Merge branch 'main' into feat/cloud-load-balance

internal/applicant/applicant.go

@@ -12,6 +12,8 @@ import (
 	"strings"
 
 	"github.com/usual2970/certimate/internal/domain"
+	"github.com/usual2970/certimate/internal/pkg/utils/x509"
+	"github.com/usual2970/certimate/internal/repository"
 	"github.com/usual2970/certimate/internal/utils/app"
 
 	"github.com/go-acme/lego/v4/certcrypto"
@@ -39,16 +41,19 @@ const defaultSSLProvider = "letsencrypt"
 const (
 	sslProviderLetsencrypt = "letsencrypt"
 	sslProviderZeroSSL     = "zerossl"
+	sslProviderGts         = "gts"
 )
 
 const (
 	zerosslUrl     = "https://acme.zerossl.com/v2/DV90"
 	letsencryptUrl = "https://acme-v02.api.letsencrypt.org/directory"
+	gtsUrl         = "https://dv.acme-v02.api.pki.goog/directory"
 )
 
 var sslProviderUrls = map[string]string{
 	sslProviderLetsencrypt: letsencryptUrl,
 	sslProviderZeroSSL:     zerosslUrl,
+	sslProviderGts:         gtsUrl,
 }
 
 const defaultEmail = "536464346@qq.com"
@@ -75,9 +80,37 @@ type ApplyOption struct {
 }
 
 type ApplyUser struct {
+	Ca           string
 	Email        string
 	Registration *registration.Resource
-	key          crypto.PrivateKey
+	key          string
+}
+
+func newApplyUser(ca, email string) (*ApplyUser, error) {
+	repo := getAcmeAccountRepository()
+	rs := &ApplyUser{
+		Ca:    ca,
+		Email: email,
+	}
+	resp, err := repo.GetByCAAndEmail(ca, email)
+	if err != nil {
+		privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+		if err != nil {
+			return nil, err
+		}
+		keyStr, err := x509.PrivateKeyToPEM(privateKey)
+		if err != nil {
+			return nil, err
+		}
+		rs.key = keyStr
+
+		return rs, nil
+	}
+
+	rs.Registration = resp.Resource
+	rs.key = resp.Key
+
+	return rs, nil
 }
 
 func (u *ApplyUser) GetEmail() string {
@@ -89,6 +122,15 @@ func (u ApplyUser) GetRegistration() *registration.Resource {
 }
 
 func (u *ApplyUser) GetPrivateKey() crypto.PrivateKey {
+	rs, _ := x509.ParsePrivateKeyFromPEM(u.key)
+	return rs
+}
+
+func (u *ApplyUser) hasRegistration() bool {
+	return u.Registration != nil
+}
+
+func (u *ApplyUser) getPrivateKeyString() string {
 	return u.key
 }
 
@@ -157,10 +199,13 @@ type SSLProviderConfig struct {
 }
 
 type SSLProviderConfigContent struct {
-	Zerossl struct {
-		EabHmacKey string `json:"eabHmacKey"`
-		EabKid     string `json:"eabKid"`
-	}
+	Zerossl SSLProviderEab `json:"zerossl"`
+	Gts     SSLProviderEab `json:"gts"`
+}
+
+type SSLProviderEab struct {
+	EabHmacKey string `json:"eabHmacKey"`
+	EabKid     string `json:"eabKid"`
 }
 
 func apply(option *ApplyOption, provider challenge.Provider) (*Certificate, error) {
@@ -176,21 +221,16 @@ func apply(option *ApplyOption, provider challenge.Provider) (*Certificate, erro
 		}
 	}
 
-	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		return nil, err
-	}
-
 	// Some unified lego environment variables are configured here.
 	// link: https://github.com/go-acme/lego/issues/1867
 	os.Setenv("LEGO_DISABLE_CNAME_SUPPORT", strconv.FormatBool(option.DisableFollowCNAME))
 
-	myUser := ApplyUser{
-		Email: option.Email,
-		key:   privateKey,
+	myUser, err := newApplyUser(sslProvider.Provider, option.Email)
+	if err != nil {
+		return nil, err
 	}
 
-	config := lego.NewConfig(&myUser)
+	config := lego.NewConfig(myUser)
 
 	// This CA URL is configured for a local dev instance of Boulder running in Docker in a VM.
 	config.CADirURL = sslProviderUrls[sslProvider.Provider]
@@ -211,11 +251,13 @@ func apply(option *ApplyOption, provider challenge.Provider) (*Certificate, erro
 	client.Challenge.SetDNS01Provider(provider, challengeOptions...)
 
