Project author: kaelzhang

Project description:
Cert-manager webhook for DNSPod
Programming language: Go
Repository: git://github.com/kaelzhang/cert-manager-webhook-dnspod.git
Created: 2019-12-05T06:06:01Z
Project community: https://github.com/kaelzhang/cert-manager-webhook-dnspod

License: Apache License 2.0


Cert-Manager ACME webhook for DNSPod

Cert-manager webhook for DNSPod is an ACME webhook for cert-manager that lets you use DNSPod to solve the DNS01 challenge.

This is a permanent fork of qqshfox/cert-manager-webhook-dnspod, which is no longer maintained.

Features

  • Updated to cert-manager 1.1.0
  • Updated to client-go 0.19.4
  • No hardcoding in helm chart

Tested in a production environment on:

  • Kubernetes 1.18.3

Prerequisites

Installation

Prepare for DNSPod

Create secret to store the API Token

    kubectl --namespace cert-manager create secret generic \
      dnspod-credentials --from-literal=api-token='<DNSPOD_API_TOKEN>'

Install cert-manager-webhook-dnspod

Clone this repository:

    git clone https://github.com/kaelzhang/cert-manager-webhook-dnspod.git

You need to create a values.yaml file that overrides the default value of groupName for the helm chart:

    # The `groupName` here should be the same as the value in the cluster issuer below
    groupName: <your group name>

Then install the chart with that file:

    helm install cert-manager-webhook-dnspod ./charts \
      --namespace cert-manager \
      -f values.yaml

Issuer

Create a production issuer (you could create a staging Let's Encrypt issuer instead if necessary).

Create a cluster-issuer.yaml file with the following content:

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-prod
    spec:
      acme:
        # The ACME server URL
        server: https://acme-v02.api.letsencrypt.org/directory
        # Email address used for ACME registration
        email: <your email>
        # Name of a secret used to store the ACME account private key
        privateKeySecretRef:
          name: letsencrypt-prod
        solvers:
        - dns01:
            webhook:
              groupName: <your group name>
              solverName: dnspod
              config:
                apiID: <your dnspod api id>
                apiTokenSecretRef:
                  key: api-token
                  name: dnspod-credentials

And run:

    kubectl create -f cluster-issuer.yaml
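The `config:` block above and the `dnspod-credentials` Secret created earlier are the two pieces the webhook joins at challenge time: the issuer carries only the API ID and a reference to the Secret, so the token never sits in the manifest. The following Go program is an added example, not code from this project, showing how such a config block can be decoded and validated before any DNSPod call is made. The struct field names follow the manifest keys; the project's own config type may differ. The `ID,Token` pair is the `login_token` format DNSPod's API takes, and the config JSON and Secret data are constructed samples with placeholder values.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// SecretKeyRef mirrors the apiTokenSecretRef block of the ClusterIssuer above:
// the issuer names a Secret and a key, so the DNSPod token never appears in
// the manifest itself.
type SecretKeyRef struct {
	Name string `json:"name"`
	Key  string `json:"key"`
}

// Config is the shape of the webhook's `config:` block. cert-manager hands
// webhook solvers their config as JSON; the field names here follow the
// manifest keys, and the project's own struct may differ (assumption).
type Config struct {
	APIID             string       `json:"apiID"`
	APITokenSecretRef SecretKeyRef `json:"apiTokenSecretRef"`
}

// ParseConfig decodes the config block and rejects incomplete settings, so a
// misconfigured issuer fails with a clear message instead of an opaque DNSPod
// authentication error at challenge time.
func ParseConfig(raw []byte) (Config, error) {
	var cfg Config
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // a misspelled key (e.g. apiTokenRef) is an error, not silently ignored
	if err := dec.Decode(&cfg); err != nil {
		return Config{}, fmt.Errorf("decode webhook config: %w", err)
	}
	var problems []string
	if cfg.APIID == "" {
		problems = append(problems, "apiID is required")
	}
	if cfg.APITokenSecretRef.Name == "" {
		problems = append(problems, "apiTokenSecretRef.name is required")
	}
	if cfg.APITokenSecretRef.Key == "" {
		problems = append(problems, "apiTokenSecretRef.key is required")
	}
	if len(problems) > 0 {
		return Config{}, errors.New(strings.Join(problems, "; "))
	}
	return cfg, nil
}

// LoginToken looks up the referenced key in the Secret's data and returns the
// "ID,Token" pair that DNSPod's API takes as its login_token parameter.
// secretData stands in for the decoded .data map of the Kubernetes Secret
// created with `kubectl create secret generic` above.
func LoginToken(cfg Config, secretData map[string][]byte) (string, error) {
	tok, ok := secretData[cfg.APITokenSecretRef.Key]
	if !ok || len(tok) == 0 {
		return "", fmt.Errorf("secret %q has no non-empty key %q",
			cfg.APITokenSecretRef.Name, cfg.APITokenSecretRef.Key)
	}
	// Tolerate a trailing newline (a token pasted from an echo-created file),
	// but refuse anything that would corrupt the comma-separated pair.
	token := strings.TrimSpace(string(tok))
	if strings.ContainsAny(token, ",\r\n") {
		return "", errors.New("api token must not contain ',' or line breaks")
	}
	return cfg.APIID + "," + token, nil
}

func main() {
	// Constructed sample: the config block of the ClusterIssuer above, as JSON,
	// with placeholder values.
	raw := []byte(`{"apiID":"12345","apiTokenSecretRef":{"key":"api-token","name":"dnspod-credentials"}}`)
	cfg, err := ParseConfig(raw)
	if err != nil {
		fmt.Println("config rejected:", err)
		return
	}
	// Constructed Secret data, as the webhook would read it from the cluster.
	secret := map[string][]byte{"api-token": []byte("CONSTRUCTED-TOKEN\n")}
	lt, err := LoginToken(cfg, secret)
	if err != nil {
		fmt.Println("token lookup failed:", err)
		return
	}
	fmt.Println("login_token:", lt)
}
```

Rejecting unknown keys matters more than it looks: a `config:` block with a misspelled `apiTokenSecretRef` would otherwise decode to an empty reference and only surface as a failed DNS01 challenge much later.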

Certificate

A common use-case for cert-manager is requesting TLS signed certificates to secure your ingress resources.

This can be done simply by adding annotations to your Ingress resources; cert-manager then creates the Certificate resource for you. A small sub-component of cert-manager, ingress-shim, is responsible for this.

For details, see here

Create an ingress.yaml file with the following content:

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: demo-ingress
      namespace: default
      annotations:
        # Should be the same as metadata.name of the cluster issuer
        cert-manager.io/cluster-issuer: "letsencrypt-prod"
    spec:
      tls:
      - hosts:
        - 'example.com'
        # Pick any name as you wish
        secretName: example-com-tls
      rules:
      - host: example.com
        http:
          paths:
          - path: /
            backend:
              serviceName: backend-service
              servicePort: 80

And run:

    kubectl create -f ingress.yaml

Define the Certificate resource explicitly (Alternative)

If you don't use Ingress, you can define the Certificate resource yourself.

Create a certificate.yaml:

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      # You could replace this name with your own
      # Pick any name as you wish
      name: example-com # for example.com
    spec:
      # Pick any name as you wish
      secretName: example-com-tls
      renewBefore: 240h
      dnsNames:
      - 'example.com'
      issuerRef:
        # The cluster issuer defined above
        name: letsencrypt-prod
        kind: ClusterIssuer

And run:

    kubectl create -f certificate.yaml

Check the result:

If the certificate is ready, you should see the following:

    $ kubectl get certificate
    NAME          READY   SECRET            AGE
    example-com   True    example-com-tls   2m1s

For contributors

Development

Before you can run the test suite, you need to download the test binaries (the archive is gzipped, so extract it from standard input with `tar xzf -`):

    wget -O- https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-1.14.1-darwin-amd64.tar.gz | tar xzf -

Then rename testdata/my-custom-solver.example to testdata/my-custom-solver and fill in the DNSPod values for appId (<your-dnspod-api-id>) and apiToken (<your-dnspod-api-token-base64>).

Now you can run the tests in debug mode with dlv:

    # You should change GROUP_NAME and TEST_ZONE_NAME to your own ones
    GROUP_NAME=yourdomain.com \
    TEST_ZONE_NAME=yourdomain.com. \
    dlv test . -- -test.v

Or just run the tests:

    GROUP_NAME=yourdomain.com \
    TEST_ZONE_NAME=yourdomain.com. \
    go test -v