Skip to content

AbsaOSS/cert-manager-webhook-externaldns

BranchesTags

Repository files navigation

cert-manager-webhook-externaldns

This project aims to provide cert-manager webhook plugin. This plugin on challenge request creates DNSEndpoint object, which is supposed to be picked by either external-dns or CoreDNS CRD plugin

Installation

First check the supported version and if necessary adjust the versions of k8s and cert-manager: https://cert-manager.io/docs/installation/supported-releases/.

This custom cert-manager webook assumes the DNSEndpoint crd and external-dns controller to be present in the cluster and be configured properly to create TXT records. Also the custom dns server should be reachable to be able to respond to the DNS01 challenge (either deployed in the same cluster - check the "coredns variant" section) or configured in externaldns-controller.

# we assume k8s cluster at version 1.23 or higher
k3d cluster create --no-lb --k3s-arg "--disable=traefik,servicelb,metrics-server,local-storage@server:*" --image docker.io/rancher/k3s:v1.23.7-k3s1
# install cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.yaml
# install the webhook
kubectl apply -f manifest/

Usage

# create a new issuer that uses the new webhook and ask for a certificate
kubectl apply -f manifest/example

Example issuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: <enter your email address>
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-staging
    solvers:
    - dns01:
        webhook:
          groupName: acme.example.com
          solverName: externaldns 
          config:
            labels:
              cert-manager: "true"

external-dns variant

Run external-dns with source set to crd and optionally label filters

coredns variant

Example Corefile for CoreDNS

zone example.net
k8s_crd {
  resources DNSEndpoint
  filter cert-manager=true
}

Development

# after cloning the repo run
tilt up

# it assumes a k3s cluster to be up and running

About

A cert-manager webhook completing DNS01 challenge by using External DNS

Resources

Readme
Activity
Custom properties

Stars

6 stars

Watchers

7 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages