limil/cert-manager-webhook-dnspod
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add secrets and cluster issuer into chart

Browse Source
This commit is contained in:
Hanfei Shen 2019-12-29 23:57:09 +08:00
parent 0fbc41c5b2
commit 0a4651e413
6 changed files with 103 additions and 103 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

109
README.md
View File

@ -9,110 +9,13 @@ This is a webhook solver for [DNSPod](https://www.dnspod.cn).
## Installation ## Installation
Generate API ID and API Token from DNSPod (https://support.dnspod.cn/Kb/showarticle/tsid/227/).
```console ```console
$ helm install --name cert-manager-webhook-dnspod ./deploy/example-webhook $ helm install --name cert-manager-webhook-dnspod ./deploy/example-webhook \
``` --set groupName=<GROUP_NAME> \
--set secrets.apiID=<DNSPOD_API_ID>,secrets.apiToken=<DNSPOD_API_TOKEN> \
## Issuer --set clusterIssuer.enabled=true,clusterIssuer.email=<EMAIL_ADDRESS>
1. Generate API ID and API Token from DNSPod (https://support.dnspod.cn/Kb/showarticle/tsid/227/)
2. Create secret to store the API Token
```console
$ kubectl --namespace cert-manager create secret generic \
dnspod-credentials --from-literal=api-token='<DNSPOD_API_TOKEN>'
```
3. Grant permission for service-account to get the secret
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-manager-webhook-dnspod:secret-reader
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["dnspod-credentials"]
verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: cert-manager-webhook-dnspod:secret-reader
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager-webhook-dnspod:secret-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager-webhook-dnspod
```
4. Create a staging issuer *Optional*
```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: letsencrypt-staging
spec:
acme:
# The ACME server URL
server: https://acme-staging-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: user@example.com # REPLACE THIS WITH YOUR EMAIL!!!
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- dns01:
webhook:
groupName: example.com # REPLACE THIS TO YOUR GROUP
solverName: dnspod
config:
apiID: 12345 # REPLACE WITH API ID FROM DNSPOD!!!
apiTokenSecretRef:
key: api-token
name: dnspod-credentials
```
5. Create a production issuer
```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
name: letsencrypt-prod
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: user@example.com # REPLACE THIS WITH YOUR EMAIL!!!
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- dns01:
webhook:
groupName: example.com # REPLACE THIS TO YOUR GROUP
solverName: dnspod
config:
apiID: 12345 # REPLACE WITH API ID FROM DNSPOD!!!
apiTokenSecretRef:
key: api-token
name: dnspod-credentials
```
## Certificate
1. Issue a certificate
```yaml
#TODO
``` ```
### Automatically creating Certificates for Ingress resources ### Automatically creating Certificates for Ingress resources

4
deploy/example-webhook/templates/_helpers.tpl
View File

@ -46,3 +46,7 @@ Create chart name and version as used by the chart label.
{{- define "example-webhook.servingCertificate" -}} {{- define "example-webhook.servingCertificate" -}}
{{ printf "%s-webhook-tls" (include "example-webhook.fullname" .) }} {{ printf "%s-webhook-tls" (include "example-webhook.fullname" .) }}
{{- end -}} {{- end -}}
{{- define "example-webhook.clusterIssuer" -}}
{{ printf "%s-cluster-issuer" (include "example-webhook.fullname" .) }}
{{- end -}}

34
deploy/example-webhook/templates/pki.yaml
View File

@ -74,3 +74,37 @@ spec:
- {{ include "example-webhook.fullname" . }} - {{ include "example-webhook.fullname" . }}
- {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }} - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}
- {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}.svc - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
{{- if .Values.clusterIssuer.enabled -}}
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
name: {{ include "example-webhook.clusterIssuer" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "example-webhook.name" . }}
chart: {{ include "example-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
acme:
{{- if .Values.clusterIssuer.staging }}
server: https://acme-staging-v02.api.letsencrypt.org/directory
{{- else }}
server: https://acme-v02.api.letsencrypt.org/directory
{{- end }}
email: {{ .Values.clusterIssuer.email }}
privateKeySecretRef:
name: {{ include "example-webhook.fullname" . }}-letsencrypt
solvers:
- dns01:
webhook:
groupName: {{ .Values.groupName }}
solverName: dnspod
config:
apiID: {{ required ".Values.secrets.apiID is required" .Values.secrets.apiID }}
apiTokenSecretRef:
key: api-token
name: {{ include "example-webhook.fullname" . }}-secret
{{- end -}}

38
deploy/example-webhook/templates/rbac.yaml
View File

@ -88,3 +88,41 @@ subjects:
kind: ServiceAccount kind: ServiceAccount
name: {{ .Values.certManager.serviceAccountName }} name: {{ .Values.certManager.serviceAccountName }}
namespace: {{ .Values.certManager.namespace }} namespace: {{ .Values.certManager.namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "example-webhook.fullname" . }}:secret-reader
labels:
app: {{ include "example-webhook.name" . }}
chart: {{ include "example-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- {{ include "example-webhook.fullname" . }}-secret
verbs:
- get
- watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: {{ include "example-webhook.fullname" . }}:secret-reader
labels:
app: {{ include "example-webhook.name" . }}
chart: {{ include "example-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "example-webhook.fullname" . }}:secret-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "example-webhook.fullname" . }}

12
deploy/example-webhook/templates/secret.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ include "example-webhook.fullname" . }}-secret
labels:
app: {{ include "example-webhook.name" . }}
chart: {{ include "example-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
type: Opaque
data:
api-token: {{ required ".Values.secrets.apiToken is required" .Values.secrets.apiToken | b64enc | quote }}

9
deploy/example-webhook/values.yaml
View File

@ -12,6 +12,15 @@ certManager:
namespace: cert-manager namespace: cert-manager
serviceAccountName: cert-manager serviceAccountName: cert-manager
#secrets:
# apiID:
# apiToken:
clusterIssuer:
enabled: false
staging: false
#email:
image: image:
repository: qqshfox/cert-manager-webhook-dnspod repository: qqshfox/cert-manager-webhook-dnspod
#tag: latest #tag: latest