refactor: plugins

packages/plugins/plugin-aliyun/src/plugin/deploy-to-ack-ingress/index.ts

@@ -0,0 +1,213 @@
+import { AbstractPlugin, IsTask, RunStrategy, TaskInput, TaskOutput, TaskPlugin, utils } from "@certd/pipeline";
+import Core from "@alicloud/pop-core";
+import { AliyunAccess } from "../../access";
+import { K8sClient } from "@certd/plugin-util";
+import { appendTimeSuffix } from "../../utils";
+
+const ROAClient = Core.ROAClient;
+@IsTask(() => {
+  return {
+    name: "DeployCertToAliyunAckIngress",
+    title: "部署到阿里云AckIngress",
+    input: {
+      clusterId: {
+        title: "集群id",
+        component: {
+          placeholder: "集群id",
+        },
+      },
+      secretName: {
+        title: "保密字典Id",
+        component: {
+          placeholder: "保密字典Id",
+        },
+        required: true,
+      },
+      regionId: {
+        title: "大区",
+        value: "cn-shanghai",
+        component: {
+          placeholder: "集群所属大区",
+        },
+        required: true,
+      },
+      namespace: {
+        title: "命名空间",
+        value: "default",
+        component: {
+          placeholder: "命名空间",
+        },
+        required: true,
+      },
+      ingressName: {
+        title: "ingress名称",
+        value: "",
+        component: {
+          placeholder: "ingress名称",
+        },
+        required: true,
+        helper: "可以传入一个数组",
+      },
+      ingressClass: {
+        title: "ingress类型",
+        value: "nginx",
+        component: {
+          placeholder: "暂时只支持nginx类型",
+        },
+        required: true,
+      },
+      isPrivateIpAddress: {
+        title: "是否私网ip",
+        value: false,
+        component: {
+          placeholder: "集群连接端点是否是私网ip",
+        },
+        helper: "如果您当前certd运行在同一个私网下，可以选择是。",
+        required: true,
+      },
+      cert: {
+        title: "域名证书",
+        helper: "请选择前置任务输出的域名证书",
+        component: {
+          name: "pi-output-selector",
+        },
+        required: true,
+      },
+      accessId: {
+        title: "Access授权",
+        helper: "阿里云授权AccessKeyId、AccessKeySecret",
+        component: {
+          name: "pi-access-selector",
+          type: "aliyun",
+        },
+        required: true,
+      },
+    },
+    output: {},
+    default: {
+      strategy: {
+        runStrategy: RunStrategy.SkipWhenSucceed,
+      },
+    },
+  };
+})
+export class DeployCertToAliyunAckIngressPlugin extends AbstractPlugin implements TaskPlugin {
+  async execute(input: TaskInput): Promise<TaskOutput> {
+    console.log("开始部署证书到阿里云cdn");
+    const { regionId, ingressClass, clusterId, isPrivateIpAddress, cert } = input;
+    const access = (await this.accessService.getById(input.accessId)) as AliyunAccess;
+    const client = this.getClient(access, regionId);
+    const kubeConfigStr = await this.getKubeConfig(client, clusterId, isPrivateIpAddress);
+
+    this.logger.info("kubeconfig已成功获取");
+    const k8sClient = new K8sClient(kubeConfigStr);
+    const ingressType = ingressClass || "qcloud";
+    if (ingressType === "qcloud") {
+      throw new Error("暂未实现");
+      // await this.patchQcloudCertSecret({ k8sClient, props, context })
+    } else {
+      await this.patchNginxCertSecret({ cert, k8sClient, input });
+    }
+
+    await utils.sleep(3000); // 停留2秒，等待secret部署完成
+    // await this.restartIngress({ k8sClient, props })
+    return {};
+  }
+
+  async restartIngress(options: { k8sClient: any; input: TaskInput }) {
+    const { k8sClient, input } = options;
+    const { namespace } = input;
+
+    const body = {
+      metadata: {
+        labels: {
+          certd: appendTimeSuffix("certd"),
+        },
+      },
+    };
+    const ingressList = await k8sClient.getIngressList({ namespace });
+    console.log("ingressList:", ingressList);
+    if (!ingressList || !ingressList.body || !ingressList.body.items) {
+      return;
+    }
+    const ingressNames = ingressList.body.items
+      .filter((item: any) => {
+        if (!item.spec.tls) {
+          return false;
+        }
+        for (const tls of item.spec.tls) {
+          if (tls.secretName === input.secretName) {
+            return true;
+          }
+        }
+        return false;
+      })
+      .map((item: any) => {
+        return item.metadata.name;
+      });
+    for (const ingress of ingressNames) {
+      await k8sClient.patchIngress({ namespace, ingressName: ingress, body });
+      this.logger.info(`ingress已重启:${ingress}`);
+    }
+  }
+
+  async patchNginxCertSecret(options: { cert: any; k8sClient: any; input: TaskInput }) {
+    const { cert, k8sClient, input } = options;
+    const crt = cert.crt;
+    const key = cert.key;
+    const crtBase64 = Buffer.from(crt).toString("base64");
+    const keyBase64 = Buffer.from(key).toString("base64");
+
+    const { namespace, secretName } = input;
+
+    const body = {
+      data: {
+        "tls.crt": crtBase64,
+        "tls.key": keyBase64,
+      },
+      metadata: {
+        labels: {
+          certd: appendTimeSuffix("certd"),
+        },
+      },
+    };
+    let secretNames = secretName;
+    if (typeof secretName === "string") {
+      secretNames = [secretName];
+    }
+    for (const secret of secretNames) {
+      await k8sClient.patchSecret({ namespace, secretName: secret, body });
+      this.logger.info(`CertSecret已更新:${secret}`);
+    }
+  }
+
+  getClient(aliyunProvider: any, regionId: string) {
+    return new ROAClient({
+      accessKeyId: aliyunProvider.accessKeyId,
+      accessKeySecret: aliyunProvider.accessKeySecret,
+      endpoint: `https://cs.${regionId}.aliyuncs.com`,
+      apiVersion: "2015-12-15",
+    });
+  }
+
+  async getKubeConfig(client: any, clusterId: string, isPrivateIpAddress = false) {
+    const httpMethod = "GET";
+    const uriPath = `/k8s/${clusterId}/user_config`;
+    const queries = {
+      PrivateIpAddress: isPrivateIpAddress,
+    };
+    const body = "{}";
+    const headers = {
+      "Content-Type": "application/json",
+    };
+    const requestOption = {};
+
+    try {
+      const res = await client.request(httpMethod, uriPath, queries, body, headers, requestOption);
+      return res.config;
+    } catch (e) {
+      console.error("请求出错：", e);
+      throw e;
+    }
+  }
+}

