cert-manager webhook to use ACME DNS01 solver with desec.io

su541/cert-manager-desec-webhook


ACME webhook for desec.io DNS API

This solver completes ACME DNS01 challenges through the desec.io DNS API. The documentation of the API can be found here

Requirements

Installation

Using helm from local checkout

helm install desec-webhook -n cert-manager deploy

Using public helm chart

Uninstallation

Creating an issuer

Create a secret containing the credentials. The value under data must be the desec.io API token base64-encoded (kubectl create secret generic desec-io-secret --from-literal=token=... does the encoding for you, or use stringData to supply the plain token). base64 is an encoding, not encryption: anyone who can read Secrets in the cert-manager namespace can recover the token, so create a token used only by cert-manager, so that it can be revoked on its own, and restrict RBAC read access to Secrets in that namespace.

apiVersion: v1
kind: Secret
metadata:
  name: desec-io-secret
  namespace: cert-manager
type: Opaque
data:
  token: your-key-base64-encoded

Then create a 'ClusterIssuer' or 'Issuer' resource that references the secret. groupName must be the same group the webhook was deployed with, and solverName must be desec. Because this is a ClusterIssuer, the referenced secret must live in cert-manager's cluster resource namespace (cert-manager by default), which is why the secret above is created there; for a namespaced Issuer the secret goes in the Issuer's own namespace. The example uses the Let's Encrypt staging server, whose certificates are not trusted by browsers; once issuance works, switch server to https://acme-v02.api.letsencrypt.org/directory for real certificates.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: mail@example.com

    privateKeySecretRef:
      name: letsencrypt-staging

    solvers:
      - dns01:
          webhook:
            config:
              apiKeySecretRef:
                key: token
                name: desec-io-secret
            groupName: acme.example.com
            solverName: desec

Create a manual certificate

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-cert
  namespace: cert-manager
spec:
  commonName: example.com
  dnsNames:
    - example.com
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  secretName: example-cert

Using cert-manager with traefik ingress

The cert-manager.io/cluster-issuer annotation makes cert-manager request a certificate for the hosts listed under spec.tls and store it in the named secretName, so no separate Certificate resource is needed. The remaining annotations configure Traefik routing, not cert-manager. Note that the kubernetes.io/ingress.class annotation is deprecated on networking.k8s.io/v1 Ingress in favour of spec.ingressClassName.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bitwarden
  namespace: utils
  labels:
    app: bitwarden
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-staging
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/rewrite-target: /$1
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: 'true'
spec:
  tls:
    - hosts:
        - bitwarden.acme.example.com
      secretName: bitwarden-crt
  rules:
    - host: bitwarden.acme.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: bitwarden
                port:
                  number: 80

Creating your own repository

Running the test suite

All DNS providers must pass the DNS01 provider conformance testing suite; otherwise their behaviour when used with cert-manager is undefined.

Provide a secret.yaml in testdata/desec

apiVersion: v1
kind: Secret
metadata:
  name: desec-token
data:
  token: your-key-base64-encoded
type: Opaque

Set TEST_ZONE_NAME to a zone, written with a trailing dot, that the token in secret.yaml is authorised to modify.

$ TEST_ZONE_NAME=example.com. make test
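The two Secret manifests above and the test invocation, put together as an added example (this is not the project's own code): a POSIX shell script that base64-encodes the token on a single line, refuses an empty or whitespace-containing token, omits the namespace line for the testdata secret, and appends the trailing dot TEST_ZONE_NAME needs. The DESEC_TOKEN variable, the `apply` argument, the script name and the helper function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the cert-manager-desec-webhook project.
# Builds the Secret manifests from the README without hand-encoding the token,
# and runs the conformance suite with a fully-qualified TEST_ZONE_NAME.
set -eu

# Single-line base64: GNU base64 wraps at 76 columns, which would corrupt the YAML value.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# secret_manifest NAME TOKEN [NAMESPACE]
# Prints an Opaque Secret holding TOKEN under the key `token`, base64-encoded.
# The namespace line is omitted when NAMESPACE is empty (the testdata secret has none).
secret_manifest() {
  name=$1
  token=$2
  ns=${3:-}
  if [ -z "$token" ]; then
    echo "secret_manifest: refusing to encode an empty token" >&2
    return 1
  fi
  case $token in
    *[[:space:]]*)
      echo "secret_manifest: token contains whitespace, check the copy/paste" >&2
      return 1 ;;
  esac
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n' "$name"
  if [ -n "$ns" ]; then
    printf '  namespace: %s\n' "$ns"
  fi
  printf 'type: Opaque\ndata:\n  token: %s\n' "$(b64 "$token")"
}

# zone_fqdn ZONE: the conformance suite expects the zone with a trailing dot.
zone_fqdn() {
  case $1 in
    *.) printf '%s\n' "$1" ;;
    *)  printf '%s.\n' "$1" ;;
  esac
}

# Assumed entry point: `./desec-secrets.sh apply` applies the cluster secret,
# writes testdata/desec/secret.yaml and runs the suite. DESEC_TOKEN is assumed
# to hold a token created only for cert-manager, so it can be revoked on its own.
main() {
  token=${DESEC_TOKEN:?set DESEC_TOKEN to the desec.io API token}
  secret_manifest desec-io-secret "$token" cert-manager | kubectl apply -f -
  mkdir -p testdata/desec
  secret_manifest desec-token "$token" > testdata/desec/secret.yaml
  TEST_ZONE_NAME=$(zone_fqdn "${TEST_ZONE_NAME:-example.com}") make test
}

if [ "${1:-}" = "apply" ]; then
  main
fi
```

Run it as `DESEC_TOKEN=... TEST_ZONE_NAME=example.com ./desec-secrets.sh apply`. Keeping the token in an environment variable rather than on the command line keeps it out of shell history and process listings, and the generated testdata/desec/secret.yaml should stay untracked by git since it contains the live token.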
