Skip to content

abiondevelopment/cert-manager-webhook-abion

Repository files navigation

ACME webhook for Abion (cert-manager-webhook-abion)

cert-manager-webhook-abion is an ACME webhook for cert-manager. It provides an ACME webhook for cert-manager, which allows to use a DNS-01 challange with Abion. Internally the cert-manager-webhook-abion uses the Abion API to communicate with Abion API.

Release History

Refer to the CHANGELOG file.

Building

Build the docker image abiondevelopment/cert-manager-webhook-abion:latest:

make build

Docker images

Prebuilt docker images can be found on Docker Hub

Compatibility

This webhook has been tested with cert-manager v1.14.4 and minikube v1.32.0 on Darwin 13.3 (arm64). In theory, it should work on other hardware platforms as well but no steps have been taken to verify this.

Test

Testing with Minikube

  1. Build this webhook in Minikube:

    minikube start --memory=4G 
    eval $(minikube docker-env) 
    make build 
    
  2. Install cert-manager with Helm:

    helm repo add jetstack https://charts.jetstack.io
    
    helm install cert-manager jetstack/cert-manager \
        --namespace cert-manager \
        --create-namespace \
        --set installCRDs=true \
        --version v1.14.4 \
        --set 'extraArgs={--dns01-recursive-nameservers=8.8.8.8:53\,1.1.1.1:53}'
    
    kubectl get pods --namespace cert-manager --watch
    

    Note!: refer to Name servers in the official documentation according the extraArgs.

  3. Check the state and ensure that all pods are running fine (watch out for any issues regarding the cert-manager-webhook- pod and its volume mounts):

    kubectl describe pods -n cert-manager | less
    
  4. Create the Abion API key secret in same namespace (Replace the with a valid API key. You must have an Abion account to retrieve an API key. Contact Abion for help how to create an account and API key):

    kubectl create secret generic abion-credentials \
       --namespace cert-manager --from-literal=apiKey='<ABION-API-KEY>'
    

    Note! The Secret must reside in the same namespace as cert-manager.

  5. Deploy the abion cert-manager-webhook (Set logLevel to 6 for verbose logs):

    The features.apiPriorityAndFairness argument must be removed or set to false for Kubernetes older than 1.20.

    helm install cert-manager-webhook-abion \
       --namespace cert-manager \
       --set features.apiPriorityAndFairness=true \
       --set image.repository=abiondevelopment/cert-manager-webhook-abion \
       --set image.tag=latest \
       --set logLevel=2 \
       ./deploy/cert-manager-webhook-abion 
    

    To deploy using the image from Docker Hub (for example using the 1.2.0 tag):

    helm install cert-manager-webhook-abion \
        --namespace cert-manager \
        --set features.apiPriorityAndFairness=true \
        --set image.tag=1.2.0 \
        --set logLevel=2 \
        ./deploy/cert-manager-webhook-abion
    

    Check the logs

    kubectl get pods --namespace cert-manager --watch
    kubectl logs --namespace cert-manager cert-manager-webhook-abion-XYZ
    
  6. Create a staging cluster issuer.

    See letsencrypt-staging-clusterissuer.yaml

    Don't forget to replace email [email protected].

    kubectl apply -f ./example/issuers/letsencrypt-staging-clusterissuer.yaml
    

    Check status of the Issuer:

    kubectl describe clusterissuer letsencrypt-staging
    

    Note: The production Issuer is similar.

  7. Issue a Certificate for your domain

    Replace dnsNames example.com in the certif-example-com-clusterissuer.yaml

    Create the Certificate:

    kubectl apply -f ./example/certificates/certif-example-com-clusterissuer.yaml
    

    Check the status of the Certificate:

    kubectl describe certificate example-com
    

    Display the details like the common name and subject alternative names:

    kubectl get secret example-com-tls -o yaml
    
  8. Uninstall this webhook:

    helm uninstall cert-manager-webhook-abion --namespace cert-manager
    kubectl delete secret abion-credentials --namespace cert-manager
    

Conformance test

Please note that the test is not a typical unit nor integration test. Instead, it invokes the webhook in a Kubernetes-like environment which asks the webhook to send a request the DNS provider (i.e. Abion). The test creates a TXT zone record cert-manager-dns01-tests.example.com with a specific challenge key, verifies the presence of that record via Google DNS. Finally, it removes the entry by calling the cleanup method of the web hook.

As said above, the conformance test is run against the real Abion API. Therefore, you must have an Abion account, a domain (and zone) and an API key.

To run the conformance test you need to update abion-credentials.yaml and replace the <ABION-API-KEY> with a valid API Key, change the example.com. zone name with a valid one before you can run the test by executing:

TEST_ZONE_NAME=example.com. make test

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published