A cert-manager sample repository for creating an ACME DNS01 solver webhook

SOTOON Webhook for Cert Manager

This is a webhook solver for Sotoon Cloud.

Prerequisites

Installation

Choose a unique group name to identify your company or organization (for example acme.mycompany.example).

helm install ./deploy/cert-manager-webhook-sotoon \
 --set groupName='<YOUR_UNIQUE_GROUP_NAME>'

If you customized the installation of cert-manager, you may need to also set the certManager.namespace and certManager.serviceAccountName values.

Issuer

  1. Get your API token from the Sotoon Panel. The user whose API token is used must have the dns-editor role.

  2. Create a Secret to store your API token:

    kubectl create secret generic sotoon-credentials \
      --from-literal=apiToken='<SOTOON_API_TOKEN>'
    
  3. Grant the cert-manager-webhook-sotoon service account permission to read the Secret (the Role and RoleBinding must live in the namespace where the webhook and the Secret are deployed):

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: cert-manager-webhook-sotoon:secret-reader
    rules:
    - apiGroups: [""]
      resources: ["secrets"]
      resourceNames: ["sotoon-credentials"]
      verbs: ["get", "watch"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: cert-manager-webhook-sotoon:secret-reader
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: cert-manager-webhook-sotoon:secret-reader
    subjects:
    - apiGroup: ""
      kind: ServiceAccount
      name: cert-manager-webhook-sotoon
      # namespace is required for ServiceAccount subjects: the namespace the webhook was installed into
      namespace: <WEBHOOK_NAMESPACE>
    
  4. Create a certificate issuer:

    apiVersion: cert-manager.io/v1alpha2
    kind: Issuer
    metadata:
      name: letsencrypt
    spec:
      acme:
        server: https://acme-v02.api.letsencrypt.org/directory
        email: '<YOUR_EMAIL_ADDRESS>'
        privateKeySecretRef:
          name: letsencrypt-account-key
        solvers:
        - dns01:
            webhook:
              groupName: '<YOUR_UNIQUE_GROUP_NAME>'
              solverName: sotoon
              config:
                endpoint: https://api.sotoon.ir
                namespace: <SOTOON_NAMESPACE_OF_YOURS>
                apiTokenSecretRef:
                  name: sotoon-credentials
                  key: apiToken
    
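As an added example that is not code from this repository, the following shows how a solver like this one could decode the `config:` block above (cert-manager hands it to the webhook as raw JSON in the challenge request) and pull the API token out of the referenced Secret, failing early when the config or Secret is incomplete. The type and function names are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// SecretRef mirrors the apiTokenSecretRef block of the Issuer's webhook config.
type SecretRef struct {
	Name string `json:"name"`
	Key  string `json:"key"`
}

// SotoonConfig is the shape of the `config:` block under the dns01 webhook solver.
// Type and field names are this example's own; the repository's real type is not on the page.
type SotoonConfig struct {
	Endpoint          string    `json:"endpoint"`
	Namespace         string    `json:"namespace"`
	APITokenSecretRef SecretRef `json:"apiTokenSecretRef"`
}

// loadConfig decodes the raw JSON cert-manager passes in the challenge request and
// rejects configs that leave the solver without a usable token source.
func loadConfig(raw []byte) (SotoonConfig, error) {
	var cfg SotoonConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return cfg, fmt.Errorf("decoding webhook config: %w", err)
	}
	switch {
	case cfg.Endpoint == "":
		return cfg, errors.New("endpoint is required")
	case cfg.Namespace == "":
		return cfg, errors.New("namespace is required")
	case cfg.APITokenSecretRef.Name == "" || cfg.APITokenSecretRef.Key == "":
		return cfg, errors.New("apiTokenSecretRef.name and apiTokenSecretRef.key are required")
	}
	return cfg, nil
}

// resolveToken picks the token out of the Secret's data. The real webhook fetches the
// Secret using the service account authorised by the Role above; secretData stands in for secret.Data.
func resolveToken(ref SecretRef, secretData map[string][]byte) (string, error) {
	v, ok := secretData[ref.Key]
	if !ok || len(v) == 0 {
		return "", fmt.Errorf("secret %q has no key %q", ref.Name, ref.Key)
	}
	return string(v), nil
}
```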

Certificate

Issue a certificate:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: example-com
spec:
  dnsNames:
  - example.com
  - '*.example.com'
  issuerRef:
    name: letsencrypt
  secretName: example-com-tls

Development

All DNS providers must pass the DNS01 provider conformance test suite; otherwise they will have undefined behaviour when used with cert-manager.

It is essential that you configure and run the test suite when creating a DNS01 webhook.

An example Go test file has been provided in main_test.go.

Before you can run the test suite, you need to download the test binaries:

./scripts/fetch-test-binaries.sh

Then duplicate the .sample files in testdata/sotoon/ and update the configuration with the appropriate SOTOON credentials.

Now you can run the test suite with:

TEST_ZONE_NAME=example.com. go test -v .