cert-manager Webhook for Scaleway DNS

cert-manager Webhook for Scaleway DNS is a ACME webhook for cert-manager allowing users to use Scaleway DNS for DNS01 challenge.

Getting started

Prerequisites

• A Scaleway Access Key and a Scaleway Secret Key
• A valid domain configured on Scaleway DNS
• A Kubernetes cluster (v1.29+ recommended)
• Helm 3 installed on your computer
• cert-manager deployed on the cluster

Installing

Attention: starting from 0.1.0 the chart’s name is now named scaleway-certmanager-webhook, if upgrading from an older version you might want to add --set nameOverride=scaleway-webhook

• Add scaleway’s helm chart repository:

helm repo add scaleway https://helm.scw.cloud/
helm repo update

• Install the chart

helm install scaleway-certmanager-webhook scaleway/scaleway-certmanager-webhook

• Alternatively, you can install the webhook with default credentials with:

helm install scaleway-certmanager-webhook scaleway/scaleway-certmanager-webhook --set secret.accessKey=<YOUR-ACCESS-KEY> --set secret.secretKey=<YOUR-SECRET_KEY>

The Scaleway Webhook is now installed!

Refer to the chart’s documentation for more configuration options.

Alternatively, you may use the provided bundle for a basic install in the cert-manager namespace:
kubectl apply -f https://raw.githubusercontent.com/scaleway/cert-manager-webhook-scaleway/main/deploy/bundle.yaml

How to use it

Note: It uses the cert-manager webhook system. Everything after the issuer is configured is just cert-manager. You can find out more in their documentation.

Now that the webhook is installed, here is how to use it.
Let’s say you need a certificate for example.com (should be registered in Scaleway DNS).

First step is to create a secret containing the Scaleway Access and Secret keys. Create the scaleway-secret.yaml file with the following content:
(Only needed if you don’t have default credentials as seen above).

apiVersion: v1
stringData:
  SCW_ACCESS_KEY: <YOUR-SCALEWAY-ACCESS-KEY>
  SCW_SECRET_KEY: <YOUR-SCALEWAY-SECRET-KEY>
kind: Secret
metadata:
  name: scaleway-secret
type: Opaque

And run:

kubectl create -f scaleway-secret.yaml

Next step is to create a cert-manager Issuer. Create a issuer.yaml file with the following content:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: my-scaleway-issuer
spec:
  acme:
    email: my-user@example.com
    # this is the acme staging URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # for production use this URL instead
    # server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: my-scaleway-private-key-secret
    solvers:
    - dns01:
        webhook:
          groupName: acme.scaleway.com
          solverName: scaleway
          config:
            # Only needed if you don't have default credentials as seen above.
            accessKeySecretRef:
              key: SCW_ACCESS_KEY
              name: scaleway-secret
            secretKeySecretRef:
              key: SCW_SECRET_KEY
              name: scaleway-secret

And run:

kubectl create -f issuer.yaml

Finally, you can now create the Certificate object for example.com. Create a certificate.yaml file with the following content:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
spec:
  dnsNames:
  - example.com
  issuerRef:
    name: my-scaleway-issuer
  secretName: example-com-tls

And run:

kubectl create -f certificate.yaml

After some seconds, you should see the certificate as ready:

$ kubectl get certificate example-com
NAME          READY   SECRET            AGE
example-com   True    example-com-tls   1m12s

Your certificate is now available in the example-com-tls secret!

Integration testing

Before running the test, you need:

• A valid domain on Scaleway DNS (here example.com)
• The variables SCW_ACCESS_KEY and SCW_SECRET_KEY valid and in the environment

In order to run the integration tests, run:

TEST_ZONE_NAME=example.com make test