mirror of
https://github.com/cert-manager/webhook-example.git
synced 2026-03-17 02:12:51 +01:00
A cert-manager sample repository for creating an ACME DNS01 solver webhook
| .github/workflows | ||
| deploy/cert-manager-desec-webhook | ||
| solver | ||
| testdata/desec | ||
| .gitignore | ||
| Dockerfile | ||
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| main.go | ||
| main_test.go | ||
| README.md | ||
| renovate.json | ||
Cert Manager DeSEC Webhook
Independently maintained ACME webhook for the desec.io DNS API. API docs: https://desec.readthedocs.io/en/latest/
Requirements
- go >= 1.26.0
- helm >= v3.0.0
- kubernetes >= 1.25.0
- cert-manager >= 1.19.0
Supported architectures
- linux/amd64
- linux/arm64
Installation
Using helm from local checkout
helm install \
-n cert-manager \
desec-webhook \
deploy/cert-manager-desec-webhook
Using public helm chart
helm install \
-n cert-manager \
--version <release without leading "v"> \
desec-webhook \
oci://ghcr.io/pr0ton11/helm/cert-manager-desec-webhook
Creating an issuer
Create a secret containing the credentials
apiVersion: v1
kind: Secret
metadata:
name: desec-io-token
namespace: cert-manager
type: Opaque
data:
token: your-key-base64-encoded
We can also then provide a standardised 'testing framework', or set of conformance tests, which allow us to validate that a DNS provider works as expected. Create a 'ClusterIssuer' or 'Issuer' resource as the following:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: mail@example.com
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- dns01:
webhook:
config:
apiKeySecretRef:
key: token
name: desec-io-token
groupName: acme.pr0ton11.github.com
solverName: desec
Create a manual certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: example-cert
namespace: cert-manager
spec:
commonName: example.com
dnsNames:
- example.com
issuerRef:
name: letsencrypt-staging
kind: ClusterIssuer
secretName: example-cert
Using cert-manager with traefik ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: bitwarden
namespace: utils
labels:
app: bitwarden
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/rewrite-target: /$1
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: 'true'
spec:
tls:
- hosts:
- bitwarden.acme.example.com
secretName: bitwarden-crt
rules:
- host: bitwarden.acme.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: bitwarden
port:
number: 80
Running the test suite
All DNS providers must run the DNS01 provider conformance testing suite, else they will have undetermined behaviour when used with cert-manager.
Provide a secret.yaml in testdata/desec
apiVersion: v1
kind: Secret
metadata:
name: desec-token
data:
token: your-key-base64-encoded
type: Opaque
Define a TEST_ZONE_NAME matching to your authentication credentials.
$ TEST_ZONE_NAME=example.com. make test