Cert-Manager ACME DNS01 Webhook Solver for CIVO DNS

This solver can be used when you want to use cert-manager with CIVO DNS.

Installation

cert-manager

Follow the instructions using the cert-manager documentation to install it within your cluster.

cert-manager-webhook-civo

helm install cert-manager-webhook-civo oci://ghcr.io/okteto/cert-manager-webhook-civo [--version 0.5.4]

From local checkout

helm install --namespace cert-manager cert-manager-webhook-civo chart/cert-manager-webhook-civo

Note: The kubernetes resources used to install the Webhook should be deployed within the same namespace as the cert-manager.

Uninstalling

To uninstall the webhook run

helm uninstall --namespace cert-manager cert-manager-webhook-civo

Usage

Credentials

In order to access the CIVO API, the webhook needs an API token.

kubectl create secret generic civo-secret --from-literal=key=<YOUR_CIVO_TOKEN>

Create Issuer

Create a ClusterIssuer or Issuer resource as following:

Cluster-wide Issuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    
    # Email address used for ACME registration
    email: [email protected] # REPLACE THIS WITH YOUR EMAIL
    
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging

    solvers:
    - dns01:
        webhook:
          solverName: "civo"
          groupName: civo.webhook.okteto.com
          config:
            secretName: civo-secret
            secretKey: key

By default, the CIVO API token used will be obtained from the secret in the same namespace as the webhook.

Per Namespace API Tokens

If you would prefer to use separate API tokens for each namespace (e.g. in a multi-tenant environment):

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: default
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    
    # Email address used for ACME registration
    email: [email protected] # REPLACE THIS WITH YOUR EMAIL
    
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging

    solvers:
    - dns01:
        webhook:
          solverName: "civo"
          groupName: civo.webhook.okteto.com
          config:
            secretName: civo-secret
            secretKey: key

By default, the webhook doesn't have permissions to read secrets on all namespaces. To enable this, you'll need to provide your own service account.

Create a certificate

Create your certificate resource as follows:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-cert
  namespace: cert-manager
spec:
  commonName: example.com
  dnsNames:
  - example.com # REPLACE THIS WITH YOUR DOMAIN
  issuerRef:
   name: letsencrypt-staging
   kind: ClusterIssuer
  secretName: example-cert

Development

Prerequisites

• Admin access to a cluster. We recommend you launch one on CIVO.
• okteto CLI
• kubectl installed and configured to talk to your cluster

Launch your Development Environment

1. Deploy the latest version of cert-manager and cert-manager-webhook-civo as per the instructions above.
2. Run okteto up from the root of this repo. This will deploy your pre-configured remote development environment, and keep your file system synchronized automatically.
3. Run make on the remote terminal to start the webhook. This will build the webhook, start it with the required configuration, and hot reload it whenever a file is changed.
4. Code away!

Contributing

If you want to get involved, we'd love to receive a pull request, issues, or an offer to help. Open an issue to get started!

Maintainers:

• Ramiro Berrelleza
• Pablo Chico de Guzman

Please see the contribution guidelines