unkeyed · chronark · Sep 12, 2025 · Sep 10, 2025 · Sep 10, 2025 · Sep 10, 2025
@@ -1,6 +1,10 @@
 package ctrl
 
 import (
+	"fmt"
+
+	"github.com/unkeyed/unkey/go/apps/ctrl/services/deployment/backends"
+	"github.com/unkeyed/unkey/go/pkg/assert"
 	"github.com/unkeyed/unkey/go/pkg/clock"
 	"github.com/unkeyed/unkey/go/pkg/tls"
 )
@@ -12,6 +16,22 @@ type S3Config struct {
 	AccessKeySecret string
 }
 
+type CloudflareConfig struct {
+	// Enables DNS-01 challenges using Cloudflare
+	Enabled bool
+
+	// ApiToken is the Cloudflare API token with Zone:Read, DNS:Edit permissions
+	ApiToken string
+}
+
+type AcmeConfig struct {
+	// Enables ACME challenges for TLS certificates
+	Enabled bool
+
+	// Enables DNS-01 challenges using Cloudflare
+	Cloudflare CloudflareConfig
+}
+
 type Config struct {
 	// InstanceID is the unique identifier for this instance of the control plane server
 	InstanceID string
@@ -50,6 +70,8 @@ type Config struct {
 	// MetaldAddress is the full URL of the metald service for VM operations (e.g., "https://metald.example.com:8080")
 	MetaldAddress string
 
+	MetaldBackend string // fallback to either k8's pod or docker, this skips calling metald
+
 	// SPIFFESocketPath is the path to the SPIFFE agent socket for mTLS authentication
 	SPIFFESocketPath string
 
@@ -59,10 +81,24 @@ type Config struct {
 	VaultMasterKeys []string
 	VaultS3         S3Config
 
-	AcmeEnabled bool
+	// --- ACME/Cloudflare Configuration ---
+	Acme AcmeConfig
+
+	DefaultDomain string
 }
 
 func (c Config) Validate() error {
+	// Validate MetaldBackend field
+	if err := backends.ValidateBackendType(c.MetaldBackend); err != nil {
+		return fmt.Errorf("invalid metald backend configuration: %w", err)
+	}
+
+	// Validate Cloudflare configuration if enabled
+	if c.Acme.Enabled && c.Acme.Cloudflare.Enabled {
+		if err := assert.NotEmpty(c.Acme.Cloudflare.ApiToken, "cloudflare API token is required when cloudflare is enabled"); err != nil {
+			return err
+		}
+	}
 
 	return nil
 }
@@ -2,6 +2,7 @@ package ctrl
 
 import (
 	"context"
+	"database/sql"
 	"fmt"
 	"log/slog"
 	"net/http"
@@ -21,6 +22,7 @@ import (
 	"github.com/unkeyed/unkey/go/pkg/otel"
 	"github.com/unkeyed/unkey/go/pkg/otel/logging"
 	"github.com/unkeyed/unkey/go/pkg/shutdown"
+	"github.com/unkeyed/unkey/go/pkg/uid"
 	"github.com/unkeyed/unkey/go/pkg/vault"
 	"github.com/unkeyed/unkey/go/pkg/vault/storage"
 	pkgversion "github.com/unkeyed/unkey/go/pkg/version"
@@ -186,7 +188,14 @@ func Run(ctx context.Context, cfg Config) error {
 	logger.Info("metald client configured", "address", cfg.MetaldAddress, "auth_mode", authMode)
 
 	// Register deployment workflow with Hydra worker
-	deployWorkflow := deployment.NewDeployWorkflow(database, partitionDB, logger, metaldClient)
+	deployWorkflow := deployment.NewDeployWorkflow(deployment.DeployWorkflowConfig{
+		Logger:        logger,
+		DB:            database,
+		PartitionDB:   partitionDB,
+		MetaldBackend: cfg.MetaldBackend,
+		MetalD:        metaldClient,
+		DefaultDomain: cfg.DefaultDomain,
+	})
 	err = hydra.RegisterWorkflow(hydraWorker, deployWorkflow)
 	if err != nil {
 		return fmt.Errorf("unable to register deployment workflow: %w", err)
@@ -257,7 +266,7 @@ func Run(ctx context.Context, cfg Config) error {
 		}
 	}()
 
-	if cfg.AcmeEnabled {
+	if cfg.Acme.Enabled {
 		acmeClient, err := acme.GetOrCreateUser(ctx, acme.UserConfig{
 			DB:          database,
 			Logger:      logger,
@@ -275,10 +284,77 @@ func Run(ctx context.Context, cfg Config) error {
 		})
 		err = acmeClient.Challenge.SetHTTP01Provider(httpProvider)
 		if err != nil {
-			logger.Error("failed to set HTTP-01 provider", "error", err)
 			return fmt.Errorf("failed to set HTTP-01 provider: %w", err)
 		}
 
