https://github.com/baarde/cert-manager-webhook-ovh

# OVH Webhook for Cert Manager

This is a cert-manager DNS01 webhook solver for [OVH](http://www.ovh.com): it completes ACME DNS01 challenges by creating and removing records in OVH-hosted DNS zones through the OVH API.

## Prerequisites

* [cert-manager](https://github.com/jetstack/cert-manager) version 1.5.3 or higher:
  - [Installing on Kubernetes](https://cert-manager.io/docs/installation/kubernetes/#installing-with-helm)

## Installation

Choose a unique group name to identify your company or organization (for example `acme.mycompany.example`).

```bash
helm install cert-manager-webhook-ovh ./deploy/cert-manager-webhook-ovh \
  --set groupName=''
```

If you customized the installation of cert-manager, you may need to also set the `certManager.namespace` and `certManager.serviceAccountName` values.

## Issuer

1. [Create a new OVH API key](https://docs.ovh.com/gb/en/customer/first-steps-with-ovh-api/) with the following rights:
   * `GET /domain/zone/*`
   * `PUT /domain/zone/*`
   * `POST /domain/zone/*`
   * `DELETE /domain/zone/*`

2. Create a secret to store your application secret:

```bash
kubectl create secret generic ovh-credentials \
  --from-literal=applicationSecret=''
```

3. Grant the `cert-manager-webhook-ovh` service account permission to read that secret (and only that secret):

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-webhook-ovh:secret-reader
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["ovh-credentials"]
    verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-webhook-ovh:secret-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-webhook-ovh:secret-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-webhook-ovh
```

4. Create a certificate issuer:

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ''
    privateKeySecretRef:
      name: letsencrypt-account-key
    solvers:
      - dns01:
          webhook:
            groupName: ''
            solverName: ovh
            config:
              endpoint: ovh-eu
              applicationKey: ''
              applicationSecretRef:
                key: applicationSecret
                name: ovh-credentials
              consumerKey: ''
```
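The Role in step 3 and the Issuer in step 4 have to agree: the Issuer's `applicationSecretRef` names the Secret that holds the OVH application secret, and the Role should let the webhook read exactly that Secret and nothing else. The following is an added example, not part of this project, that re-implements the Kubernetes RBAC rule-matching semantics (`""` is the core API group, `"*"` is a wildcard, and an absent `resourceNames` means every object of that resource type) and cross-checks a Role against an Issuer. The `ROLE` and `ISSUER` dicts are transcribed from the manifests above; `ROLE_TOO_BROAD` is a constructed counter-example with the `resourceNames` restriction dropped.

```python
"""Least-privilege cross-check between the webhook's Role and the Issuer.

Added example (not project code). Runs offline: the manifests are embedded as
plain Python dicts instead of being read from a cluster or parsed from YAML.
"""
from typing import Dict, Iterable, List, Set

# Transcribed from the README's step 3 Role.
ROLE: Dict = {
    "kind": "Role",
    "metadata": {"name": "cert-manager-webhook-ovh:secret-reader"},
    "rules": [
        {
            "apiGroups": [""],
            "resources": ["secrets"],
            "resourceNames": ["ovh-credentials"],
            "verbs": ["get", "watch"],
        }
    ],
}

# Constructed counter-example: same verbs, but no resourceNames, so it covers
# every Secret in the namespace (TLS keys, the ACME account key, ...).
ROLE_TOO_BROAD: Dict = {
    "kind": "Role",
    "metadata": {"name": "secret-reader-unscoped"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]}],
}

# Transcribed from the README's step 4 Issuer (only the parts the check needs).
ISSUER: Dict = {
    "kind": "Issuer",
    "spec": {"acme": {"solvers": [{"dns01": {"webhook": {
        "solverName": "ovh",
        "config": {"applicationSecretRef": {"key": "applicationSecret", "name": "ovh-credentials"}},
    }}}]}},
}


def _matches(allowed: Iterable[str], value: str) -> bool:
    """RBAC list semantics: an entry equal to the value or to '*' matches."""
    return any(a == "*" or a == value for a in allowed)


def role_allows(role: Dict, verb: str, api_group: str, resource: str, name: str) -> bool:
    """True if any rule in the Role grants `verb` on the named object.

    A missing or empty resourceNames list applies the rule to every object of
    that resource type, which is exactly what a least-privilege review has to
    spot.
    """
    for rule in role.get("rules", []):
        if not _matches(rule.get("apiGroups", []), api_group):
            continue
        if not _matches(rule.get("resources", []), resource):
            continue
        names = rule.get("resourceNames") or []
        if names and not _matches(names, name):
            continue
        if _matches(rule.get("verbs", []), verb):
            return True
    return False


def referenced_secrets(issuer: Dict) -> Set[str]:
    """Every Secret name the Issuer's DNS01 webhook solvers point at."""
    found: Set[str] = set()
    for solver in issuer["spec"]["acme"].get("solvers", []):
        cfg = solver.get("dns01", {}).get("webhook", {}).get("config", {})
        ref = cfg.get("applicationSecretRef")
        if ref:
            found.add(ref["name"])
    return found


def check_least_privilege(role: Dict, issuer: Dict) -> List[str]:
    """Return findings; an empty list means the Role fits the Issuer's needs."""
    findings: List[str] = []
    for secret in referenced_secrets(issuer):
        if not role_allows(role, "get", "", "secrets", secret):
            findings.append(f"Role does not grant get on secret {secret!r}")
        for verb in ("create", "update", "patch", "delete", "*"):
            if role_allows(role, verb, "", "secrets", secret):
                findings.append(f"Role grants {verb} on secret {secret!r}; the webhook only reads it")
    # A constructed name that no manifest uses: if the Role still allows reading
    # it, the grant is not scoped by resourceNames.
    if role_allows(role, "get", "", "secrets", "unrelated-secret-not-in-any-manifest"):
        findings.append("Role grants get on Secrets it does not name (missing resourceNames)")
    return findings


if __name__ == "__main__":
    print("README Role:", check_least_privilege(ROLE, ISSUER) or "OK")
    print("Unscoped Role:", check_least_privilege(ROLE_TOO_BROAD, ISSUER))
```

The same matching logic applies to a ClusterRole if you ever widen the binding; the check does not model namespaces, so run it per namespace against the Role actually bound to the `cert-manager-webhook-ovh` service account.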

## Certificate

Issue a certificate:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
spec:
  dnsNames:
    - "example.com"
    - "*.example.com"
  issuerRef:
    name: letsencrypt
  secretName: example-com-tls
```

## Development

All DNS providers **must** run the DNS01 provider conformance testing suite,
else they will have undetermined behaviour when used with cert-manager.

**It is essential that you configure and run the test suite when creating a
DNS01 webhook.**

An example Go test file has been provided in [main_test.go](main_test.go).

Before you can run the test suite, you need to duplicate the `.sample` files in `testdata/ovh/` and update the configuration with the appropriate OVH credentials.

You can run the test suite with:

```bash
$ TEST_ZONE_NAME=example.com. make test
```