diff --git a/README.md b/README.md
index e8440f3..42eac62 100644
--- a/README.md
+++ b/README.md
@@ -9,110 +9,13 @@ This is a webhook solver for [DNSPod](https://www.dnspod.cn). ## Installation +Generate API ID and API Token from DNSPod (https://support.dnspod.cn/Kb/showarticle/tsid/227/). + ```console -$ helm install --name cert-manager-webhook-dnspod ./deploy/example-webhook -``` - -## Issuer - -1. Generate API ID and API Token from DNSPod (https://support.dnspod.cn/Kb/showarticle/tsid/227/) -2. Create secret to store the API Token -```console -$ kubectl --namespace cert-manager create secret generic \ - dnspod-credentials --from-literal=api-token='' -``` - -3. Grant permission for service-account to get the secret -```yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: cert-manager-webhook-dnspod:secret-reader -rules: -- apiGroups: [""] - resources: ["secrets"] - resourceNames: ["dnspod-credentials"] - verbs: ["get", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - name: cert-manager-webhook-dnspod:secret-reader -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cert-manager-webhook-dnspod:secret-reader -subjects: - - apiGroup: "" - kind: ServiceAccount - name: cert-manager-webhook-dnspod -``` - -4. Create a staging issuer *Optional* -```yaml -apiVersion: certmanager.k8s.io/v1alpha1 -kind: Issuer -metadata: - name: letsencrypt-staging -spec: - acme: - # The ACME server URL - server: https://acme-staging-v02.api.letsencrypt.org/directory - - # Email address used for ACME registration - email: user@example.com # REPLACE THIS WITH YOUR EMAIL!!! - - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: letsencrypt-staging - - solvers: - - dns01: - webhook: - groupName: example.com # REPLACE THIS TO YOUR GROUP - solverName: dnspod - config: - apiID: 12345 # REPLACE WITH API ID FROM DNSPOD!!! - apiTokenSecretRef: - key: api-token - name: dnspod-credentials -``` - -5. 
Create a production issuer -```yaml -apiVersion: certmanager.k8s.io/v1alpha1 -kind: Issuer -metadata: - name: letsencrypt-prod -spec: - acme: - # The ACME server URL - server: https://acme-v02.api.letsencrypt.org/directory - - # Email address used for ACME registration - email: user@example.com # REPLACE THIS WITH YOUR EMAIL!!! - - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: letsencrypt-prod - - solvers: - - dns01: - webhook: - groupName: example.com # REPLACE THIS TO YOUR GROUP - solverName: dnspod - config: - apiID: 12345 # REPLACE WITH API ID FROM DNSPOD!!! - apiTokenSecretRef: - key: api-token - name: dnspod-credentials -``` - -## Certificate - -1. Issue a certificate -```yaml -#TODO +$ helm install --name cert-manager-webhook-dnspod ./deploy/example-webhook \ + --set groupName= \ + --set secrets.apiID=,secrets.apiToken= \ + --set clusterIssuer.enabled=true,clusterIssuer.email= ``` ### Automatically creating Certificates for Ingress resources diff --git a/deploy/example-webhook/templates/_helpers.tpl b/deploy/example-webhook/templates/_helpers.tpl index d3c474b..def739c 100644 --- a/deploy/example-webhook/templates/_helpers.tpl +++ b/deploy/example-webhook/templates/_helpers.tpl @@ -46,3 +46,7 @@ Create chart name and version as used by the chart label. {{- define "example-webhook.servingCertificate" -}} {{ printf "%s-webhook-tls" (include "example-webhook.fullname" .) }} {{- end -}} + +{{- define "example-webhook.clusterIssuer" -}} +{{ printf "%s-cluster-issuer" (include "example-webhook.fullname" .) }} +{{- end -}} diff --git a/deploy/example-webhook/templates/pki.yaml b/deploy/example-webhook/templates/pki.yaml index 89b6a23..b9acda2 100644 --- a/deploy/example-webhook/templates/pki.yaml +++ b/deploy/example-webhook/templates/pki.yaml 
@@ -74,3 +74,37 @@ spec:
 - {{ include "example-webhook.fullname" . }}
 - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}
 - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
+{{- if .Values.clusterIssuer.enabled -}}
+---
+
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+ name: {{ include "example-webhook.clusterIssuer" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ app: {{ include "example-webhook.name" . }}
+ chart: {{ include "example-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ acme:
+{{- if .Values.clusterIssuer.staging }}
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+{{- else }}
+ server: https://acme-v02.api.letsencrypt.org/directory
+{{- end }}
+ email: {{ .Values.clusterIssuer.email }}
+ privateKeySecretRef:
+ name: {{ include "example-webhook.fullname" . }}-letsencrypt
+ solvers:
+ - dns01:
+ webhook:
+ groupName: {{ .Values.groupName }}
+ solverName: dnspod
+ config:
+ apiID: {{ required ".Values.secrets.apiID is required" .Values.secrets.apiID }}
+ apiTokenSecretRef:
+ key: api-token
+ name: {{ include "example-webhook.fullname" . }}-secret
+{{- end -}}
diff --git a/deploy/example-webhook/templates/rbac.yaml b/deploy/example-webhook/templates/rbac.yaml
index efec523..37de100 100644
--- a/deploy/example-webhook/templates/rbac.yaml
+++ b/deploy/example-webhook/templates/rbac.yaml
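Review bot: `{{- if .Values.clusterIssuer.enabled -}}` trims whitespace on both sides, so when the issuer is enabled the newline before the action and the one after it are both removed and the `---` separator is glued onto the preceding `.svc` dnsNames entry, rendering the ClusterIssuer inside the Certificate document instead of as a separate one; dropping the right-hand dash, `{{- if .Values.clusterIssuer.enabled }}`, keeps the separator on its own line. `ClusterIssuer` is cluster-scoped, so the `namespace: {{ .Release.Namespace | quote }}` line is at best stripped by the API server and should be removed rather than left to suggest the issuer is namespaced. `email` is rendered unguarded while `apiID` uses `required`; `email: {{ required ".Values.clusterIssuer.email is required" .Values.clusterIssuer.email | quote }}` fails the install early instead of producing an issuer with an empty ACME contact. Note also that for a ClusterIssuer cert-manager presumably hands the webhook its cluster-resource namespace (`certManager.namespace` in values.yaml) rather than the release namespace, so the `-secret` and the Role created alongside it would only be found when the chart is installed into that namespace — worth confirming and stating in a comment above the `{{- if` line.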
@@ -88,3 +88,41 @@ subjects:
 kind: ServiceAccount
 name: {{ .Values.certManager.serviceAccountName }}
 namespace: {{ .Values.certManager.namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "example-webhook.fullname" . }}:secret-reader
+ labels:
+ app: {{ include "example-webhook.name" . }}
+ chart: {{ include "example-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ resourceNames:
+ - {{ include "example-webhook.fullname" . }}-secret
+ verbs:
+ - get
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: {{ include "example-webhook.fullname" . }}:secret-reader
+ labels:
+ app: {{ include "example-webhook.name" . }}
+ chart: {{ include "example-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "example-webhook.fullname" . }}:secret-reader
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: {{ include "example-webhook.fullname" . }}
diff --git a/deploy/example-webhook/templates/secret.yaml b/deploy/example-webhook/templates/secret.yaml
new file mode 100644
index 0000000..589c5c4
--- /dev/null
+++ b/deploy/example-webhook/templates/secret.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "example-webhook.fullname" . }}-secret
+ labels:
+ app: {{ include "example-webhook.name" . }}
+ chart: {{ include "example-webhook.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+type: Opaque
+data:
+ api-token: {{ required ".Values.secrets.apiToken is required" .Values.secrets.apiToken | b64enc | quote }}
diff --git a/deploy/example-webhook/values.yaml b/deploy/example-webhook/values.yaml
index 2a0042b..3bf78b0 100644
--- a/deploy/example-webhook/values.yaml
+++ b/deploy/example-webhook/values.yaml
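Review bot: The `RoleBinding` is declared as `rbac.authorization.k8s.io/v1beta1` while the `Role` a few lines above it uses `v1`; the beta RBAC API was removed in Kubernetes 1.22, so `apiVersion: rbac.authorization.k8s.io/v1` should be used for both objects. The `verbs` list grants `watch` as well as `get` on the named secret; a `watch` restricted by `resourceNames` is only honoured when the client passes a matching name field selector, and if the webhook simply reads the token per challenge a plain `get` is the least privilege needed — confirm against the webhook's client code, which is not in this diff. Neither object sets `metadata.namespace`, so they land in the release namespace, and the subject ServiceAccount has no namespace either and so defaults to the binding's; that matches where secret.yaml creates the Secret but deserves a comment above the `Role`, e.g. `# Lets the webhook ServiceAccount read only the DNSPod token Secret in the release namespace`.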
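Review bot: The token is rendered straight from `.Values.secrets.apiToken`, which the README's install command passes with `--set` on the command line; that leaves the DNSPod credential in shell history and in the values Helm persists with the release record, on top of the Secret itself. A comment at the top of the file should say so and point at a values file or `--set-file`, and an `existingSecret` escape hatch — wrapping the manifest in `{{- if not .Values.secrets.existingSecret }}` … `{{- end }}` and having pki.yaml and rbac.yaml reference that name instead of `-secret` — lets operators create the Secret out of band. Since the Secret name is derived from the release fullname, the `resourceNames` entry in rbac.yaml and the `apiTokenSecretRef` in pki.yaml must stay in lockstep with it; a shared helper like the `example-webhook.clusterIssuer` define added in _helpers.tpl would remove that duplication.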
@@ -12,6 +12,15 @@ certManager: namespace: cert-manager serviceAccountName: cert-manager +#secrets: +# apiID: +# apiToken: + +clusterIssuer: + enabled: false + staging: false + #email: + image: repository: qqshfox/cert-manager-webhook-dnspod #tag: latest
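Review bot: The new keys are undocumented: nothing says `secrets.apiID` and `secrets.apiToken` are mandatory (pki.yaml and secret.yaml abort the render with `required` when they are missing), that `apiToken` is written into a Kubernetes Secret, or that `staging: false` points a fresh install at the production Let's Encrypt endpoint, whose rate limits are easy to hit while debugging a DNS solver. Suggest comments such as `# apiToken: DNSPod API token, required; supply via a values file rather than --set` and `# staging: false — set true to validate against the Let's Encrypt staging CA first`, and likewise `# email: ACME account contact used when clusterIssuer.enabled is true`.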