mirror of
https://github.com/cert-manager/webhook-example.git
synced 2026-03-16 18:02:51 +01:00
A cert-manager sample repository for creating an ACME DNS01 solver webhook
Repository contents:
- .github/workflows
- deploy/cert-manager-desec-webhook
- solver
- testdata/desec
- .gitignore
- Dockerfile
- go.mod
- go.sum
- LICENSE
- main.go
- main_test.go
- README.md
- renovate.json
Cert Manager DeSEC Webhook
Independently maintained ACME webhook for desec.io DNS API
This solver implements the cert-manager DNS01 webhook interface against the desec.io DNS API: for each ACME challenge it creates the `_acme-challenge` TXT record through the API and removes it again after validation. The documentation of the API can be found here.
Requirements
- go >= 1.26.0
- helm >= v3.0.0
- kubernetes >= 1.25.0
- cert-manager >= 1.19.0
Installation
Using helm from a local checkout
```sh
helm install \
  -n cert-manager \
  desec-webhook \
  charts/cert-manager-desec-webhook
```
Using public helm chart
```sh
helm install \
  -n cert-manager \
  --version <release without leading "v"> \
  desec-webhook \
  oci://ghcr.io/pr0ton11/helm/cert-manager-desec-webhook
```
Uninstallation
Creating an issuer
Create a secret containing the credentials. The value is the base64 encoding of the raw deSEC token with no trailing newline; scope the token to the zones the webhook must edit rather than using an account-wide token.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: desec-io-token
  namespace: cert-manager
type: Opaque
data:
  # base64 of the raw token, no trailing newline
  token: your-key-base64-encoded
```
Create a ClusterIssuer or Issuer resource that references the secret. A ClusterIssuer reads secrets only from cert-manager's cluster resource namespace (cert-manager by default), which is why the secret above lives there; a namespaced Issuer reads them from its own namespace. The conformance test suite described under "Running the test suite" is the standardised way to validate that the solver works against your zone before relying on it.
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: mail@example.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - dns01:
          webhook:
            config:
              apiKeySecretRef:
                key: token
                name: desec-io-token
            groupName: acme.pr0ton11.github.com
            solverName: deSEC
```
The staging endpoint issues certificates from an untrusted test CA and has generous rate limits; once the solver works, switch `server` to https://acme-v02.api.letsencrypt.org/directory for production certificates.
Create a manual certificate
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-cert
  namespace: cert-manager
spec:
  commonName: example.com
  dnsNames:
    - example.com
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  secretName: example-cert
```
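The three steps above (token secret, ClusterIssuer, Certificate) share one silent failure mode: `data.token` must be the base64 of the raw token with no trailing newline, and the secret must sit in the namespace cert-manager reads ClusterIssuer secrets from. The following POSIX shell script is an added example, not code from this repository: it renders the Secret manifest from a token supplied in `DESEC_TOKEN`, round-trips the encoded value to prove it decodes to the same bytes, and validates the trailing-dot form of `TEST_ZONE_NAME` required by the test suite later on this page. The variable `DESEC_TOKEN`, the function names and the sample token are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of the cert-manager-desec-webhook repository.
# Renders the deSEC token Secret used by the ClusterIssuer on this page and
# checks the two things that most often go wrong: the base64 value and the
# namespace. Assumed input: DESEC_TOKEN (raw deSEC API token); the function
# names below are this example's own.
set -eu

# base64 of the raw token, with no trailing newline. `echo "$token" | base64`
# would encode "token\n", and the deSEC API would reject the credential.
encode_token() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Render the Secret manifest. A ClusterIssuer can only read secrets from the
# cluster resource namespace (cert-manager by default); a namespaced Issuer
# would use its own namespace instead.
render_secret() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: Opaque
data:
  token: $(encode_token "$3")
EOF
}

# Recover the raw token from a rendered manifest on stdin, i.e. the value the
# webhook will actually send to the deSEC API. Used here as a round-trip check.
decode_token_from_manifest() {
    sed -n 's/^  token: //p' | base64 -d
}

# TEST_ZONE_NAME for the conformance suite must be a fully qualified zone name
# with a trailing dot (example.com.), matching a zone the token may edit.
check_zone_name() {
    case "$1" in
        *.) return 0 ;;
        *)  echo "TEST_ZONE_NAME must end with a trailing dot, got: $1" >&2
            return 1 ;;
    esac
}

main() {
    # Constructed sample token used when DESEC_TOKEN is not set.
    token="${DESEC_TOKEN:-constructed-sample-token-not-a-real-credential}"
    manifest=$(render_secret desec-io-token cert-manager "$token")
    printf '%s\n' "$manifest"
    # Round trip: the decoded secret must equal the token byte for byte.
    [ "$(printf '%s\n' "$manifest" | decode_token_from_manifest)" = "$token" ]
    check_zone_name "${TEST_ZONE_NAME:-example.com.}"
    # Apply with: printf '%s\n' "$manifest" | kubectl apply -f -
}

main
```

Piping the rendered manifest straight into `kubectl apply -f -` keeps the token out of shell history and out of files on disk; if you prefer `kubectl create secret generic desec-io-token --from-literal=token=...`, kubectl performs the base64 encoding itself and the newline pitfall does not arise.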
Using cert-manager with traefik ingress
With the `cert-manager.io/cluster-issuer` annotation present, cert-manager's ingress-shim creates a Certificate for the hosts listed under `spec.tls` and stores it in the named `secretName`, so no separate Certificate resource is needed. The `kubernetes.io/ingress.class` annotation is deprecated in favour of `spec.ingressClassName` on clusters that define an IngressClass, and the `rewrite-target` annotation is a Traefik 1.x annotation that Traefik 2 and later ignore (path rewriting there is done with a middleware).
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bitwarden
  namespace: utils
  labels:
    app: bitwarden
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-staging
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/rewrite-target: /$1
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: 'true'
spec:
  tls:
    - hosts:
        - bitwarden.acme.example.com
      secretName: bitwarden-crt
  rules:
    - host: bitwarden.acme.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: bitwarden
                port:
                  number: 80
```
Creating your own repository
Running the test suite
All DNS providers must pass the DNS01 provider conformance testing suite; otherwise their behaviour when used with cert-manager is undefined. The suite exercises the solver's Present and CleanUp methods against the live deSEC API, so it creates and deletes real TXT records in the zone you point it at: use a zone dedicated to testing and a token scoped to that zone.
Provide a secret.yaml in testdata/desec (keep this file out of version control):
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: desec-token
type: Opaque
data:
  # base64 of the raw token, no trailing newline
  token: your-key-base64-encoded
```
Set TEST_ZONE_NAME to a zone the token is authorised for, as a fully qualified name with a trailing dot:
```sh
$ TEST_ZONE_NAME=example.com. make test
```