{"id":22772691,"url":"https://github.com/akyriako/cert-manager-webhook-opentelekomcloud","last_synced_at":"2025-04-14T21:48:51.387Z","repository":{"id":230562537,"uuid":"779199298","full_name":"akyriako/cert-manager-webhook-opentelekomcloud","owner":"akyriako","description":"ACME DNS01 solver webhook for Open Telekom Cloud DNS","archived":false,"fork":false,"pushed_at":"2024-04-22T05:33:33.000Z","size":289,"stargazers_count":2,"open_issues_count":2,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-04-22T06:36:22.919Z","etag":null,"topics":["acme","cert-manager","cert-manager-webhook","cert-manager-webhook-opentelekomcloud","dns","golang","kubernetes","lets-encrypt","letsencrypt","opentelekomcloud","t-systems","webhook"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"cert-manager/webhook-example","license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/akyriako.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2024-03-29T09:11:07.000Z","updated_at":"2024-04-30T07:22:04.847Z","dependencies_parsed_at":"2024-04-23T12:19:06.071Z","dependency_job_id":null,"html_url":"https://github.com/akyriako/cert-manager-webhook-opentelekomcloud","commit_stats":null,"previous_names":["akyriako/cert-manager-webhook-opentelekomcloud"],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/akyriako%2Fcert-manager-webhook-opentelekomcloud","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/akyriako%2Fcert-manager-webhook-opentelekomcloud/tags","releases_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/akyriako%2Fcert-manager-webhook-opentelekomcloud/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/akyriako%2Fcert-manager-webhook-opentelekomcloud/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/akyriako","download_url":"https://codeload.github.com/akyriako/cert-manager-webhook-opentelekomcloud/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248968001,"owners_count":21191060,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["acme","cert-manager","cert-manager-webhook","cert-manager-webhook-opentelekomcloud","dns","golang","kubernetes","lets-encrypt","letsencrypt","opentelekomcloud","t-systems","webhook"],"created_at":"2024-12-11T17:09:22.090Z","updated_at":"2025-04-14T21:48:51.348Z","avatar_url":"https://github.com/akyriako.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ACME webhook for Open Telekom Cloud DNS\n\n[Cert-manager](https://cert-manager.io/) DNS providers are integrations with various DNS (Domain Name System) service \nproviders that allow cert-manager, a Kubernetes add-on, to automate the management of SSL/TLS certificates. 
\nDNS providers enable cert-manager to automatically perform challenges to prove domain ownership and obtain certificates \nfrom certificate authorities like [Let's Encrypt](https://letsencrypt.org/).\n\nBy configuring cert-manager with the compatible Open Telekom Cloud DNS provider, using this webhook, you can set up \nautomatic certificate issuance and renewal for your Open Telekom Cloud CCE workloads without manual intervention. \nThis automation is crucial for securing web applications and services deployed on CCE clusters.\n\n## Installation\n\nThis webhook is installed exclusively via [Helm](https://helm.sh/). \n\n\u003e [!NOTE]\n\u003e If you don't have a Kubernetes cluster in place, this project\n\u003e comes with \"batteries included\"; a [Dev Container](https://containers.dev) (a `.devcontainer.json` specifications file that can be \n\u003e found in the repo and will be discussed in a later chapter) will instruct any IDE that supports Dev Containers to set up \n\u003e an isolated containerized Kubernetes environment for you along with all necessary tooling (cert-manager, Helm, etc.)\n\n### Configuration \n\nConfigure the Chart by setting the following parameters:\n\n- `groupName`: sets environment variable `GROUP_NAME`, defaults to `acme.opentelekomcloud.com`\n- `debug`: sets environment variable `OS_DEBUG`, defaults to `false`. When `true`, raises `klog` verbosity to `4`. 
