pref: 调整插件目录，增加一些帮助说明

2026-04-23 19:57:27 +08:00 · 2024-05-27 18:38:41 +08:00
parent dd730f6beb
commit 20bc5aa6c7
164 changed files with 1160 additions and 3573 deletions
@@ -0,0 +1,29 @@
+import { IsAccess, AccessInput } from '@certd/pipeline';
+
+@IsAccess({
+  name: 'aliyun',
+  title: '阿里云授权',
+  desc: '',
+})
+export class AliyunAccess {
+  @AccessInput({
+    title: 'accessKeyId',
+    component: {
+      placeholder: 'accessKeyId',
+    },
+    helper:
+      '注意：证书申请，需要dns解析权限；其他阿里云插件，也需要对应的权限，比如证书上传需要证书管理权限',
+    required: true,
+  })
+  accessKeyId = '';
+  @AccessInput({
+    title: 'accessKeySecret',
+    component: {
+      placeholder: 'accessKeySecret',
+    },
+    required: true,
+  })
+  accessKeySecret = '';
+}
+
+new AliyunAccess();
@@ -0,0 +1 @@
+export * from './aliyun-access';
@@ -0,0 +1,150 @@
+import Core from '@alicloud/pop-core';
+import _ from 'lodash';
+import {
+  CreateRecordOptions,
+  IDnsProvider,
+  IsDnsProvider,
+  RemoveRecordOptions,
+} from '@certd/plugin-cert';
+import { Autowire, ILogger } from '@certd/pipeline';
+import { AliyunAccess } from '../access';
+
+@IsDnsProvider({
+  name: 'aliyun',
+  title: '阿里云',
+  desc: '阿里云DNS解析提供商',
+  accessType: 'aliyun',
+})
+export class AliyunDnsProvider implements IDnsProvider {
+  client: any;
+  @Autowire()
+  access!: AliyunAccess;
+  @Autowire()
+  logger!: ILogger;
+  async onInstance() {
+    const access: any = this.access;
+    this.client = new Core({
+      accessKeyId: access.accessKeyId,
+      accessKeySecret: access.accessKeySecret,
+      endpoint: 'https://alidns.aliyuncs.com',
+      apiVersion: '2015-01-09',
+    });
+  }
+
+  async getDomainList() {
+    const params = {
+      RegionId: 'cn-hangzhou',
+      PageSize: 100,
+    };
+
+    const requestOption = {
+      method: 'POST',
+    };
+
+    const ret = await this.client.request(
+      'DescribeDomains',
+      params,
+      requestOption
+    );
+    return ret.Domains.Domain;
+  }
+
+  async matchDomain(dnsRecord: string) {
+    const list = await this.getDomainList();
+    let domain = null;
+    const domainList = [];
+    for (const item of list) {
+      domainList.push(item.DomainName);
+      if (_.endsWith(dnsRecord, item.DomainName)) {
+        domain = item.DomainName;
+        break;
+      }
+    }
+    if (!domain) {
+      throw new Error(
+        `can not find Domain :${dnsRecord} ,list: ${JSON.stringify(domainList)}`
+      );
+    }
+    return domain;
+  }
+
+  async getRecords(domain: string, rr: string, value: string) {
+    const params: any = {
+      RegionId: 'cn-hangzhou',
+      DomainName: domain,
+      RRKeyWord: rr,
+      ValueKeyWord: undefined,
+    };
+    if (value) {
+      params.ValueKeyWord = value;
+    }
+
+    const requestOption = {
+      method: 'POST',
+    };
+
+    const ret = await this.client.request(
+      'DescribeDomainRecords',
+      params,
+      requestOption
+    );
+    return ret.DomainRecords.Record;
+  }
+
+  async createRecord(options: CreateRecordOptions): Promise<any> {
+    const { fullRecord, value, type } = options;
+    this.logger.info('添加域名解析：', fullRecord, value);
+    const domain = await this.matchDomain(fullRecord);
+    const rr = fullRecord.replace('.' + domain, '');
+
+    const params = {
+      RegionId: 'cn-hangzhou',
+      DomainName: domain,
+      RR: rr,
+      Type: type,
+      Value: value,
