = Core.ROAClient
+
+const define = {
+  name: 'deployCertToAliyunAckIngress',
+  label: '部署到阿里云AckIngress',
+  input: {
+    clusterId: {
+      label: '集群id',
+      component: {
+        placeholder: '集群id'
+      },
+      required: true
+    },
+    secretName: {
+      label: '保密字典Id',
+      component: {
+        placeholder: '保密字典Id'
+      },
+      required: true
+    },
+    regionId: {
+      label: '大区',
+      value: 'cn-shanghai',
+      component: {
+        placeholder: '集群所属大区'
+      },
+      required: true
+    },
+    namespace: {
+      label: '命名空间',
+      value: 'default',
+      component: {
+        placeholder: '命名空间'
+      },
+      required: true
+    },
+    ingressName: {
+      label: 'ingress名称',
+      value: '',
+      component: {
+        placeholder: 'ingress名称'
+      },
+      required: true,
+      helper: '可以传入一个数组'
+    },
+    ingressClass: {
+      label: 'ingress类型',
+      value: 'nginx',
+      component: {
+        placeholder: '暂时只支持nginx类型'
+      },
+      required: true
+    },
+    isPrivateIpAddress: {
+      label: '是否私网ip',
+      value: false,
+      component: {
+        placeholder: '集群连接端点是否是私网ip'
+      },
+      helper: '如果您当前certd运行在同一个私网下，可以选择是。',
+      required: true
+    },
+    accessProvider: {
+      label: 'Access提供者',
+      type: [String, Object],
+      desc: 'access授权',
+      component: {
+        name: 'access-provider-selector',
+        filter: 'aliyun'
+      },
+      required: true
+    }
+  },
+  output: {
+
+  }
+}
+
+export class DeployCertToAliyunAckIngress extends AbstractAliyunPlugin {
+  static define () {
+    return define
+  }
+
+  async execute ({ cert, props, context }) {
+    const accessProvider = this.getAccessProvider(props.accessProvider)
+    const client = this.getClient(accessProvider, props.regionId)
+
+    const kubeConfigStr = await this.getKubeConfig(client, props.clusterId, props.isPrivateIpAddress)
+
+    this.logger.info('kubeconfig已成功获取')
+    const k8sClient = new K8sClient(kubeConfigStr)
+    const ingressType = props.ingressClass || 'qcloud'
+    if (ingressType === 'qcloud') {
+      throw new Error('暂未实现')
+      // await this.patchQcloudCertSecret({ k8sClient, props, context })
+    } else {
+      await this.patchNginxCertSecret({ cert, k8sClient, props, context })
+    }
+
+    await this.sleep(3000) // 停留2秒，等待secret部署完成
+    // await this.restartIngress({ k8sClient, props })
+    return true
+  }
+
+  async restartIngress ({ k8sClient, props }) {
+    const { namespace } = props
+
+    const body = {
+      metadata: {
+        labels: {
+          certd: this.appendTimeSuffix('certd')
+        }
+      }
+    }
+    const ingressList = await k8sClient.getIngressList({ namespace })
+    console.log('ingressList:', ingressList)
+    if (!ingressList || !ingressList.body || !ingressList.body.items) {
+      return
+    }
+    const ingressNames = ingressList.body.items.filter(item => {
+      if (!item.spec.tls) {
+        return false
+      }
+      for (const tls of item.spec.tls) {
+        if (tls.secretName === props.secretName) {
+          return true
+        }
+      }
+      return false
+    }).map(item => {
+      return item.metadata.name
+    })
+    for (const ingress of ingressNames) {
+      await k8sClient.patchIngress({ namespace, ingressName: ingress, body })
+      this.logger.info(`ingress已重启:${ingress}`)
+    }
+  }
+
+  async patchNginxCertSecret ({ cert, k8sClient, props, context }) {
+    const crt = cert.crt
+    const key = cert.key
+    const crtBase64 = Buffer.from(crt).toString('base64')
+    const keyBase64 = Buffer.from(key).toString('base64')
+
+    const { namespace, secretName } = props
+
+    const body = {
+      data: {
+        'tls.crt': crtBase64,
+        'tls.key': keyBase64
+      },
+      metadata: {
+        labels: {
+          certd: this.appendTimeSuffix('certd')
+        }
+      }
+    }
+    let secretNames = secretName
+    if (typeof secretName === 'string') {
+      secretNames = [secretName]
+    }
+    for (const secret of secretNames) {
+      await k8sClient.patchSecret({ namespace, secretName: secret, body })
+      this.logger.info(`CertSecret已更新:${secret}`)
+    }
+  }
+
+  getClient (aliyunProvider, regionId) {
+    return new ROAClient({
+      accessKeyId: aliyunProvider.accessKeyId,
+      accessKeySecret: aliyunProvider.accessKeySecret,
+      endpoint: `https://cs.${regionId}.aliyuncs.com`,
+      apiVersion: '2015-12-15'
+    })
+  }
+
+  async getKubeConfig (client, clusterId, isPrivateIpAddress = false) {
+    const httpMethod = 'GET'
+    const uriPath = `/k8s/${clusterId}/user_config`
+    const queries = {
+      PrivateIpAddress: isPrivateIpAddress
+    }
+    const body = '{}'
+    const headers = {
+      'Content-Type': 'application/json'
+    }
+    const requestOption = {}
+
+    try {
+      const res = await client.request(httpMethod, uriPath, queries, body, headers, requestOption)
+      return res.config
+    } catch (e) {
+      console.error('请求出错：', e)
+      throw e
+    }
+  }
+}

