telyn / cert-manager-webhook-ovh

OVH Webhook for Cert Manager

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

OVH Webhook for Cert Manager

This is a webhook solver for OVH.

Prerequisites

Installation

Choose a unique group name to identify your company or organization (for example acme.mycompany.example).

helm install <HELMNAME> ./deploy/cert-manager-webhook-ovh \
 --set groupName='<YOUR_UNIQUE_GROUP_NAME>' -n <NAMESPACE>

If you customized the installation of cert-manager, you may need to also set the certManager.namespace and certManager.serviceAccountName values.

Issuer

  1. Create a new OVH API key with the following rights:

    • GET /domain/zone/*
    • PUT /domain/zone/*
    • POST /domain/zone/*
    • DELETE /domain/zone/*
  2. Create a secret to store your application secret:

Creating single secret in your NAMESPACE causes issues (cert-manager/cert-manager#650) that's why add it twice (possibly I could resolve it better)

```bash
kubectl create secret generic ovh-credentials --from-literal=applicationSecret='<OVH_APPLICATION_SECRET>'
```

```bash
kubectl create secret generic ovh-credentials -n <NAMESPACE> --from-literal=applicationSecret='<OVH_APPLICATION_SECRET>'
```
  1. Grant permission to get the secret to the cert-manager-webhook-ovh service account:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: cert-manager-webhook-ovh:secret-reader
      namespace: <NAMESPACE>
    rules:
    - apiGroups: [""]
      resources: ["secrets"]
      resourceNames: ["ovh-credentials"]
      verbs: ["get", "watch"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: RoleBinding
    metadata:
      name: cert-manager-webhook-ovh:secret-reader
      namespace: <NAMESPACE>
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: cert-manager-webhook-ovh:secret-reader
    subjects:
    - apiGroup: ""
      kind: ServiceAccount
      namespace: <NAMESPACE>
      name: <HELMNAME>-cert-manager-webhook-ovh
  2. Create a certificate issuer:

    apiVersion: cert-manager.io/v1alpha2
    kind: Issuer
    metadata:
      name: letsencrypt
      namespace: <NAMESPACE>
    spec:
      acme:
        server: https://acme-v02.api.letsencrypt.org/directory
        email: '<YOUR_EMAIL_ADDRESS>'
        privateKeySecretRef:
          name: letsencrypt-account-key
        solvers:
        - dns01:
            webhook:
              groupName: '<YOUR_UNIQUE_GROUP_NAME>'
              solverName: ovh
              config:
                endpoint: ovh-eu
                applicationKey: '<OVH_APPLICATION_KEY>'
                applicationSecretRef:
                  key: applicationSecret
                  name: ovh-credentials
                consumerKey: '<OVH_CONSUMER_KEY>'

Certificate

NOT NEEDED SINCE CERT-MANAGER WILL GENERATE ITSELF

Issue a certificate:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: example-com
spec:
  dnsNames:
  - example.com
  - '*.example.com'
  issuerRef:
    name: letsencrypt
  secretName: example-com-tls

Development

All DNS providers must run the DNS01 provider conformance testing suite, else they will have undetermined behaviour when used with cert-manager.

It is essential that you configure and run the test suite when creating a DNS01 webhook.

An example Go test file has been provided in main_test.go.

Before you can run the test suite, you need to download the test binaries:

./scripts/fetch-test-binaries.sh

Then duplicate the .sample files in testdata/ovh/ and update the configuration with the appropriate OVH credentials.

Now you can run the test suite with:

TEST_ZONE_NAME=example.com. go test .

About

OVH Webhook for Cert Manager

License:Apache License 2.0


Languages

Language:Go 77.5%Language:Mustache 11.6%Language:Shell 4.0%Language:Makefile 3.5%Language:Dockerfile 3.4%