 	// New users will need to register
-	reg, err := getReg(client, sslProvider)
-	if err != nil {
-		return nil, fmt.Errorf("failed to register: %w", err)
+	if !myUser.hasRegistration() {
+		reg, err := getReg(client, sslProvider, myUser)
+		if err != nil {
+			return nil, fmt.Errorf("failed to register: %w", err)
+		}
+		myUser.Registration = reg
 	}
-	myUser.Registration = reg
 
 	domains := strings.Split(option.Domain, ";")
 	request := certificate.ObtainRequest{
@@ -237,7 +279,16 @@ func apply(option *ApplyOption, provider challenge.Provider) (*Certificate, erro
 	}, nil
 }
 
-func getReg(client *lego.Client, sslProvider *SSLProviderConfig) (*registration.Resource, error) {
+type AcmeAccountRepository interface {
+	GetByCAAndEmail(ca, email string) (*domain.AcmeAccount, error)
+	Save(ca, email, key string, resource *registration.Resource) error
+}
+
+func getAcmeAccountRepository() AcmeAccountRepository {
+	return repository.NewAcmeAccountRepository()
+}
+
+func getReg(client *lego.Client, sslProvider *SSLProviderConfig, user *ApplyUser) (*registration.Resource, error) {
 	var reg *registration.Resource
 	var err error
 	switch sslProvider.Provider {
@@ -247,6 +298,12 @@ func getReg(client *lego.Client, sslProvider *SSLProviderConfig) (*registration.
 			Kid:                  sslProvider.Config.Zerossl.EabKid,
 			HmacEncoded:          sslProvider.Config.Zerossl.EabHmacKey,
 		})
+	case sslProviderGts:
+		reg, err = client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
+			TermsOfServiceAgreed: true,
+			Kid:                  sslProvider.Config.Gts.EabKid,
+			HmacEncoded:          sslProvider.Config.Gts.EabHmacKey,
+		})
 
 	case sslProviderLetsencrypt:
 		reg, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
@@ -259,6 +316,18 @@ func getReg(client *lego.Client, sslProvider *SSLProviderConfig) (*registration.
 		return nil, err
 	}
 
+	repo := getAcmeAccountRepository()
+
+	resp, err := repo.GetByCAAndEmail(sslProvider.Provider, user.GetEmail())
+	if err == nil {
+		user.key = resp.Key
+		return resp.Resource, nil
+	}
+
+	if err := repo.Save(sslProvider.Provider, user.GetEmail(), user.getPrivateKeyString(), reg); err != nil {
+		return nil, fmt.Errorf("failed to save registration: %w", err)
+	}
+
 	return reg, nil
 }
 

internal/deployer/deployer.go

@@ -19,6 +19,7 @@ const (
 	targetAliyunCDN      = "aliyun-cdn"
 	targetAliyunESA      = "aliyun-dcdn"
 	targetTencentCDN     = "tencent-cdn"
+	targetTencentCLB     = "tencent-clb"
 	targetTencentCOS     = "tencent-cos"
 	targetHuaweiCloudCDN = "huaweicloud-cdn"
 	targetHuaweiCloudELB = "huaweicloud-elb"
@@ -107,6 +108,8 @@ func getWithDeployConfig(record *models.Record, cert *applicant.Certificate, dep
 		return NewAliyunESADeployer(option)
 	case targetTencentCDN:
 		return NewTencentCDNDeployer(option)
+	case targetTencentCLB:
+		return NewTencentCLBDeployer(option)
 	case targetTencentCOS:
 		return NewTencentCOSDeployer(option)
 	case targetHuaweiCloudCDN:

internal/deployer/k8s_secret.go

@@ -4,12 +4,15 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"strings"
 
+	corev1 "k8s.io/api/core/v1"
 	k8sMetaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
 
