cert-manager automates the management and issuance of TLS certificates in Kubernetes clusters. It ensures that certificates are valid and updates them when necessary.
A certificate authority resource, such as ClusterIssuer, must be declared in the cluster to start the certificate issuance procedure. It is used to generate signed certificates by honoring certificate signing requests.
For some DNS providers, there are no predefined CusterIssuer resources. Fortunately, cert-manager allows you to write your own ClusterIssuer.
This solver allows you to use cert-manager with the Regru API. Documentation on the Regru API is available here.
You must check access to the Regru API from your IP(s). You should use this command:
curl "https://api.reg.ru/api/regru2/zone/get_resource_records?input_data=%7B%22username%22%3A%22USER_NAME%22%2C%22password%22%3A%22PASSWORD_STRING%22%2C%22domains%22%3A%5B%7B%22dname%22%3A%22ZONE_NAME%22%7D%5D%2C%22output_content_type%22%3A%22plain%22%7D&input_format=json"
where USER_NAME
and PASSWORD_STRING
are your credentials to access the Regru API, and ZONE_NAME
is your domain.
If you doesn't have access, you get an error:
{
"charset" : "utf-8",
"error_code" : "ACCESS_DENIED_FROM_IP",
"error_params" : {
"command_name" : "zone/get_resource_records"
},
"error_text" : "Access to API from this IP denied",
"messagestore" : null,
"result" : "error"
}
You need to add your IP(s) to the whitelist in your personal account.
ATTENTION! You should not delete the cert-manager if you are already using it.
Use the following command from the official documentation to install cert-manager in your Kubernetes cluster:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/VERSION/cert-manager.yaml
- where
VERSION
is necessary version (for example, v1.10.1 )
git clone https://github.com/flant/cert-manager-webhook-regru.git
Edit the values.yaml
file in the cloned repository and enter the appropriate values in the fields zone
, image
, user
, password
. Example:
issuer:
image: ghcr.io/flant/cluster-issuer-regru:1.0.1
user: [email protected]
password: my_password
You must also specify your namespace with the cert-manager
.
certManager:
namespace: my-namespace-cert-manager
serviceAccountName: cert-manager
Here, user
and password
are credentials you use to authenticate with REG.RU.
Next, run the following commands for the install webhook.
cd cert-manager-webhook-regru
helm install -n my-namespace-cert-manager regru-webhook ./helm
Create the ClusterIssuer.yaml
file with the following contents:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: regru-dns
spec:
acme:
# Email address used for ACME registration. REPLACE THIS WITH YOUR EMAIL!!!
email: [email protected]
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: cert-manager-letsencrypt-private-key
solvers:
- dns01:
webhook:
config:
regruPasswordSecretRef:
name: regru-password
key: REGRU_PASSWORD
# groupName should be the same as `groupName.name` in `values.yaml` file.
groupName: acme.regru.ru
solverName: regru-dns
and create the resource:
kubectl create -f ClusterIssuer.yaml
This secret resource is automatically installed by helm chart. So you do not need to create manually.
You have to provide a user
and password
for the webhook so that it can access the HTTP API.
Note that we use regru-password
as the secret reference name in the ClusterIssuer
example above. If you use a different name for the secret, make sure to edit the value of regruPasswordSecretRef.name
.
The secret for the above example would be as follows:
apiVersion: v1
kind: Secret
metadata:
name: regru-password
data:
REGRU_PASSWORD: {{ .Values.issuer.password | b64enc | quote }}
type: Opaque
Create the certificate.yaml
file with the following contents:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: changeme
namespace: changeme
spec:
secretName: changeme
issuerRef:
name: regru-dns
kind: ClusterIssuer
dnsNames:
- *.my-domain-test.ru
Please feel free to contact us if you have any questions.
You're also welcome to follow @flant_com to stay informed about all our Open Source initiatives.
Apache License 2.0, see LICENSE.