This solver can be used with the desec.io DNS API. The documentation of the API can be found here
- go >= 1.22.0
- helm >= v3.0.0
- kubernetes >= 1.25.0
- cert-manager >= 1.15.1
Install the webhook into the cert-manager namespace from the chart in the deploy directory:

```shell
helm install desec-webhook -n cert-manager deploy
```
Create a secret containing the credentials. The value of token is your deSEC API token, base64-encoded without a trailing newline. For a ClusterIssuer the secret must live in the cert-manager namespace (the cluster resource namespace); for a namespaced Issuer it lives in the Issuer's namespace.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: desec-io-secret
  namespace: cert-manager
type: Opaque
data:
  token: your-key-base64-encoded
```
Create a ClusterIssuer or Issuer resource like the following. The groupName must match the groupName the webhook was deployed with, and solverName must be desec; apiKeySecretRef points at the secret created above.

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: mail@example.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - dns01:
          webhook:
            config:
              apiKeySecretRef:
                key: token
                name: desec-io-secret
            groupName: acme.example.com
            solverName: desec
```
Request a certificate from the issuer:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-cert
  namespace: cert-manager
spec:
  commonName: example.com
  dnsNames:
    - example.com
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  secretName: example-cert
```
Alternatively, annotate an Ingress with the issuer; cert-manager then creates the Certificate for you and stores it in the secret named under tls:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bitwarden
  namespace: utils
  labels:
    app: bitwarden
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-staging
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/rewrite-target: /$1
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: 'true'
spec:
  tls:
    - hosts:
        - bitwarden.acme.example.com
      secretName: bitwarden-crt
  rules:
    - host: bitwarden.acme.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: bitwarden
                port:
                  number: 80
```
All DNS providers must run the DNS01 provider conformance testing suite, else they will have undetermined behaviour when used with cert-manager.
Provide a secret.yaml in testdata/desec:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: desec-token
data:
  token: your-key-base64-encoded
type: Opaque
```
Set TEST_ZONE_NAME to a zone (with the trailing dot) that your token is authorized to manage, then run the tests. The conformance suite creates and removes TXT records in that zone through the live deSEC API.

```shell
$ TEST_ZONE_NAME=example.com. make test
```
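The following script is an added example and is not part of the desec webhook project. It renders both Secret manifests used on this page (desec-io-secret for the ClusterIssuer and desec-token for the conformance tests) from a raw deSEC token, and checks the two mistakes that most often break the DNS01 flow: a token that was base64-encoded with a trailing newline, and a TEST_ZONE_NAME without its trailing dot. DESEC_TOKEN and TESTDATA are environment variables assumed by this script only.

```shell
#!/bin/sh
# Added example for this README; not part of the desec webhook project.
# Renders the Secret manifests from a raw deSEC token and checks for the
# trailing-newline and missing-trailing-dot mistakes.

# Base64-encode a token without a trailing newline.
# `echo "$token" | base64` would encode the newline that echo appends, and the
# webhook would then send a corrupted Authorization header to desec.io.
b64_token() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Render a Secret manifest: $1 = name, $2 = namespace ("" to omit), $3 = raw token.
# Key name and type match the manifests in this README.
render_secret() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n' "$1"
  if [ -n "$2" ]; then
    printf '  namespace: %s\n' "$2"
  fi
  printf 'type: Opaque\ndata:\n  token: %s\n' "$(b64_token "$3")"
}

# Succeeds when the decoded secret data read from stdin ends with 0x0a.
# To check an existing secret:
#   kubectl get secret desec-io-secret -n cert-manager -o jsonpath='{.data.token}' \
#     | base64 -d | token_has_trailing_newline && echo "token has a trailing newline"
token_has_trailing_newline() {
  [ "$(tail -c 1 | od -An -tx1 | tr -d ' ')" = "0a" ]
}

# The conformance suite needs a fully qualified zone, i.e. with a trailing dot.
check_zone() {
  case $1 in
    *.) return 0 ;;
    *)  echo "TEST_ZONE_NAME must end with a dot, e.g. example.com." >&2; return 1 ;;
  esac
}

# Usage (DESEC_TOKEN, TESTDATA and TEST_ZONE_NAME are assumed environment variables):
#   DESEC_TOKEN=... sh secrets.sh > desec-io-secret.yaml
#   DESEC_TOKEN=... TESTDATA=1 sh secrets.sh > testdata/desec/secret.yaml
if [ -n "${DESEC_TOKEN-}" ]; then
  if [ -n "${TESTDATA-}" ]; then
    render_secret desec-token "" "$DESEC_TOKEN"
  else
    render_secret desec-io-secret cert-manager "$DESEC_TOKEN"
  fi
  if [ -n "${TEST_ZONE_NAME-}" ]; then
    check_zone "$TEST_ZONE_NAME"
  fi
fi
```

Apply the rendered manifest with kubectl apply -f; if the webhook reports authentication failures against desec.io after a secret was edited by hand, pipe the decoded token through token_has_trailing_newline before suspecting the token itself.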