 	"github.com/usual2970/certimate/internal/domain"
+	"github.com/usual2970/certimate/internal/pkg/utils/x509"
 )
 
 type K8sSecretDeployer struct {
@@ -43,7 +46,7 @@ func (d *K8sSecretDeployer) Deploy(ctx context.Context) error {
 		return err
 	}
 
-	d.infos = append(d.infos, toStr("kubeClient 创建成功", nil))
+	d.infos = append(d.infos, toStr("kubeClient create success.", nil))
 
 	namespace := getDeployString(d.option.DeployConfig, "namespace")
 	if namespace == "" {
@@ -65,36 +68,61 @@ func (d *K8sSecretDeployer) Deploy(ctx context.Context) error {
 		namespace = "tls.key"
 	}
 
-	// 获取 Secret 实例
-	secret, err := client.CoreV1().Secrets(namespace).Get(context.TODO(), secretName, k8sMetaV1.GetOptions{})
+	certificate, err := x509.ParseCertificateFromPEM(d.option.Certificate.Certificate)
 	if err != nil {
-		return fmt.Errorf("failed to get k8s secret: %w", err)
+		return fmt.Errorf("failed to parse certificate: %w", err)
 	}
 
-	// 更新 Secret Data
-	secret.Data[secretDataKeyForCrt] = []byte(d.option.Certificate.Certificate)
-	secret.Data[secretDataKeyForKey] = []byte(d.option.Certificate.PrivateKey)
-	_, err = client.CoreV1().Secrets(namespace).Update(context.TODO(), secret, k8sMetaV1.UpdateOptions{})
+	secretPayload := corev1.Secret{
+		TypeMeta: k8sMetaV1.TypeMeta{
+			Kind:       "Secret",
+			APIVersion: "v1",
+		},
+		ObjectMeta: k8sMetaV1.ObjectMeta{
+			Name: secretName,
+			Annotations: map[string]string{
+				"certimate/domains":             d.option.Domain,
+				"certimate/alt-names":           strings.Join(certificate.DNSNames, ","),
+				"certimate/common-name":         certificate.Subject.CommonName,
+				"certimate/issuer-organization": strings.Join(certificate.Issuer.Organization, ","),
+			},
+		},
+		Type: corev1.SecretType("kubernetes.io/tls"),
+	}
+
+	secretPayload.Data = make(map[string][]byte)
+	secretPayload.Data[secretDataKeyForCrt] = []byte(d.option.Certificate.Certificate)
+	secretPayload.Data[secretDataKeyForKey] = []byte(d.option.Certificate.PrivateKey)
+
+	// 获取 Secret 实例
+	_, err = client.CoreV1().Secrets(namespace).Get(context.TODO(), secretName, k8sMetaV1.GetOptions{})
+	if err != nil {
+		_, err = client.CoreV1().Secrets(namespace).Create(context.TODO(), &secretPayload, k8sMetaV1.CreateOptions{})
+		if err != nil {
+			return fmt.Errorf("failed to create k8s secret: %w", err)
+		} else {
+			d.infos = append(d.infos, toStr("Certificate has been created in K8s Secret", nil))
+			return nil
+		}
+	}
+
+	// 更新 Secret 实例
+	_, err = client.CoreV1().Secrets(namespace).Update(ctx, &secretPayload, k8sMetaV1.UpdateOptions{})
 	if err != nil {
 		return fmt.Errorf("failed to update k8s secret: %w", err)
 	}
 
-	d.infos = append(d.infos, toStr("证书已更新到 K8s Secret", nil))
+	d.infos = append(d.infos, toStr("Certificate has been updated to K8s Secret", nil))
 
 	return nil
 }
 
 func (d *K8sSecretDeployer) createClient(access *domain.KubernetesAccess) (*kubernetes.Clientset, error) {
-	kubeConfig, err := clientcmd.Load([]byte(access.KubeConfig))
+	kubeConfig, err := clientcmd.NewClientConfigFromBytes([]byte(access.KubeConfig))
 	if err != nil {
 		return nil, err
 	}
-
-	clientConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
-		&clientcmd.ClientConfigLoadingRules{ExplicitPath: ""},
-		&clientcmd.ConfigOverrides{CurrentContext: kubeConfig.CurrentContext},
-	)
-	config, err := clientConfig.ClientConfig()
+	config, err := kubeConfig.ClientConfig()
 	if err != nil {
 		return nil, err
 	}