packages/plugins/plugin-aliyun/src/plugin/index.ts

@@ -1 +1,3 @@
 export * from "./deploy-to-cdn";
+export * from "./deploy-to-ack-ingress";
+export * from "./upload-to-aliyun";

packages/plugins/plugin-aliyun/src/plugin/upload-to-aliyun/index.ts

@@ -0,0 +1,90 @@
+import { AbstractPlugin, IsTask, RunStrategy, TaskInput, TaskOutput, TaskPlugin } from "@certd/pipeline";
+import dayjs from "dayjs";
+import Core from "@alicloud/pop-core";
+import RPCClient from "@alicloud/pop-core";
+import { AliyunAccess } from "../../access";
+import { appendTimeSuffix, checkRet, ZoneOptions } from "../../utils";
+
+@IsTask(() => {
+  return {
+    name: "uploadCertToAliyun",
+    title: "上传证书到阿里云",
+    desc: "",
+    input: {
+      name: {
+        title: "证书名称",
+        helper: "证书上传后将以此参数作为名称前缀",
+      },
+      regionId: {
+        title: "大区",
+        value: "cn-hangzhou",
+        component: {
+          name: "a-select",
+          vModel: "value",
+          options: ZoneOptions,
+        },
+        required: true,
+      },
+      cert: {
+        title: "域名证书",
+        helper: "请选择前置任务输出的域名证书",
+        component: {
+          name: "pi-output-selector",
+        },
+        required: true,
+      },
+      accessId: {
+        title: "Access授权",
+        helper: "阿里云授权AccessKeyId、AccessKeySecret",
+        component: {
+          name: "pi-access-selector",
+          type: "aliyun",
+        },
+        required: true,
+      },
+    },
+    output: {
+      aliyunCertId: {
+        title: "上传成功后的阿里云CertId",
+      },
+    },
+    default: {
+      strategy: {
+        runStrategy: RunStrategy.SkipWhenSucceed,
+      },
+    },
+  };
+})
+export class UploadCertToAliyun extends AbstractPlugin implements TaskPlugin {
+  async execute(input: TaskInput): Promise<TaskOutput> {
+    console.log("开始部署证书到阿里云cdn");
+    const access = (await this.accessService.getById(input.accessId)) as AliyunAccess;
+    const client = this.getClient(access);
+    const { name, cert } = input;
+    const certName = appendTimeSuffix(name);
+    const params = {
+      RegionId: input.regionId || "cn-hangzhou",
+      Name: certName,
+      Cert: cert.crt,
+      Key: cert.key,
+    };
+
+    const requestOption = {
+      method: "POST",
+    };
+
+    const ret = (await client.request("CreateUserCertificate", params, requestOption)) as any;
+    checkRet(ret);
+    this.logger.info("证书上传成功：aliyunCertId=", ret.CertId);
+    return { aliyunCertId: ret.CertId };
+  }
+
+  getClient(aliyunProvider: AliyunAccess) {
+    return new Core({
+      accessKeyId: aliyunProvider.accessKeyId,
+      accessKeySecret: aliyunProvider.accessKeySecret,
+      endpoint: "https://cas.aliyuncs.com",
+      apiVersion: "2018-07-13",
+    });
+  }
+}