cert-manager webhook for Namecheap
- This is a Frankenstein version of
- This is as good as any other implementation!
- I just had to find out that my local `dnsmasq` messed around. When the webhook is trying to find out the zone of the domain, it just got back some local info.
- The workaround (for me) is to use a public DNS for the cert-manager.
- Idea can be found at Techno Tim's Repo
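
One way to apply the public-DNS workaround above, as an added example that is not part of this repository: a values file for the upstream cert-manager Helm chart that points the controller's DNS-01 lookups at public resolvers. It assumes cert-manager was installed from the official chart (which exposes `extraArgs`) and that the zone lookup that went wrong runs in the cert-manager controller; the file name, release name and resolver addresses are assumptions.

```yaml
# cert-manager-values.yaml (hypothetical file name; added example, not from this repo)
#
# Apply to an existing install, for example:
#   helm upgrade cert-manager jetstack/cert-manager -n cert-manager \
#     --reuse-values -f cert-manager-values.yaml
# The release name "cert-manager" and repo alias "jetstack" are assumptions
# about how cert-manager was installed.

extraArgs:
  # Resolvers the controller uses for DNS-01 lookups (finding the zone via SOA
  # and checking that the TXT record has propagated). A local forwarder such as
  # dnsmasq that answers for your domain would otherwise return local data here.
  # 1.1.1.1 and 8.8.8.8 are sample public resolvers; substitute your own.
  - --dns01-recursive-nameservers=1.1.1.1:53,8.8.8.8:53
  # Only query the resolvers listed above for the DNS-01 self check, instead of
  # contacting the authoritative nameservers directly.
  - --dns01-recursive-nameservers-only

# The cluster's egress rules must allow the cert-manager pod to reach the
# chosen resolvers on port 53 (UDP and TCP).
```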
Instructions for use with Let's Encrypt
Thanks to Addison van den Hoeven, from https://github.com/jetstack/cert-manager/issues/646
Use helm to deploy this into your cert-manager namespace:

```bash
# Make sure you're in the right context:
# kubectl config use-context mycontext
# cert-manager is by default in the cert-manager namespace
helm install -n cert-manager namecheap-webhook deploy/cert-manager-webhook-namecheap/
```

Create the cluster issuers:

```bash
helm install --set email=yourname@example.com -n cert-manager letsencrypt-namecheap-issuer deploy/letsencrypt-namecheap-issuer/
```

Get your local public IP:

```bash
curl https://ifconfig.co/ip
```

Go to Namecheap and set up your API key (note that you'll need to whitelist the public IP of the k8s cluster to use the webhook), and set the secret:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: namecheap-credentials
  namespace: cert-manager
type: Opaque
stringData:
  apiKey: my_api_key_from_namecheap
  apiUser: my_username_from_namecheap
  #clientIP: 1.2.3.4 # optional, if your setup can't detect the public IP
```

Now you can create a certificate in staging for testing:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-cert-stage
  namespace: default
spec:
  secretName: wildcard-cert-stage
  commonName: "*.<domain>"
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-stage
  dnsNames:
  - "*.<domain>"
```

And now validate that it worked:

```bash
kubectl get certificates -n default
kubectl describe certificate wildcard-cert-stage
```

And finally, create your production cert, and it'll be ready to use in the `wildcard-cert-prod` secret.

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-cert-prod
  namespace: default
spec:
  secretName: wildcard-cert-prod
  commonName: "*.<domain>"
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod
  dnsNames:
  - "*.<domain>"
```

TODO: add simple nginx example to test that it works
Running the test suite
Steps

- Create `testdata/namecheap/apikey.yaml` and `testdata/namecheap/config.json` using your credentials.
- Run `TEST_ZONE_NAME=example.com. make test`. Note that the domain here should be updated to your own domain name. Also note that this is a full domain name with a `.` at the end.
- You should see all tests passing.
- In case the tests fail: set `useSandbox` to false