+      // Line: 'oversea' // 海外
+    };
+
+    const requestOption = {
+      method: 'POST',
+    };
+
+    try {
+      const ret = await this.client.request(
+        'AddDomainRecord',
+        params,
+        requestOption
+      );
+      this.logger.info('添加域名解析成功:', value, value, ret.RecordId);
+      return ret.RecordId;
+    } catch (e: any) {
+      if (e.code === 'DomainRecordDuplicate') {
+        return;
+      }
+      this.logger.info('添加域名解析出错', e);
+      throw e;
+    }
+  }
+  async removeRecord(options: RemoveRecordOptions): Promise<any> {
+    const { fullRecord, value, record } = options;
+    const params = {
+      RegionId: 'cn-hangzhou',
+      RecordId: record,
+    };
+
+    const requestOption = {
+      method: 'POST',
+    };
+
+    const ret = await this.client.request(
+      'DeleteDomainRecord',
+      params,
+      requestOption
+    );
+    this.logger.info('删除域名解析成功:', fullRecord, value, ret.RecordId);
+    return ret.RecordId;
+  }
+}
+
+new AliyunDnsProvider();
@@ -0,0 +1 @@
+import './aliyun-dns-provider';
@@ -0,0 +1,3 @@
+export * from './access/index';
+export * from './dns-provider/index';
+export * from './plugin/index';
@@ -0,0 +1,258 @@
+import {
+  AbstractTaskPlugin,
+  IAccessService,
+  ILogger,
+  IsTaskPlugin,
+  RunStrategy,
+  TaskInput,
+  utils,
+} from '@certd/pipeline';
+// @ts-ignore
+import { ROAClient } from '@alicloud/pop-core';
+import { AliyunAccess } from '../../access';
+import { K8sClient } from '@certd/plugin-util';
+import { appendTimeSuffix } from '../../utils';
+import { CertInfo } from '@certd/plugin-cert';
+
+@IsTaskPlugin({
+  name: 'DeployCertToAliyunAckIngress',
+  title: '部署到阿里云AckIngress',
+  input: {},
+  output: {},
+  default: {
+    strategy: {
+      runStrategy: RunStrategy.SkipWhenSucceed,
+    },
+  },
+})
+export class DeployCertToAliyunAckIngressPlugin extends AbstractTaskPlugin {
+  @TaskInput({
+    title: '集群id',
+    component: {
+      placeholder: '集群id',
+    },
+  })
+  clusterId!: string;
+
+  @TaskInput({
+    title: '保密字典Id',
+    component: {
+      placeholder: '保密字典Id',
+    },
+    required: true,
+  })
+  secretName!: string | string[];
+
+  @TaskInput({
+    title: '大区',
+    value: 'cn-shanghai',
+    component: {
+      placeholder: '集群所属大区',
+    },
+    required: true,
+  })
+  regionId!: string;
+
+  @TaskInput({
+    title: '命名空间',
+    value: 'default',
+    component: {
+      placeholder: '命名空间',
+    },
+    required: true,
+  })
+  namespace!: string;
+  @TaskInput({
+    title: 'ingress名称',
+    value: '',
+    component: {
+      placeholder: 'ingress名称',
+    },
+    required: true,
+    helper: '可以传入一个数组',
+  })
+  ingressName!: string;
+  @TaskInput({
+    title: 'ingress类型',
+    value: 'nginx',
+    component: {
+      placeholder: '暂时只支持nginx类型',
+    },
+    required: true,
+  })
+  ingressClass!: string;
+  @TaskInput({
+    title: '是否私网ip',
+    value: false,
+    component: {
+      placeholder: '集群连接端点是否是私网ip',
+    },
+    helper: '如果您当前certd运行在同一个私网下，可以选择是。',
+    required: true,
+  })
+  isPrivateIpAddress!: boolean;
+  @TaskInput({
+    title: '域名证书',
+    helper: '请选择前置任务输出的域名证书',
+    component: {
+      name: 'pi-output-selector',
+    },
+    required: true,
+  })
+  cert!: CertInfo;
+  @TaskInput({
+    title: 'Access授权',
+    helper: '阿里云授权AccessKeyId、AccessKeySecret',
+    component: {