+		// Set up Cloudflare DNS-01 challenge provider if enabled
+		if cfg.Acme.Cloudflare.Enabled {
+			cloudflareProvider, err := providers.NewCloudflareProvider(providers.CloudflareProviderConfig{
+				DB:            database,
+				Logger:        logger,
+				APIToken:      cfg.Acme.Cloudflare.ApiToken,
+				DefaultDomain: cfg.DefaultDomain,
+			})
+			if err != nil {
+				logger.Error("failed to create Cloudflare DNS provider", "error", err)
+				return fmt.Errorf("failed to create Cloudflare DNS provider: %w", err)
+			}
+
+			err = acmeClient.Challenge.SetDNS01Provider(cloudflareProvider)
+			if err != nil {
+				logger.Error("failed to set DNS-01 provider", "error", err)
+				return fmt.Errorf("failed to set DNS-01 provider: %w", err)
+			}
+
+			logger.Info("Cloudflare DNS-01 challenge provider configured")
+
+			if cfg.DefaultDomain != "" {
+				wildcardDomain := "*." + cfg.DefaultDomain
+
+				// Check if we already have a challenge or certificate for the wildcard domain
+				_, err := db.Query.FindDomainByDomain(ctx, database.RO(), wildcardDomain)
+				if err != nil && !db.IsNotFound(err) {
+					logger.Error("Failed to check existing wildcard domain", "error", err, "domain", wildcardDomain)
+				} else if db.IsNotFound(err) {
+					now := time.Now().UnixMilli()
+					domainID := uid.New("domain")
+
+					// Insert domain record
+					err = db.Query.InsertDomain(ctx, database.RW(), db.InsertDomainParams{
+						ID:          domainID,
+						WorkspaceID: "unkey", // Default workspace for wildcard cert
+						Domain:      wildcardDomain,
+						CreatedAt:   now,
+						UpdatedAt:   sql.NullInt64{Valid: true, Int64: now},
+						Type:        db.DomainsTypeCustom,
+					})
+					if err != nil {
+						logger.Error("Failed to create wildcard domain", "error", err, "domain", wildcardDomain)
+					} else {
+						// Insert challenge record
+						expiresAt := time.Now().Add(90 * 24 * time.Hour).UnixMilli() // 90 days
+
+						err = db.Query.InsertAcmeChallenge(ctx, database.RW(), db.InsertAcmeChallengeParams{
+							WorkspaceID:   "unkey",
+							DomainID:      domainID,
+							Token:         "",
+							Authorization: "",
+							Status:        db.AcmeChallengesStatusWaiting,
+							Type:          db.AcmeChallengesTypeDNS01, // Use DNS-01 for wildcard
+							CreatedAt:     now,
+							UpdatedAt:     sql.NullInt64{Valid: true, Int64: now},
+							ExpiresAt:     expiresAt,
+						})
+						if err != nil {
+							logger.Error("Failed to create wildcard challenge", "error", err, "domain", wildcardDomain)
+						} else {
+							logger.Info("Created wildcard domain and challenge", "domain", wildcardDomain)
+						}
+					}
+				}
+			}
+		}
+
 		// Register deployment workflow with Hydra worker
 		acmeWorkflows := acme.NewCertificateChallenge(acme.CertificateChallengeConfig{
 			DB:          database,
@@ -296,19 +372,28 @@ func Run(ctx context.Context, cfg Config) error {
 		go func() {
 			logger.Info("Starting cert worker")
 
+			// HTTP-01 challenges are always available (we always set up HTTP provider)
+			supportedTypes := []db.AcmeChallengesType{db.AcmeChallengesTypeHTTP01}
+
+			// DNS-01 challenges require Cloudflare to be enabled
+			if cfg.Acme.Cloudflare.Enabled {
+				supportedTypes = append(supportedTypes, db.AcmeChallengesTypeDNS01)
+			}
+
 			registerErr := hydraEngine.RegisterCron("*/5 * * * *", "start-certificate-challenges", func(ctx context.Context, payload hydra.CronPayload) error {
-				challenges, err := db.Query.ListExecutableChallenges(ctx, database.RO())
+				executableChallenges, err := db.Query.ListExecutableChallenges(ctx, database.RO(), supportedTypes)
 				if err != nil {
 					logger.Error("Failed to start workflow", "error", err)
 					return err
 				}
 
-				logger.Info("Starting certificate challenges", "count", len(challenges))
+				logger.Info("Starting certificate challenges",
+					"executable_challenges", len(executableChallenges),
+					"supported_types", supportedTypes)
 
-				for _, challenge := range challenges {
+				for _, challenge := range executableChallenges {
 					executionID, err := hydraEngine.StartWorkflow(ctx, "certificate_challenge",
 						acme.CertificateChallengeRequest{
-							ID:          challenge.ID,
 							WorkspaceID: challenge.WorkspaceID,
 							Domain:      challenge.Domain,
 						},
@@ -333,6 +418,7 @@ func Run(ctx context.Context, cfg Config) error {
 			}
 		}()
 	}
+
 	// Start Hydra worker
 	go func() {
 		logger.Info("Starting Hydra workflow worker")

