MEDIUM: Add ACME dns-01 challenge support

With this commit, dataplaneapi can use libdns to resolve dns-01
challenges for HAProxy. To use it, make sure you are using master-worker
mode, configure HAProxy's acme section to use dns-01 challenge with the
appropriate acme-provider (dns challenge provider) and acme-vars.

The list of supported DNS providers is in acme/dns01-providers.txt.

Author: oliwer

.aspell.yml

@@ -43,6 +43,7 @@ allowed:
   - const
   - cpu
   - crd
+  - crl
   - cronjob
   - crt
   - cve
@@ -125,9 +126,11 @@ allowed:
   - ktls
   - kubebuilder
   - kubernetes
+  - libdns
   - lifecycle
   - linter
   - linters
+  - logrus
   - lowercased
   - lookups
   - lts
@@ -146,6 +149,8 @@ allowed:
   - mutexes
   - namespace
   - namespaces
+  - newcert
+  - ocsp
   - oidc
   - omitempty
   - openapi
@@ -199,6 +204,7 @@ allowed:
   - tls
   - tooltip
   - tsconfig
+  - txt
   - typings
   - ubuntu
   - uniq

acme/constructor.go

@@ -0,0 +1,36 @@
+// Code generated from 'constructor.tmpl'; DO NOT EDIT.
+
+package acme
+
+import (
+	"fmt"
+
+	jsoniter "github.com/json-iterator/go"
+{{- range $mod := .}}
+	"{{$mod}}"
+{{- end}}
+)
+
+func NewDNSProvider(name string, params map[string]any) (DNSProvider, error) {
+	var prov DNSProvider
+
+	switch name {
+{{- range $mod := .}}
+	case "{{basename $mod}}":
+		prov = &{{basename $mod}}.Provider{}
+{{- end}}
+	default:
+		return nil, fmt.Errorf("invalid DNS provider name: '%s'", name)
+	}
+
+	jsoni := jsoniter.ConfigCompatibleWithStandardLibrary
+	js, err := jsoni.Marshal(params)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal params for DNS provider %s: %w", name, err)
+	}
+	if err = jsoni.Unmarshal(js, prov); err != nil {
+		return nil, fmt.Errorf("invalid params for DNS provider %s: %w", name, err)
+	}
+
+	return prov, nil
+}

acme/constructor.tmpl

@@ -0,0 +1,21 @@
+github.com/libdns/azure
+github.com/libdns/cloudflare
+github.com/libdns/cloudns
+github.com/libdns/digitalocean
+github.com/haproxytech/dataplaneapi/acme/exec
+github.com/libdns/gandi
+github.com/libdns/godaddy
+github.com/libdns/googleclouddns
+github.com/libdns/hetzner
+github.com/libdns/infomaniak
+github.com/libdns/inwx
+github.com/libdns/ionos
+github.com/libdns/linode
+github.com/libdns/namecheap
+github.com/libdns/netcup
+github.com/libdns/ovh
+github.com/libdns/porkbun
+github.com/libdns/rfc2136
+//github.com/libdns/route53  req. go1.25
+github.com/libdns/scaleway
+github.com/libdns/vultr/v2

acme/dns01-providers.txt

@@ -0,0 +1,142 @@
+// Copyright 2025 HAProxy Technologies
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package acme
+
+//go:generate go run gen_constructor.go -i dns01-providers.txt -t constructor.tmpl -o constructor.go
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/libdns/libdns"
+)
+
+// TTL of the temporary DNS record used for DNS-01 validation.
+const DefaultTTL = 30 * time.Second
+
+// DNSProvider defines the operations required for dns-01 challenges.
+type DNSProvider interface {
+	libdns.RecordAppender
+	libdns.RecordDeleter
+}
+
+// A DNS01Solver uses a DNSProvider to actually solve the challenge.
+type DNS01Solver struct {
+	provider DNSProvider
+	TTL      time.Duration
+}
+
+func NewDNS01Solver(name string, params map[string]any, ttl ...time.Duration) (*DNS01Solver, error) {
+	prov, err := NewDNSProvider(name, params)
+	if err != nil {
+		return nil, err
+	}
+
+	recordTTL := DefaultTTL
+	if len(ttl) > 0 {
+		recordTTL = ttl[0]
+	}
+
+	return &DNS01Solver{provider: prov, TTL: recordTTL}, nil
+}
+
+// Present creates the DNS TXT record for the given ACME challenge.
+func (s *DNS01Solver) Present(ctx context.Context, domain, zone, keyAuth string) error {
+	rec := makeRecord(domain, keyAuth, s.TTL)
+
+	if zone == "" {
+		zone = guessZone(domain)
+	} else {
+		zone = rooted(zone)
+	}
+
+	results, err := s.provider.AppendRecords(ctx, zone, []libdns.Record{rec})
+	if err != nil {
+		return fmt.Errorf("adding temporary record for zone %q: %w", zone, err)
+	}
+	if len(results) != 1 {
+		return fmt.Errorf("expected one record, got %d: %v", len(results), results)
+	}
+
+	return nil
+}
+
+// CleanUp deletes the DNS TXT record created in Present().
+func (s *DNS01Solver) CleanUp(ctx context.Context, domain, zone, keyAuth string) error {
+	rr := makeRecord(domain, keyAuth, s.TTL)
+
+	if zone == "" {
+		zone = guessZone(domain)
+	} else {
+		zone = rooted(zone)
+	}
+
+	_, err := s.provider.DeleteRecords(ctx, zone, []libdns.Record{rr})
+	if err != nil {
+		return fmt.Errorf("deleting temporary record for name %q in zone %q: %w", zone, rr, err)
+	}
+
+	return nil
+}
+
+// Assemble a TXT Record suited for DNS-01 challenges.
+func makeRecord(fqdn, keyAuth string, ttl time.Duration) libdns.RR {
+	return libdns.RR{
+		Type: "TXT",
+		Name: "_acme-challenge." + trimWildcard(fqdn),
+		Data: keyAuth,
+		TTL:  ttl,
+	}
+}
+
+// Extract the root zone for a domain in case the user did not provide it.
+//
+// This simplistic algorithm will only work for simple cases.  The correct
+// way to do this would be to do an SOA request on the FQDN, but since
+// dataplaneapi may not use the right resolvers (as configured in haproxy.cfg)
+// it is better to avoid doing any DNS request.
+func guessZone(fqdn string) string {
+	fqdn = trimWildcard(fqdn)
+	parts := make([]string, 0, 8)
+	strings.SplitSeq(fqdn, ".")(func(part string) bool {
+		if part != "" {
+			parts = append(parts, part)
+		}
+		return true
+	})
+
+	n := len(parts)
+	if n < 3 {
+		return rooted(fqdn)
+	}
+	return rooted(strings.Join(parts[n-2:], "."))
+}
+
+// Remove the wildcard from a domain so it can be used in a record name.
+func trimWildcard(fqdn string) string {
+	fqdn = strings.TrimSpace(fqdn)
+	return strings.TrimPrefix(fqdn, "*.")
+}
+
+// Ensures a domain name has its final dot (the root zone).
+func rooted(domain string) string {
+	if !strings.HasSuffix(domain, ".") {
+		domain += "."
+	}
+	return domain
+}