Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add provider for DNS-01 ACME challenge #1668

Merged
merged 7 commits into from
Feb 28, 2025
Merged

Add provider for DNS-01 ACME challenge #1668

merged 7 commits into from
Feb 28, 2025

Conversation

accuser
Copy link
Contributor

@accuser accuser commented Feb 20, 2025
edited by stgraber
Loading

Preliminary PR for addition of DNS-01 challenge provider.

Example configuration:

config:
  acme.agree_tos: true
  acme.domain: foo.example.net
  acme.email: [email protected]
  acme.challenge: DNS-01
  acme.provider: cloudflare
  acme.provider.environment: |-
    [email protected]
    CLOUDFLARE_API_KEY=XYZ

Closes #1364

@accuser accuser requested a review from stgraber as a code owner February 20, 2025 08:16
@accuser accuser marked this pull request as draft February 20, 2025 08:16
@accuser accuser mentioned this pull request Feb 20, 2025
Closed
@belthesar
Copy link

This looks pretty good! Thank you for doing this! I do have some feedback:

Per @stgraber's feedback here: #1364 (comment) , we should probably consider nestling config in keys specific to the challenge. My intention was to pattern this off of Traefik's config, an example found here: https://doc.traefik.io/traefik/https/acme/#configuration-examples
Given what you've done, I'd probably create a map something like:

acme:
  agree_tos: true
  challenge: "DNS-01"
  dnsChallenge:
    provider: "ProviderName"
    config: |-
      ENVVAR_ONE="value"
      ENVVAR_TWO="value"
    resolvers: "1.1.1.1,1.0.0.1"

This would set up a solid pattern if additional configuration options for challenges become available as well.

@accuser
Copy link
Contributor Author

accuser commented Feb 21, 2025
edited
Loading

I think you're right, but I'd probably fall towards:

config:
  acme.challenge: DNS-01
  acme.dns.provider: cloudflare
  acme.dns.resolvers: "1.1.1.1,1.0.0.1"
  acme.dns.env: |-
      [email protected]
      CLOUDFLARE_API_KEY=XYZ

I'm favouring env for the environment variables, rather than config.

@accuser accuser changed the title Add provider for dns 01 challenge Add provider for DNS-01 ACME challenge Feb 24, 2025
@stgraber
Copy link
Member

Going to take a quick look at this one, for one thing, do a rebase and tweak the commit list :)

@stgraber stgraber force-pushed the add-provider-for-dns-01-challenge branch from 46ea52c to 228473d Compare February 27, 2025 22:50
@github-actions github-actions bot added Documentation Documentation needs updating API Changes to the REST API labels Feb 27, 2025
@stgraber stgraber marked this pull request as ready for review February 27, 2025 22:53
@stgraber stgraber force-pushed the add-provider-for-dns-01-challenge branch 2 times, most recently from 00fa4e4 to 1a4dd43 Compare February 27, 2025 23:05
@stgraber
Copy link
Member

Waiting for #1679 to merge, then this one can get rebased and will be good to merge.
I've just tested it here with a couple of DNS providers and it seems to be working as expected.

stgraber and others added 7 commits February 27, 2025 18:46
@stgraber
gomod: Update dependencies
5719547 
Signed-off-by: Stéphane Graber <[email protected]>
@stgraber
api: acme_dns01
c4ea6d9 
Signed-off-by: Stéphane Graber <[email protected]>
@accuser @stgraber
incusd/cluster/config: Add extra ACME config keys
634f525 
Signed-off-by: Matthew Gibbons <[email protected]>
@accuser @stgraber
incusd/acme: Add DNS-01 support
a12666e 
Signed-off-by: Matthew Gibbons <[email protected]>
@accuser @stgraber
gomod: Update dependencies
1f62701 
Signed-off-by: Matthew Gibbons <[email protected]>
@stgraber
doc: Add resolvers to wordlist
59c1dba 
Signed-off-by: Stéphane Graber <[email protected]>
@stgraber
doc: Update configs
2db43a8 
Signed-off-by: Stéphane Graber <[email protected]>
@stgraber stgraber force-pushed the add-provider-for-dns-01-challenge branch from 1a4dd43 to 2db43a8 Compare February 27, 2025 23:47
@stgraber stgraber enabled auto-merge February 27, 2025 23:47
@stgraber stgraber merged commit 1a28153 into lxc:main Feb 28, 2025
36 checks passed
@accuser accuser deleted the add-provider-for-dns-01-challenge branch February 28, 2025 06:12
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Mar 2, 2025
@tmeijn
build(deps): update lxc/incus to v6.10.0
f990cc6 
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [lxc/incus](https://github.com/lxc/incus) | minor | `v6.9.0` -> `v6.10.0` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>lxc/incus (lxc/incus)</summary>

