add secrets and cluster issuer into chart
This commit is contained in:
Hanfei Shen
parent
0fbc41c5b2
commit
0a4651e413
109
README.md
109
README.md
@ -9,110 +9,13 @@ This is a webhook solver for [DNSPod](https://www.dnspod.cn).
|
||||
|
||||
## Installation
|
||||
|
||||
Generate API ID and API Token from DNSPod (https://support.dnspod.cn/Kb/showarticle/tsid/227/).
|
||||
|
||||
```console
|
||||
$ helm install --name cert-manager-webhook-dnspod ./deploy/example-webhook
|
||||
```
|
||||
|
||||
## Issuer
|
||||
|
||||
1. Generate API ID and API Token from DNSPod (https://support.dnspod.cn/Kb/showarticle/tsid/227/)
|
||||
2. Create secret to store the API Token
|
||||
```console
|
||||
$ kubectl --namespace cert-manager create secret generic \
|
||||
dnspod-credentials --from-literal=api-token='<DNSPOD_API_TOKEN>'
|
||||
```
|
||||
|
||||
3. Grant permission for service-account to get the secret
|
||||
```yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: cert-manager-webhook-dnspod:secret-reader
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
resourceNames: ["dnspod-credentials"]
|
||||
verbs: ["get", "watch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: cert-manager-webhook-dnspod:secret-reader
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: cert-manager-webhook-dnspod:secret-reader
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: cert-manager-webhook-dnspod
|
||||
```
|
||||
|
||||
4. Create a staging issuer *Optional*
|
||||
```yaml
|
||||
apiVersion: certmanager.k8s.io/v1alpha1
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: letsencrypt-staging
|
||||
spec:
|
||||
acme:
|
||||
# The ACME server URL
|
||||
server: https://acme-staging-v02.api.letsencrypt.org/directory
|
||||
|
||||
# Email address used for ACME registration
|
||||
email: user@example.com # REPLACE THIS WITH YOUR EMAIL!!!
|
||||
|
||||
# Name of a secret used to store the ACME account private key
|
||||
privateKeySecretRef:
|
||||
name: letsencrypt-staging
|
||||
|
||||
solvers:
|
||||
- dns01:
|
||||
webhook:
|
||||
groupName: example.com # REPLACE THIS TO YOUR GROUP
|
||||
solverName: dnspod
|
||||
config:
|
||||
apiID: 12345 # REPLACE WITH API ID FROM DNSPOD!!!
|
||||
apiTokenSecretRef:
|
||||
key: api-token
|
||||
name: dnspod-credentials
|
||||
```
|
||||
|
||||
5. Create a production issuer
|
||||
```yaml
|
||||
apiVersion: certmanager.k8s.io/v1alpha1
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: letsencrypt-prod
|
||||
spec:
|
||||
acme:
|
||||
# The ACME server URL
|
||||
server: https://acme-v02.api.letsencrypt.org/directory
|
||||
|
||||
# Email address used for ACME registration
|
||||
email: user@example.com # REPLACE THIS WITH YOUR EMAIL!!!
|
||||
|
||||
# Name of a secret used to store the ACME account private key
|
||||
privateKeySecretRef:
|
||||
name: letsencrypt-prod
|
||||
|
||||
solvers:
|
||||
- dns01:
|
||||
webhook:
|
||||
groupName: example.com # REPLACE THIS TO YOUR GROUP
|
||||
solverName: dnspod
|
||||
config:
|
||||
apiID: 12345 # REPLACE WITH API ID FROM DNSPOD!!!
|
||||
apiTokenSecretRef:
|
||||
key: api-token
|
||||
name: dnspod-credentials
|
||||
```
|
||||
|
||||
## Certificate
|
||||
|
||||
1. Issue a certificate
|
||||
```yaml
|
||||
#TODO
|
||||
$ helm install --name cert-manager-webhook-dnspod ./deploy/example-webhook \
|
||||
--set groupName=<GROUP_NAME> \
|
||||
--set secrets.apiID=<DNSPOD_API_ID>,secrets.apiToken=<DNSPOD_API_TOKEN> \
|
||||
--set clusterIssuer.enabled=true,clusterIssuer.email=<EMAIL_ADDRESS>
|
||||
```
|
||||
|
||||
### Automatically creating Certificates for Ingress resources
|
||||
|
||||
@ -46,3 +46,7 @@ Create chart name and version as used by the chart label.