+      name: 'pi-access-selector',
+      type: 'aliyun',
+    },
+    required: true,
+  })
+  accessId!: string;
+
+  accessService!: IAccessService;
+  logger!: ILogger;
+
+  async onInstance(): Promise<void> {
+    this.accessService = this.ctx.accessService;
+    this.logger = this.ctx.logger;
+  }
+  async execute(): Promise<void> {
+    console.log('开始部署证书到阿里云cdn');
+    const { regionId, ingressClass, clusterId, isPrivateIpAddress, cert } =
+      this;
+    const access = (await this.accessService.getById(
+      this.accessId
+    )) as AliyunAccess;
+    const client = this.getClient(access, regionId);
+    const kubeConfigStr = await this.getKubeConfig(
+      client,
+      clusterId,
+      isPrivateIpAddress
+    );
+
+    this.logger.info('kubeconfig已成功获取');
+    const k8sClient = new K8sClient(kubeConfigStr);
+    const ingressType = ingressClass || 'qcloud';
+    if (ingressType === 'qcloud') {
+      throw new Error('暂未实现');
+      // await this.patchQcloudCertSecret({ k8sClient, props, context })
+    } else {
+      await this.patchNginxCertSecret({ cert, k8sClient });
+    }
+
+    await utils.sleep(3000); // 停留2秒，等待secret部署完成
+    // await this.restartIngress({ k8sClient, props })
+  }
+
+  async restartIngress(options: { k8sClient: any }) {
+    const { k8sClient } = options;
+    const { namespace } = this;
+
+    const body = {
+      metadata: {
+        labels: {
+          certd: appendTimeSuffix('certd'),
+        },
+      },
+    };
+    const ingressList = await k8sClient.getIngressList({ namespace });
+    console.log('ingressList:', ingressList);
+    if (!ingressList || !ingressList.body || !ingressList.body.items) {
+      return;
+    }
+    const ingressNames = ingressList.body.items
+      .filter((item: any) => {
+        if (!item.spec.tls) {
+          return false;
+        }
+        for (const tls of item.spec.tls) {
+          if (tls.secretName === this.secretName) {
+            return true;
+          }
+        }
+        return false;
+      })
+      .map((item: any) => {
+        return item.metadata.name;
+      });
+    for (const ingress of ingressNames) {
+      await k8sClient.patchIngress({ namespace, ingressName: ingress, body });
+      this.logger.info(`ingress已重启:${ingress}`);
+    }
+  }
+
+  async patchNginxCertSecret(options: { cert: any; k8sClient: any }) {
+    const { cert, k8sClient } = options;
+    const crt = cert.crt;
+    const key = cert.key;
+    const crtBase64 = Buffer.from(crt).toString('base64');
+    const keyBase64 = Buffer.from(key).toString('base64');
+
+    const { namespace, secretName } = this;
+
+    const body = {
+      data: {
+        'tls.crt': crtBase64,
+        'tls.key': keyBase64,
+      },
+      metadata: {
+        labels: {
+          certd: appendTimeSuffix('certd'),
+        },
+      },
+    };
+    let secretNames: any = secretName;
+    if (typeof secretName === 'string') {
+      secretNames = [secretName];
+    }
+    for (const secret of secretNames) {
+      await k8sClient.patchSecret({ namespace, secretName: secret, body });
+      this.logger.info(`CertSecret已更新:${secret}`);
+    }
+  }
+
+  getClient(aliyunProvider: any, regionId: string) {
+    return new ROAClient({
+      accessKeyId: aliyunProvider.accessKeyId,
+      accessKeySecret: aliyunProvider.accessKeySecret,
+      endpoint: `https://cs.${regionId}.aliyuncs.com`,