packages/plugins/plugin-aliyun/test/plugins/deploy-to-ack-ingress-nginx.test.js

@@ -0,0 +1,67 @@
+import pkg from 'chai'
+import { DeployCertToAliyunAckIngress } from '../../src/plugins/deploy-to-ack-ingress/index.js'
+import { Certd } from '@certd/certd'
+import { createOptions } from '../../../../../test/options.js'
+import { K8sClient } from '@certd/plugin-common'
+
+const { expect } = pkg
+
+async function getOptions () {
+  const options = createOptions()
+  options.args.test = false
+  options.cert.email = 'xiaojunnuo@qq.com'
+  options.cert.domains = ['*.docmirror.cn']
+  const certd = new Certd(options)
+  const cert = await certd.readCurrentCert()
+  const context = {}
+  const deployOpts = {
+    accessProviders: options.accessProviders,
+    cert,
+    props: {
+      accessProvider: 'aliyun-yonsz-prod',
+      regionId: 'cn-shanghai',
+      clusterId: 'c9e107ca518314f70973636965037fc00',
+      secretName: 'default-ingress-secret1638601684896',
+      namespace: 'default',
+      ingressClass: 'nginx'
+    },
+    context
+  }
+  return { options, deployOpts }
+}
+
+describe('DeployCertToAliyunAckIngressNginx', function () {
+  it('#getAliyunSecrets', async function () {
+    this.timeout(50000)
+    const { options, deployOpts } = await getOptions()
+    const plugin = new DeployCertToAliyunAckIngress(options)
+    const ackClient = plugin.getClient(options.accessProviders[deployOpts.props.accessProvider], deployOpts.props.regionId)
+    const kubeConfig = await plugin.getKubeConfig(ackClient, deployOpts.props.clusterId, false)
+
+    const k8sClient = new K8sClient(kubeConfig)
+    const secrets = await k8sClient.getSecret({ namespace: 'default' })
+
+    console.log('secrets:', secrets)
+  })
+  it('#getAliyunIngreses', async function () {
+    this.timeout(50000)
+    const { options, deployOpts } = await getOptions()
+    const plugin = new DeployCertToAliyunAckIngress(options)
+    const ackClient = plugin.getClient(options.accessProviders[deployOpts.props.accessProvider], deployOpts.props.regionId)
+    const kubeConfig = await plugin.getKubeConfig(ackClient, deployOpts.props.clusterId, false)
+
+    const k8sClient = new K8sClient(kubeConfig)
+    const list = await k8sClient.getIngressList({ namespace: 'default' })
+
+    console.log('list:', list)
+  })
+  it('#execute', async function () {
+    this.timeout(5000)
+
+    const { options, deployOpts } = await getOptions()
+    const plugin = new DeployCertToAliyunAckIngress(options)
+
+    const ret = await plugin.doExecute(deployOpts)
+    console.log('success', ret)
+  })
+})