|
||||
{{- define "example-webhook.servingCertificate" -}}
|
||||
{{ printf "%s-webhook-tls" (include "example-webhook.fullname" .) }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "example-webhook.clusterIssuer" -}}
|
||||
{{ printf "%s-cluster-issuer" (include "example-webhook.fullname" .) }}
|
||||
{{- end -}}
|
||||
|
||||
@ -74,3 +74,37 @@ spec:
|
||||
- {{ include "example-webhook.fullname" . }}
|
||||
- {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}
|
||||
- {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
|
||||
{{- if .Values.clusterIssuer.enabled -}}
|
||||
---
|
||||
|
||||
apiVersion: certmanager.k8s.io/v1alpha1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: {{ include "example-webhook.clusterIssuer" . }}
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
app: {{ include "example-webhook.name" . }}
|
||||
chart: {{ include "example-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
acme:
|
||||
{{- if .Values.clusterIssuer.staging }}
|
||||
server: https://acme-staging-v02.api.letsencrypt.org/directory
|
||||
{{- else }}
|
||||
server: https://acme-v02.api.letsencrypt.org/directory
|
||||
{{- end }}
|
||||
email: {{ .Values.clusterIssuer.email }}
|
||||
privateKeySecretRef:
|
||||
name: {{ include "example-webhook.fullname" . }}-letsencrypt
|
||||
solvers:
|
||||
- dns01:
|
||||
webhook:
|
||||
groupName: {{ .Values.groupName }}
|
||||
solverName: dnspod
|
||||
config:
|
||||
apiID: {{ required ".Values.secrets.apiID is required" .Values.secrets.apiID }}
|
||||
apiTokenSecretRef:
|
||||
key: api-token
|
||||
name: {{ include "example-webhook.fullname" . }}-secret
|
||||
{{- end -}}
|
||||
|
||||
@ -88,3 +88,41 @@ subjects:
|
||||
kind: ServiceAccount
|
||||
name: {{ .Values.certManager.serviceAccountName }}
|
||||
namespace: {{ .Values.certManager.namespace }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ include "example-webhook.fullname" . }}:secret-reader
|
||||
labels:
|
||||
app: {{ include "example-webhook.name" . }}
|
||||
chart: {{ include "example-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
resourceNames:
|
||||
- {{ include "example-webhook.fullname" . }}-secret
|
||||
verbs:
|
||||
- get
|
||||
- watch
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "example-webhook.fullname" . }}:secret-reader
|
||||
labels:
|
||||
app: {{ include "example-webhook.name" . }}
|
||||
chart: {{ include "example-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ include "example-webhook.fullname" . }}:secret-reader
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: {{ include "example-webhook.fullname" . }}
|
||||
|
||||
12
deploy/example-webhook/templates/secret.yaml
Normal file
12
deploy/example-webhook/templates/secret.yaml
Normal file
@ -0,0 +1,12 @@
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "example-webhook.fullname" . }}-secret
|
||||
labels:
|
||||
app: {{ include "example-webhook.name" . }}
|
||||
chart: {{ include "example-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
type: Opaque
|
||||
data:
|
||||
api-token: {{ required ".Values.secrets.apiToken is required" .Values.secrets.apiToken | b64enc | quote }}
|
||||
@ -12,6 +12,15 @@ certManager:
|
||||
namespace: cert-manager
|
||||
serviceAccountName: cert-manager
|
||||
|
||||
#secrets:
|
||||
# apiID:
|
||||
# apiToken:
|
||||
|
||||
clusterIssuer:
|
||||
enabled: false
|
||||
staging: false
|
||||
#email:
|
||||
|
||||
image:
|
||||
repository: qqshfox/cert-manager-webhook-dnspod
|
||||
#tag: latest
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user