ixoncloud / cert-manager-webhook-cloudns

A Cert-Manager DNS01 provider for the ClouDNS DNS provider.
Apache License 2.0

how do i install this? #2

Open yctn opened 4 years ago

yctn commented 4 years ago

i would like to use cloudns with cert-manager. but how would i install this?

raqbit commented 4 years ago

Before installing cert-manager-cloudns, make sure you have cert-manager installed & running, including the cert-manager Custom Resource Definitions (CRD). You can find how to do this with Helm here: https://cert-manager.io/docs/installation/helm/

You should be able to install cert-manager-webhook-cloudns like this:

  1. Create a secret containing the cloudns API credentials by placing the credentials in files and creating the secret:

     kubectl create secret generic cert-manager-webhook-cloudns-api-secret \
         --from-file .creds/auth_id \
         --from-file .creds/auth_password

  2. Create the manifest:

     Note, this requires helm to be installed.

     make rendered-manifest.yaml

  3. Apply the manifest:

     kubectl apply -f .out/rendered-manifest.yaml

  4. Last but not least, you'll need to set up a cert-manager (Cluster)Issuer to use this solver.

     You can do this using the following config under acme of the (Cluster)Issuer:

     solvers:
       - dns01:
           webhook:
             groupName: acme.ixon.cloud
             solverName: cloudns

That should do the trick. I should probably put this in the README :).

yctn commented 4 years ago

Yes that would be nice :) i will try it thanks

yctn commented 4 years ago

serviceaccount/cert-manager-webhook-cloudns created
rolebinding.rbac.authorization.k8s.io/cert-manager-webhook-cloudns:webhook-authentication-reader created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook-cloudns:auth-delegator created
clusterrole.rbac.authorization.k8s.io/cert-manager-webhook-cloudns:domain-solver created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook-cloudns:domain-solver created
clusterrole.rbac.authorization.k8s.io/cert-manager-webhook-cloudns:cloudns-api-secret-access created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook-cloudns:api-secret-access created
service/cert-manager-webhook-cloudns created
deployment.apps/cert-manager-webhook-cloudns created
apiservice.apiregistration.k8s.io/v1alpha1.acme.ixon.cloud created
unable to recognize ".out/rendered-manifest.yaml": no matches for kind "Issuer" in version "certmanager.k8s.io/v1alpha1"
unable to recognize ".out/rendered-manifest.yaml": no matches for kind "Certificate" in version "certmanager.k8s.io/v1alpha1"
unable to recognize ".out/rendered-manifest.yaml": no matches for kind "Issuer" in version "certmanager.k8s.io/v1alpha1"
unable to recognize ".out/rendered-manifest.yaml": no matches for kind "Certificate" in version "certmanager.k8s.io/v1alpha1"

what could this be?

raqbit commented 4 years ago

Apparently the cert-manager Custom Resource Definitions (CRDs) are not installed by default if you are using their helm chart.

You'll need to install these manually before applying the cert-manager-webhook-cloudns chart.

Please see this issue: https://github.com/helm/charts/issues/10949
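The "no matches for kind Issuer" errors above appear because the rendered manifest is applied before cert-manager's CRDs exist. As an added preflight check (not part of this repository or of anyone's comment in this thread), the script below reads the output of `kubectl get crd -o name` and reports which cert-manager CRDs are missing before you run `kubectl apply`; the CRD names and the two sample cluster listings are constructed for the example.

```shell
#!/usr/bin/env sh
# Preflight check to run before `kubectl apply -f .out/rendered-manifest.yaml`.
# Added example, not repository code. Assumes kubectl is on PATH only when
# invoked with --live; check_crds itself only parses text on stdin.
set -u

# CRDs the rendered manifest's Issuer/Certificate objects depend on (assumed list).
REQUIRED_CRDS="issuers.cert-manager.io clusterissuers.cert-manager.io certificates.cert-manager.io"

# Reads `kubectl get crd -o name` lines on stdin, prints every required CRD
# that is absent and returns 1 if any are missing, 0 when all are present.
check_crds() {
  local missing=0 crd present
  present=$(sed 's#^customresourcedefinition\.apiextensions\.k8s\.io/##')
  for crd in $REQUIRED_CRDS; do
    if ! printf '%s\n' "$present" | grep -qx "$crd"; then
      printf 'missing CRD: %s\n' "$crd"
      missing=1
    fi
  done
  return $missing
}

# Constructed sample: cert-manager chart installed without its CRDs.
SAMPLE_NO_CRDS='customresourcedefinition.apiextensions.k8s.io/addons.k3s.cattle.io
customresourcedefinition.apiextensions.k8s.io/helmcharts.helm.cattle.io'

# Constructed sample: cert-manager installed with installCRDs=true.
SAMPLE_WITH_CRDS='customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io'

# Real run: `sh preflight.sh --live` exits non-zero if any CRD is missing.
if [ "${1:-}" = "--live" ]; then
  kubectl get crd -o name | check_crds
fi
```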

techsaau commented 4 years ago

@Raqbit Is it this still valid? Can you please confirm?

raqbit commented 4 years ago

> @Raqbit Is it this still valid? Can you please confirm?

Previous answer: Looking at the example on which this application is based, it seems not much has changed protocol-wise. Please tell me if this isn't the case, I am currently sadly not able to test this.

These instructions should work.

carpino commented 2 years ago

Hi, I'm trying to install it following the instructions in this issue. I only changed step 1, in which I put the credentials in the example file under deploy/secrets and kubectl apply -f it. This is my cluster issuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: myemail
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-account-key
    solvers:
    - dns01:
        webhook:
          groupName: "acme.ixon.cloud"
          solverName: "cloudns"

and this is the annotation in the ingress: cert-manager.io/cluster-issuer: "letsencrypt-staging". But after that no certificate is created. Have I done something wrong, or is the webhook not working correctly anymore?

mschirrmeister commented 2 years ago

After applying the manifest the pod is not really coming up. I have the following in the pod logs.

I0318 21:47:44.077779       1 secure_serving.go:116] Serving securely on [::]:443
E0318 21:47:44.099107       1 webhook.go:196] Failed to make webhook authorizer request: the server could not find the requested resource
E0318 21:47:44.100266       1 errors.go:77] the server could not find the requested resource

What resource is it looking for? Any idea on how to fix this?

When I check for the apiservices I see an error.

kubectl get apiservice | grep ixon
v1alpha1.acme.ixon.cloud               default/cert-manager-webhook-cloudns   False (MissingEndpoints)   5m29s

I did install cert-manager the following way.

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.7.1 \
  --set installCRDs=true

mschirrmeister commented 2 years ago

I did some more debugging and found a solution. The MissingEndpoints from above is obviously only showing up because the pod is not up.

The first real error seems to be related to versions of some components. My Kubernetes version is v1.23.4+k3s1, installed via `k3sup install --local --k3s-extra-args "--no-deploy servicelb" --k3s-version v1.23.4+k3s1`.

After merging the branch update-deps, running a go mod tidy to update the files go.mod and go.sum, and building an image, the pod finally came up. With that it continuously showed FlowSchema errors. I fixed that by adding the below (ClusterRole[Binding]) in the rbac.yaml.

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager-webhook-cloudns.fullname" . }}:flowcontrol-solver
  labels:
    app: {{ include "cert-manager-webhook-cloudns.name" . }}
    chart: {{ include "cert-manager-webhook-cloudns.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
rules:
  - apiGroups:
      - "flowcontrol.apiserver.k8s.io"
    resources:
      - 'prioritylevelconfigurations'
      - 'flowschemas'
    verbs:
      - 'list'
      - 'watch'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager-webhook-cloudns.fullname" . }}:flowcontrol-solver
  labels:
    app: {{ include "cert-manager-webhook-cloudns.name" . }}
    chart: {{ include "cert-manager-webhook-cloudns.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager-webhook-cloudns.fullname" . }}:flowcontrol-solver
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "cert-manager-webhook-cloudns.fullname" . }}
    namespace: {{ .Release.Namespace | quote }}
---

With the above, there are now only some warnings remaining.

W0321 09:27:52.614714       1 warnings.go:70] flowcontrol.apiserver.k8s.io/v1beta1 PriorityLevelConfiguration is deprecated in v1.23+, unavailable in v1.26+; use flowcontrol.apiserver.k8s.io/v1beta2 PriorityLevelConfiguration
W0321 09:27:58.590881       1 warnings.go:70] flowcontrol.apiserver.k8s.io/v1beta1 FlowSchema is deprecated in v1.23+, unavailable in v1.26+; use flowcontrol.apiserver.k8s.io/v1beta2 FlowSchema

mschirrmeister commented 2 years ago

The warnings go away when cert-manager is upgraded to 1.7.1+.