{"id":24864852,"url":"https://github.com/bizflycloud/bizflycloud-certmanager-dns-webhook","last_synced_at":"2025-03-26T18:43:30.804Z","repository":{"id":64305442,"uuid":"383090622","full_name":"bizflycloud/bizflycloud-certmanager-dns-webhook","owner":"bizflycloud","description":"DNS Webhook for cert-manager to work with Bizfly Cloud DNS","archived":false,"fork":false,"pushed_at":"2023-03-29T01:50:03.000Z","size":135,"stargazers_count":2,"open_issues_count":1,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-01-31T23:56:12.230Z","etag":null,"topics":["acme","bizflycloud","cert-manager","cert-manager-webhook","certificate","letsencrypt"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bizflycloud.png","metadata":{"files":{"readme":"README.en-GB.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-07-05T09:47:52.000Z","updated_at":"2023-11-28T08:37:39.000Z","dependencies_parsed_at":"2024-06-20T05:44:05.911Z","dependency_job_id":"1e6b15d4-38a3-49b8-aac9-94f46b5b8b5e","html_url":"https://github.com/bizflycloud/bizflycloud-certmanager-dns-webhook","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bizflycloud%2Fbizflycloud-certmanager-dns-webhook","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bizflycloud%2Fbizflycloud-certmanager-dns-webhook/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bizflycloud%2Fbizfl
ycloud-certmanager-dns-webhook/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bizflycloud%2Fbizflycloud-certmanager-dns-webhook/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bizflycloud","download_url":"https://codeload.github.com/bizflycloud/bizflycloud-certmanager-dns-webhook/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245717586,"owners_count":20661140,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["acme","bizflycloud","cert-manager","cert-manager-webhook","certificate","letsencrypt"],"created_at":"2025-01-31T23:56:14.030Z","updated_at":"2025-03-26T18:43:30.781Z","avatar_url":"https://github.com/bizflycloud.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# BizflyCloud Cert-manager DNS webhook\n\nCert-manager ACME DNS webhook provider for BizflyCloud DNS.\n\n## Introduction\n\nBizflyCloud Cert-manager DNS webhook is a webhook that runs in Kubernetes to connect cert-manager with the Bizfly Cloud DNS provider.\n\n## Why use the BizflyCloud Cert-manager DNS webhook\n\nLet's Encrypt supports two ACME challenge methods for issuing certificates: HTTP01 and DNS01.\n\nThis webhook automatically creates the DNS01 challenge record in BizflyCloud DNS so that cert-manager can complete the challenge and apply the certificate to your ingress.\n\n## Install\n\n### Install cert-manager\n\nInstall cert-manager using this document: \u003chttps://cert-manager.io/docs/installation/kubernetes/\u003e\n\n**Note**: If you customized the installation of 
cert-manager, you may need to also set the certManager.namespace and certManager.serviceAccountName values.\n\n### Install webhook\n\n#### Option 1\n\nInstall bizflycloud-certmanager-dns-webhook using Helm.\n\n**Note**: Choose a unique group name to identify your company or organization (for example `acme.mycompany.example`).\n\nSet your authentication values in `./deploy/bizflycloud-certmanager-dns-webhook/values.yaml`, then run:\n\n```bash\nhelm install \u003cdeploy name\u003e ./deploy/bizflycloud-certmanager-dns-webhook\n```\n\n#### Option 2\n\nInstall bizflycloud-certmanager-dns-webhook using the manifest.\n\n**Note**: Webhooks themselves are deployed as Kubernetes API services, so that administrators can restrict access to them with Kubernetes RBAC.\n\nThis is important: otherwise anyone with access to your webhook could complete ACME challenge validations and obtain certificates.\n\nInstall using the file `./manifest/bundle.yaml`.\n\nChange the group name in the following manifests so that it matches the `groupName` in your ClusterIssuer:\n\n```yaml\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n  name: bizflycloud-webhook:domain-solver\n  labels:\n    app: bizflycloud-webhook\nrules:\n  - apiGroups:\n      - acme.mycompany.com\n    resources:\n      - '*'\n    verbs:\n      - 'create'\n```\n\n```yaml\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: bizflycloud-webhook\n  namespace: cert-manager\n  labels:\n    app: bizflycloud-webhook\nspec:\n  selector:\n    matchLabels:\n      app: bizflycloud-webhook\n  template:\n    metadata:\n      labels:\n        app: bizflycloud-webhook\n    spec:\n      serviceAccountName: bizflycloud-webhook\n      containers:\n        - name: bizflycloud-webhook\n          image: cr-hn-1.vccloud.vn/31ff9581861a4d0ea4df5e7dda0f665d/bizflycloud-certmanager-dns-webhook:latest\n          imagePullPolicy: Always\n          args:\n            - --tls-cert-file=/tls/tls.crt\n            - 
