Merge pull request #339 from belier-cn/main

feat: add volcengine dns provider and add volcengine live deployer
2025-10-04 21:44:54 +00:00 · 2024-11-14 09:42:26 +08:00
parent b2030caedc c298f8b952
commit 2bacf76664
20 changed files with 1381 additions and 92 deletions
--- a/internal/applicant/applicant.go
+++ b/internal/applicant/applicant.go
@@ -35,6 +35,7 @@ const (
 	configTypeGodaddy     = "godaddy"
 	configTypePdns        = "pdns"
 	configTypeHttpreq     = "httpreq"
+	configTypeVolcengine  = "volcengine"
 )

 const defaultSSLProvider = "letsencrypt"
@@ -188,6 +189,8 @@ func Get(record *models.Record) (Applicant, error) {
 		return NewPdns(option), nil
 	case configTypeHttpreq:
 		return NewHttpreq(option), nil
+	case configTypeVolcengine:
+		return NewVolcengine(option), nil
 	default:
 		return nil, errors.New("unknown config type")
 	}
--- a/internal/applicant/volcengine.go
+++ b/internal/applicant/volcengine.go
@@ -0,0 +1,35 @@
+package applicant
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+
+	volcengineDns "github.com/go-acme/lego/v4/providers/dns/volcengine"
+	"github.com/usual2970/certimate/internal/domain"
+)
+
+type volcengine struct {
+	option *ApplyOption
+}
+
+func NewVolcengine(option *ApplyOption) Applicant {
+	return &volcengine{
+		option: option,
+	}
+}
+
+func (a *volcengine) Apply() (*Certificate, error) {
+	access := &domain.VolcengineAccess{}
+	json.Unmarshal([]byte(a.option.Access), access)
+
+	os.Setenv("VOLC_ACCESSKEY", access.AccessKeyID)
+	os.Setenv("VOLC_SECRETKEY", access.SecretAccessKey)
+	os.Setenv("VOLC_PROPAGATION_TIMEOUT", fmt.Sprintf("%d", a.option.Timeout))
+	dnsProvider, err := volcengineDns.NewDNSProvider()
+	if err != nil {
+		return nil, err
+	}
+
+	return apply(a.option, dnsProvider)
+}
--- a/internal/deployer/deployer.go
+++ b/internal/deployer/deployer.go
@@ -40,6 +40,7 @@ const (
 	targetSSH            = "ssh"
 	targetWebhook        = "webhook"
 	targetK8sSecret      = "k8s-secret"
+	targetVolcengineLive = "volcengine-live"
 )

 type DeployerOption struct {
@@ -150,6 +151,8 @@ func getWithDeployConfig(record *models.Record, cert *applicant.Certificate, dep
 		return NewWebhookDeployer(option)
 	case targetK8sSecret:
 		return NewK8sSecretDeployer(option)
+	case targetVolcengineLive:
+		return NewVolcengineLiveDeployer(option)
 	}
 	return nil, errors.New("unsupported deploy target")
 }
--- a/internal/deployer/volcengine_live.go
+++ b/internal/deployer/volcengine_live.go
@@ -0,0 +1,148 @@
+package deployer
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"regexp"
+	"strings"
+
+	xerrors "github.com/pkg/errors"
+	"github.com/usual2970/certimate/internal/domain"
+	"github.com/usual2970/certimate/internal/pkg/core/uploader"
+	volcenginelive "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/volcengine-live"
+	"github.com/usual2970/certimate/internal/pkg/utils/cast"
+	"github.com/volcengine/volc-sdk-golang/base"
+	live "github.com/volcengine/volc-sdk-golang/service/live/v20230101"
+)
+
+type VolcengineLiveDeployer struct {
+	option      *DeployerOption
+	infos       []string
+	sdkClient   *live.Live
+	sslUploader uploader.Uploader
+}
+
+func NewVolcengineLiveDeployer(option *DeployerOption) (Deployer, error) {
+	access := &domain.VolcengineAccess{}
+	if err := json.Unmarshal([]byte(option.Access), access); err != nil {
+		return nil, xerrors.Wrap(err, "failed to get access")
+	}
+	client := live.NewInstance()
+	client.SetCredential(base.Credentials{
+		AccessKeyID:     access.AccessKeyID,
+		SecretAccessKey: access.SecretAccessKey,
+	})
+	uploader, err := volcenginelive.New(&volcenginelive.VolcengineLiveUploaderConfig{
