To install with helm, run:
$ helm repo add cert-manager-webhook-pdns https://zachomedia.github.io/cert-manager-webhook-pdns
$ helm install cert-manager-webhook-pdns cert-manager-webhook-pdns/cert-manager-webhook-pdns
Without helm, run:
$ make rendered-manifest.yaml
$ kubectl apply -f _out/rendered-manifest.yaml
An example issuer:
apiVersion: v1
kind: Secret
metadata:
name: pdns-api-key
type: Opaque
data:
key: APIKEY_BASE64
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-staging
spec:
acme:
email: certificates@example.ca
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-staging-account-key
solvers:
- dns01:
webhook:
groupName: acme.zacharyseguin.ca
solverName: pdns
config:
# Base URL of the PowerDNS server.
host: https://ns1.example.ca
# Reference to the Kubernetes secret containing the API key.
apiKeySecretRef:
name: pdns-api-key
key: key
###
### OPTIONAL
###
# API Key scheme https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
# default: no scheme ""
apiKeyScheme: ""
# Header name for API key
#
# This defaults to X-API-Key when unset but supports customizations
# e.g. Authorization
apiKeyHeaderName: ""
# Server ID for the PowerDNS API.
# When unset, defaults to "localhost".
#
# This should generally be left unset, and used
# only if you have a proxy in front of the PowerDNS API
# that requires a different value.
serverID: localhost
# Request headers when connecting to the PowerDNS API.
# The following headers are set by default, but can be overriden:
# X-API-Key
# Content-Type
headers:
key: value
# CA bundle for TLS connections
# When unset, the default system certificate store is used.
caBundle: BASE64_ENCODED_CA_BUNDLE
# TTL for DNS records
# (in seconds)
ttl: 120
# Timeout for requests to the PDNS api server
# (in seconds)
timeout: 30
# If the server is only allowed to edit certain zones; the
# default is an empty list, allowing everything.
# *IMPORTANT*: Remember the trailing dot to make the zone-name
# fully qualified.
allowed-zones:
- example.com.
- example.org.
- example.net.
And then you can issue a cert:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: test-example-ca
namespace: default
spec:
secretName: example-com-tls
dnsNames:
- example.ca
- www.example.ca
issuerRef:
name: letsencrypt-staging
kind: Issuer
group: cert-manager.io
You can run the test suite with:
make setup
make test
This requires openssl
, docker
and docker-compose
to be installed.