cert-manager-webhook-safedns

Installing

The webhook can be installed with Helm as below:

helm repo add ans https://ans-group.github.io/helm-charts
helm repo update
helm install cert-manager-webhook-safedns ans/cert-manager-webhook-safedns

⚠️ Installing via Helm currently requires Kubernetes v1.17.0 and above, because the extension-apiserver-authentication-reader role in earlier versions lacks the permissions the webhook needs. This can be worked around either by creating a new Role/RoleBinding, or by adding the following permissions to the extension-apiserver-authentication-reader role:

- apiGroups:
  - ""
  resourceNames:
  - extension-apiserver-authentication
  resources:
  - configmaps
  verbs:
  - list
- apiGroups:
  - ""
  resourceNames:
  - extension-apiserver-authentication
  resources:
  - configmaps
  verbs:
  - watch
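The alternative workaround, a dedicated Role and RoleBinding, keeps the built-in role untouched. The API server reconciles its bootstrap RBAC roles on every start, so hand-added rules on extension-apiserver-authentication-reader can be reverted on upgrade unless the role carries the rbac.authorization.kubernetes.io/autoupdate: "false" annotation; a separate Role in kube-system, scoped to the single ConfigMap, avoids that and grants nothing beyond what the webhook reads. The manifest below is an added example, not part of the chart: the Role name is made up, and the ServiceAccount name and namespace in the RoleBinding are assumptions that must be replaced with the account the chart actually creates (check kubectl get serviceaccount in the release namespace). It grants get alongside the list and watch verbs the note above says are missing, since a fresh Role has to carry all three.

```yaml
# Added example (not from the chart): a minimal Role in kube-system that lets the webhook's
# ServiceAccount read the extension-apiserver-authentication ConfigMap, and nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-webhook-safedns-auth-reader   # assumed name
  namespace: kube-system                           # the ConfigMap lives here
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["extension-apiserver-authentication"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-webhook-safedns-auth-reader   # assumed name
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-webhook-safedns-auth-reader
subjects:
- kind: ServiceAccount
  name: cert-manager-webhook-safedns   # assumed: the ServiceAccount the chart creates
  namespace: cert-manager              # assumed: the namespace the release was installed into
```

Apply it with kubectl apply -f before installing the chart on a cluster older than v1.17.0; because the RoleBinding names a ServiceAccount in another namespace, the binding must live in kube-system (where the ConfigMap is) while the subject points at the webhook's own namespace.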

Helm values can be found within the chart repository.

Getting started

The SafeDNS webhook requires an API key with read/write permissions. This should be obtained via the ANS Portal before continuing.

First, we'll create a Secret containing our API key:

kubectl create secret generic safedns-api-key --from-literal=api_key=<API_KEY>

Next, we'll configure a LetsEncrypt Issuer using the SafeDNS solver:

cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod-safedns
spec:
  acme:
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        webhook:
          solverName: safedns
          groupName: acme.k8s.ans.io
          config:
            apiKeySecretRef:
              name: safedns-api-key
              key: api_key
EOF

Finally, we'll create our certificate:

cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com
spec:
  dnsNames:
  - '*.example.com'
  issuerRef:
    kind: Issuer
    name: letsencrypt-prod-safedns
  secretName: wildcard-example-com-tls
EOF
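Once the Issuer and Certificate are applied, issuance runs asynchronously: cert-manager creates an Order and a DNS-01 Challenge, calls the webhook to publish the TXT record in SafeDNS, and only marks the Certificate Ready after Let's Encrypt validates it. The script below is an added example, not part of this project, for checking that outcome: it polls the Certificate's Ready condition and, if issuance stalls, lists the Challenge objects with their state and reason so a wrong API key or a zone the key cannot write to shows up immediately instead of being guessed at. It assumes the resources live in the default namespace, a 10 s poll interval and a 300 s timeout; the certificate name is the one from the manifest above.

```shell
#!/bin/sh
# Added example (not part of cert-manager-webhook-safedns): verify that a Certificate
# issued through the SafeDNS solver became Ready, and surface the DNS-01 Challenge
# state when it did not. Assumptions: "default" namespace, 10 s polling, 300 s timeout.

# Print the status of the Certificate's Ready condition: "True", "False", or empty
# while cert-manager has not reported one yet.
cert_ready_status() {
    kubectl get certificate "$1" -n "$2" \
        -o 'jsonpath={.status.conditions[?(@.type=="Ready")].status}' 2>/dev/null
}

# Map the Ready status to a one-word verdict a caller can branch on.
classify_status() {
    case "$1" in
        True) echo ready ;;
        *)    echo pending ;;
    esac
}

# List every ACME Challenge in the namespace with the DNS name it validates, its state
# (pending, valid, invalid, ...) and the reason cert-manager recorded for that state.
show_challenges() {
    kubectl get challenges.acme.cert-manager.io -n "$1" \
        -o 'custom-columns=NAME:.metadata.name,DNSNAME:.spec.dnsName,STATE:.status.state,REASON:.status.reason'
}

# Wait up to $3 seconds (default 300) for Certificate $1 in namespace $2 to become Ready.
# Returns 0 when Ready; otherwise prints the Challenge table to stderr and returns 1.
wait_for_certificate() {
    cert=$1
    ns=$2
    deadline=${3:-300}
    elapsed=0
    while :; do
        if [ "$(classify_status "$(cert_ready_status "$cert" "$ns")")" = ready ]; then
            echo "certificate $cert in $ns is Ready"
            return 0
        fi
        [ "$elapsed" -lt "$deadline" ] || break
        sleep 10
        elapsed=$((elapsed + 10))
    done
    echo "certificate $cert in $ns not Ready after ${deadline}s; challenge status:" >&2
    show_challenges "$ns" >&2
    return 1
}

# Stand-alone use: sh verify-cert.sh wildcard-example-com default 300
if [ "$#" -gt 0 ]; then
    wait_for_certificate "$@"
fi
```

A Challenge stuck in pending with a reason mentioning the webhook or the DNS propagation check usually means the TXT record never appeared at the authoritative SafeDNS servers, which is where to look before rotating the API key or re-applying manifests.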

Running the test suite

apikey.yml should first be created in testdata/safedns (an example is provided at testdata/safedns/apikey.sample.yml) before executing the test suite. These tests require several binaries, which can be downloaded via scripts/fetch-test-binaries.sh.

The test suite is executed via go test as below:

$ TEST_ZONE_NAME=example.com. go test .