+      apiVersion: '2015-12-15',
+    });
+  }
+
+  async getKubeConfig(
+    client: any,
+    clusterId: string,
+    isPrivateIpAddress = false
+  ) {
+    const httpMethod = 'GET';
+    const uriPath = `/k8s/${clusterId}/user_config`;
+    const queries = {
+      PrivateIpAddress: isPrivateIpAddress,
+    };
+    const body = '{}';
+    const headers = {
+      'Content-Type': 'application/json',
+    };
+    const requestOption = {};
+
+    try {
+      const res = await client.request(
+        httpMethod,
+        uriPath,
+        queries,
+        body,
+        headers,
+        requestOption
+      );
+      return res.config;
+    } catch (e) {
+      console.error('请求出错：', e);
+      throw e;
+    }
+  }
+}
+
+new DeployCertToAliyunAckIngressPlugin();
@@ -0,0 +1,120 @@
+import {
+  AbstractTaskPlugin,
+  IAccessService,
+  ILogger,
+  IsTaskPlugin,
+  RunStrategy,
+  TaskInput,
+} from '@certd/pipeline';
+import dayjs from 'dayjs';
+import Core from '@alicloud/pop-core';
+import RPCClient from '@alicloud/pop-core';
+import { AliyunAccess } from '../../access';
+
+@IsTaskPlugin({
+  name: 'DeployCertToAliyunCDN',
+  title: '部署证书至阿里云CDN',
+  desc: '依赖证书申请前置任务，自动部署域名证书至阿里云CDN',
+  default: {
+    strategy: {
+      runStrategy: RunStrategy.SkipWhenSucceed,
+    },
+  },
+})
+export class DeployCertToAliyunCDN extends AbstractTaskPlugin {
+  @TaskInput({
+    title: 'CDN加速域名',
+    helper: '你在阿里云上配置的CDN加速域名，比如:certd.docmirror.cn',
+    required: true,
+  })
+  domainName!: string;
+
+  @TaskInput({
+    title: '证书名称',
+    helper: '上传后将以此名称作为前缀备注',
+  })
+  certName!: string;
+
+  @TaskInput({
+    title: '域名证书',
+    helper: '请选择前置任务输出的域名证书',
+    component: {
+      name: 'pi-output-selector',
+    },
+    required: true,
+  })
+  cert!: string;
+
+  @TaskInput({
+    title: 'Access授权',
+    helper: '阿里云授权AccessKeyId、AccessKeySecret',
+    component: {
+      name: 'pi-access-selector',
+      type: 'aliyun',
+    },
+    required: true,
+  })
+  accessId!: string;
+
+  accessService!: IAccessService;
+  logger!: ILogger;
+
+  async onInstance() {
+    this.accessService = this.ctx.accessService;
+    this.logger = this.ctx.logger;
+  }
+  async execute(): Promise<void> {
+    console.log('开始部署证书到阿里云cdn');
+    const access = (await this.accessService.getById(
+      this.accessId
+    )) as AliyunAccess;
+    const client = this.getClient(access);
+    const params = await this.buildParams();
+    await this.doRequest(client, params);
+    console.log('部署完成');
+  }
+
+  getClient(access: AliyunAccess) {
+    return new Core({
+      accessKeyId: access.accessKeyId,
+      accessKeySecret: access.accessKeySecret,
+      endpoint: 'https://cdn.aliyuncs.com',
+      apiVersion: '2018-05-10',
+    });
+  }
+
+  async buildParams() {
+    const CertName =
+      (this.certName ?? 'certd') + '-' + dayjs().format('YYYYMMDDHHmmss');
+    const cert: any = this.cert;
+    return {
+      RegionId: 'cn-hangzhou',
+      DomainName: this.domainName,
+      ServerCertificateStatus: 'on',
+      CertName: CertName,
+      CertType: 'upload',
+      ServerCertificate: cert.crt,
+      PrivateKey: cert.key,
+    };
+  }
+
+  async doRequest(client: RPCClient, params: any) {
+    const requestOption = {
+      method: 'POST',
+    };
+    const ret: any = await client.request(
+      'SetDomainServerCertificate',
+      params,
