support acme (let's encrypt) (close #2)

doc/controllers.md

@@ -18,6 +18,7 @@
     - [EurekaServiceRegistry](#eurekaserviceregistry)
     - [ZookeeperServiceRegistry](#zookeeperserviceregistry)
     - [NacosServiceRegistry](#nacosserviceregistry)
+    - [AutoCertManager](#autocertmanager)
   - [Common Types](#common-types)
     - [tracing.Spec](#tracingspec)
     - [zipkin.Spec](#zipkinspec)
@@ -29,6 +30,7 @@
     - [httppipeline.Filter](#httppipelinefilter)
     - [easemonitormetrics.Kafka](#easemonitormetricskafka)
     - [nacos.ServerSpec](#nacosserverspec)
+    - [autocertmanager.DomainSpec](#autocertmanagerdomainspec)
 
 As the [architecture diagram](./architecture.png) shows, the controller is the core entity to control kinds of working. There are two kinds of controllers overall:
 
@@ -301,6 +303,36 @@ servers:
 | username     | string                                | The username of client       | No                 |
 | password     | string                                | The password of client       | No                 |
 
+### AutoCertManager
+
+AutoCertManager automatically manage HTTPS certificates. The config looks like:
+
+```yaml
+kind: AutoCertManager
+name: autocert
+email: [email protected]
+directoryURL: https://acme-v02.api.letsencrypt.org/directory
+renewBefore: 720h
+enableHTTP01: true
+enableTLSALPN01: true
+enableDNS01: true
+domains:
+  - name: "*.megaease.com"
+    dnsProvider:
+      name: alidns
+      zone: megaease.com
+```
+
+| Name            | Type                                       | Description                                                                          | Required                           |
+| --------------- | ------------------------------------------ | ------------------------------------------------------------------------------------ | ---------------------------------- |
+| email           | string                                     | An email address for CA account                                                      | Yes                                |
+| directoryURL    | string                                     | The endpoint of the CA directory                                                     | No (default to use Let's Encrypt)  |
+| renewBefore     | string                                     | A certificate will be renewed before this duration of its expire time                | No (default 720 hours)             |
+| enableHTTP01    | bool                                       | Enable HTTP-01 challenge (Easegress need to be accessable at port 80 when true)      | No (default true)                  |
+| enableTLSALPN01 | bool                                       | Enable TLS-ALPN-01 challenge (Easegress need to be accessable at port 443 when true) | No (default true)                  |
+| enableDNS01     | bool                                       | Enable DNS-01 challenge                                                              | No (default true)                  |
+| domains         | [][DomainSpec](#autocertmanagerdomainspec) | Domains to be managed                                                                | Yes                                |
+
 ## Common Types
 
 ### tracing.Spec
@@ -394,3 +426,26 @@ The self-defining specification of each filter references to [filters](./filters
 | port        | uint16 | The port                                     | Yes      |
 | scheme      | string | The scheme of protocol (support http, https) | No       |
 | contextPath | string | The context path                             | No       |
+
+### autocertmanager.DomainSpec
+
+| Name        | Type              | Description               | Required                             |
+| ----------- | ----------------- | --------------------------| ------------------------------------ |
+| name        | string            | The name of the domain    | Yes                                  |
+| dnsProvider | map[string]string | DNS provider information  | No (Yes if `name` is a wildcard one) |
+
+The fields in `dnsProvider` vary from DNS providers, but `name` and `zone` are required for all DNS providers.
+Below table list other required fields for each supported DNS provider:
+
+| DNS Provider Name | Required Fields                                                     |
+| ----------------- | ------------------------------------------------------------------- |
+| alidns            | accessKeyId, accessKeySecret                                        |
+| azure             | tenantId, clientId, clientSecret, subscriptionId, resourceGroupName |
+| cloudflare        | apiToken                                                            |
+| digitalocean      | apiToken                                                            |
+| dnspod            | apiToken                                                            |
+| duckdns           | apiToken                                                            |
+| google            | project                                                             |
+| hetzner           | authApiToken                                                        |
+| route53           | accessKeyId, secretAccessKey, awsProfile                            |
+| vultr             | apiToken                                                            |

go.mod

@@ -23,6 +23,17 @@ require (
 	github.com/hashicorp/golang-lru v0.5.4
 	github.com/json-iterator/go v1.1.11
 	github.com/klauspost/compress v1.13.6
+	github.com/libdns/alidns v1.0.2-x2
+	github.com/libdns/azure v0.2.0
+	github.com/libdns/cloudflare v0.1.0
+	github.com/libdns/digitalocean v0.0.0-20210310230526-186c4ebd2215
+	github.com/libdns/dnspod v0.0.3
+	github.com/libdns/duckdns v0.1.1
+	github.com/libdns/googleclouddns v1.0.1
+	github.com/libdns/hetzner v0.0.1
+	github.com/libdns/libdns v0.2.1
+	github.com/libdns/route53 v1.1.2
+	github.com/libdns/vultr v0.0.0-20211122184636-cd4cb5c12e51
 	github.com/lucas-clemente/quic-go v0.24.0
 	github.com/megaease/easemesh-api v1.3.3
 	github.com/megaease/grace v1.0.0
@@ -50,8 +61,8 @@ require (
 	go.etcd.io/etcd/client/v3 v3.5.0
 	go.etcd.io/etcd/server/v3 v3.5.0
 	go.uber.org/zap v1.19.0
-	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect
-	golang.org/x/net v0.0.0-20211101193420-4a448f8816b3 // indirect
+	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519
+	golang.org/x/net v0.0.0-20211118161319-6a13c67c3ce4
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	golang.org/x/sys v0.0.0-20211030160813-b3129d9d1021
 	gopkg.in/yaml.v2 v2.4.0