ACME Webhook for next layer DNS
This project provides a cert-manager ACME Webhook for next layer DNS and is based on the Example Webhook.
Requirements
- helm >= v3.0.0
- kubernetes >= v1.14.0
- cert-manager >= 0.12.0
Configuration
The following table lists the configurable parameters of the cert-manager chart and their default values.
| Parameter | Description | Default |
|---|---|---|
| groupName | Group name of the API service. | dns.nextlayer.at |
| certManager.namespace | Namespace where cert-manager is deployed to. | kube-system |
| certManager.serviceAccountName | Service account of cert-manager installation. | cert-manager |
| image.repository | Image repository | registry.nextlayer.at/nextlayer/cert-manager-webhook-nextlayer |
| image.tag | Image tag | latest |
| image.pullPolicy | Image pull policy | Always |
| service.type | API service type | ClusterIP |
| service.port | API service port | 443 |
| resources | CPU/memory resource requests/limits | {} |
| nodeSelector | Node labels for pod assignment | {} |
| affinity | Node affinity for pod assignment | {} |
| tolerations | Node tolerations for pod assignment | [] |
Installation
cert-manager
Follow the instructions in the cert-manager documentation to install it within your cluster.
Webhook
By cloning the repo
```bash
git clone https://github.com/nextlayergmbh/cert-manager-webhook-nextlayer.git
cd cert-manager-webhook-nextlayer
helm install --namespace cert-manager cert-manager-webhook-nextlayer ./deploy/cert-manager-webhook-nextlayer
```
By adding the helm repo
```bash
helm repo add nextlayercm https://nextlayergmbh.github.io/cert-manager-webhook-nextlayer/
helm repo update
# Helm 3 needs a release name; this one matches the uninstall command below
helm install --namespace cert-manager cert-manager-webhook-nextlayer nextlayercm/cert-manager-webhook-nextlayer
```
Note: The Kubernetes resources used to install the Webhook should be deployed within the same namespace as cert-manager.
To uninstall the webhook run
```bash
helm uninstall --namespace cert-manager cert-manager-webhook-nextlayer
```
Issuer
Create a ClusterIssuer or Issuer resource as follows:
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: you@example.com # REPLACE THIS WITH YOUR EMAIL
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - dns01:
          webhook:
            groupName: dns.nextlayer.at
            solverName: nextlayer
            config:
              # next layer DNS API token (see Credentials)
              APIKey:
```
Credentials
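To access the next layer DNS API, you need an API token, which you can request from next layer support. Currently we don't provide a way to use secrets for your API key. The key therefore sits in plain text in the Issuer or ClusterIssuer spec, so anyone who can read those resources can read it; restrict RBAC access to them and keep filled-in manifests out of version control.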
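Because the API key is set inline under `config.APIKey`, it helps to know which Issuer and ClusterIssuer objects carry one. The following Python script is an added example, not part of this project: it reads JSON as produced by `kubectl get clusterissuers,issuers -A -o json` and reports every matching solver without printing the key. The function name `find_inline_api_keys` and the sample data are assumptions made for illustration.

```python
import json

GROUP_NAME = "dns.nextlayer.at"  # groupName from the Issuer example on this page

def find_inline_api_keys(kubectl_json):
    """Return one finding per dns01 webhook solver that has a non-empty inline APIKey."""
    doc = json.loads(kubectl_json)
    items = doc["items"] if "items" in doc else [doc]  # kubectl List or single object
    findings = []
    for obj in items:
        if obj.get("kind") not in ("Issuer", "ClusterIssuer"):
            continue
        meta = obj.get("metadata") or {}
        solvers = ((obj.get("spec") or {}).get("acme") or {}).get("solvers") or []
        for index, solver in enumerate(solvers):
            webhook = (solver.get("dns01") or {}).get("webhook") or {}
            key = (webhook.get("config") or {}).get("APIKey")
            if webhook.get("groupName") == GROUP_NAME and key:
                findings.append({
                    "kind": obj["kind"],
                    # ClusterIssuer is cluster-scoped, so namespace is None
                    "namespace": meta.get("namespace"),
                    "name": meta.get("name"),
                    "solver": index,
                    # report only the length, never the key itself
                    "key_length": len(str(key)),
                })
    return findings

# Constructed sample input (hypothetical objects, placeholder key)
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-staging"},
         "spec": {"acme": {"solvers": [{"dns01": {"webhook": {
             "groupName": "dns.nextlayer.at", "solverName": "nextlayer",
             "config": {"APIKey": "EXAMPLE-NOT-A-REAL-KEY"}}}}]}}},
        {"kind": "Issuer", "metadata": {"name": "http-only", "namespace": "web"},
         "spec": {"acme": {"solvers": [{"http01": {"ingress": {"class": "nginx"}}}]}}},
    ],
})

if __name__ == "__main__":
    for finding in find_inline_api_keys(SAMPLE):
        print(finding)
```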
Thanks
Thanks to mecodia GmbH and Stephan Müller whose project served as an example for cert-manager-webhook-nextlayer.