Skip to content

cnfatal/cert-manager-webhook-alidns

Repository files navigation

ACME webhook for Alibaba Cloud DNS

The ACME issuer type supports an optional 'webhook' solver, which can be used for Alibaba Cloud DNS.

more details: https://cert-manager.io/docs/configuration/acme/dns01/webhook/

Usage

Install webhook from allinone bundle or using helm chart under deploy/cert-manager-webhook-alidns.

# install cert-manager webhook
kubectl apply -f https://raw.githubusercontent.com/cnfatal/cert-manager-webhook-alidns/main/deploy/rendered-manifest.yaml

Obtain an AccessKey pair and create the AccessKey Secret.

# create alidns aksk secret
kubectl -n cert-manager create secret generic alidns-secret --from-literal="access-key=<AccessKey ID>" --from-literal="secret-key=<AccessKey Secret>"

Create the ACME issuer. for more information see https://cert-manager.io/docs/configuration/acme/

cat <<EOF | kubectl create --edit -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: [email protected]
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-issuer-account-key
    solvers:
    - dns01:
        webhook:
            groupName: dns.aliyun.com
            solverName: alidns-solver
            config:
              regionId: ""                 # optional
              apiKeySecretRef:
                name: alidns-secret
EOF

Note: The acme-staging-v02 api: https://acme-staging-v02.api.letsencrypt.org/directory is only for testing purposes now.

or you can set AccsessKey in webhook configuration directly (use as your own risk):

-              apiKeySecretRef:
-                name: alidns-secret
+              accessKeyID: "<accessKeyID>"
+              accessKeySecret: "<accessKeySecret>"

Issue a certificate(optional)

cat <<EOF | kubectl create --edit -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-tls
spec:
  secretName: example-com-tls
  commonName: example.com
  dnsNames:
  - example.com
  - "*.example.com"
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
EOF

Build

required: golang 1.17 buildah helm

make build
make rendered-manifest.yaml

Running the test suite

update alidns-secret to your own secret

$ TEST_ZONE_NAME=example.com. make test