It must be **boolean**\n- `credentialsSecretRef`: a reference to the Kubernetes `Secret` that will hold the OTC access \u0026 secret keys, defaults to `cert-manager-webhook-opentelekomcloud-creds`\n- `opentelekomcloud.accessKey`: the access key in plain text, **not required**\n- `opentelekomcloud.secretKey`: the secret key in plain text, **not required**\n\n\u003e [!NOTE]\n\u003e The remaining chart variables are self-explanatory and are the same as those already used by [cert-manager/webhook-example](https://github.com/cert-manager/webhook-example) \n\n### One-step\n\nIf `opentelekomcloud.accessKey` and `opentelekomcloud.secretKey` are **both set**, the chart will **automatically**:\n\n- create the `credentialsSecretRef` secret\n- encode `opentelekomcloud.accessKey` and `opentelekomcloud.secretKey` in base64\n- populate the secret's `data` with the encoded values of `opentelekomcloud.accessKey` and `opentelekomcloud.secretKey`\n\n```bash\nhelm repo add cmw-otc https://akyriako.github.io/cert-manager-webhook-opentelekomcloud/\nhelm repo update\n\nhelm upgrade --install $CHART_RELEASE_NAME cmw-otc/cert-manager-webhook-opentelekomcloud \\\n  --set opentelekomcloud.accessKey=$OS_ACCESS_KEY \\\n  --set opentelekomcloud.secretKey=$OS_SECRET_KEY \\\n  --namespace cert-manager\n```\n\nIf additionally the `debug` parameter is set to `true` (`--set debug=true`), the Helm chart adds an extra argument to the\ncontainer in the deployment to increase logging verbosity:\n\n```yaml\n      containers:\n        - name: {{ .Chart.Name }}\n          image: \"{{ .Values.image.repository }}:{{ .Values.image.tag }}\"\n          imagePullPolicy: {{ .Values.image.pullPolicy }}\n          args:\n            - --tls-cert-file=/tls/tls.crt\n            - --tls-private-key-file=/tls/tls.key\n            {{- if eq .Values.debug true }}\n            - --v=4\n            {{- end }}\n```\n\nor you can alternatively override the 
[values.yaml](deploy%2Fcert-manager-webhook-opentelekomcloud%2Fvalues.yaml) and\nset the parameters there.\n\n### Two-steps\n\nIf for any reason the **one-step** installation does not fit your deployment pipeline, you can split the installation \ninto two steps:\n\nFirst create and deploy a `Secret` manifest whose name matches the `credentialsSecretRef` value:\n\n```yaml\napiVersion: v1\nkind: Secret\nmetadata:\n  name: cert-manager-webhook-opentelekomcloud-creds\n  namespace: cert-manager\ntype: Opaque\ndata:\n  accessKey: \"\u003cACCESS_KEY_in_Base64\u003e\"\n  secretKey: \"\u003cSECRET_KEY_in_Base64\u003e\"\n```\n\nDeploy the secret with `kubectl` and then deploy the webhook:\n\n```bash\nhelm repo add cmw-otc https://akyriako.github.io/cert-manager-webhook-opentelekomcloud/\nhelm repo update\n\nhelm upgrade --install $CHART_RELEASE_NAME cmw-otc/cert-manager-webhook-opentelekomcloud \\\n  --namespace cert-manager\n```\n\n## Usage\n\n### Issuers \u0026 ClusterIssuers\n\n`Issuers` and `ClusterIssuers` are Kubernetes resources that represent certificate authorities (CAs) that are able to \ngenerate signed certificates by honoring certificate signing requests. All cert-manager certificates require a \nreferenced issuer that is in a ready condition to attempt to honor the request. 
