diff --git a/Makefile b/Makefile
index 07149fc..8db5fbe 100644
--- a/Makefile
+++ b/Makefile
@@ -35,4 +35,4 @@ rendered-manifest.yaml:
 pdns-webhook \
 --set image.repository=$(IMAGE_NAME) \
 --set image.tag=$(IMAGE_TAG) \
- deploy/example-webhook > "$(OUT)/rendered-manifest.yaml"
+ deploy/pdns-webhook > "$(OUT)/rendered-manifest.yaml"
diff --git a/README.md b/README.md
index 1fc5031..db140fd 100644
--- a/README.md
+++ b/README.md
@@ -1,54 +1,34 @@ -# ACME webhook example +### Deployment -The ACME issuer type supports an optional 'webhook' solver, which can be used -to implement custom DNS01 challenge solving logic. +Deploy the custom pdns apiextenion using the helm chart in depploy. -This is useful if you need to use cert-manager with a DNS provider that is not -officially supported in cert-manager core. - -## Why not in core? - -As the project & adoption has grown, there has been an influx of DNS provider -pull requests to our core codebase. As this number has grown, the test matrix -has become un-maintainable and so, it's not possible for us to certify that -providers work to a sufficient level. - -By creating this 'interface' between cert-manager and DNS providers, we allow -users to quickly iterate and test out new integrations, and then packaging -those up themselves as 'extensions' to cert-manager. - -We can also then provide a standardised 'testing framework', or set of -conformance tests, which allow us to validate the a DNS provider works as -expected. - -## Creating your own webhook - -Webhook's themselves are deployed as Kubernetes API services, in order to allow -administrators to restrict access to webhooks with Kubernetes RBAC. - -This is important, as otherwise it'd be possible for anyone with access to your -webhook to complete ACME challenge validations and obtain certificates. - -To make the set up of these webhook's easier, we provide a template repository -that can be used to get started quickly. - -### Creating your own repository - -### Running the test suite - -All DNS providers **must** run the DNS01 provider conformance testing suite, -else they will have undetermined behaviour when used with cert-manager. - -**It is essential that you configure and run the test suite when creating a -DNS01 webhook.** - -An example Go test file has been provided in [main_test.go](https://github.com/jetstack/cert-manager-webhook-example/blob/master/main_test.go). 
- -You can run the test suite with: - -```bash -$ TEST_ZONE_NAME=example.com. make test +This is how i deployed it. +``` +oc project cert-manager +oc apply -f rendered-manifest.yaml ``` -The example file has a number of areas you must fill in and replace with your -own options in order for tests to pass. +### Example Issuer using the staging letsencypt api. + +``` +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: dns-acme-issuer +spec: + acme: + email: user@example.com + server: https://acme-staging-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: acme-account-secret + solvers: + - dns01: + webhook: + groupName: acme.powerdns.com + solverName: powerdns + config: + server: "http://powerdnsserverurl:80" + apikey: supersecret +``` + + diff --git a/deploy/example-webhook/.helmignore b/deploy/pdns-webhook/.helmignore similarity index 100% rename from deploy/example-webhook/.helmignore rename to deploy/pdns-webhook/.helmignore diff --git a/deploy/example-webhook/Chart.yaml b/deploy/pdns-webhook/Chart.yaml similarity index 100% rename from deploy/example-webhook/Chart.yaml rename to deploy/pdns-webhook/Chart.yaml diff --git