+		AccessKeyId:     access.AccessKeyID,
+		AccessKeySecret: access.SecretAccessKey,
+	})
+	if err != nil {
+		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
+	}
+	return &VolcengineLiveDeployer{
+		option:      option,
+		infos:       make([]string, 0),
+		sdkClient:   client,
+		sslUploader: uploader,
+	}, nil
+}
+
+func (d *VolcengineLiveDeployer) GetID() string {
+	return fmt.Sprintf("%s-%s", d.option.AccessRecord.GetString("name"), d.option.AccessRecord.Id)
+}
+
+func (d *VolcengineLiveDeployer) GetInfos() []string {
+	return d.infos
+}
+
+func (d *VolcengineLiveDeployer) Deploy(ctx context.Context) error {
+	apiCtx := context.Background()
+	// 上传证书
+	upres, err := d.sslUploader.Upload(apiCtx, d.option.Certificate.Certificate, d.option.Certificate.PrivateKey)
+	if err != nil {
+		return err
+	}
+
+	d.infos = append(d.infos, toStr("已上传证书", upres))
+
+	domains := make([]string, 0)
+	configDomain := d.option.DeployConfig.GetConfigAsString("domain")
+	if strings.HasPrefix(configDomain, "*.") {
+		// 如果是泛域名，获取所有的域名并匹配
+		matchDomains, err := d.getDomainsByWildcardDomain(apiCtx, configDomain)
+		if err != nil {
+			d.infos = append(d.infos, toStr("获取域名列表失败", upres))
+			return xerrors.Wrap(err, "failed to execute sdk request 'live.ListDomainDetail'")
+		}
+		if len(matchDomains) == 0 {
+			return xerrors.Errorf("未查询到匹配的域名: %s", configDomain)
+		}
+		domains = matchDomains
+	} else {
+		domains = append(domains, configDomain)
+	}
+
+	// 部署证书
+	// REF: https://www.volcengine.com/docs/6469/1186278#%E7%BB%91%E5%AE%9A%E8%AF%81%E4%B9%A6d
+	for i := range domains {
+		bindCertReq := &live.BindCertBody{
+			ChainID: upres.CertId,
+			Domain:  domains[i],
+			HTTPS:   cast.BoolPtr(true),
+		}
+		BindCertResp, err := d.sdkClient.BindCert(apiCtx, bindCertReq)
+		if err != nil {
+			return xerrors.Wrap(err, "failed to execute sdk request 'live.BindCert'")
+		} else {
+			d.infos = append(d.infos, toStr(fmt.Sprintf("%s域名的证书已修改", domains[i]), BindCertResp))
+		}
+	}
+
+	return nil
+}
+
+func (d *VolcengineLiveDeployer) getDomainsByWildcardDomain(ctx context.Context, wildcardDomain string) ([]string, error) {
+	pageNum := int32(1)
+	searchTotal := 0
+	domains := make([]string, 0)
+	for {
+		listDomainDetailReq := &live.ListDomainDetailBody{
+			PageNum:  pageNum,
+			PageSize: 1000,
+		}
+		// 查询域名列表
+		// REF: https://www.volcengine.com/docs/6469/1186277#%E6%9F%A5%E8%AF%A2%E5%9F%9F%E5%90%8D%E5%88%97%E8%A1%A8
+		listDomainDetailResp, err := d.sdkClient.ListDomainDetail(ctx, listDomainDetailReq)
+		if err != nil {
+			return domains, err
+		}
+		if listDomainDetailResp.Result.DomainList != nil {
+			for _, item := range listDomainDetailResp.Result.DomainList {
+				if matchWildcardDomain(item.Domain, wildcardDomain) {
+					domains = append(domains, item.Domain)
+				}
+			}
+		}
+		searchTotal += len(listDomainDetailResp.Result.DomainList)
+		if int(listDomainDetailResp.Result.Total) > searchTotal {
+			pageNum++
+		} else {
+			break
+		}
+	}
+
+	return domains, nil
+}
+
+func matchWildcardDomain(domain, wildcardDomain string) bool {
+	if strings.HasPrefix(wildcardDomain, "*.") {
+		if "*."+domain == wildcardDomain {
+			return true
+		}
+		regexPattern := "^([a-zA-Z0-9_-]+)\\." + regexp.QuoteMeta(wildcardDomain[2:]) + "$"
+		regex := regexp.MustCompile(regexPattern)
+		return regex.MatchString(domain)
+	}
+	return domain == wildcardDomain
+}
--- a/internal/domain/access.go
+++ b/internal/domain/access.go
@@ -56,6 +56,11 @@ type PdnsAccess struct {
 	ApiKey string `json:"apiKey"`
 }

+type VolcengineAccess struct {
+	AccessKeyID     string
+	SecretAccessKey string
+}
+
 type HttpreqAccess struct {
 	Endpoint string `json:"endpoint"`