--tls-private-key-file=/tls/tls.key\n          env:\n            - name: GROUP_NAME\n              value: \"acme.mycompany.com\"\n```\n\n```yaml\napiVersion: apiregistration.k8s.io/v1\nkind: APIService\nmetadata:\n  name: v1alpha1.acme.mycompany.com\n  labels:\n    app: bizflycloud-webhook\n  annotations:\n    cert-manager.io/inject-ca-from: \"cert-manager/bizflycloud-webhook-webhook-tls\"\nspec:\n  group: acme.mycompany.com\n  groupPriorityMinimum: 1000\n  versionPriority: 15\n  service:\n    name: bizflycloud-webhook\n    namespace: cert-manager\n  version: v1alpha1\n```\n\n## Example\n\nAfter installing cert-manager and bizflycloud-certmanager-dns-webhook:\n\n1. Create two services for the demo:\n\n    echo1.yaml\n\n    ```yaml\n    apiVersion: v1\n    kind: Service\n    metadata:\n      name: echo1\n    spec:\n      ports:\n        - port: 80\n          targetPort: 5678\n      selector:\n        app: echo1\n    ---\n    apiVersion: apps/v1\n    kind: Deployment\n    metadata:\n      name: echo1\n    spec:\n      selector:\n        matchLabels:\n          app: echo1\n      replicas: 2\n      template:\n        metadata:\n          labels:\n            app: echo1\n        spec:\n          containers:\n            - name: echo1\n              image: hashicorp/http-echo\n              args:\n                - \"-text=echo1\"\n              ports:\n                - containerPort: 5678\n    ```\n\n    echo2.yaml\n\n    ```yaml\n    apiVersion: v1\n    kind: Service\n    metadata:\n      name: echo2\n    spec:\n      ports:\n        - port: 80\n          targetPort: 5678\n      selector:\n        app: echo2\n    ---\n    apiVersion: apps/v1\n    kind: Deployment\n    metadata:\n      name: echo2\n    spec:\n      selector:\n        matchLabels:\n          app: echo2\n      replicas: 1\n      template:\n        metadata:\n          labels:\n            app: echo2\n        spec:\n          containers:\n            - name: echo2\n              image: hashicorp/http-echo\n              args:\n                - \"-text=echo2\"\n              ports:\n                - 
containerPort: 5678\n    ```\n\n2. Install nginx-ingress-controller\n\n    Follow this guide: \u003chttps://engineering.bizflycloud.vn/cai-dat-nginx-ingress-controller-cho-kubernetes/\u003e\n\n    After that, use the BizflyCloud DNS service to create records for your domain and sub-domains.\n\n    The IPv4 value is the load balancer IP created by nginx-ingress above.\n\n    ![dns](https://raw.githubusercontent.com/lmq1999/123/master/image.png)\n\n3. Create a ClusterIssuer/Issuer\n\n    ```yaml\n    apiVersion: cert-manager.io/v1alpha2\n    kind: ClusterIssuer\n    metadata:\n      name: letsencrypt-prod\n      namespace: cert-manager\n    spec:\n      acme:\n        # Change to your Let's Encrypt email\n        email: example@example.com\n        server: https://acme-v02.api.letsencrypt.org/directory\n        privateKeySecretRef:\n          name: letsencrypt-prod\n        solvers:\n          - dns01:\n              webhook:\n                groupName: acme.mycompany.com\n                solverName: bizflycloud\n    ```\n\n4. Create the nginx ingress\n\n    ```yaml\n    apiVersion: networking.k8s.io/v1beta1\n    kind: Ingress\n    metadata:\n      name: echo-ingress\n      annotations:\n        cert-manager.io/cluster-issuer: \"letsencrypt-prod\"\n    spec:\n      tls:\n        - hosts:\n            - echo1.example.com\n            - echo2.example.com\n          secretName: echo-tls\n      rules:\n        - host: echo1.example.com\n          http:\n            paths:\n              - backend:\n                  serviceName: echo1\n                  servicePort: 80\n        - host: echo2.example.com\n          http:\n            paths:\n              - backend:\n                  serviceName: echo2\n                  servicePort: 80\n    ```\n\n5. Wait a couple of minutes for the Let’s Encrypt production server to issue the certificate.\n\n6. 
