cert-manager-webhook-dnspod

This is a cert-manager webhook solver for DNSPod.

Prerequisites

Installation

Generate a SecretId and SecretKey in Cloud API, then install the chart and hand them to the ClusterIssuer it creates:

$ helm repo add roc https://charts.imroc.cc
$ helm upgrade --install cert-manager-webhook-dnspod roc/cert-manager-webhook-dnspod \
    --namespace <namespace> \
    --set clusterIssuer.secretId=<secretId> \
    --set clusterIssuer.secretKey=<secretKey>

Two caveats. A DNSPod SecretId is numeric, and Helm's --set (like an unquoted value in values.yaml) stores it as a number, so the ClusterIssuer's solver config carries a JSON number where the webhook expects a string and every challenge fails with "error decoding solver config: json: cannot unmarshal number into Go struct field customDNSProviderConfig.secretId of type string". Pass it with --set-string clusterIssuer.secretId=<secretId>, or quote it in values.yaml, so it is stored as a string. Second, values given on the command line are kept in your shell history and in the Helm release record inside the cluster; treat the SecretKey as a long-lived credential and rotate it in the Cloud API console if it leaks (for example into pod logs).

Create Certificate

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-crt
spec:
  secretName: example-crt
  issuerRef:
    name: dnspod
    kind: ClusterIssuer
    group: cert-manager.io
  dnsNames:
  - "example.com"
  - "*.example.com"

Comments
  • renew error

    Hello, when renewing a certificate today I got the following error. Could you please help me work out how to fix it? Thanks! cert-manager error:

    "reason": "PresentError",
     "message": "Error presenting challenge: the server is currently unable to handle the request (post dnspod.acme.imroc.cc)",
    

    cert-manager-webhook-dnspod error:

    I0430 12:46:46.670500       1 main.go:123] create dnspod client successfully
    E0430 12:46:47.333874       1 main.go:204] Failed to get domain id cn.: no domain found in zone cn.
    

    Versions are as follows:

    [image]
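    The webhook log above shows cert-manager handing the solver "cn." as the resolved zone, so the webhook then looks for a DNSPod domain named "cn." and fails. The following is an added example, not the webhook's own code, of how a solver can derive the DNSPod Domain and SubDomain from cert-manager's ResolvedFQDN and ResolvedZone and reject a single-label zone up front with an error that points at DNS delegation rather than at DNSPod. SplitChallenge and ErrZoneIsTLD are names chosen for this example; it assumes the DNSPod account holds exactly the zone cert-manager resolved.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrZoneIsTLD is returned when the zone cert-manager resolved has a single
// label such as "cn.". That means the SOA walk up from the challenge name never
// reached the customer's own zone, so there is no DNSPod domain to look up and
// the NS delegation of the domain is what needs checking.
var ErrZoneIsTLD = errors.New("resolved zone is a bare top-level domain")

// SplitChallenge derives the DNSPod Domain and SubDomain for a DNS-01 TXT
// record from the ResolvedFQDN and ResolvedZone that cert-manager passes to a
// webhook solver (both absolute names ending in "."). Assumption for this
// example: the DNSPod account holds exactly the zone cert-manager resolved.
func SplitChallenge(resolvedFQDN, resolvedZone string) (domain, subDomain string, err error) {
	fqdn := strings.ToLower(strings.TrimSuffix(resolvedFQDN, "."))
	zone := strings.ToLower(strings.TrimSuffix(resolvedZone, "."))
	if zone == "" || !strings.Contains(zone, ".") {
		// "cn." -> "cn": one label, nothing a DNSPod account could own.
		return "", "", fmt.Errorf("%w: %q (fqdn %q)", ErrZoneIsTLD, resolvedZone, resolvedFQDN)
	}
	switch {
	case fqdn == zone:
		// Record at the zone apex: DNSPod addresses it as "@".
		return zone, "@", nil
	case strings.HasSuffix(fqdn, "."+zone):
		return zone, strings.TrimSuffix(fqdn, "."+zone), nil
	default:
		return "", "", fmt.Errorf("fqdn %q is not inside zone %q", resolvedFQDN, resolvedZone)
	}
}

func main() {
	// Constructed inputs: a normal wildcard challenge and the case behind
	// "no domain found in zone cn." from the log above.
	for _, in := range [][2]string{
		{"_acme-challenge.example.com.", "example.com."},
		{"_acme-challenge.example.cn.", "cn."},
	} {
		d, s, err := SplitChallenge(in[0], in[1])
		fmt.Printf("%-30s zone=%-13s -> domain=%q sub=%q err=%v\n", in[0], in[1], d, s, err)
	}
}
```

    When the second case fires, the fix is outside the webhook: the domain's NS records must point at DNSPod so that the SOA lookup cert-manager performs lands on the customer's zone.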

  • "v1alpha1.acme.imroc.cc" failed with: OpenAPI spec does not exist

    After installation succeeded, certificates are issued normally, but the k8s server log keeps looping on this error. Is there a fix?

    Oct 19 02:05:58 k3s-master k3s[203492]: I1019 02:05:58.411724  203492 alloc.go:327] "allocated clusterIPs" service="cert-manager/cert-manager-webhook-dnspod" clusterIPs=map[IPv4:10.43.239.218]
    Oct 19 02:05:58 k3s-master k3s[203492]: I1019 02:05:58.469074  203492 event.go:294] "Event occurred" object="cert-manager/cert-manager-webhook-dnspod" fieldPath="" kind="Deployment" apiVersion="apps/v1" type="Normal" reason="ScalingReplicaSet" message="Scaled up replica set cert-mana>
    Oct 19 02:05:58 k3s-master k3s[203492]: E1019 02:05:58.515048  203492 available_controller.go:524] v1alpha1.acme.imroc.cc failed with: Operation cannot be fulfilled on apiservices.apiregistration.k8s.io "v1alpha1.acme.imroc.cc": the object has been modified; please apply your changes>
    Oct 19 02:05:58 k3s-master k3s[203492]: I1019 02:05:58.517278  203492 event.go:294] "Event occurred" object="cert-manager/cert-manager-webhook-dnspod-77586fdc8f" fieldPath="" kind="ReplicaSet" apiVersion="apps/v1" type="Normal" reason="SuccessfulCreate" message="Created pod: cert-man>
    Oct 19 02:05:58 k3s-master k3s[203492]: I1019 02:05:58.569516  203492 controller.go:611] quota admission added evaluator for: issuers.cert-manager.io
    Oct 19 02:05:59 k3s-master k3s[203492]: W1019 02:05:59.491333  203492 handler_proxy.go:105] no RequestInfo found in the context
    Oct 19 02:05:59 k3s-master k3s[203492]: E1019 02:05:59.491417  203492 controller.go:116] loading OpenAPI spec for "v1alpha1.acme.imroc.cc" failed with: failed to retrieve openAPI spec, http error: ResponseCode: 503, Body: service unavailable
    Oct 19 02:05:59 k3s-master k3s[203492]: , Header: map[Content-Type:[text/plain; charset=utf-8] X-Content-Type-Options:[nosniff]]
    Oct 19 02:05:59 k3s-master k3s[203492]: I1019 02:05:59.491443  203492 controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.
    Oct 19 02:05:59 k3s-master k3s[203492]: W1019 02:05:59.491337  203492 handler_proxy.go:105] no RequestInfo found in the context
    Oct 19 02:05:59 k3s-master k3s[203492]: E1019 02:05:59.491493  203492 controller.go:113] loading OpenAPI spec for "v1alpha1.acme.imroc.cc" failed with: Error, could not get list of group versions for APIService
    Oct 19 02:05:59 k3s-master k3s[203492]: I1019 02:05:59.492968  203492 controller.go:126] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.
    Oct 19 02:06:01 k3s-master systemd[97538]: run-containerd-runc-k8s.io-da508401a9e63fd060813899b0108af1f976c609aa5914c31042957391251ff1-runc.KlEPgj.mount: Succeeded.
    -- Subject: Unit succeeded
    -- Defined-By: systemd
    -- Support: http://www.ubuntu.com/support
    --
    -- The unit UNIT has successfully entered the 'dead' state.
    Oct 19 02:06:01 k3s-master systemd[1]: run-containerd-runc-k8s.io-da508401a9e63fd060813899b0108af1f976c609aa5914c31042957391251ff1-runc.KlEPgj.mount: Succeeded.
    -- Subject: Unit succeeded
    -- Defined-By: systemd
    -- Support: http://www.ubuntu.com/support
    --
    -- The unit run-containerd-runc-k8s.io-da508401a9e63fd060813899b0108af1f976c609aa5914c31042957391251ff1-runc.KlEPgj.mount has successfully entered the 'dead' state.
    Oct 19 02:06:02 k3s-master k3s[203492]: E1019 02:06:02.144646  203492 available_controller.go:524] v1alpha1.acme.imroc.cc failed with: failing or missing response from https://10.42.2.27:443/apis/acme.imroc.cc/v1alpha1: bad status from https://10.42.2.27:443/apis/acme.imroc.cc/v1alph>
    Oct 19 02:06:02 k3s-master k3s[203492]: E1019 02:06:02.149630  203492 available_controller.go:524] v1alpha1.acme.imroc.cc failed with: failing or missing response from https://10.42.2.27:443/apis/acme.imroc.cc/v1alpha1: bad status from https://10.42.2.27:443/apis/acme.imroc.cc/v1alph>
    Oct 19 02:06:02 k3s-master k3s[203492]: E1019 02:06:02.155627  203492 available_controller.go:524] v1alpha1.acme.imroc.cc failed with: failing or missing response from https://10.42.2.27:443/apis/acme.imroc.cc/v1alpha1: bad status from https://10.42.2.27:443/apis/acme.imroc.cc/v1alph>
    Oct 19 02:06:03 k3s-master k3s[203492]: E1019 02:06:03.164646  203492 controller.go:116] loading OpenAPI spec for "v1alpha1.acme.imroc.cc" failed with: OpenAPI spec does not exist
    Oct 19 02:06:03 k3s-master k3s[203492]: I1019 02:06:03.164696  203492 controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.
    
  • error cleaning up challenge

    It always tries to clean up the dns challenge after generating certs, even if the dns record was already removed successfully.

    Logs are filled up with the following error message: E0826 09:36:38.149573 1 sync.go:282] cert-manager/challenges/finalizer "msg"="error cleaning up challenge" "error"="dnspod API call has failed: [TencentCloudSDKError] Code=ResourceNotFound.NoDataOfRecord, Message=记录列表为空。 (record list is empty), RequestId=2781a7f8-3d0c-43e5-8b09-e07f7547b847" "dnsName"="chiyuki.studio" "resource_kind"="Challenge" "resource_name"="cert-chiyuki-studio-msfcc-3859969589-3025972435" "resource_namespace"="traefik" "resource_version"="v1" "type"="DNS-01"
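    cert-manager keeps calling a solver's CleanUp until it returns without error, so a cleanup that reports DNSPod's ResourceNotFound.NoDataOfRecord response as a failure loops forever once the record is gone. The following is an added example, not the project's code: an idempotent cleanup that treats that code as success, with an in-memory stand-in for the DNSPod API. APIError, RecordAPI and FakeAPI are constructed for this example; the real Tencent Cloud SDK error type exposes its Code field in the same way.

```go
package main

import (
	"errors"
	"fmt"
)

// codeNoRecords is the DNSPod code from the log above: the record list is empty.
const codeNoRecords = "ResourceNotFound.NoDataOfRecord"

// APIError stands in for the SDK's TencentCloudSDKError; only Code matters here.
// Hypothetical type for this example.
type APIError struct {
	Code    string
	Message string
}

func (e *APIError) Error() string {
	return fmt.Sprintf("[TencentCloudSDKError] Code=%s, Message=%s", e.Code, e.Message)
}

// RecordAPI is the minimal surface the cleanup needs; a real implementation
// wraps the DNSPod record-list and record-delete calls.
type RecordAPI interface {
	ListTXT(domain, subDomain string) ([]string, error) // returns record IDs
	Delete(domain, recordID string) error
}

// isNoRecords reports whether err is the API saying there is nothing there.
func isNoRecords(err error) bool {
	var ae *APIError
	return errors.As(err, &ae) && ae.Code == codeNoRecords
}

// CleanUpTXT removes every TXT record for the challenge name. "No records" from
// either call is success: the goal of CleanUp is the absence of the record, and
// a second call after the first succeeded must be a no-op, not an error.
// Any other API error (auth, throttling) is still surfaced.
func CleanUpTXT(api RecordAPI, domain, subDomain string) error {
	ids, err := api.ListTXT(domain, subDomain)
	if err != nil {
		if isNoRecords(err) {
			return nil
		}
		return fmt.Errorf("dnspod API call has failed: %w", err)
	}
	for _, id := range ids {
		if err := api.Delete(domain, id); err != nil && !isNoRecords(err) {
			return fmt.Errorf("dnspod API call has failed: %w", err)
		}
	}
	return nil
}

// FakeAPI is an in-memory DNSPod that answers like the real one: an empty
// record list is an error carrying codeNoRecords, not an empty slice.
// Constructed test double.
type FakeAPI struct {
	Records  map[string][]string // "domain/subDomain" -> record IDs
	Deleted  int
	FailWith *APIError // if set, ListTXT returns this error instead
}

func (f *FakeAPI) ListTXT(domain, subDomain string) ([]string, error) {
	if f.FailWith != nil {
		return nil, f.FailWith
	}
	ids := f.Records[domain+"/"+subDomain]
	if len(ids) == 0 {
		return nil, &APIError{Code: codeNoRecords, Message: "record list is empty"}
	}
	return append([]string(nil), ids...), nil
}

func (f *FakeAPI) Delete(domain, recordID string) error {
	for key, ids := range f.Records {
		for i, id := range ids {
			if id == recordID {
				f.Records[key] = append(ids[:i:i], ids[i+1:]...)
				f.Deleted++
				return nil
			}
		}
	}
	return &APIError{Code: codeNoRecords, Message: "record list is empty"}
}

func main() {
	api := &FakeAPI{Records: map[string][]string{"example.com/_acme-challenge": {"1001"}}}
	fmt.Println("first cleanup:", CleanUpTXT(api, "example.com", "_acme-challenge"), "deleted:", api.Deleted)
	fmt.Println("second cleanup:", CleanUpTXT(api, "example.com", "_acme-challenge"))
}
```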

  • please remove confidential info from log

    This line will log secret id and secret key: https://github.com/imroc/cert-manager-webhook-dnspod/blob/9d6f1593ec1cb694ffdc47fa14d726c9889d2acf/main.go#L124

    Could you please remove it?

  • Error presenting challenge

    I specified my clusterIssuer in values.yaml and deployed it by

    $ helm install dnspod-hooker roc/cert-manager-webhook-dnspod --namespace cert-manager -f values.yaml
    $ cat values.yaml
    ....
    clusterIssuer:
      enabled: true
      name: dnspod
      ttl: 600
      staging: false
      secretId: <A Number>
      secretKey: <My Secret Key>
      email: <My Email>
    ....
    

    But when I try to issue a certificate with the following, it fails.

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: wildcard-cert
      namespace: prod
    spec:
      secretName: wildcard-cert
      issuerRef:
        name: dnspod
        kind: ClusterIssuer
      dnsNames:
      - "*.jerrita.cn"
    

    Here's detail for this challenge.

    Spec:
      Authorization URL:  https://acme-v02.api.letsencrypt.org/acme/authz-v3/53147134200
      Dns Name:           jerrita.cn
      Issuer Ref:
        Kind:  ClusterIssuer
        Name:  dnspod
      Key:     C70GxiBffL7og1f9NkP0SpcMRW4UJHoxxRvPXXHOoPA
      Solver:
        dns01:
          Webhook:
            Config:
              Secret Id:  257754
              Secret Key Ref:
                Key:      secret-key
                Name:     dnspod-hooker-cert-manager-webhook-dnspod-secret
              Ttl:        600
            Group Name:   acme.jerrita.cn
            Solver Name:  dnspod
      Token:              ITuoHBla960WGR6lWMSONGEJpZtZhWRQhPr1a7auEb0
      Type:               DNS-01
      URL:                https://acme-v02.api.letsencrypt.org/acme/chall-v3/53147134200/m88caQ
      Wildcard:           true
    Status:
      Presented:   false
      Processing:  true
      Reason:      error decoding solver config: json: cannot unmarshal number into Go struct field customDNSProviderConfig.secretId of type string
      State:       pending
    Events:
      Type     Reason        Age                    From          Message
      ----     ------        ----                   ----          -------
      Normal   Started       7m54s                  cert-manager  Challenge scheduled for processing
      Warning  PresentError  2m45s (x7 over 7m53s)  cert-manager  Error presenting challenge: error decoding solver config: json: cannot unmarshal number into Go struct field customDNSProviderConfig.secretId of type string
    

    How to solve it?

  • Issuing certificate as Secret does not exist

    k8s v1.26.0, cert-manager v1.10.1

    [image]

    kubectl describe certificates
    Name:         apisix-crt
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>
    API Version:  cert-manager.io/v1
    Kind:         Certificate
    Metadata:
      Creation Timestamp:  2023-01-03T07:02:49Z
      Generation:          1
      Managed Fields:
        API Version:  cert-manager.io/v1
        Fields Type:  FieldsV1
        fieldsV1:
          f:status:
            .:
            f:conditions:
              .:
              k:{"type":"Ready"}:
                .:
                f:lastTransitionTime:
                f:message:
                f:observedGeneration:
                f:reason:
                f:status:
                f:type:
        Manager:      cert-manager-certificates-readiness
        Operation:    Update
        Subresource:  status
        Time:         2023-01-03T07:02:49Z
        API Version:  cert-manager.io/v1
        Fields Type:  FieldsV1
        fieldsV1:
          f:status:
            f:conditions:
              k:{"type":"Issuing"}:
                .:
                f:lastTransitionTime:
                f:message:
                f:observedGeneration:
                f:reason:
                f:status:
                f:type:
        Manager:      cert-manager-certificates-trigger
        Operation:    Update
        Subresource:  status
        Time:         2023-01-03T07:02:49Z
        API Version:  cert-manager.io/v1
        Fields Type:  FieldsV1
        fieldsV1:
          f:metadata:
            f:annotations:
              .:
              f:kubectl.kubernetes.io/last-applied-configuration:
          f:spec:
            .:
            f:dnsNames:
            f:issuerRef:
              .:
              f:group:
              f:kind:
              f:name:
            f:secretName:
        Manager:      kubectl-client-side-apply
        Operation:    Update
        Time:         2023-01-03T07:02:49Z
        API Version:  cert-manager.io/v1
        Fields Type:  FieldsV1
        fieldsV1:
          f:status:
            f:nextPrivateKeySecretName:
        Manager:         cert-manager-certificates-key-manager
        Operation:       Update
        Subresource:     status
        Time:            2023-01-03T07:02:50Z
      Resource Version:  3913908
      UID:               5d17353e-f1af-48cb-9398-02da4c05038b
    Spec:
      Dns Names:
        apisix.yappam.com
        *.apisix.yappam.com
      Issuer Ref:
        Group:      cert-manager.io
        Kind:       ClusterIssuer
        Name:       dnspod
      Secret Name:  apisix-crt
    Status:
      Conditions:
        Last Transition Time:        2023-01-03T07:02:49Z
        Message:                     Issuing certificate as Secret does not exist
        Observed Generation:         1
        Reason:                      DoesNotExist
        Status:                      False
        Type:                        Ready
        Last Transition Time:        2023-01-03T07:02:49Z
        Message:                     Issuing certificate as Secret does not exist
        Observed Generation:         1
        Reason:                      DoesNotExist
        Status:                      True
        Type:                        Issuing
      Next Private Key Secret Name:  apisix-crt-l4fvj
    Events:
      Type    Reason     Age   From                                       Message
      ----    ------     ----  ----                                       -------
      Normal  Issuing    8s    cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
      Normal  Generated  7s    cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "apisix-crt-l4fvj"
      Normal  Requested  6s    cert-manager-certificates-request-manager  Created new CertificateRequest resource "apisix-crt-2xqvn"
    
  • Error presenting challenge: the server is currently unable to handle the request (post dnspod.acme.imroc.cc)

    Status:
      Presented:   false
      Processing:  true
      Reason:      the server is currently unable to handle the request (post dnspod.acme.imroc.cc)
      State:       pending
    Events:
      Type     Reason        Age                 From                     Message
      ----     ------        ----                ----                     -------
      Normal   Started       2m36s               cert-manager-challenges  Challenge scheduled for processing
      Warning  PresentError  5s (x6 over 2m30s)  cert-manager-challenges  Error presenting challenge: the server is currently unable to handle the request (post dnspod.acme.imroc.cc)
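    Both "the server is currently unable to handle the request (post dnspod.acme.imroc.cc)" here and the 503 / "OpenAPI spec does not exist" lines in the earlier k3s log come from the kube-apiserver aggregation layer failing to reach the webhook's APIService, not from DNSPod. The following is an added example, not part of the project: it maps the challenge error to the APIService object to inspect and reads that object's Available condition from kubectl get apiservice <name> -o json output. sampleAPIService is a constructed object mirroring the k3s log; the assumption that the webhook is registered as v1alpha1 follows cert-manager's webhook convention and the name in that log.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// presentErrRe matches the "(post <resource>.<group>)" suffix cert-manager
// appends when the aggregated-API proxy call fails.
var presentErrRe = regexp.MustCompile(`\(post ([a-z0-9-]+)\.([a-z0-9.-]+)\)$`)

// APIServiceFor turns a challenge error into the APIService name to inspect.
// Assumption for this example: the webhook solver is served as v1alpha1.
func APIServiceFor(challengeErr string) (string, bool) {
	m := presentErrRe.FindStringSubmatch(challengeErr)
	if m == nil {
		return "", false
	}
	return "v1alpha1." + m[2], true
}

// apiService is the subset of an APIService object this check reads.
type apiService struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		Service *struct {
			Name      string `json:"name"`
			Namespace string `json:"namespace"`
		} `json:"service"`
	} `json:"spec"`
	Status struct {
		Conditions []struct {
			Type    string `json:"type"`
			Status  string `json:"status"`
			Reason  string `json:"reason"`
			Message string `json:"message"`
		} `json:"conditions"`
	} `json:"status"`
}

// Availability reports whether the aggregated API is Available and, if not,
// which Service backs it and the apiserver's reason and message, so the next
// step (pod not running, serving cert not issued, wrong port) is obvious.
func Availability(raw []byte) (available bool, detail string, err error) {
	var svc apiService
	if err := json.Unmarshal(raw, &svc); err != nil {
		return false, "", err
	}
	for _, c := range svc.Status.Conditions {
		if c.Type != "Available" {
			continue
		}
		if c.Status == "True" {
			return true, "", nil
		}
		backend := "local"
		if svc.Spec.Service != nil {
			backend = svc.Spec.Service.Namespace + "/" + svc.Spec.Service.Name
		}
		return false, fmt.Sprintf("%s backed by Service %s: %s: %s", svc.Metadata.Name, backend, c.Reason, c.Message), nil
	}
	return false, svc.Metadata.Name + ": no Available condition reported yet", nil
}

// sampleAPIService is constructed to mirror the k3s log above; it is not
// captured from a live cluster.
const sampleAPIService = `{
  "apiVersion": "apiregistration.k8s.io/v1",
  "kind": "APIService",
  "metadata": {"name": "v1alpha1.acme.imroc.cc"},
  "spec": {
    "group": "acme.imroc.cc", "version": "v1alpha1",
    "service": {"name": "cert-manager-webhook-dnspod", "namespace": "cert-manager", "port": 443}
  },
  "status": {"conditions": [{
    "type": "Available", "status": "False", "reason": "FailedDiscoveryCheck",
    "message": "failing or missing response from https://10.42.2.27:443/apis/acme.imroc.cc/v1alpha1: bad status from https://10.42.2.27:443/apis/acme.imroc.cc/v1alpha1: 503"
  }]}
}`

func main() {
	name, _ := APIServiceFor("Error presenting challenge: the server is currently unable to handle the request (post dnspod.acme.imroc.cc)")
	ok, detail, err := Availability([]byte(sampleAPIService))
	fmt.Printf("check APIService %s: available=%v err=%v\n%s\n", name, ok, err, detail)
}
```

    When Availability reports false, look at the webhook Pod in the named Service's namespace and at the TLS secret it serves with before touching the DNSPod credentials; the challenge never reached the webhook.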

  • Can cnameStrategy=None be supported?

    To stop a wildcard *.domain.com record pointing at ddns.domain.com from interfering with resolution during certificate requests. By default the CNAME record for _acme-challenge.domain.com is fetched, so the TXT record at _acme-challenge.domain.com is never read and the TXT record at ddns.domain.com is read instead. Looking at the cert-manager docs, does cnameStrategy=None need to be added to configure this?

  • Wrong type of secretId was set in clusterissuers.cert-manager.io/dnspod config

    I followed the steps in https://imroc.cc/k8s/trick/cert-manager-webhook-dnspod/ , but got an error below.

    error decoding solver config: json: cannot unmarshal number into Go struct field customDNSProviderConfig.secretId of type string
    

    And found the value of secretId in clusterissuers.cert-manager.io/dnspod is not a string type.
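    This issue and "Error presenting challenge" above are the same defect: a numeric secretId (from helm --set or an unquoted values.yaml entry) is stored as a JSON number, and the webhook's config struct declares the field as a string, so encoding/json refuses it. The following is an added example, not the project's code: the strict decoding that reproduces the error beside a StringOrNumber field type that accepts either form and keeps the digits verbatim. strictConfig, tolerantConfig and StringOrNumber are names chosen for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// StringOrNumber accepts a JSON string or a JSON number and keeps the literal
// text, so a secretId that Helm turned into the number 257754 decodes to
// "257754" instead of failing. Hypothetical type for this example.
type StringOrNumber string

func (s *StringOrNumber) UnmarshalJSON(b []byte) error {
	var str string
	if err := json.Unmarshal(b, &str); err == nil {
		*s = StringOrNumber(str)
		return nil
	}
	// json.Number keeps the number's literal digits, so nothing is lost to
	// float64 rounding for long IDs.
	var num json.Number
	if err := json.Unmarshal(b, &num); err != nil {
		return fmt.Errorf("secretId must be a JSON string or number: %w", err)
	}
	*s = StringOrNumber(num.String())
	return nil
}

// strictConfig mirrors the shape that produces the error quoted in the issues.
type strictConfig struct {
	SecretID string `json:"secretId"`
	TTL      int    `json:"ttl"`
}

// tolerantConfig is the same config with the tolerant field type.
type tolerantConfig struct {
	SecretID StringOrNumber `json:"secretId"`
	TTL      int            `json:"ttl"`
}

// DecodeStrict returns the secretId or the json error a string field raises.
func DecodeStrict(raw []byte) (string, error) {
	var c strictConfig
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", err
	}
	return c.SecretID, nil
}

// DecodeTolerant returns the secretId as a string for either JSON form.
func DecodeTolerant(raw []byte) (string, error) {
	var c tolerantConfig
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", err
	}
	return string(c.SecretID), nil
}

func main() {
	// Constructed sample: the solver config as `helm --set` stores it.
	raw := []byte(`{"secretId": 257754, "ttl": 600}`)
	if _, err := DecodeStrict(raw); err != nil {
		fmt.Println("strict:  ", err)
	}
	id, err := DecodeTolerant(raw)
	fmt.Println("tolerant:", id, err)
}
```

    On the operator side the same defect is avoided without a code change by passing the value with helm --set-string or quoting it in values.yaml; the tolerant type is what the webhook would need to accept both.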
