Cert-Manager ACME DNS01 Webhook Solver for Linode DNS Manager

License: Apache License 2.0


cert-manager-webhook-linode's Introduction


A webhook to use Linode DNS Manager as a DNS01 ACME Issuer for cert-manager.

Installation

helm install cert-manager-webhook-linode \
  --namespace cert-manager \
  https://github.com/slicen/cert-manager-webhook-linode/releases/download/v0.2.0/cert-manager-webhook-linode-v0.2.0.tgz

Usage

Create Linode API Token Secret

kubectl create secret generic linode-credentials \
  --namespace=cert-manager \
  --from-literal=token=<LINODE TOKEN>

Create Issuer

Cluster-wide Linode API Token

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - dns01:
        webhook:
          solverName: linode
          groupName: acme.slicen.me

By default, the Linode API token used will be obtained from the linode-credentials Secret in the same namespace as the webhook.

Per Namespace Linode API Tokens

If you would prefer to use separate Linode API tokens for each namespace (e.g. in a multi-tenant environment):

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: default
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - dns01:
        webhook:
          solverName: linode
          groupName: acme.slicen.me
          config:
            apiKeySecretRef:
              name: linode-credentials
              key: token

Development

Running the test suite

Conformance testing is achieved through Kubernetes emulation via the kubebuilder-tools suite, in conjunction with real calls to the Linode API on a test domain, using a valid API token.

The test configures a cert-manager-dns01-tests TXT entry, attempts to verify its presence, and removes the entry, thereby verifying the Prepare and CleanUp functions.

Run the test suite with:

./scripts/fetch-test-binaries.sh
export LINODE_TOKEN=$(echo -n "<your API token>" | base64 -w 0)
envsubst < testdata/linode/secret.yaml.example > testdata/linode/secret.yaml
TEST_ZONE_NAME=yourdomain.com. make verify


cert-manager-webhook-linode's Issues

Error when deploying latest version.

After running helm upgrade --install cert-manager-webhook-linode --namespace cert-manager cert-manager-webhook-linode/ --create-namespace I got the error: cert-manager "msg"="error executing command" "error"="unknown flag: --v"
The chart deployed after removing these lines from the chart:

# {{- if .Values.deployment.logLevel }}
#             - --v={{ .Values.deployment.logLevel }}
# {{- end }}

add ClusterRoleBinding for cert-manager in RBAC-enabled clusters

Hello,

First of all, many thanks for putting this together. With the new proxy protocol feature in the NodeBalancer, a DNS01 resolver has become my only option for issuing certificates because the HTTP01 resolver requests seem to exceed their TTL.

However, please note that for RBAC-enabled clusters, the service account for cert-manager needs an additional ClusterRoleBinding to manipulate (e.g. "create") linode objects in the api group given by the webhook's groupName setting (e.g. "api.slicen.me" in your example).

Thought you might be interested in adding this feature in a future release. Should be straightforward enough.

Best regards,
Daniil

FAIL github.com/slicen/cert-manager-webhook-linode [build failed]

When I run bash ./scripts/fetch-test-binaries.sh
I get an error message like this:

TEST_ASSET_KUBE_APISERVER=_out/kubebuilder/bin/kube-apiserver \
go test -v
# github.com/slicen/cert-manager-webhook-linode [github.com/slicen/cert-manager-webhook-linode.test]
./main_test.go:20:7: undefined: dns.SetBinariesPath
./main_test.go:20:23: undefined: kubeBuilderBinPath
FAIL	github.com/slicen/cert-manager-webhook-linode [build failed]
make: *** [Makefile:15: verify] Error 2

Can anybody help me please?

Deprecation warnings on Kube 1.26+

There are a few deprecation warnings that will need to be addressed before kubernetes 1.29+ for this webhook to stay alive:

W1028 23:53:58.493424       1 warnings.go:70] flowcontrol.apiserver.k8s.io/v1beta2 FlowSchema is deprecated in v1.26+, unavailable in v1.29+; use flowcontrol.apiserver.k8s.io/v1beta3 FlowSchema
W1028 23:53:58.493424       1 warnings.go:70] flowcontrol.apiserver.k8s.io/v1beta2 PriorityLevelConfiguration is deprecated in v1.26+, unavailable in v1.29+; use flowcontrol.apiserver.k8s.io/v1beta3 PriorityLevelConfiguration
W1028 23:53:58.500536       1 warnings.go:70] flowcontrol.apiserver.k8s.io/v1beta2 FlowSchema is deprecated in v1.26+, unavailable in v1.29+; use flowcontrol.apiserver.k8s.io/v1beta3 FlowSchema
W1028 23:53:58.500639       1 warnings.go:70] flowcontrol.apiserver.k8s.io/v1beta2 PriorityLevelConfiguration is deprecated in v1.26+, unavailable in v1.29+; use flowcontrol.apiserver.k8s.io/v1beta3 PriorityLevelConfiguration

arm64 Support

Hi @slicen, the setup fails on arm64 because the public image does not include an arm64 build. So I spent a little time and rebuilt the image (it took 20 mins because of cross-platform buildx :) ) without any edits to v0.2.0. You can pull and push it as an official image.

If anyone needs arm64 image this can be used (it's tested):

helm install cert-manager-webhook-linode --namespace cert-manager --set image.repository=ilhanoguzhan/cert-manager-webhook-linode-arm64 https://github.com/slicen/cert-manager-webhook-linode/releases/download/v0.2.0/cert-manager-webhook-linode-v0.2.0.tgz

Wrong Indentation of Webhook in Example ClusterIssuer

Quick note:
Based on the docs from cert-manager: https://cert-manager.io/docs/configuration/acme/dns01/webhook/

the webhook dict key is incorrectly indented.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - dns01:
          webhook:
            solverName: linode
            groupName: acme.slicen.me
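A small linter for the nesting mistake this issue describes, added here as an example (it is not part of the project or of the issue). It computes where each YAML key starts (a "- " marker shifts the key two columns right) and reports a dns01 entry whose webhook sits at the same column as dns01, which YAML reads as a sibling key and an empty solver; the two sample blocks are constructed from the README and from cert-manager's docs.

```python
import re

# Constructed sample: the README's solver entry at the time of this issue; webhook is a sibling of dns01.
BROKEN_SOLVER = """\
    - dns01:
      webhook:
        solverName: linode
        groupName: acme.slicen.me
"""
# Constructed sample: the form from cert-manager's DNS01 webhook docs, nested under dns01.
FIXED_SOLVER = """\
    - dns01:
        webhook:
          solverName: linode
          groupName: acme.slicen.me
"""
# A YAML mapping key line, optionally prefixed by a "- " sequence marker.
KEY_RE = re.compile(r"^(?P<indent> *)(?P<dash>- )?(?P<key>[A-Za-z0-9_.-]+):(?:\s.*)?$")


def key_lines(text):
    """Return [(line_no, column, key)]; a "- " marker puts the key two columns right."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        m = KEY_RE.match(line)
        if m and not line.lstrip().startswith("#"):
            out.append((no, len(m["indent"]) + (2 if m["dash"] else 0), m["key"]))
    return out


def check_dns01_webhook_nesting(text):
    """Return findings for dns01 solvers whose webhook is missing, not nested, or incomplete."""
    keys, findings = key_lines(text), []
    for i, (no, col, key) in enumerate(keys):
        if key != "dns01":
            continue
        nxt = keys[i + 1] if i + 1 < len(keys) else (no, -1, "")
        if nxt[1] <= col:
            # Nothing is deeper than dns01, so YAML parses it as an empty (null) solver.
            findings.append(f"line {no}: dns01 solver is empty; nothing is nested under it")
        elif nxt[2] == "webhook":  # other DNS01 solver types are out of scope here
            children, ccol = set(), None
            for _, jcol, jkey in keys[i + 2:]:
                if jcol <= nxt[1]:
                    break
                ccol = ccol or jcol  # the first deeper line fixes the child column
                if jcol == ccol:
                    children.add(jkey)
            for req in ("solverName", "groupName"):
                if req not in children:
                    findings.append(f"line {nxt[0]}: webhook block lacks required key '{req}'")
    return findings
```

Run it over the solvers section of an Issuer manifest before applying it; a full YAML parser would accept both blocks, which is why the broken one fails only at runtime.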

Minimal Linode API Token Permissions?

What are the minimal permissions that are required for the token? There's:

Access level (None / Read Only / Read Write) for each scope: Account, Domains, Events, Images, IPs, Kubernetes, Linodes, Longview, NodeBalancers, Object Storage, StackScripts, Volumes

I'm guessing it will need read access to domains? Account too?

Pod unable to start, healthz endpoint failure

Pod never enters ready state. Log output:
E1108 11:03:58.888092 1 cmd.go:46] cert-manager "msg"="error executing command" "error"="unknown flag: --v"

Issue can be fixed by setting values to:

    values:
      - deployment:
          logLevel: null

Seems like --v is a no longer supported argument.

Note docker image slicen/cert-manager-webhook-linode:v0.1.0 does work.
