ACME webhook for Abion (cert-manager-webhook-abion)
cert-manager-webhook-abion is an ACME webhook for cert-manager. It allows cert-manager to solve the ACME DNS-01 challenge for zones hosted at Abion. Internally the webhook uses the Abion API to create and remove the challenge TXT records.
Release History
Refer to the CHANGELOG file.
Building
Build the docker image abiondevelopment/cert-manager-webhook-abion:latest:
make build
Docker images
Prebuilt docker images can be found on Docker Hub
Compatibility
This webhook has been tested with cert-manager v1.14.4 and minikube v1.32.0 on Darwin 13.3 (arm64). In theory, it
should work on other hardware platforms as well but no steps have been taken to verify this.
Test
Testing with Minikube
- Build this webhook in Minikube:
minikube start --memory=4G
eval $(minikube docker-env)
make build
- Install cert-manager with Helm:
helm repo add jetstack https://charts.jetstack.io
helm install cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--set installCRDs=true \
--version v1.14.4 \
--set 'extraArgs={--dns01-recursive-nameservers=8.8.8.8:53\,1.1.1.1:53}'
kubectl get pods --namespace cert-manager --watch
Note: refer to the Name servers section of the official cert-manager documentation regarding the extraArgs setting.
- Check the state and ensure that all pods are running fine (watch out for any issues regarding the cert-manager-webhook pod and its volume mounts):
kubectl describe pods -n cert-manager | less
- Create the Abion API key secret in the same namespace. Replace <ABION-API-KEY> with a valid API key; you need an Abion account to obtain one (contact Abion for help creating an account and API key). The key is passed on the command line here, so it will end up in your shell history; for anything beyond a throwaway test cluster, pass it with --from-file instead:
kubectl create secret generic abion-credentials \
--namespace cert-manager --from-literal=apiKey='<ABION-API-KEY>'
Note: the Secret must reside in the same namespace as cert-manager.
- Deploy the Abion cert-manager-webhook (set logLevel to 6 for verbose logs). The features.apiPriorityAndFairness value must be removed or set to false for Kubernetes older than 1.20:
helm install cert-manager-webhook-abion \
--namespace cert-manager \
--set features.apiPriorityAndFairness=true \
--set image.repository=abiondevelopment/cert-manager-webhook-abion \
--set image.tag=latest \
--set logLevel=2 \
./deploy/cert-manager-webhook-abion
To deploy using the image from Docker Hub (for example using the 1.2.0 tag):
helm install cert-manager-webhook-abion \
--namespace cert-manager \
--set features.apiPriorityAndFairness=true \
--set image.tag=1.2.0 \
--set logLevel=2 \
./deploy/cert-manager-webhook-abion
Check that the pod is running and inspect its logs (replace XYZ with the pod's generated suffix):
kubectl get pods --namespace cert-manager --watch
kubectl logs --namespace cert-manager cert-manager-webhook-abion-XYZ
- Create a staging ClusterIssuer. See letsencrypt-staging-clusterissuer.yaml; don't forget to replace the email invalid@example.com with your own address.
kubectl apply -f ./example/issuers/letsencrypt-staging-clusterissuer.yaml
Check status of the Issuer:
kubectl describe clusterissuer letsencrypt-staging
Note: The production Issuer is similar.
- Issue a Certificate for your domain. Replace the dnsNames entry example.com in certif-example-com-clusterissuer.yaml with your own domain, then create the Certificate:
kubectl apply -f ./example/certificates/certif-example-com-clusterissuer.yaml
Check the status of the Certificate:
kubectl describe certificate example-com
Display the issued certificate. The Secret stores it base64-encoded under data.tls.crt, so decode that field to read the common name and subject alternative names:
kubectl get secret example-com-tls -o yaml
- Uninstall this webhook and remove the credentials:
helm uninstall cert-manager-webhook-abion --namespace cert-manager
kubectl delete secret abion-credentials --namespace cert-manager
Conformance test
Please note that the test is not a typical unit or integration test. Instead, it invokes the webhook in a Kubernetes-like environment that asks the webhook to send requests to the DNS provider (i.e. Abion).
The test creates a TXT record cert-manager-dns01-tests.example.com in the zone with a specific challenge key and verifies the presence of that record via Google DNS. Finally, it removes the record by calling the cleanup method of the webhook.
As said above, the conformance test runs against the real Abion API. Therefore, you must have an Abion account, a domain (and zone) and an API key.
To run the conformance test, update abion-credentials.yaml and replace <ABION-API-KEY> with a valid API key, then replace the example.com. zone name with a zone you control (keep the trailing dot; it is a fully qualified name). Do not commit the file with the real key in it. Then run the test by executing:
TEST_ZONE_NAME=example.com. make test
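The propagation check the conformance test performs, querying the challenge TXT record through Google's public resolver rather than the authoritative servers you just wrote to, is worth having as a stand-alone tool when a DNS-01 order sits in the pending state. The program below is an added example written for this page, not the project's own test code, and assumes the webhook is written in Go, as cert-manager webhooks normally are. The record name and key on the command line are the ones the test description uses; the lookup is injected as a function so the matching logic runs without network access.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"os"
	"strings"
	"time"
)

// TXTLookup abstracts TXT resolution so the check can be exercised against a fake
// resolver; in production GoogleDNSLookup is passed in.
type TXTLookup func(ctx context.Context, fqdn string) ([]string, error)

// GoogleDNSLookup resolves TXT records by talking to 8.8.8.8 directly, bypassing
// the host's stub resolver and its cache. Checking through a public recursive
// resolver is what tells you the ACME server will see the record too.
func GoogleDNSLookup(ctx context.Context, fqdn string) ([]string, error) {
	r := &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
			d := net.Dialer{Timeout: 5 * time.Second}
			return d.DialContext(ctx, network, "8.8.8.8:53")
		},
	}
	return r.LookupTXT(ctx, fqdn)
}

// HasChallengeRecord reports whether fqdn publishes a TXT value equal to key.
// The name may carry several TXT values (stale challenges, verification tokens),
// so membership is tested rather than equality of the whole answer, and an
// NXDOMAIN or empty answer means "not propagated yet", not a failure.
func HasChallengeRecord(ctx context.Context, lookup TXTLookup, fqdn, key string) (bool, error) {
	values, err := lookup(ctx, strings.TrimSuffix(fqdn, "."))
	if err != nil {
		var dnsErr *net.DNSError
		if errors.As(err, &dnsErr) && dnsErr.IsNotFound {
			return false, nil
		}
		return false, err
	}
	for _, v := range values {
		if strings.Trim(v, `"`) == key {
			return true, nil
		}
	}
	return false, nil
}

// WaitForChallengeRecord polls until the record is visible or ctx expires.
func WaitForChallengeRecord(ctx context.Context, lookup TXTLookup, fqdn, key string, interval time.Duration) error {
	for {
		ok, err := HasChallengeRecord(ctx, lookup, fqdn, key)
		if err != nil {
			return err
		}
		if ok {
			return nil
		}
		select {
		case <-ctx.Done():
			return fmt.Errorf("TXT %s with value %q not visible via 8.8.8.8: %w", fqdn, key, ctx.Err())
		case <-time.After(interval):
		}
	}
}

// Usage: go run main.go cert-manager-dns01-tests.example.com. <challenge-key>
func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: main <fqdn> <expected-txt-value>")
		os.Exit(2)
	}
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
	defer cancel()
	if err := WaitForChallengeRecord(ctx, GoogleDNSLookup, os.Args[1], os.Args[2], 10*time.Second); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("challenge record visible")
}
```

If the record never becomes visible through 8.8.8.8 but is present when you query Abion's name servers directly, the problem is propagation or TTL, not the webhook; if it is absent at the authoritative servers too, check the webhook pod logs at logLevel 6 for the Abion API response.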