+      requestOption
+    );
+    this.checkRet(ret);
+    this.logger.info('设置cdn证书成功:', ret.RequestId);
+  }
+
+  checkRet(ret: any) {
+    if (ret.code != null) {
+      throw new Error('执行失败：' + ret.Message);
+    }
+  }
+}
+new DeployCertToAliyunCDN();
@@ -0,0 +1,3 @@
+export * from './deploy-to-cdn/index';
+export * from './deploy-to-ack-ingress/index';
+export * from './upload-to-aliyun/index';
@@ -0,0 +1,117 @@
+import {
+  AbstractTaskPlugin,
+  IAccessService,
+  IsTaskPlugin,
+  RunStrategy,
+  TaskInput,
+  TaskOutput,
+} from '@certd/pipeline';
+import Core from '@alicloud/pop-core';
+import { AliyunAccess } from '../../access';
+import { appendTimeSuffix, checkRet, ZoneOptions } from '../../utils';
+import { Logger } from 'log4js';
+
+@IsTaskPlugin({
+  name: 'uploadCertToAliyun',
+  title: '上传证书到阿里云',
+  desc: '',
+  default: {
+    strategy: {
+      runStrategy: RunStrategy.SkipWhenSucceed,
+    },
+  },
+})
+export class UploadCertToAliyun extends AbstractTaskPlugin {
+  @TaskInput({
+    title: '证书名称',
+    helper: '证书上传后将以此参数作为名称前缀',
+  })
+  name!: string;
+
+  @TaskInput({
+    title: '大区',
+    value: 'cn-hangzhou',
+    component: {
+      name: 'a-select',
+      vModel: 'value',
+      options: ZoneOptions,
+    },
+    required: true,
+  })
+  regionId!: string;
+
+  @TaskInput({
+    title: '域名证书',
+    helper: '请选择前置任务输出的域名证书',
+    component: {
+      name: 'pi-output-selector',
+    },
+    required: true,
+  })
+  cert!: any;
+
+  @TaskInput({
+    title: 'Access授权',
+    helper: '阿里云授权AccessKeyId、AccessKeySecret',
+    component: {
+      name: 'pi-access-selector',
+      type: 'aliyun',
+    },
+    required: true,
+  })
+  accessId!: string;
+
+  @TaskOutput({
+    title: '上传成功后的阿里云CertId',
+  })
+  aliyunCertId!: string;
+
+  accessService!: IAccessService;
+  logger!: Logger;
+
+  async onInstance() {
+    this.accessService = this.ctx.accessService;
+    this.logger = this.ctx.logger;
+  }
+
+  async execute(): Promise<void> {
+    console.log('开始部署证书到阿里云cdn');
+    const access = (await this.accessService.getById(
+      this.accessId
+    )) as AliyunAccess;
+    const client = this.getClient(access);
+    const certName = appendTimeSuffix(this.name);
+    const params = {
+      RegionId: this.regionId || 'cn-hangzhou',
+      Name: certName,
+      Cert: this.cert.crt,
+      Key: this.cert.key,
+    };
+
+    const requestOption = {
+      method: 'POST',
+    };
+
+    const ret = (await client.request(
+      'CreateUserCertificate',
+      params,
+      requestOption
+    )) as any;
+    checkRet(ret);
+    this.logger.info('证书上传成功：aliyunCertId=', ret.CertId);
+
+    //output
+    this.aliyunCertId = ret.CertId;
+  }
+
+  getClient(aliyunProvider: AliyunAccess) {
+    return new Core({
+      accessKeyId: aliyunProvider.accessKeyId,
+      accessKeySecret: aliyunProvider.accessKeySecret,
+      endpoint: 'https://cas.aliyuncs.com',
+      apiVersion: '2018-07-13',
+    });
+  }
+}
+//注册插件
+new UploadCertToAliyun();
@@ -0,0 +1,15 @@
+import dayjs from 'dayjs';
+
+export const ZoneOptions = [{ value: 'cn-hangzhou' }];
+export function appendTimeSuffix(name: string) {
+  if (name == null) {
+    name = 'certd';
+  }
+  return name + '-' + dayjs().format('YYYYMMDD-HHmmss');
+}
+
+export function checkRet(ret: any) {
+  if (ret.code != null) {
+    throw new Error('执行失败：' + ret.Message);
+  }
+}