internal/deployer/tencent_clb.go

@@ -0,0 +1,117 @@
+package deployer
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
+	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
+	ssl "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/ssl/v20191205"
+
+	"github.com/usual2970/certimate/internal/domain"
+	"github.com/usual2970/certimate/internal/utils/rand"
+)
+
+type TencentCLBDeployer struct {
+	option     *DeployerOption
+	credential *common.Credential
+	infos      []string
+}
+
+func NewTencentCLBDeployer(option *DeployerOption) (Deployer, error) {
+	access := &domain.TencentAccess{}
+	if err := json.Unmarshal([]byte(option.Access), access); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal tencent access: %w", err)
+	}
+
+	credential := common.NewCredential(
+		access.SecretId,
+		access.SecretKey,
+	)
+
+	return &TencentCLBDeployer{
+		option:     option,
+		credential: credential,
+		infos:      make([]string, 0),
+	}, nil
+}
+
+func (d *TencentCLBDeployer) GetID() string {
+	return fmt.Sprintf("%s-%s", d.option.AccessRecord.GetString("name"), d.option.AccessRecord.Id)
+}
+
+func (d *TencentCLBDeployer) GetInfo() []string {
+	return d.infos
+}
+
+func (d *TencentCLBDeployer) Deploy(ctx context.Context) error {
+	// 上传证书
+	certId, err := d.uploadCert()
+	if err != nil {
+		return fmt.Errorf("failed to upload certificate: %w", err)
+	}
+	d.infos = append(d.infos, toStr("上传证书", certId))
+
+	if err := d.deploy(certId); err != nil {
+		return fmt.Errorf("failed to deploy: %w", err)
+	}
+
+	return nil
+}
+
+func (d *TencentCLBDeployer) uploadCert() (string, error) {
+	cpf := profile.NewClientProfile()
+	cpf.HttpProfile.Endpoint = "ssl.tencentcloudapi.com"
+
+	client, _ := ssl.NewClient(d.credential, "", cpf)
+
+	request := ssl.NewUploadCertificateRequest()
+
+	request.CertificatePublicKey = common.StringPtr(d.option.Certificate.Certificate)
+	request.CertificatePrivateKey = common.StringPtr(d.option.Certificate.PrivateKey)
+	request.Alias = common.StringPtr(d.option.Domain + "_" + rand.RandStr(6))
+	request.Repeatable = common.BoolPtr(false)
+
+	response, err := client.UploadCertificate(request)
+	if err != nil {
+		return "", fmt.Errorf("failed to upload certificate: %w", err)
+	}
+
+	return *response.Response.CertificateId, nil
+}
+
+func (d *TencentCLBDeployer) deploy(certId string) error {
+	cpf := profile.NewClientProfile()
+	cpf.HttpProfile.Endpoint = "ssl.tencentcloudapi.com"
+	// 实例化要请求产品的client对象,clientProfile是可选的
+	client, _ := ssl.NewClient(d.credential, getDeployString(d.option.DeployConfig, "region"), cpf)
+
+	// 实例化一个请求对象,每个接口都会对应一个request对象
+	request := ssl.NewDeployCertificateInstanceRequest()
+
+	request.CertificateId = common.StringPtr(certId)
+	request.ResourceType = common.StringPtr("clb")
+	request.Status = common.Int64Ptr(1)
+
+	clbId := getDeployString(d.option.DeployConfig, "clbId")
+	lsnId := getDeployString(d.option.DeployConfig, "lsnId")
+	domain := getDeployString(d.option.DeployConfig, "domain")
+
+	if(domain == ""){
+		// 未开启SNI，只需要精确到监听器
+		request.InstanceIdList = common.StringPtrs([]string{fmt.Sprintf("%s|%s", clbId, lsnId)})
+	}else{
+		// 开启SNI，需要精确到域名，支持泛域名
+		request.InstanceIdList = common.StringPtrs([]string{fmt.Sprintf("%s|%s|%s", clbId, lsnId, domain)})
+	}
+	
+
+	// 返回的resp是一个DeployCertificateInstanceResponse的实例，与请求对象对应
+	resp, err := client.DeployCertificateInstance(request)
+	if err != nil {
+		return fmt.Errorf("failed to deploy certificate: %w", err)
+	}
+	d.infos = append(d.infos, toStr("部署证书", resp.Response))
+	return nil
+}

