Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/kaelzhang/cert-manager-webhook-dnspod
Cert-manager webhook for DNSPod
acme cert-manager cert-manager-webhook dnspod dnspod-provider-solver letsencrypt webhook
Last synced: 2 months ago
- Host: GitHub
- URL: https://github.com/kaelzhang/cert-manager-webhook-dnspod
- Owner: kaelzhang
- License: apache-2.0
- Created: 2019-12-05T06:06:01.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2022-05-15T13:34:18.000Z (over 2 years ago)
- Last Synced: 2024-04-15T12:32:56.511Z (9 months ago)
- Topics: acme, cert-manager, cert-manager-webhook, dnspod, dnspod-provider-solver, letsencrypt, webhook
- Language: Go
- Homepage:
- Size: 91.8 KB
- Stars: 12
- Watchers: 3
- Forks: 4
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Cert-Manager ACME webhook for DNSPod
Cert-manager webhook for DNSPod is an ACME webhook for [cert-manager](https://cert-manager.io) that lets users use [DNSPod](https://www.dnspod.cn) for the DNS01 challenge.

This is a **permanent** fork of [qqshfox/cert-manager-webhook-dnspod](https://github.com/qqshfox/cert-manager-webhook-dnspod), which lacks maintenance.

## Features

- Updated to cert-manager 1.1.0
- Updated to client-go 0.19.4
- No hardcoding in helm chart

Tested on production environment of
- Kubernetes 1.18.3

## Prerequisites
- A DNSPod [APP ID and API Token](https://support.dnspod.cn/Kb/showarticle/tsid/227/)
- A valid domain configured on DNSPod
- A Kubernetes cluster (v1.18+ recommended)
- [cert-manager](https://github.com/jetstack/cert-manager) >= 1.1.0 [installed](https://cert-manager.io/docs/installation/kubernetes/) within your Kubernetes cluster
- [Helm 3 installed](https://helm.sh/docs/intro/install/) on your local computer

## Installation
### Prepare for DNSPod
Create a secret to store the API token:
```sh
kubectl --namespace cert-manager create secret generic \
  dnspod-credentials --from-literal=api-token=''
```

### Install `cert-manager-webhook-dnspod`
Clone this repository:
```
git clone https://github.com/kaelzhang/cert-manager-webhook-dnspod.git
```

You need to create a `values.yaml` file to override the default value of `groupName` for the Helm chart.
```yaml
# The `groupName` here should be the same as the value in the cluster issuer below
groupName:
```

```
helm install cert-manager-webhook-dnspod ./charts \
  --namespace cert-manager \
  -f values.yaml
```

### Issuer
Create a production issuer (you could create a staging Let's Encrypt issuer instead if necessary).

Create a `cluster-issuer.yaml` file with the following content:
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory

    # Email address used for ACME registration
    email:

    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod

    solvers:
    - dns01:
        webhook:
          groupName:
          solverName: dnspod
          config:
            apiID:
            apiTokenSecretRef:
              key: api-token
              name: dnspod-credentials
```

And run:
```
kubectl create -f cluster-issuer.yaml
```

### Certificate
#### Use Ingress to create the Certificate resource (Recommended)
A common use-case for cert-manager is requesting TLS signed certificates to secure your ingress resources.
This can be done by adding annotations to your Ingress resources; cert-manager then creates the Certificate resource for you. A small sub-component of cert-manager, ingress-shim, is responsible for this.
For details, see [the cert-manager Ingress documentation](https://cert-manager.io/docs/usage/ingress/).

Create an `ingress.yaml` file with the following content:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo-ingress
  namespace: default
  annotations:
    # Should be the same as metadata.name of the cluster issuer
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
  - hosts:
    - 'example.com'
    # Pick any name as you wish
    secretName: example-com-tls
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: backend-service
          servicePort: 80
```

And run:
```
kubectl create -f ingress.yaml
```

#### Define the Certificate resource explicitly (Alternative)
If you don't use Ingress, you can define the Certificate resource yourself.

Create a `certificate.yaml`:
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  # Replace this name with your own; pick any name you wish
  name: example-com # for example.com
spec:
  # Pick any name as you wish
  secretName: example-com-tls
  renewBefore: 240h
  dnsNames:
  - 'example.com'
  issuerRef:
    # The cluster issuer defined above
    name: letsencrypt-prod
    kind: ClusterIssuer
```

And run:
```
kubectl create -f certificate.yaml
```

### Check the result:
If the certificate is ready, you will see the following result:
```
$ kubectl get certificate
NAME          READY   SECRET            AGE
example-com   True    example-com-tls   2m1s
```

****
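The comments in the installation manifests above name three cross-references that must agree: the chart `groupName` and the issuer `groupName`, the issuer name used by the Ingress or Certificate, and the secret name and key. The script below checks them over the local files before anything is applied; it is an added example, not part of this project, and `yaml_get`, `check_dnspod_setup` and `preflight.sh` are hypothetical names. It assumes the simple block-style YAML shown in this guide.

```sh
#!/bin/sh
# Added example: offline cross-reference check for the files created in this guide.
# yaml_get is a small line-based lookup for these simple manifests, not a YAML parser.

# yaml_get FILE KEY [PARENT]: print the first value of KEY found after PARENT (if given).
yaml_get() {
  awk -v key="$2" -v parent="${3:-}" '
    BEGIN { armed = (parent == "") }
    {
      line = $0
      sub(/^[ \t-]*/, "", line)                     # drop indentation and list dashes
      if (!armed) { if (index(line, parent ":") == 1) armed = 1; next }
      if (index(line, key ":") == 1) {
        val = substr(line, length(key) + 2)
        sub(/[ \t]+#.*$/, "", val)                  # drop a trailing comment
        gsub(/^[ \t"\047]+|[ \t"\047]+$/, "", val)  # trim blanks and quotes
        print val
        exit
      }
    }' "$1"
}

# check_dnspod_setup VALUES ISSUER CONSUMER: CONSUMER is ingress.yaml or certificate.yaml.
check_dnspod_setup() {
  rc=0
  chart_group=$(yaml_get "$1" groupName)
  issuer_group=$(yaml_get "$2" groupName webhook)
  issuer_name=$(yaml_get "$2" name metadata)
  secret_ref="$(yaml_get "$2" name apiTokenSecretRef)/$(yaml_get "$2" key apiTokenSecretRef)"
  used_issuer=$(yaml_get "$3" cert-manager.io/cluster-issuer annotations)
  [ -n "$used_issuer" ] || used_issuer=$(yaml_get "$3" name issuerRef)

  [ -n "$chart_group" ] || { echo "values.yaml: groupName is empty" >&2; rc=1; }
  [ "$chart_group" = "$issuer_group" ] ||
    { echo "groupName: chart '$chart_group' != issuer '$issuer_group'" >&2; rc=1; }
  [ "$used_issuer" = "$issuer_name" ] ||
    { echo "issuer reference '$used_issuer' != ClusterIssuer '$issuer_name'" >&2; rc=1; }
  [ "$secret_ref" = "dnspod-credentials/api-token" ] ||
    { echo "apiTokenSecretRef '$secret_ref' is not the secret created earlier" >&2; rc=1; }
  return "$rc"
}

# Usage: sh preflight.sh values.yaml cluster-issuer.yaml ingress.yaml
if [ "$#" -eq 3 ]; then check_dnspod_setup "$@"; fi
```

A non-zero exit status means at least one reference does not line up; the mismatching pair is printed on stderr.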
> For contributors
## Development
Before you can run the test suite, you need to download the test binaries:
```sh
# Download and unpack the kubebuilder test binaries (gzip-compressed tarball read from stdin)
wget -O- https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-1.14.1-darwin-amd64.tar.gz | tar xzf -
```

Then rename `testdata/my-custom-solver.example` to `testdata/my-custom-solver` and fill in the values of DNSPod appId (``) and apiToken (``).

Now you can run the tests in debug mode with dlv:
```sh
# You should change GROUP_NAME and TEST_ZONE_NAME to your own ones
GROUP_NAME=yourdomain.com \
TEST_ZONE_NAME=yourdomain.com. \
dlv test . -- -test.v
```

Or just run the tests:
```sh
GROUP_NAME=yourdomain.com \
TEST_ZONE_NAME=yourdomain.com. \
go test -v
```