The webhook can be installed with Helm as below:

```shell
helm repo add ans https://ans-group.github.io/helm-charts
helm repo update
helm install cert-manager-webhook-safedns ans/cert-manager-webhook-safedns
```
⚠️ Installing via Helm currently requires Kubernetes v1.17.0 and above (due to missing permissions in the `extension-apiserver-authentication-reader` role). This can be worked around by either creating a new role/role binding, or adding the following permissions to the `extension-apiserver-authentication-reader` role:

```yaml
- apiGroups:
  - ""
  resourceNames:
  - extension-apiserver-authentication
  resources:
  - configmaps
  verbs:
  - list
- apiGroups:
  - ""
  resourceNames:
  - extension-apiserver-authentication
  resources:
  - configmaps
  verbs:
  - watch
```
Helm values can be found within the chart repository.

The SafeDNS webhook requires an API key with read/write permissions. This should be obtained via the ANS Portal before continuing.
First, we'll create a Secret containing our API key:

```shell
kubectl create secret generic safedns-api-key --from-literal=api_key=<API_KEY>
```
Next, we'll configure a LetsEncrypt Issuer using the SafeDNS solver:

```shell
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod-safedns
spec:
  acme:
    email: <EMAIL>
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        webhook:
          solverName: safedns
          groupName: acme.k8s.ans.io
          config:
            apiKeySecretRef:
              name: safedns-api-key
              key: api_key
EOF
```
Finally, we'll create our certificate:

```shell
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com
spec:
  dnsNames:
  - '*.example.com'
  issuerRef:
    kind: Issuer
    name: letsencrypt-prod-safedns
  secretName: wildcard-example-com-tls
EOF
```
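The pre-flight and post-issuance checks below are an added example, not part of the project. They assume `kubectl` and `openssl` are on PATH and use the resource names from this README (`safedns-api-key`, `wildcard-example-com`); the `RUN_CHECKS` toggle and the helper function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example for the SafeDNS webhook setup above (not project code).
# Helpers that only parse strings take their input as arguments, so they
# can be exercised without a cluster; the live kubectl checks run only
# when RUN_CHECKS=1 (a toggle invented for this example).
set -u

# 0 when a server version such as "v1.16.15-gke.6" is >= 1.17.0, the
# minimum the Helm chart needs without the role workaround.
k8s_version_ok() {
  local v=${1#v} major rest minor
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%[!0-9]*}
  [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "${minor:-0}" -ge 17 ]; }
}

# 0 when every requested verb appears in a whitespace-separated verb list,
# e.g. the jsonpath output below for extension-apiserver-authentication-reader
# (the workaround adds list and watch on the extension-apiserver-authentication ConfigMap).
role_has_verbs() {
  local have=" $1 " verb
  shift
  for verb in "$@"; do
    case "$have" in *" $verb "*) ;; *) return 1 ;; esac
  done
  return 0
}

if [ "${RUN_CHECKS:-0}" = "1" ]; then
  server=$(kubectl version -o yaml | awk '/^serverVersion:/{f=1} f && /gitVersion:/{print $2; exit}')
  k8s_version_ok "$server" || echo "Kubernetes $server is below v1.17.0: apply the role workaround"
  verbs=$(kubectl -n kube-system get role extension-apiserver-authentication-reader \
    -o jsonpath='{.rules[*].verbs[*]}')
  role_has_verbs "$verbs" list watch || echo "reader role lacks list/watch on the ConfigMap"
  # The Issuer's apiKeySecretRef expects key api_key; check presence only,
  # never print the key material.
  [ -n "$(kubectl get secret safedns-api-key -o jsonpath='{.data.api_key}')" ] \
    || echo "Secret safedns-api-key has no api_key entry"
  # After the Certificate is applied: wait for issuance, then show what was issued.
  kubectl wait --for=condition=Ready certificate/wildcard-example-com --timeout=600s
  kubectl get secret wildcard-example-com-tls -o jsonpath='{.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -subject -dates -ext subjectAltName
fi
```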
`apikey.yml` should first be created in `testdata/safedns` (example at `testdata/safedns/apikey.sample.yml`) before executing the test suite.

These tests require several binaries, which can be downloaded via `scripts/fetch-test-binaries.sh`.

The test suite is executed via `go test` as below:

```shell
$ TEST_ZONE_NAME=example.com. go test .
```