
== Development in progress ==

cert-manager Webhook for sthome private DNS

cert-manager Webhook for sthome private DNS is an ACME DNS01 solver webhook for cert-manager that lets sthome users satisfy DNS01 challenges through the sthome local DNS.

Getting started

Prerequisites

Installing

  • Clone this repository:
git clone https://github.com/stuurmcp/cert-manager-webhook-sthome.git
  • Run:
helm install sthome-webhook deploy/sthome-webhook

How to use it

Note: the webhook plugs into the cert-manager webhook system. Once the Issuer is configured, everything else is standard cert-manager; see the cert-manager documentation for details.

Now that the webhook is installed, here is how to use it.

But first, Issuers and ClusterIssuers are Kubernetes resources that represent certificate authorities (CAs) capable of generating signed certificates. An Issuer is limited to a single namespace while a ClusterIssuer can issue certificates for a whole cluster.

Let's say you need a certificate for radarr.sthome.net (the name must already be registered in sthome DNS).

First, create the base64 CA bundle. Obtain the private CA's certificate bundle in PEM format, then run the following in a shell (it joins the PEM onto a single line and base64-encodes it without line wrapping):

cat /path/to/pem/file/ca.pem | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n//g' | base64 -w0

Replace <cabundle> in the .yaml examples below with the generated base64 line.

Create a cert-manager Issuer. Create an sthome-issuer.yaml file with the following content:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: sthome-issuer
spec:
  acme:
    email: my-user@sthome.net
    # ACME server URL
    server: https://upd.sthome.net/acme-v02.api

    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: sthome-private-key-secret

    # Private CA's cert bundle in base64
    caBundle: <cabundle>
    solvers:
    - dns01:
        webhook:
          groupName: webhook.acme.cert-manager.io
          solverName: sthome

Run:

kubectl create -f sthome-issuer.yaml
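The bundle, placeholder and apply steps above as one script (an added example, not part of the sthome webhook project); it assumes the placeholder is literally <cabundle> as in the README manifests and takes the manifest path and PEM path as arguments.

```shell
#!/bin/sh
# Added example, not part of the sthome webhook project: produce the caBundle
# line the README asks for, substitute it into a manifest that still carries the
# <cabundle> placeholder, and sanity-check the bundle before applying it.
# Assumptions: a manifest file path and a PEM file path are passed in, and the
# placeholder text is exactly "<cabundle>" as in the README examples.

# Same pipeline as the README: collapse the PEM to one line and base64-encode it.
# 'base64 | tr -d "\n"' replaces 'base64 -w0' so it also works with BSD/macOS base64.
encode_cabundle() {
  sed -e ':a' -e 'N' -e '$!ba' -e 's/\n//g' "$1" | base64 | tr -d '\n'
}

# Decode the bundle again and confirm a certificate header survived: this catches
# an empty or truncated paste before cert-manager reports a confusing TLS error.
check_cabundle() {
  printf '%s' "$1" | base64 -d 2>/dev/null | grep -q -- '-----BEGIN CERTIFICATE-----'
}

# Fill the placeholder; refuse to emit a manifest with a missing or invalid bundle.
# '|' is the sed delimiter because base64 output may contain '/'.
render_manifest() {
  manifest="$1"; pem="$2"
  bundle=$(encode_cabundle "$pem")
  check_cabundle "$bundle" || { echo "no certificate found in $pem" >&2; return 1; }
  sed "s|<cabundle>|$bundle|" "$manifest"
}

# Usage: render_manifest sthome-issuer.yaml ca.pem | kubectl create -f -
```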

Check the status of the Issuer.

kubectl describe issuer sthome-issuer

Should you need to delete the Issuer, run the following command:

kubectl delete issuer sthome-issuer

Alternatively, to create a ClusterIssuer, create a sthome-clusterissuer.yaml file with the following content:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: sthome-clusterissuer
spec:
  acme:
    # Your ACME server URL.
    server: https://upd.sthome.lan/acme-v02.api

    # Replace this email address with your own (currently not used)
    email: my-user@sthome.net

    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: sthome-acme

    # Private CA's cert bundle in base64
    caBundle: <cabundle>

    solvers:
      - dns01:
          webhook:
            groupName: webhook.acme.cert-manager.io
            solverName: sthome
            #config:
            #  usernameSecretKeyRef:
            #    name: sthome-credentials
            #    key: username
            #  passwordSecretKeyRef:
            #    name: sthome-credentials
            #    key: password

To deploy the ClusterIssuer configuration file, run the following command:

kubectl apply -f sthome-clusterissuer.yaml

Check the status of the ClusterIssuer.

kubectl describe clusterissuer sthome-clusterissuer

Should you need to delete the ClusterIssuer, run the following command:

kubectl delete clusterissuer sthome-clusterissuer

Create the Certificate object for radarr.sthome.net. Create a certificate.yaml file with the following content:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: radarr-sthome-net
spec:
  dnsNames:
  - radarr.sthome.net
  issuerRef:
    name: sthome-issuer
  secretName: radarr-sthome-net-tls

Run:

kubectl create -f certificate.yaml

The certificate should be ready after a few seconds:

$ kubectl get certificate radarr-sthome-net
NAME                READY   SECRET                  AGE
radarr-sthome-net   True    radarr-sthome-net-tls   2m21s

The certificate is now available in the radarr-sthome-net-tls secret.

Integration testing

Before running the test, you need:

  • A valid domain on sthome DNS (here radarr.sthome.net)
  • Valid STH_ACCESS_KEY and STH_SECRET_KEY variables exported in the environment

To run the integration tests, run:

TEST_ZONE_NAME=radarr.sthome.net make test