heungheung · damithkothalawala · May 4, 2024 · May 4, 2024 · May 4, 2024 · May 4, 2024
diff --git a/README.rst b/README.rst
@@ -17,6 +17,7 @@ To use this authenticator you will need:
 * a registered domain name, configured with the OCI DNS servers
 * that domain name created in OCI (via the console, the CLI, or the API)
 * an OCI account with adequate permission to Create / Update / Delete DNS entries in that domain
+* or instance principal setup on the target instance with the same permissions
 
 Installation
 ------------
@@ -75,7 +76,10 @@ This plug-in supports the following arguments on certbot's command line:
 
 ``--dns-oci-propagation-seconds``       Amount of time to allow for the DNS change to propagate
                                         before asking the ACME server to verify the DNS record.
-                                        (Default: 15)
+                                        (Default: 60)
+
+``--dns-oci-instance-principal``        Use instance principal for authentication.
+                                        (Optional) set this to 'y' to use instance principal
 ======================================= ========================================================
 
 
@@ -91,6 +95,15 @@ To acquire a TEST certificate for demosite.ociateam.com:
      --authenticator dns-oci -d demosite.ociateam.com
 
 
+To acquire a TEST certificate for demosite.ociateam.com using instance principal:
+
+.. code-block:: bash
+
+    certbot --test-cert certonly \
+     --logs-dir logs --work-dir work --dns-oci-instance-principal=y \
+     --authenticator dns-oci -d demosite.ociateam.com
+
+
 To acquire a *real* certificate for demosite.ociateam.com:
 
 .. code-block:: bash
@@ -99,3 +112,11 @@ To acquire a *real* certificate for demosite.ociateam.com:
      --logs-dir logs --work-dir work --config-dir config \
      --authenticator dns-oci -d demosite.ociateam.com
 
+
+To acquire a *real* certificate for demosite.ociateam.com using instance principal:
+
+.. code-block:: bash
+
+    certbot certonly \
+     --logs-dir logs --work-dir work --dns-oci-instance-principal=y \
+     --authenticator dns-oci -d demosite.ociateam.com
diff --git a/certbot_dns_oci/dns_oci.py b/certbot_dns_oci/dns_oci.py
@@ -24,13 +24,22 @@ def __init__(self, *args, **kwargs):
         # self.credentials = None
 
     @classmethod
-    def add_parser_arguments(cls, add, **kwargs):  # pylint: disable=arguments-differ
+    def add_parser_arguments(cls, add):  # pylint: disable=arguments-differ
         super(Authenticator, cls).add_parser_arguments(
-            add, default_propagation_seconds=15
+            add, default_propagation_seconds=60
         )
         # TODO: implement these:
         add('config', help="OCI CLI Configuration file.")
         add('profile', help="OCI configuration profile (in OCI configuration file)")
+        # Add argument for instance principal
+        add('instance-principal',help="Use instance principal for authentication.")
+
+    def validate_options(self):
+        # Validate options to ensure that conflicting arguments are not provided together
+        if self.conf('instance-principal') and self.conf('config'):
+            raise errors.PluginError(
+                "Conflicting arguments: '--dns-oci-instance-principal' and '--dns-oci-config' cannot be provided together."
+            )
 
     def more_info(self):  # pylint: disable=missing-docstring,no-self-use
         return (
@@ -39,11 +48,17 @@ def more_info(self):  # pylint: disable=missing-docstring,no-self-use
         )
 
     def _setup_credentials(self):
-        # implement profile - full implementation of config file is WIP
-        oci_config_profile = 'DEFAULT'
-        if self.conf('profile') is not None:
-            oci_config_profile = self.conf('profile')
-        self.credentials = oci.config.from_file(profile_name=oci_config_profile)
+        # Validate options
+        self.validate_options()
+
+        if self.conf('instance-principal') is None:
+            self.credentials = oci.config.from_file()
+
+            oci_config_profile = 'DEFAULT'
+            if self.conf('profile') is not None:
+                    oci_config_profile = self.conf('profile')
+                    self.credentials = oci.config.from_file(profile_name=oci_config_profile)
+
 
     def _perform(self, domain, validation_name, validation):
         self._get_ocidns_client().add_txt_record(
@@ -56,7 +71,10 @@ def _cleanup(self, domain, validation_name, validation):
         )
 
     def _get_ocidns_client(self):
-        return _OCIDNSClient(self.credentials)
+        if self.conf('instance-principal') is not None:
+            return _OCIDNSClient(None)
+        else:
+            return _OCIDNSClient(self.credentials)
 
 
 class _OCIDNSClient:
@@ -67,11 +85,18 @@ class _OCIDNSClient:
     In Other Words: thar be dragons
     """
 
-    def __init__(self, oci_config):
-        logger.debug("creating OCI DnsClient")
-        # this is where you would add code to handle Resource, Instance, or non-default configs
-        config = oci.config.from_file()
-        self.dns_client = oci.dns.DnsClient(oci_config)
+    def __init__(self, oci_config=None):
+        if oci_config is not None:
+            logger.debug("creating OCI DnsClient Using Config File")
+            # this is where you would add code to handle Resource, Instance, or non-default configs
+            config = oci.config.from_file()
+            self.dns_client = oci.dns.DnsClient(oci_config)
+        else:
+            logger.debug("creating OCI DnsClient Using Instance Principal")
+            # this is where you would add code to handle Resource, Instance, or non-default configs
+            signer = oci.auth.signers.InstancePrincipalsSecurityTokenSigner()
+            self.dns_client = oci.dns.DnsClient(config={}, signer=signer)
+
 
     def add_txt_record(self, domain, record_name, record_content, record_ttl):
         """
@@ -89,7 +114,7 @@ def add_txt_record(self, domain, record_name, record_content, record_ttl):
         # first find the domain
         zone_ocid, zone_name = self._find_managed_zone(domain, record_name)
         if zone_name is None:
-            raise errors.PluginError("Domain not known")
+            raise errors.PluginError("Domain not known. Please Make sure the domain is in OCI DNS and You have the correct permissions.")
         logger.debug("Found domain %s with OCID %s", zone_name, zone_ocid)
 
         # NOTE: the OCI SDK will treat:

diff --git a/setup.py b/setup.py
@@ -1,7 +1,7 @@
 from setuptools import setup
 from setuptools import find_packages
 
-version = "0.1.0"
+version = "0.1.1"
 
 install_requires = [
     "acme>=1.31.0",