 	Mode     string `json:"mode"`
--- a/internal/pkg/core/uploader/providers/volcengine-live/volcengine_live.go
+++ b/internal/pkg/core/uploader/providers/volcengine-live/volcengine_live.go
@@ -0,0 +1,116 @@
+package volcenginelive
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	xerrors "github.com/pkg/errors"
+	"github.com/usual2970/certimate/internal/pkg/core/uploader"
+	"github.com/usual2970/certimate/internal/pkg/utils/cast"
+	"github.com/usual2970/certimate/internal/pkg/utils/x509"
+	live "github.com/volcengine/volc-sdk-golang/service/live/v20230101"
+)
+
+type VolcengineLiveUploaderConfig struct {
+	AccessKeyId     string `json:"accessKeyId"`
+	AccessKeySecret string `json:"accessKeySecret"`
+}
+
+type VolcengineLiveUploader struct {
+	config    *VolcengineLiveUploaderConfig
+	sdkClient *live.Live
+}
+
+var _ uploader.Uploader = (*VolcengineLiveUploader)(nil)
+
+func New(config *VolcengineLiveUploaderConfig) (*VolcengineLiveUploader, error) {
+	if config == nil {
+		return nil, errors.New("config is nil")
+	}
+
+	client := live.NewInstance()
+	client.SetAccessKey(config.AccessKeyId)
+	client.SetSecretKey(config.AccessKeySecret)
+
+	return &VolcengineLiveUploader{
+		config:    config,
+		sdkClient: client,
+	}, nil
+}
+
+func (u *VolcengineLiveUploader) Upload(ctx context.Context, certPem string, privkeyPem string) (res *uploader.UploadResult, err error) {
+	// 解析证书内容
+	certX509, err := x509.ParseCertificateFromPEM(certPem)
+	if err != nil {
+		return nil, err
+	}
+	// 查询证书列表，避免重复上传
+	// REF: https://www.volcengine.com/docs/6469/1186278#%E6%9F%A5%E8%AF%A2%E8%AF%81%E4%B9%A6%E5%88%97%E8%A1%A8
+	listCertReq := &live.ListCertV2Body{}
+	listCertResp, err := u.sdkClient.ListCertV2(ctx, listCertReq)
+	if err != nil {
+		return nil, xerrors.Wrap(err, "failed to execute sdk request 'live.ListCertV2'")
+	}
+
+	if listCertResp.Result.CertList != nil {
+		for _, certDetail := range listCertResp.Result.CertList {
+
+			describeCertDetailSecretReq := &live.DescribeCertDetailSecretV2Body{
+				ChainID: cast.StringPtr(certDetail.ChainID),
+			}
+			// 查询证书详细信息
+			// REF: https://www.volcengine.com/docs/6469/1186278#%E6%9F%A5%E7%9C%8B%E8%AF%81%E4%B9%A6%E8%AF%A6%E6%83%85
+			describeCertDetailSecretResp, detailErr := u.sdkClient.DescribeCertDetailSecretV2(ctx, describeCertDetailSecretReq)
+			if detailErr != nil {
+				continue
+			}
+			var isSameCert bool
+			certificate := strings.Join(describeCertDetailSecretResp.Result.SSL.Chain, "\n\n")
+			if certificate == certPem {
+				isSameCert = true
+			} else {
+				cert, err := x509.ParseCertificateFromPEM(certificate)
+				if err != nil {
+					continue
+				}
+
+				isSameCert = x509.EqualCertificate(cert, certX509)
+			}
+			// 如果已存在相同证书，直接返回已有的证书信息
+			if isSameCert {
+				return &uploader.UploadResult{
+					CertId:   certDetail.ChainID,
+					CertName: certDetail.CertName,
+				}, nil
+			}
+		}
+	}
+
+	// 生成新证书名（需符合火山引擎命名规则）
+	var certId, certName string
+	certName = fmt.Sprintf("certimate-%d", time.Now().UnixMilli())
+	// 上传新证书
+	// REF: https://www.volcengine.com/docs/6469/1186278#%E6%B7%BB%E5%8A%A0%E8%AF%81%E4%B9%A6
+	createCertReq := &live.CreateCertBody{
+		CertName:    &certName,
+		UseWay:      "https",
+		ProjectName: cast.StringPtr("default"),
+		Rsa: live.CreateCertBodyRsa{
+			Prikey: privkeyPem,
+			Pubkey: certPem,
+		},
+	}
+	createCertResp, err := u.sdkClient.CreateCert(ctx, createCertReq)
+	if err != nil {
+		return nil, xerrors.Wrap(err, "failed to execute sdk request 'live.CreateCert'")
+	}
+
+	certId = *createCertResp.Result.ChainID
+	return &uploader.UploadResult{
+		CertId:   certId,
+		CertName: certName,
+	}, nil
+}