cgroschupp/cert-manager-webhook-softlayer

Softlayer Webhook for Cert Manager

This is a webhook solver for Softlayer.

Docker Repository on Quay

Prerequisites

Installation

helm install --name cert-manager-webhook-softlayer ./deploy/cert-manager-webhook-softlayer

This is Helm 2 syntax; with Helm 3, drop --name and pass the release name as the first positional argument.

Issuer

  1. Generate a username and API key for your Softlayer account. The API key is what the webhook authenticates with, so treat it like a password: ideally use a dedicated user with only DNS management permissions.
  2. Create a secret holding the API key (stored under the key api-token) in the namespace the webhook runs in, cert-manager below. The webhook reads the secret from its own namespace, not from the Issuer's namespace.
kubectl --namespace cert-manager create secret generic \
    softlayer-credentials --from-literal=api-token='<SOFTLAYER_API_TOKEN>'
  3. Grant the webhook's service account permission to read that one secret. The Role is namespaced and restricted with resourceNames, so the webhook can read nothing else in the namespace. The namespace fields below assume the webhook is deployed to cert-manager, as the kubectl command above does; rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22, so both objects use v1.
  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: cert-manager-webhook-softlayer:secret-reader
    namespace: cert-manager
  rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["softlayer-credentials"]
    verbs: ["get", "watch"]
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: cert-manager-webhook-softlayer:secret-reader
    namespace: cert-manager
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: cert-manager-webhook-softlayer:secret-reader
  subjects:
    - apiGroup: ""
      kind: ServiceAccount
      name: cert-manager-webhook-softlayer
      namespace: cert-manager
  4. Create a staging issuer (optional, but recommended: validate the webhook against the Let's Encrypt staging environment, which has generous rate limits, before using production). The manifests below use the cert-manager.io/v1alpha2 API this README was written against; cert-manager 1.6 and later serve only cert-manager.io/v1, so adjust apiVersion to match your installation.
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory

    # Email address used for ACME registration
    email: user@example.com # REPLACE THIS WITH YOUR EMAIL!!!

    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging

    solvers:
    - dns01:
        webhook:
          groupName: acme.groschupp.org
          solverName: softlayer
          config:
            username: 12345 # REPLACE WITH USERNAME FROM SOFTLAYER!!!
            apiKeySecretRef:
              key: api-token
              name: softlayer-credentials
  5. Create a production issuer
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory

    # Email address used for ACME registration
    email: user@example.com # REPLACE THIS WITH YOUR EMAIL!!!

    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod

    solvers:
    - dns01:
        webhook:
          groupName: acme.groschupp.org
          solverName: softlayer
          config:
            username: 12345 # REPLACE WITH USERNAME FROM SOFTLAYER!!!
            apiKeySecretRef:
              key: api-token
              name: softlayer-credentials
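Both Issuers above hand the webhook a config object and a reference to the secret rather than the API key itself. The Go program below, added here as an illustration and not part of this webhook's code, shows how a solver would decode that object and resolve the key from the Secret's data, with the checks worth doing on the way: unknown fields are rejected, both parts of apiKeySecretRef are required, and a numeric username such as the 12345 in the example is accepted whether YAML delivered it as a JSON number or a string. The type and function names (Username, SecretKeySelector, SolverConfig, LoadConfig, ResolveAPIKey) are assumptions, and the Secret is a constructed in-memory map standing in for the client-go lookup the real webhook performs.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Username accepts a JSON string or number: a YAML value such as
// `username: 12345` reaches the webhook as a JSON number, while "SL12345"
// arrives as a string. Both are normalised to a string.
type Username string

func (u *Username) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err == nil {
		*u = Username(s)
		return nil
	}
	var n json.Number
	if err := json.Unmarshal(b, &n); err != nil {
		return fmt.Errorf("username must be a string or a number: %w", err)
	}
	*u = Username(n.String())
	return nil
}

// SecretKeySelector mirrors apiKeySecretRef: the name of a Secret in the
// webhook's own namespace and the key inside its data map.
type SecretKeySelector struct {
	Name string `json:"name"`
	Key  string `json:"key"`
}

// SolverConfig mirrors the `config:` block of the Issuer (assumed field names).
type SolverConfig struct {
	Username        Username          `json:"username"`
	APIKeySecretRef SecretKeySelector `json:"apiKeySecretRef"`
}

// LoadConfig decodes the raw JSON cert-manager hands to the webhook and
// rejects unknown or missing fields, so a typo such as `secretRef` instead of
// `apiKeySecretRef` fails loudly rather than leaving the API key empty.
func LoadConfig(raw []byte) (SolverConfig, error) {
	var cfg SolverConfig
	if len(bytes.TrimSpace(raw)) == 0 {
		return cfg, errors.New("solver config is empty")
	}
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&cfg); err != nil {
		return cfg, fmt.Errorf("decoding solver config: %w", err)
	}
	if cfg.Username == "" {
		return cfg, errors.New("username is required")
	}
	if cfg.APIKeySecretRef.Name == "" || cfg.APIKeySecretRef.Key == "" {
		return cfg, errors.New("apiKeySecretRef.name and apiKeySecretRef.key are required")
	}
	return cfg, nil
}

// ResolveAPIKey looks the referenced key up in the Secret's data map. In the
// real webhook that map comes from a client-go Get on the Secret, which is
// exactly what the Role above (get/watch on a single resourceName) permits.
func ResolveAPIKey(cfg SolverConfig, secretData map[string][]byte) (string, error) {
	v, ok := secretData[cfg.APIKeySecretRef.Key]
	if !ok {
		return "", fmt.Errorf("secret %q has no key %q", cfg.APIKeySecretRef.Name, cfg.APIKeySecretRef.Key)
	}
	key := strings.TrimSpace(string(v)) // kubectl --from-literal keeps no newline, but files often do
	if key == "" {
		return "", fmt.Errorf("secret %q key %q is empty", cfg.APIKeySecretRef.Name, cfg.APIKeySecretRef.Key)
	}
	return key, nil
}

func main() {
	// Constructed sample: the Issuer's `config:` block as cert-manager
	// serialises it into the ChallengeRequest (username arrives as a number).
	raw := []byte(`{"username":12345,"apiKeySecretRef":{"name":"softlayer-credentials","key":"api-token"}}`)
	cfg, err := LoadConfig(raw)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the Secret created with kubectl above.
	secret := map[string][]byte{"api-token": []byte("not-a-real-token\n")}
	key, err := ResolveAPIKey(cfg, secret)
	if err != nil {
		panic(err)
	}
	fmt.Printf("user=%s key-length=%d\n", cfg.Username, len(key))
}
```

The API key itself never appears in the Issuer or in logs; only its length is printed here, which is the habit to keep in the real solver's error paths as well.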

Certificate

  1. Issue a certificate (point issuerRef at letsencrypt-prod once issuance through the staging issuer succeeds)
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: example-com
spec:
  commonName: example.com
  dnsNames:
  - example.com
  issuerRef:
    name: letsencrypt-staging
  secretName: example-com-tls

Automatically creating Certificates for Ingress resources

See the cert-manager documentation on automatically creating Certificates for Ingress resources (ingress-shim).

Development

All DNS01 webhook solvers must pass the cert-manager DNS01 provider conformance test suite; a solver that has not been run against it has undefined behaviour when used with cert-manager.

It is essential that you configure and run the test suite when creating a DNS01 webhook.

An example Go test file has been provided in main_test.go.

Before you can run the test suite, you need to download the test binaries (the kubebuilder-tools tarball provides the etcd and kube-apiserver binaries the suite uses to start a local API server):

mkdir -p __main__/hack
wget -O- https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-1.14.1-linux-amd64.tar.gz | tar xz --strip-components=1 -C __main__/hack

Then edit testdata/softlayer/config.json so it carries the same username and apiKeySecretRef fields as the Issuer's config block.

Now you can run the test suite with:

TEST_ZONE_NAME=example.com. go test .

TEST_ZONE_NAME must be a zone, with trailing dot, that the configured Softlayer account manages: the suite creates and removes real TXT records in it and waits for them to become visible in DNS.
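What the conformance suite exercises is the solver's Present and CleanUp contract against the provider's zone: record names are relative to the zone, Present must be idempotent and must let two challenges for the same name coexist, and CleanUp must remove only its own record and tolerate a record that is already gone. The Go program below, an added example rather than this project's solver, models that contract against an in-memory stand-in for the Softlayer DNS API. FakeZoneAPI, relativeHost, lookup and TXTValues are assumed names; ChallengeRequest copies only three field names from cert-manager's real type, and the zone contents are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// ChallengeRequest holds the ChallengeRequest fields a DNS01 solver needs;
// cert-manager passes fully qualified names with a trailing dot.
type ChallengeRequest struct {
	ResolvedFQDN string // e.g. "_acme-challenge.example.com."
	ResolvedZone string // e.g. "example.com."
	Key          string // TXT value the ACME server expects to find
}

type txtRecord struct {
	Host string // relative to the zone, e.g. "_acme-challenge"
	Data string
}

// FakeZoneAPI is an assumed in-memory stand-in for the Softlayer DNS API
// (not the provider's real client), keyed by zone name without trailing dot.
type FakeZoneAPI struct {
	zones map[string][]txtRecord
}

// relativeHost converts the FQDN into the host part a provider stores
// ("_acme-challenge", not the FQDN) and rejects names outside the zone.
func relativeHost(fqdn, zone string) (string, error) {
	f, z := strings.TrimSuffix(fqdn, "."), strings.TrimSuffix(zone, ".")
	if !strings.HasSuffix(f, "."+z) {
		return "", fmt.Errorf("fqdn %q is not inside zone %q", fqdn, zone)
	}
	return strings.TrimSuffix(f, "."+z), nil
}

// lookup resolves the host and the zone's record list, failing for zones
// this account does not manage (the error a real API would return).
func (f *FakeZoneAPI) lookup(ch ChallengeRequest) (host, zone string, recs []txtRecord, err error) {
	if host, err = relativeHost(ch.ResolvedFQDN, ch.ResolvedZone); err != nil {
		return "", "", nil, err
	}
	zone = strings.TrimSuffix(ch.ResolvedZone, ".")
	recs, ok := f.zones[zone]
	if !ok {
		return "", "", nil, fmt.Errorf("zone %q is not managed by this account", zone)
	}
	return host, zone, recs, nil
}

// Present creates the TXT record. A repeat call with the same key must not
// duplicate it, and a second challenge with another key must coexist.
func (f *FakeZoneAPI) Present(ch ChallengeRequest) error {
	host, zone, recs, err := f.lookup(ch)
	if err != nil {
		return err
	}
	for _, r := range recs {
		if r.Host == host && r.Data == ch.Key {
			return nil // already present: Present is idempotent
		}
	}
	f.zones[zone] = append(recs, txtRecord{Host: host, Data: ch.Key})
	return nil
}

// CleanUp removes only the record matching both host and key, so other
// in-flight challenges for the same name survive; a missing record is no error.
func (f *FakeZoneAPI) CleanUp(ch ChallengeRequest) error {
	host, zone, recs, err := f.lookup(ch)
	if err != nil {
		return err
	}
	kept := recs[:0]
	for _, r := range recs {
		if r.Host != host || r.Data != ch.Key {
			kept = append(kept, r)
		}
	}
	f.zones[zone] = kept
	return nil
}

// TXTValues is what a resolver would see for the name; the conformance suite
// checks this after Present and again after CleanUp.
func (f *FakeZoneAPI) TXTValues(fqdn, zone string) (out []string) {
	host, _ := relativeHost(fqdn, zone)
	for _, r := range f.zones[strings.TrimSuffix(zone, ".")] {
		if r.Host == host {
			out = append(out, r.Data)
		}
	}
	return out
}

func main() {
	api := &FakeZoneAPI{zones: map[string][]txtRecord{"example.com": {}}} // constructed zone
	ch := ChallengeRequest{ResolvedFQDN: "_acme-challenge.example.com.", ResolvedZone: "example.com.", Key: "tokenA"}
	fmt.Println(api.Present(ch), api.TXTValues(ch.ResolvedFQDN, ch.ResolvedZone))
	fmt.Println(api.CleanUp(ch), api.TXTValues(ch.ResolvedFQDN, ch.ResolvedZone))
}
```

The conformance suite applies the same sequence of calls to the real solver: Present, verify the TXT record over DNS, CleanUp, verify it is gone. Matching on both host and key in CleanUp is what keeps two Certificates that share a name (for example a wildcard and its apex) from deleting each other's challenge records.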