|
1 | | -<p align="center"> |
2 | | - <img src="https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png" height="256" width="256" alt="cert-manager project logo" /> |
3 | | -</p> |
| 1 | +# cert-manager-webhook-exoscale |
4 | 2 |
|
5 | | -# ACME webhook example |
| 3 | +A cert-manager webhook solver implementation for [Exoscale DNS](https://www.exoscale.com/dns/). |
6 | 4 |
|
7 | | -The ACME issuer type supports an optional 'webhook' solver, which can be used |
8 | | -to implement custom DNS01 challenge solving logic. |
| 5 | +## Installation |
9 | 6 |
|
10 | | -This is useful if you need to use cert-manager with a DNS provider that is not |
11 | | -officially supported in cert-manager core. |
| 7 | +Make sure that cert-manager is installed before installing the webhook. |
| 8 | +For more information, consult the [cert-manager documentation](https://cert-manager.io/docs/installation/). |
12 | 9 |
|
13 | | -## Why not in core? |
| 10 | +Use helm to install the webhook: |
14 | 11 |
|
15 | | -As the project & adoption has grown, there has been an influx of DNS provider |
16 | | -pull requests to our core codebase. As this number has grown, the test matrix |
17 | | -has become un-maintainable and so, it's not possible for us to certify that |
18 | | -providers work to a sufficient level. |
| 12 | +<!-- x-release-please-start-version --> |
19 | 13 |
|
20 | | -By creating this 'interface' between cert-manager and DNS providers, we allow |
21 | | -users to quickly iterate and test out new integrations, and then packaging |
22 | | -those up themselves as 'extensions' to cert-manager. |
23 | | - |
24 | | -We can also then provide a standardised 'testing framework', or set of |
25 | | -conformance tests, which allow us to validate that a DNS provider works as |
26 | | -expected. |
27 | | - |
28 | | -## Creating your own webhook |
29 | | - |
30 | | -Webhook's themselves are deployed as Kubernetes API services, in order to allow |
31 | | -administrators to restrict access to webhooks with Kubernetes RBAC. |
32 | | - |
33 | | -This is important, as otherwise it'd be possible for anyone with access to your |
34 | | -webhook to complete ACME challenge validations and obtain certificates. |
35 | | - |
36 | | -To make the set up of these webhook's easier, we provide a template repository |
37 | | -that can be used to get started quickly. |
38 | | - |
39 | | -### Creating your own repository |
40 | | - |
41 | | -### Running the test suite |
42 | | - |
43 | | -All DNS providers **must** run the DNS01 provider conformance testing suite, |
44 | | -else they will have undetermined behaviour when used with cert-manager. |
45 | | - |
46 | | -**It is essential that you configure and run the test suite when creating a |
47 | | -DNS01 webhook.** |
48 | | - |
49 | | -An example Go test file has been provided in [main_test.go](https://github.com/cert-manager/webhook-example/blob/master/main_test.go). |
50 | | - |
51 | | -You can run the test suite with: |
| 14 | +```shell |
| 15 | +helm install cert-manager-webhook-exoscale --namespace cert-manager \ |
| 16 | + oci://ghcr.io/glasskube/charts/cert-manager-webhook-exoscale \ |
| 17 | + --version 0.1.0 \ |
| 18 | + --set groupName=acme.mycompany.com |
| 19 | +``` |
52 | 20 |
|
53 | | -```bash |
54 | | -$ TEST_ZONE_NAME=example.com. make test |
| 21 | +<!-- x-release-please-end --> |
| 22 | + |
| 23 | +The value used for `groupName` **must** be unique in your cluster. |
| 24 | +For all available configuration values, check out the [`values.yaml`](./deploy/cert-manager-webhook-exoscale/values.yaml). |
| 25 | + |
| 26 | +## Usage |
| 27 | + |
| 28 | +With cert-manager and the webhook installed, you can reference the solver in an `Issuer` or `ClusterIssuer` to use it: |
| 29 | + |
| 30 | +```yaml |
| 31 | +apiVersion: cert-manager.io/v1 |
| 32 | +kind: ClusterIssuer |
| 33 | +metadata: |
| 34 | + name: exoscale-example |
| 35 | +spec: |
| 36 | + acme: |
| 37 | + # Rest of the acme spec |
| 38 | + # ... |
| 39 | + solvers: |
| 40 | + - dns01: |
| 41 | + webhook: |
| 42 | + # Replace this with the groupName used during installation |
| 43 | + groupName: acme.mycompany.com |
| 44 | + solverName: exoscale |
| 45 | + config: |
| 46 | + apiKey: |
| 47 | + fromSecret: |
| 48 | + name: exoscale-api |
| 49 | + key: apiKey |
| 50 | + apiSecret: |
| 51 | + fromSecret: |
| 52 | + name: exoscale-api |
| 53 | + key: apiSecret |
| 54 | + # UUID of the Exoscale Domain (optional) |
| 55 | + # If omitted, the controller will select the correct zone |
| 56 | + # automatically |
| 57 | + domainId: ... |
55 | 58 | ``` |
56 | 59 |
|
57 | | -The example file has a number of areas you must fill in and replace with your |
58 | | -own options in order for tests to pass. |
| 60 | +Check out the full example at [`examples/cluster-issuer`](./examples/cluster-issuer). |
| 61 | + |
| 62 | +It is recommended to use secret references for the API key and secrets. |
| 63 | +For `ClusterIssuer`s, the secret must be in the namespace where the webhook was installed. |
| 64 | +By default, the webhook controller has permission to read all secrets in that namespace, although that can be restricted using helm values. |
| 65 | +For `Issuer`s, the secret must be in the same namespace as the `Issuer`. |
| 66 | +By default, the webhook controller usually **does not** have permission to read that secret, so you have to allow it explicitly. |
0 commit comments