cert-manager Webhook for Exoscale is cert-manager-webhook allowing users to use Exoscale DNS for DNS01 challenge. Based on Example Webhook.
Once everything is set up, install Exoscale Webhook:
git clone https://github.com/exoscale/cert-manager-webhook-exoscale.git
cd cert-manager-webhook-exoscale
helm install exoscale-webhook ./deploy/exoscale-webhookThe manifest is generated from Helm (make rendered-manifest.yaml)
Kubectl
kubectl apply -f https://raw.githubusercontent.com/exoscale/cert-manager-webhook-exoscale/master/deploy/exoscale-webhook-kustomize/deploy.yamlKustomization file
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- github.com/exoscale.cert-manager-webhook-exoscale/deploy/exoscale-webhook-kustomizeNote: official cert-manager documentation is available here.
In the following examples we will create a new certificate for domain example.com.
Both cert-manager and cert-manager-webhook-exoscale should be already running in the cluster as described in the previous chapter.
First step is to create a secret containing the Exoscale API credentials. Create the secret.yaml file with the following content:
Note: static credentials can be configured as environment variables but it is not recommended for production use.
apiVersion: v1
stringData:
EXOSCALE_API_KEY: <YOUR-EXOSCALE-API-KEY>
EXOSCALE_API_SECRET: <YOUR-EXOSCAL-API-SECRET>
kind: Secret
metadata:
name: exoscale-secret
type: OpaqueThe IAM role policy of your key should allow at least the following operations for your domain: list-dns-domains, list-dns-domain-records, get-dns-domain-record, create-dns-domain-record and delete-dns-domain-record
Here is an example of the minimal policy required for the IAM role:
{
"default-service-strategy": "deny",
"services": {
"dns": {
"type": "rules",
"rules": [
{
"expression": "resources.dns_domain.unicode_name != \"example.com\"",
"action": "deny"
},
{
"expression": "parameters.has('type') && parameters.type != 'TXT'",
"action": "deny"
},
{
"expression": "resources.has('dns_domain_record') && resources.dns_domain_record.has('type') && resources.dns_domain_record.type != 'TXT'",
"action": "deny"
},
{
"expression": "operation in ['list-dns-domains', 'list-dns-domain-records', 'get-dns-domain-record', 'create-dns-domain-record', 'delete-dns-domain-record']",
"action": "allow"
}
]
}
}
}And run:
kubectl create -f secret.yamlTo create a cert-manager Issuer, create a issuer.yaml file with the following content:
Note: following example uses staging letsencrypt server and dummy email address, make sure to update those for production use.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: exoscale-issuer
spec:
acme:
email: my-user@example.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: exoscale-private-key-secret
solvers:
- dns01:
webhook:
groupName: acme.exoscale.com
solverName: exoscale
config:
apiKeyRef:
key: EXOSCALE_API_KEY
name: exoscale-secret
apiSecretRef:
key: EXOSCALE_API_SECRET
name: exoscale-secretThen run:
kubectl create -f issuer.yamlNow create the certificate.yaml file with the following content:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: example-com
spec:
dnsNames:
- example.com
issuerRef:
name: exoscale-issuer
secretName: example-com-tlsAnd run:
kubectl create -f certificate.yamlAfter a bit certificate should be in the ready state:
$ kubectl get certificate example-com
NAME READY SECRET AGE
example-com True example-com-tls 0m52sTo see more detailed logs, set one or both environment variables to any value:
EXOSCALE_DEBUG: shows debug logs;EXOSCALE_API_TRACE: prints API requests/responses.Easiest way to set them is through helm (exposed as env.debug and env.trace):
helm install exoscale-webhook ./deploy/exoscale-webhook --set env.debug=1 --set env.trace=1Before running the test, you need:
example.com)EXOSCALE_API_KEY and EXOSCALE_API_SECRET in the environmentIn order to run the integration tests, run:
TEST_ZONE_NAME=example.com. make integration-test