@@ -51,7 +51,6 @@ func (w *CertificateChallenge) Name() string {
 
 // CertificateChallengeRequest defines the input for the certificate challenge workflow
 type CertificateChallengeRequest struct {
-	ID          uint64 `json:"id"`
 	WorkspaceID string `json:"workspace_id"`
 	Domain      string `json:"domain"`
 }
@@ -64,29 +63,27 @@ type EncryptedCertificate struct {
 
 // Run executes the complete build and deployment workflow
 func (w *CertificateChallenge) Run(ctx hydra.WorkflowContext, req *CertificateChallengeRequest) error {
-	w.logger.Info("starting lets-encrypt challenge", "workspace_id", req.WorkspaceID, "domain", req.Domain)
+	w.logger.Info("starting certificate challenge", "workspace_id", req.WorkspaceID, "domain", req.Domain)
 
-	dom, err := hydra.Step(ctx, "find-domain", func(stepCtx context.Context) (db.Domain, error) {
-		return db.Query.FindDomainByDomain(ctx.Context(), w.db.RO(), req.Domain)
+	dom, err := hydra.Step(ctx, "resolve-domain", func(stepCtx context.Context) (db.Domain, error) {
+		return db.Query.FindDomainByDomain(stepCtx, w.db.RO(), req.Domain)
 	})
 	if err != nil {
-		w.logger.Error("failed to find domain", "error", err)
 		return err
 	}
 
-	err = hydra.StepVoid(ctx, "claim-challenge", func(stepCtx context.Context) error {
+	err = hydra.StepVoid(ctx, "acquire-challenge", func(stepCtx context.Context) error {
 		return db.Query.UpdateAcmeChallengeTryClaiming(stepCtx, w.db.RW(), db.UpdateAcmeChallengeTryClaimingParams{
 			DomainID:  dom.ID,
 			Status:    db.AcmeChallengesStatusPending,
 			UpdatedAt: sql.NullInt64{Int64: time.Now().UnixMilli(), Valid: true},
 		})
 	})
 	if err != nil {
-		w.logger.Error("failed to claim challenge", "error", err)
 		return err
 	}
 
-	cert, err := hydra.Step(ctx, "get-and-encrypt-cert", func(stepCtx context.Context) (EncryptedCertificate, error) {
+	cert, err := hydra.Step(ctx, "obtain-certificate", func(stepCtx context.Context) (EncryptedCertificate, error) {
 		// A certificate request can be either
 		// A: We have a new domain WITHOUT a certificate
 		// B: We have to renew a existing certificate
@@ -97,7 +94,6 @@ func (w *CertificateChallenge) Run(ctx hydra.WorkflowContext, req *CertificateCh
 				Status:    db.AcmeChallengesStatusFailed,
 				UpdatedAt: sql.NullInt64{Valid: true, Int64: time.Now().UnixMilli()},
 			})
-			w.logger.Error("failed to obtain certificate", "error", err)
 			return EncryptedCertificate{}, err
 		}
 
@@ -129,7 +125,6 @@ func (w *CertificateChallenge) Run(ctx hydra.WorkflowContext, req *CertificateCh
 			})
 		}
 		if err != nil {
-			w.logger.Error("failed to renew/issue certificate", "error", err)
 			return EncryptedCertificate{}, err
 		}
 
@@ -153,11 +148,10 @@ func (w *CertificateChallenge) Run(ctx hydra.WorkflowContext, req *CertificateCh
 		}, nil
 	})
 	if err != nil {
-		w.logger.Error("failed to get and store certs in vault", "error", err)
 		return err
 	}
 
-	err = hydra.StepVoid(ctx, "store-cert", func(stepCtx context.Context) error {
+	err = hydra.StepVoid(ctx, "persist-certificate", func(stepCtx context.Context) error {
 		now := time.Now().UnixMilli()
 		return pdb.Query.InsertCertificate(stepCtx, w.partitionDB.RW(), pdb.InsertCertificateParams{
 			WorkspaceID:         dom.WorkspaceID,
@@ -169,19 +163,18 @@ func (w *CertificateChallenge) Run(ctx hydra.WorkflowContext, req *CertificateCh
 		})
 	})
 	if err != nil {
-		w.logger.Error("failed to store cert in vault", "error", err)
 		return err
 	}
 
-	err = hydra.StepVoid(ctx, "set-expires-at", func(stepCtx context.Context) error {
-		return db.Query.UpdateAcmeChallengeExpiresAt(stepCtx, w.db.RW(), db.UpdateAcmeChallengeExpiresAtParams{
+	err = hydra.StepVoid(ctx, "complete-challenge", func(stepCtx context.Context) error {
+		return db.Query.UpdateAcmeChallengeVerifiedWithExpiry(stepCtx, w.db.RW(), db.UpdateAcmeChallengeVerifiedWithExpiryParams{
+			Status:    db.AcmeChallengesStatusVerified,
 			ExpiresAt: cert.ExpiresAt,
-			ID:        0, //        "TODO: I need the challenge id"
-
+			UpdatedAt: sql.NullInt64{Valid: true, Int64: time.Now().UnixMilli()},
+			DomainID:  dom.ID,
 		})
 	})
 	if err != nil {
-		w.logger.Error("failed to store expires at", "error", err)
 		return err
 	}