Verify\n\n```bash\nquanlm@quanlm-desktop:~$ curl https://echo2.quanlm1999-testz.tk/\necho2\n```\n\nUse `curl -v` to see the TLS handshake:\n\n```bash\nquanlm@quanlm-desktop:~$ curl https://echo2.quanlm1999-testz.tk/ -v\n*   Trying 14.225.0.197:443...\n* TCP_NODELAY set\n* Connected to echo2.quanlm1999-testz.tk (14.225.0.197) port 443 (#0)\n* ALPN, offering h2\n* ALPN, offering http/1.1\n* successfully set certificate verify locations:\n*   CAfile: /etc/ssl/certs/ca-certificates.crt\n  CApath: /etc/ssl/certs\n* TLSv1.3 (OUT), TLS handshake, Client hello (1):\n* TLSv1.3 (IN), TLS handshake, Server hello (2):\n* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):\n* TLSv1.3 (IN), TLS handshake, Certificate (11):\n* TLSv1.3 (IN), TLS handshake, CERT verify (15):\n* TLSv1.3 (IN), TLS handshake, Finished (20):\n* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):\n* TLSv1.3 (OUT), TLS handshake, Finished (20):\n* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384\n* ALPN, server accepted to use h2\n* Server certificate:\n*  subject: CN=echo1.quanlm1999-testz.tk\n*  start date: Jul  8 03:30:37 2021 GMT\n*  expire date: Oct  6 03:30:36 2021 GMT\n*  subjectAltName: host \"echo2.quanlm1999-testz.tk\" matched cert's \"echo2.quanlm1999-testz.tk\"\n*  issuer: C=US; O=Let's Encrypt; CN=R3\n*  SSL certificate verify ok.\n* Using HTTP2, server supports multi-use\n* Connection state changed (HTTP/2 confirmed)\n* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n* Using Stream ID: 1 (easy handle 0x557cad710e10)\n\u003e GET / HTTP/2\n\u003e Host: echo2.quanlm1999-testz.tk\n\u003e user-agent: curl/7.68.0\n\u003e accept: */*\n\u003e \n* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):\n* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):\n* old SSL session ID is stale, removing\n* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!\n\u003c HTTP/2 200 \n\u003c date: Thu, 08 Jul 2021 08:47:54 GMT\n\u003c content-type: text/plain; 
charset=utf-8\n\u003c content-length: 6\n\u003c x-app-name: http-echo\n\u003c x-app-version: 0.2.3\n\u003c strict-transport-security: max-age=15724800; includeSubDomains\n\u003c \necho2\n* Connection #0 to host echo2.quanlm1999-testz.tk left intact\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbizflycloud%2Fbizflycloud-certmanager-dns-webhook","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbizflycloud%2Fbizflycloud-certmanager-dns-webhook","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbizflycloud%2Fbizflycloud-certmanager-dns-webhook/lists"}