# DNSPod Webhook for Cert Manager

This is a cert-manager DNS01 webhook solver for DNSPod.
## Prerequisites

- cert-manager: tested with 0.8.0

## Installation

```shell
$ helm install --name cert-manager-webhook-dnspod ./deploy/example-webhook
```
## Issuer

- Generate an API ID and API Token from DNSPod (https://support.dnspod.cn/Kb/showarticle/tsid/227/)
- Create a secret to store the API Token (only the token goes into the secret; the API ID is plain configuration and is set on the Issuer below)

```shell
$ kubectl --namespace cert-manager create secret generic \
    dnspod-credentials --from-literal=api-token='<DNSPOD_API_TOKEN>'
```
- Grant the webhook's service account permission to read that one secret (the Role is namespaced, so it must live in the same namespace as the secret)

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-webhook-dnspod:secret-reader
  namespace: cert-manager # the namespace the secret was created in above
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["dnspod-credentials"] # scoped to this single secret
    verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-webhook-dnspod:secret-reader
  namespace: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-webhook-dnspod:secret-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-webhook-dnspod
    namespace: cert-manager # assumes the webhook was installed into cert-manager
```
- Create a staging issuer (optional)

```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: user@example.com # REPLACE THIS WITH YOUR EMAIL!!!
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - dns01:
          webhook:
            groupName: example.com # REPLACE THIS WITH YOUR GROUP
            solverName: dnspod
            config:
              apiID: 12345 # REPLACE WITH API ID FROM DNSPOD!!!
              apiTokenSecretRef:
                key: api-token
                name: dnspod-credentials
```
- Create a production issuer

```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: user@example.com # REPLACE THIS WITH YOUR EMAIL!!!
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - dns01:
          webhook:
            groupName: example.com # REPLACE THIS WITH YOUR GROUP
            solverName: dnspod
            config:
              apiID: 12345 # REPLACE WITH API ID FROM DNSPOD!!!
              apiTokenSecretRef:
                key: api-token
                name: dnspod-credentials
```
## Certificate

- Issue a certificate

#TODO

## Automatically creating Certificates for Ingress resources

See this.

## Development
All DNS providers must run the DNS01 provider conformance testing suite, else they will have undetermined behaviour when used with cert-manager.
It is essential that you configure and run the test suite when creating a DNS01 webhook.
An example Go test file has been provided in main_test.go.
Before you can run the test suite, you need to download the test binaries:

```shell
$ mkdir __main__
# darwin-amd64 archive; on Linux use the linux-amd64 tarball from the same location
$ wget -O- https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-1.14.1-darwin-amd64.tar.gz | tar xzf -
$ mv kubebuilder __main__/hack
```

Then modify `testdata/my-custom-solver/config.json` so it holds the same solver config as the Issuer's `config` block (the DNSPod API ID and the secret reference for the token).

Now you can run the test suite with:

```shell
$ TEST_ZONE_NAME=example.com go test .
```
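The `config` block of the Issuer above is what the webhook receives on every challenge, and the same JSON is what `testdata/my-custom-solver/config.json` carries into the conformance suite. As an added example (not the project's own code; the type names and the strict-decoding rule are this example's assumptions), here is a loader that decodes that block and refuses a config that tries to carry the token inline instead of via `apiTokenSecretRef`:

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// SecretKeySelector mirrors the {name, key} pair used by apiTokenSecretRef
// (type names are this example's own, not the project's).
type SecretKeySelector struct {
	Name string `json:"name"`
	Key  string `json:"key"`
}

// DNSPodConfig is the Issuer's webhook `config` block as the solver receives it
// (cert-manager hands it over as raw JSON). No apiToken field on purpose: the token only comes from the Secret.
type DNSPodConfig struct {
	APIID             int               `json:"apiID"`
	APITokenSecretRef SecretKeySelector `json:"apiTokenSecretRef"`
}

// ExampleConfig is a constructed sample matching the Issuer above (same shape as testdata config.json).
const ExampleConfig = `{"apiID": 12345, "apiTokenSecretRef": {"key": "api-token", "name": "dnspod-credentials"}}`

// LoadDNSPodConfig decodes and validates the solver config. Unknown fields are rejected,
// so a token pasted inline into the Issuer fails loudly instead of being silently ignored.
func LoadDNSPodConfig(raw []byte) (*DNSPodConfig, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	var cfg DNSPodConfig
	if err := dec.Decode(&cfg); err != nil {
		return nil, fmt.Errorf("dnspod: invalid webhook config: %w", err)
	}
	if cfg.APIID <= 0 {
		return nil, errors.New("dnspod: apiID must be a positive integer")
	}
	if cfg.APITokenSecretRef.Name == "" || cfg.APITokenSecretRef.Key == "" {
		return nil, errors.New("dnspod: apiTokenSecretRef.name and .key are required")
	}
	return &cfg, nil
}

func main() {
	cfg, err := LoadDNSPodConfig([]byte(ExampleConfig))
	fmt.Printf("%+v %v\n", cfg, err)
}
```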