internal/domain/acme_accounts.go

@@ -0,0 +1,17 @@
+package domain
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/registration"
+)
+
+type AcmeAccount struct {
+	Id       string
+	Ca       string
+	Email    string
+	Resource *registration.Resource
+	Key      string
+	Created  time.Time
+	Updated  time.Time
+}

internal/pkg/utils/x509/x509.go

@@ -1,6 +1,7 @@
 package x509
 
 import (
+	"crypto/ecdsa"
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
@@ -46,3 +47,35 @@ func EqualCertificate(a, b *x509.Certificate) bool {
 		a.Issuer.SerialNumber == b.Issuer.SerialNumber &&
 		a.Subject.SerialNumber == b.Subject.SerialNumber
 }
+
+// 将 ECDSA 私钥转换为 PEM 格式的字符串。
+func PrivateKeyToPEM(privateKey *ecdsa.PrivateKey) (string, error) {
+	data, err := x509.MarshalECPrivateKey(privateKey)
+	if err != nil {
+		return "", fmt.Errorf("failed to marshal EC private key: %w", err)
+	}
+
+	block := &pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: data,
+	}
+
+	return string(pem.EncodeToMemory(block)), nil
+}
+
+// 从 PEM 编码的私钥字符串解析并返回一个 ECDSA 私钥对象。
+func ParsePrivateKeyFromPEM(privateKeyPem string) (*ecdsa.PrivateKey, error) {
+	pemData := []byte(privateKeyPem)
+
+	block, _ := pem.Decode(pemData)
+	if block == nil {
+		return nil, fmt.Errorf("failed to decode PEM block")
+	}
+
+	privateKey, err := x509.ParseECPrivateKey(block.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse private key: %w", err)
+	}
+
+	return privateKey, nil
+}

internal/repository/acme_account.go

@@ -0,0 +1,71 @@
+package repository
+
+import (
+	"fmt"
+
+	"github.com/go-acme/lego/v4/registration"
+	"github.com/pocketbase/dbx"
+	"github.com/pocketbase/pocketbase/models"
+	"github.com/usual2970/certimate/internal/domain"
+	"github.com/usual2970/certimate/internal/utils/app"
+	"golang.org/x/sync/singleflight"
+)
+
+type AcmeAccountRepository struct{}
+
+func NewAcmeAccountRepository() *AcmeAccountRepository {
+	return &AcmeAccountRepository{}
+}
+
+var g singleflight.Group
+
+func (r *AcmeAccountRepository) GetByCAAndEmail(ca, email string) (*domain.AcmeAccount, error) {
+	resp, err, _ := g.Do(fmt.Sprintf("acme_account_%s_%s", ca, email), func() (interface{}, error) {
+		resp, err := app.GetApp().Dao().FindFirstRecordByFilter("acme_accounts", "ca={:ca} && email={:email}", dbx.Params{"ca": ca, "email": email})
+		if err != nil {
+			return nil, err
+		}
+		return resp, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	if resp == nil {
+		return nil, fmt.Errorf("acme account not found")
+	}
+
+	record, ok := resp.(*models.Record)
+	if !ok {
+		return nil, fmt.Errorf("acme account not found")
+	}
+
+	resource := &registration.Resource{}
+	if err := record.UnmarshalJSONField("resource", resource); err != nil {
+		return nil, err
+	}
+
+	return &domain.AcmeAccount{
+		Id:       record.GetString("id"),
+		Ca:       record.GetString("ca"),
+		Email:    record.GetString("email"),
+		Key:      record.GetString("key"),
+		Resource: resource,
+		Created:  record.GetTime("created"),
+		Updated:  record.GetTime("updated"),
+	}, nil
+}
+
+func (r *AcmeAccountRepository) Save(ca, email, key string, resource *registration.Resource) error {
+	collection, err := app.GetApp().Dao().FindCollectionByNameOrId("acme_accounts")
+	if err != nil {
+		return err
+	}
+
+	record := models.NewRecord(collection)
+	record.Set("ca", ca)
+	record.Set("email", email)
+	record.Set("key", key)
+	record.Set("resource", resource)
+	return app.GetApp().Dao().Save(record)
+}