### [`v6.10.0`](https://github.com/lxc/incus/releases/tag/v6.10.0): Incus 6.10

[Compare Source](lxc/incus@v6.9.0...v6.10.0)

#### What's Changed

-   incusd/instance/drivers/qmp: Handle missing log directory by [@&#8203;stgraber](https://github.com/stgraber) in lxc/incus#1604
-   incus-user: keep track of socket path used to connect to the server by [@&#8203;bboozzoo](https://github.com/bboozzoo) in lxc/incus#1607
-   incus-user: unify logging, support --verbose and --debug by [@&#8203;bboozzoo](https://github.com/bboozzoo) in lxc/incus#1606
-   Add project support to profiles in preseed init by [@&#8203;megheaiulian](https://github.com/megheaiulian) in lxc/incus#1608
-   incusd/network/ovn: Fix bad route check by [@&#8203;stgraber](https://github.com/stgraber) in lxc/incus#1616
-   incus/file/pull: Ensure we have a leading / in all paths by [@&#8203;stgraber](https://github.com/stgraber) in lxc/incus#1617
-   incus/file/pull: Read files in chunks by [@&#8203;stgraber](https://github.com/stgraber) in lxc/incus#1623
-   doc/installing: mention incus group on NixOS by [@&#8203;dawidd6](https://github.com/dawidd6) in lxc/incus#1622
-   incus/file/pull: Actually make read buffer 1MiB by [@&#8203;stgraber](https://github.com/stgraber) in lxc/incus#1624
-   Translations update from Hosted Weblate by [@&#8203;weblate](https://github.com/weblate) in lxc/incus#1639
-   incusd/device/disk: Allow virtiofsd on non-x86 by [@&#8203;stgraber](https://github.com/stgraber) in lxc/incus#1638
-   Translations update from Hosted Weblate by [@&#8203;weblate](https://github.com/weblate) in lxc/incus#1640
-   Translations update from Hosted Weblate by [@&#8203;weblate](https://github.com/weblate) in lxc/incus#1642
-   incusd/instance/drivers/qemu: Add IOMMU device by [@&#8203;stgraber](https://github.com/stgraber) in lxc/incus#1644
-   incus/file: Remove unused function by [@&#8203;stgraber](https://github.com/stgraber) in lxc/incus#1645
-   Translations update from Hosted Weblate by [@&#8203;weblate](https://github.com/weblate) in lxc/incus#1646
-   incus/network/info (ovn): Fix object not found. by [@&#8203;rxtom](https://github.com/rxtom) in lxc/incus#1628
-   incusd/instance/drivers: Improve NUMA balancing by [@&#8203;lnutimura](https://github.com/lnutimura) in lxc/incus#1626
-   incusd/network/bridge: Fix deletion of tunnels and dummy devices by [@&#8203;montag451](https://github.com/montag451) in lxc/incus#1627
-   incus/file: Move from path to filepath by [@&#8203;stgraber](https://github.com/stgraber) in lxc/incus#1647
-   Added LZ4 support for incus import by [@&#8203;Spitfireap](https://github.com/Spitfireap) in lxc/incus#1611
-   Add `vrf` parameter for routed-nic devices by [@&#8203;ibot3](https://github.com/ibot3) in lxc/incus#1615
-   Translations update from Hosted Weblate by [@&#8203;weblate](https://github.com/weblate) in lxc/incus#1648
-   Translations update from Hosted Weblate by [@&#8203;weblate](https://github.com/weblate) in lxc/incus#1651
-   Move generators to the cmd package by [@&#8203;stgraber](https://github.com/stgraber) in lxc/incus#1652
-   Fix incorrect volume group naming when `vg_name` is not specified by [@&#8203;presztak](https://github.com/presztak) in lxc/incus#1653
-   Rename incus-generate and incus-doc by [@&#8203;breml](https://github.com/breml) in lxc/incus#1654
-   Implement `smbios11` config keys by [@&#8203;stgraber](https://github.com/stgraber) in lxc/incus#1655
-   Fix instance copy error when using '--refresh' flag by [@&#8203;presztak](https://github.com/presztak) in lxc/incus#1658
-   Fix docs for load balancer create backend by [@&#8203;gwenya](https://github.com/gwenya) in lxc/incus#1661
-   incusd/instance/utils: Only check uid/gid for containers by [@&#8203;stgraber](https://github.com/stgraber) in lxc/incus#1662
-   incusd/main_nsexec: Fix change_namespaces fallback to handle multiple… by [@&#8203;stgraber](https://github.com/stgraber) in lxc/incus#1664