packages/plugins/plugin-common/.eslintrc

@@ -0,0 +1,14 @@
+{
+  "extends": "standard",
+  "env": {
+    "mocha": true
+  },
+  "overrides": [
+    {
+      "files": ["*.test.js", "*.spec.js"],
+      "rules": {
+        "no-unused-expressions": "off"
+      }
+    }
+  ]
+}

packages/plugins/plugin-common/.gitignore

@@ -0,0 +1,7 @@
+.vscode/
+node_modules/
+npm-debug.log
+yarn-error.log
+yarn.lock
+package-lock.json
+/.idea/

packages/plugins/plugin-common/package.json

@@ -0,0 +1,23 @@
+{
+	"name": "@certd/plugin-common",
+	"version": "0.2.0",
+	"description": "",
+	"main": "src/index.js",
+	"type": "module",
+	"dependencies": {
+		"kubernetes-client": "^9.0.0"
+	},
+	"devDependencies": {
+		"@certd/certd": "^0.2.0",
+		"chai": "^4.2.0",
+		"eslint": "^7.15.0",
+		"eslint-config-standard": "^16.0.2",
+		"eslint-plugin-import": "^2.22.1",
+		"eslint-plugin-node": "^11.1.0",
+		"eslint-plugin-promise": "^4.2.1",
+		"mocha": "^8.2.1"
+	},
+	"author": "Greper",
+	"license": "MIT",
+	"gitHead": "5fbd7742665c0a949333d805153e9b6af91c0a71"
+}

packages/plugins/plugin-common/src/index.js

@@ -0,0 +1 @@
+export { K8sClient } from './lib/k8s.client.js'

packages/plugins/plugin-common/src/lib/k8s.client.js

@@ -87,6 +87,11 @@ export class K8sClient {
     })
   }
 
+  async getIngressList (opts) {
+    const namespace = opts.namespace || 'default'
+    return await this.client.apis.extensions.v1beta1.namespaces(namespace).ingresses.get()
+  }
+
   async getIngress (opts) {
     const namespace = opts.namespace || 'default'
     const ingressName = opts.ingressName

packages/plugins/plugin-host/.gitignore

@@ -0,0 +1,7 @@
+.vscode/
+node_modules/
+npm-debug.log
+yarn-error.log
+yarn.lock
+package-lock.json
+/.idea/

packages/plugins/plugin-tencent/.gitignore

@@ -0,0 +1,7 @@
+.vscode/
+node_modules/
+npm-debug.log
+yarn-error.log
+yarn.lock
+package-lock.json
+/.idea/

packages/plugins/plugin-tencent/package.json

@@ -13,6 +13,7 @@
 	},
 	"devDependencies": {
 		"@certd/certd": "^0.2.0",
+		"@certd/plugin-common": "^0.2.0",
 		"chai": "^4.2.0",
 		"eslint": "^7.15.0",
 		"eslint-config-standard": "^16.0.2",

packages/plugins/plugin-tencent/src/plugins/deploy-to-tke-ingress/index.js

@@ -1,6 +1,6 @@
 import { AbstractTencentPlugin } from '../abstract-tencent.js'
 import tencentcloud from 'tencentcloud-sdk-nodejs'
-import { K8sClient } from '../../utils/util.k8s.client.js'
+import { K8sClient } from '@certd/plugin-common'
 export class DeployCertToTencentTKEIngress extends AbstractTencentPlugin {
   /**
    * 插件定义

packages/ui/certd-server/.gitignore

@@ -0,0 +1,7 @@
+.vscode/
+node_modules/
+npm-debug.log
+yarn-error.log
+yarn.lock
+package-lock.json
+/.idea/

packages/ui/certd-ui/.gitignore

@@ -0,0 +1,7 @@
+.vscode/
+node_modules/
+npm-debug.log
+yarn-error.log
+yarn.lock
+package-lock.json
+/.idea/