a/deploy/example-webhook/templates/NOTES.txt b/deploy/pdns-webhook/templates/NOTES.txt similarity index 100% rename from deploy/example-webhook/templates/NOTES.txt rename to deploy/pdns-webhook/templates/NOTES.txt diff --git a/deploy/example-webhook/templates/_helpers.tpl b/deploy/pdns-webhook/templates/_helpers.tpl similarity index 100% rename from deploy/example-webhook/templates/_helpers.tpl rename to deploy/pdns-webhook/templates/_helpers.tpl diff --git a/deploy/example-webhook/templates/apiservice.yaml b/deploy/pdns-webhook/templates/apiservice.yaml similarity index 100% rename from deploy/example-webhook/templates/apiservice.yaml rename to deploy/pdns-webhook/templates/apiservice.yaml 
diff --git a/deploy/example-webhook/templates/deployment.yaml b/deploy/pdns-webhook/templates/deployment.yaml
similarity index 100%
rename from deploy/example-webhook/templates/deployment.yaml
rename to deploy/pdns-webhook/templates/deployment.yaml
diff --git a/deploy/example-webhook/templates/pki.yaml b/deploy/pdns-webhook/templates/pki.yaml
similarity index 100%
rename from deploy/example-webhook/templates/pki.yaml
rename to deploy/pdns-webhook/templates/pki.yaml
diff --git a/deploy/example-webhook/templates/rbac.yaml b/deploy/pdns-webhook/templates/rbac.yaml
similarity index 100%
rename from deploy/example-webhook/templates/rbac.yaml
rename to deploy/pdns-webhook/templates/rbac.yaml
diff --git a/deploy/example-webhook/templates/service.yaml b/deploy/pdns-webhook/templates/service.yaml
similarity index 100%
rename from deploy/example-webhook/templates/service.yaml
rename to deploy/pdns-webhook/templates/service.yaml
diff --git a/deploy/example-webhook/values.yaml b/deploy/pdns-webhook/values.yaml
similarity index 100%
rename from deploy/example-webhook/values.yaml
rename to deploy/pdns-webhook/values.yaml
diff --git a/rendered-manifest.yaml b/rendered-manifest.yaml
new file mode 100644
index 0000000..d6040d1
--- /dev/null
+++ b/rendered-manifest.yaml
@@ -0,0 +1,273 @@
+---
+# Source: pdns-webhook/templates/rbac.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: pdns-webhook
+ labels:
+ app: pdns-webhook
+ chart: pdns-webhook-0.1.0
+ release: pdns-webhook
+ heritage: Helm
+---
+# Source: pdns-webhook/templates/rbac.yaml
+# Grant cert-manager permission to validate using our apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: pdns-webhook:domain-solver
+ labels:
+ app: pdns-webhook
+ chart: pdns-webhook-0.1.0
+ release: pdns-webhook
+ heritage: Helm
+rules:
+ - apiGroups:
+ - acme.powerdns.com
+ resources:
+ - '*'
+ verbs:
+ - 'create'
+---
+# Source: pdns-webhook/templates/rbac.yaml
+# apiserver gets the auth-delegator role to delegate auth decisions to
+# the core apiserver
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: pdns-webhook:auth-delegator
+ labels:
+ app: pdns-webhook
+ chart: pdns-webhook-0.1.0
+ release: pdns-webhook
+ heritage: Helm
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: pdns-webhook
+ namespace: cert-manager
+---
+# Source: pdns-webhook/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: pdns-webhook:domain-solver
+ labels:
+ app: pdns-webhook
+ chart: pdns-webhook-0.1.0
+ release: pdns-webhook
+ heritage: Helm
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: pdns-webhook:domain-solver
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: cert-manager
+ namespace: cert-manager
+---
+# Source: pdns-webhook/templates/rbac.yaml
+# Grant the webhook permission to read the ConfigMap containing the Kubernetes
+# apiserver's requestheader-ca-certificate.