-   Check if disk is remote when migrating with an extra disk by [@&#8203;presztak](https://github.com/presztak) in lxc/incus#1669
-   incusd/instance/edk2: Look for bios.bin in /usr/share/seabios by [@&#8203;stgraber](https://github.com/stgraber) in lxc/incus#1672
-   Replace ast.Package with types.Package by [@&#8203;breml](https://github.com/breml) in lxc/incus#1665
-   list/format: provide more information on error by [@&#8203;rxtom](https://github.com/rxtom) in lxc/incus#1666
-   Add additional validation when joining a new cluster member by [@&#8203;presztak](https://github.com/presztak) in lxc/incus#1680
-   Upgrade flosch/pongo2 to v6 by [@&#8203;nanjj](https://github.com/nanjj) in lxc/incus#1677
-   incusd/resources: Prevent concurrent runs and cache data for 10s by [@&#8203;stgraber](https://github.com/stgraber) in lxc/incus#1681
-   Fix importing from older backups by [@&#8203;stgraber](https://github.com/stgraber) in lxc/incus#1683
-   fix: Don't attempt to download signatures for oci by [@&#8203;m2Giles](https://github.com/m2Giles) in lxc/incus#1685
-   Ensure directories have 755 permissions in `incus file push -p` command by [@&#8203;presztak](https://github.com/presztak) in lxc/incus#1687
-   devcontainer: Update Go to 1.23 by [@&#8203;breml](https://github.com/breml) in lxc/incus#1689
-   Make "Code generated" comments for generate-database Go conformant by [@&#8203;breml](https://github.com/breml) in lxc/incus#1690
-   Disclaimer internal tool for generate-database and generate-config by [@&#8203;breml](https://github.com/breml) in lxc/incus#1694
-   Truncate the block file during custom volume migration by [@&#8203;presztak](https://github.com/presztak) in lxc/incus#1696
-   Rework virtiofsd uid/gid map handling by [@&#8203;stgraber](https://github.com/stgraber) in lxc/incus#1692
-   Remove unused arguments and parameters by [@&#8203;presztak](https://github.com/presztak) in lxc/incus#1699
-   generate-database: Use deferred func to map errors & make generated code self-sufficient by [@&#8203;breml](https://github.com/breml) in lxc/incus#1695
-   incus/top: Fix handling of all-projects by [@&#8203;stgraber](https://github.com/stgraber) in lxc/incus#1701
-   Ceph refactor by [@&#8203;MadnessASAP](https://github.com/MadnessASAP) in lxc/incus#1538
-   incus/file: Port remaining functions to SFTP by [@&#8203;HassanAlsamahi](https://github.com/HassanAlsamahi) in lxc/incus#1649
-   Add filtering to all API collections by [@&#8203;gwenya](https://github.com/gwenya) in lxc/incus#1679
-   Add provider for DNS-01 ACME challenge by [@&#8203;accuser](https://github.com/accuser) in lxc/incus#1668

#### New Contributors

-   [@&#8203;bboozzoo](https://github.com/bboozzoo) made their first contribution in lxc/incus#1607
-   [@&#8203;dawidd6](https://github.com/dawidd6) made their first contribution in lxc/incus#1622
-   [@&#8203;rxtom](https://github.com/rxtom) made their first contribution in lxc/incus#1628
-   [@&#8203;lnutimura](https://github.com/lnutimura) made their first contribution in lxc/incus#1626
-   [@&#8203;ibot3](https://github.com/ibot3) made their first contribution in lxc/incus#1615
-   [@&#8203;gwenya](https://github.com/gwenya) made their first contribution in lxc/incus#1661
-   [@&#8203;accuser](https://github.com/accuser) made their first contribution in lxc/incus#1668

**Full Changelog**: lxc/incus@v6.9.0...v6.10.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xODIuMyIsInVwZGF0ZWRJblZlciI6IjM5LjE4Mi4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiXX0=-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stgraber stgraber stgraber approved these changes

Assignees
No one assigned
Labels
API Changes to the REST API Documentation Documentation needs updating
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

ACME - Add support for DNS-01 validation
3 participants
@accuser @belthesar @stgraber