The former is namespace-scoped while the\nlatter is cluster-wide.\n\n```yaml\napiVersion: cert-manager.io/v1\nkind: ClusterIssuer\nmetadata:\n  name: opentelekomcloud-letsencrypt-staging\n  namespace: cert-manager\nspec:\n  acme:\n    email: user@example.com\n    server: https://acme-staging-v02.api.letsencrypt.org/directory\n    privateKeySecretRef:\n      name: opentelekomcloud-letsencrypt-staging-tls-key\n    solvers:\n    - dns01:\n        webhook:\n          groupName: acme.opentelekomcloud.com\n          solverName: opentelekomcloud\n          config:\n            region: \"eu-de\"\n            accessKeySecretRef:\n              name: cert-manager-webhook-opentelekomcloud-creds\n              key: accessKey\n            secretKeySecretRef:\n              name: cert-manager-webhook-opentelekomcloud-creds\n              key: secretKey\n```\n\n- `groupName` can be set in the respective chart parameter, otherwise defaults to `acme.opentelekomcloud.com`\n- `solverName` should be `opentelekomcloud`; it is **not configurable**\n- `region`, although configurable and required, can only be set to `eu-de`\n- `accessKeySecretRef` and `secretKeySecretRef` can be set via the chart parameter `credentialsSecretRef`; if not, they default to `cert-manager-webhook-opentelekomcloud-creds`\n\nDeploy the manifest above with `kubectl`.\n\n### Certificate\n\nIn cert-manager, the `Certificate` resource represents a human-readable definition of a certificate request. \ncert-manager uses this input to generate a private key and `CertificateRequest` resource in order to obtain a signed \ncertificate from an `Issuer` or `ClusterIssuer`. The signed certificate and private key are then stored in the \nspecified Secret resource. cert-manager will ensure that the certificate is auto-renewed before it expires and re-issued\nif requested.\n\n\u003e [!CAUTION]\n\u003e In order to issue any certificates, you'll need to configure an `Issuer` or `ClusterIssuer` resource first. 
**Nevertheless**,\n\u003e at the time of this writing, cert-manager webhooks seem to have a known bug working with `Issuers` in this scenario \n\u003e and it is strongly recommended that you create a `ClusterIssuer` instead, until it is officially solved.\n\n```yaml\napiVersion: cert-manager.io/v1\nkind: Certificate\nmetadata:\n  name: certificate-subdomain-example-com\n  namespace: cert-manager\nspec:\n  dnsNames:\n  - '*.subdomain.example.com'\n  issuerRef:\n    kind: ClusterIssuer\n    name: opentelekomcloud-letsencrypt-staging\n  secretName: certificate-subdomain-example-com-tls\n```\n\nDeploy the manifest above with `kubectl`.\n\n## Development\n\nAs mentioned already in the preface, this project harnesses the versatility of [Dev Containers](https://containers.dev) \nto provide you, on any IDE that supports Dev Containers, with an isolated containerized Kubernetes environment \nalong with all necessary tooling (Cert-Manager, Helm, K9s, Dive, etc.) so you can start developing directly without \nwasting time and energy on how to jumpstart yet another project's environment and dependencies.\n\n### Dev Container\n\n\u003e [!NOTE]\n\u003e Although you can use any IDE that supports Dev Containers, the extensions and features added on the base image are \n\u003e tailored for Visual Studio Code.\n\n#### Extensions \u0026 Features\n\nA Dev Container will be created, with all the necessary prerequisites to get you started developing immediately. 
A\ncontainer based on `mcr.microsoft.com/devcontainers/go:1.21-bullseye` will be spawned with the following features pre-installed:\n\n- Golang 1.21\n- Tooltitude for Go (Free License)\n- Git, GitHub Actions, GitHub CLI, Git Graph\n- Docker in Docker\n- Kubectl, Helm, Helmfile, K9s, KinD, Dive\n- [Bridge to Kubernetes](https://learn.microsoft.com/en-us/visualstudio/bridge/overview-bridge-to-kubernetes) Visual Studio Code Extension\n- Resource Monitor\n\nA `postCreateCommand` (**.devcontainer/setup.sh**) will provision:\n\n- A containerized **Kubernetes cluster** with 1 control and 3 worker nodes **and** a private registry, using KinD (cluster manifest is in **.devcontainer/cluster.yaml**)\n- A fully functional installation of Cert-Manager \n\n### Installation\n\nIn order to test the changes on a Kubernetes cluster, you need to build a new image, push the image to the container\nregistry of your choice and recreate the manifests that Helm will deploy to the Kubernetes cluster:\n\nTo build a new image, execute:\n\n```shell\nmake docker-build\n```\n\nTo push the new image to a container registry, execute:\n\n```shell\nmake docker-push\n```\n\nTo render the manifests from the Helm template, execute:\n\n```shell\nmake rendered-manifest.yaml\n```\n\n\u003e [!NOTE]\n\u003e Before executing the above target, you have to make sure that you have set the values of the following environment\n\u003e variables: `OS_ACCESS_KEY` and `OS_SECRET_KEY`.\n\nThe last target will create a YAML file, `rendered-manifest.yaml`, containing all required manifests in the `_out` folder.\nYou can then deploy them to your Kubernetes cluster using `kubectl`:\n\n```shell\nkubectl apply -f _out/rendered-manifest.yaml\n```\n\n### Extend\n\n#### Webhook Configuration\n\nIf you need to extend the webhook configuration via environment variables, you should extend struct `config`\nwhich can be found in [main.go](main.go):\n\n```go\ntype config struct {\n\tGroupName string `env:\"GROUP_NAME\" 
envDefault:\"acme.opentelekomcloud.com\"`\n\tDebug     bool   `env:\"OS_DEBUG\" envDefault:\"false\"`\n}\n```\n\n\u003e [!CAUTION]\n\u003e No sensitive information (either in plain or encoded text) should be added here for any reason.\n\nConsequently, you might need to change the chart template values so they acknowledge and use the new parameters in the manifests.\n\n#### DNS Solver Configuration\n\nIf you need to extend the configuration of the solver, extending its API Specs, you should extend struct `OpenTelekomCloudDnsProviderConfig`\nwhich can be found in [config.go](pkg%2Fdns%2Fconfig.go):\n\n```go\ntype OpenTelekomCloudDnsProviderConfig struct {\n\t// These fields will be set by users in the\n\t// `issuer.spec.acme.dns01.providers.webhook.config` field.\n\tRegion             string                    `json:\"region,required\"`\n\tAccessKeySecretRef *corev1.SecretKeySelector `json:\"accessKeySecretRef,omitempty\"`\n\tSecretKeySecretRef *corev1.SecretKeySelector `json:\"secretKeySecretRef,omitempty\"`\n}\n```\n\n\u003e [!CAUTION]\n\u003e No sensitive information (either in plain or encoded text) should be added here for any reason.\n\nConsequently, you might need to change the chart template values so they acknowledge and use the new parameters in the manifests.\n\n#### Secrets\n\nIf you need to extend the secrets \u0026 credentials of the solver, you should extend struct `OpenTelekomCloudDnsProviderSecrets`\nwhich can be found in [config.go](pkg%2Fdns%2Fconfig.go):\n\n```go\ntype OpenTelekomCloudDnsProviderSecrets struct {\n\tAccessKey string `env:\"OS_ACCESS_KEY,required\"`\n\tSecretKey string `env:\"OS_SECRET_KEY,required\"`\n}\n```\n\nConsequently, you might need to change the chart template values so they acknowledge and use the new parameters in the manifests.\n\n\u003e [!TIP]\n\u003e Access \u0026 Secret keys are enough to create an Open Telekom Cloud Provider Client and a DNS Service Client. 
User, Password,\n\u003e Domain or Tenant identifiers are not needed for the DNS Solver to work. \n\n### Conformance Testing\n\nAll DNS providers must run the DNS01 provider conformance testing suite, else they will have undetermined behaviour \nwhen used with cert-manager.\n\n```bash\n$ OS_DEBUG=true OS_ACCESS_KEY={AccessKey} OS_SECRET_KEY={SecretKey} TEST_ZONE_NAME=example.com. make test\n```\n\u003e [!NOTE]\n\u003e Fill in the values of `OS_ACCESS_KEY` and `OS_SECRET_KEY`. Replace `example.com.` with your own (sub)domain.\n\u003e Make sure not to forget the trailing `.` in the `TEST_ZONE_NAME` value. You can omit any variable already defined\n\u003e in your session's environment variables.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fakyriako%2Fcert-manager-webhook-opentelekomcloud","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fakyriako%2Fcert-manager-webhook-opentelekomcloud","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fakyriako%2Fcert-manager-webhook-opentelekomcloud/lists"}