+# This ConfigMap is automatically created by the Kubernetes apiserver.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: pdns-webhook:webhook-authentication-reader
+ namespace: kube-system
+ labels:
+ app: pdns-webhook
+ chart: pdns-webhook-0.1.0
+ release: pdns-webhook
+ heritage: Helm
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: pdns-webhook
+ namespace: cert-manager
+---
+# Source: pdns-webhook/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: pdns-webhook
+ labels:
+ app: pdns-webhook
+ chart: pdns-webhook-0.1.0
+ release: pdns-webhook
+ heritage: Helm
+spec:
+ type: ClusterIP
+ ports:
+ - port: 443
+ targetPort: 8043
+ protocol: TCP
+ name: https
+ selector:
+ app: pdns-webhook
+ release: pdns-webhook
+---
+# Source: pdns-webhook/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pdns-webhook
+ labels:
+ app: pdns-webhook
+ chart: pdns-webhook-0.1.0
+ release: pdns-webhook
+ heritage: Helm
+spec:
+ replicas:
+ selector:
+ matchLabels:
+ app: pdns-webhook
+ release: pdns-webhook
+ template:
+ metadata:
+ labels:
+ app: pdns-webhook
+ release: pdns-webhook
+ spec:
+ serviceAccountName: pdns-webhook
+ containers:
+ - name: pdns-webhook
+ image: "quay.io/tidawson/pdns-webhook:latest"
+ imagePullPolicy: Always
+ args:
+ - --tls-cert-file=/tls/tls.crt
+ - --tls-private-key-file=/tls/tls.key
+ - --secure-port=8043
+ - --audit-log-path=-
+ - -v=5
+ env:
+ - name: GROUP_NAME
+ value: "acme.powerdns.com"
+ ports:
+ - name: https
+ containerPort: 8043
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /healthz
+ port: 8043
+ readinessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /healthz
+ port: 8043
+ volumeMounts:
+ - name: certs
+ mountPath: /tls
+ readOnly: true
+ resources:
+ {}
+ volumes:
+ - name: certs
+ secret:
+ secretName: pdns-webhook-webhook-tls
+---
+# Source: pdns-webhook/templates/apiservice.yaml
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ name: v1alpha1.acme.powerdns.com
+ labels:
+ app: pdns-webhook
+ chart: pdns-webhook-0.1.0
+ release: pdns-webhook
+ heritage: Helm
+ annotations:
+ cert-manager.io/inject-ca-from: "cert-manager/pdns-webhook-webhook-tls"
+spec:
+ group: acme.powerdns.com
+ groupPriorityMinimum: 1000
+ versionPriority: 15
+ service:
+ name: pdns-webhook
+ namespace: cert-manager
+ version: v1alpha1
+---
+# Source: pdns-webhook/templates/pki.yaml
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: pdns-webhook-ca
+ namespace: "cert-manager"
+ labels:
+ app: pdns-webhook
+ chart: pdns-webhook-0.1.0
+ release: pdns-webhook
+ heritage: Helm
+spec:
+ secretName: pdns-webhook-ca
+ duration: 43800h # 5y
+ issuerRef:
+ name: pdns-webhook-selfsign
+ commonName: "ca.example-webhook.cert-manager"
+ isCA: true
+---
+# Source: pdns-webhook/templates/pki.yaml
+# Finally, generate a serving certificate for the webhook to use
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: pdns-webhook-webhook-tls
+ namespace: "cert-manager"
+ labels:
+ app: pdns-webhook
+ chart: pdns-webhook-0.1.0
+ release: pdns-webhook
+ heritage: Helm
+spec:
+ secretName: pdns-webhook-webhook-tls
+ duration: 8760h # 1y
+ issuerRef:
+ name: pdns-webhook-ca
+ dnsNames:
+ - pdns-webhook
+ - pdns-webhook.cert-manager
+ - pdns-webhook.cert-manager.svc
+---
+# Source: pdns-webhook/templates/pki.yaml
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: pdns-webhook-selfsign
+ namespace: "cert-manager"
+ labels:
+ app: pdns-webhook
+ chart: pdns-webhook-0.1.0
+ release: pdns-webhook
+ heritage: Helm
+spec:
+ selfSigned: {}
+---
+# Source: pdns-webhook/templates/pki.yaml
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: pdns-webhook-ca
+ namespace: "cert-manager"
+ labels:
+ app: pdns-webhook
+ chart: pdns-webhook-0.1.0
+ release: pdns-webhook
+ heritage: Helm
+spec:
+ ca:
+ secretName: pdns-webhook-ca