# Cert-Manager ClouDNS DNS01 Provider

A Cert-Manager DNS01 provider for ClouDNS.

Originally published by IXON at ixoncloud/cert-manager-webhook-cloudns.
Partially rewritten to allow for multiple credential sets, also including the sub-auth-id patch provided by Tristan971 in #8.
## Configuration

The rewrite makes the provider configurable directly in the `Issuer` or `ClusterIssuer` YAML. Parameters are provided in the `spec.acme.solvers[].dns01.webhook.config` section.
| Name | Required | Description |
|---|---|---|
| `authIdTokenSecretRef` | yes | The auth-id or sub-auth-id of the user to be used (`name` is the name of the Secret, `key` the name of the entry inside it) |
| `authPassKeySecretRef` | yes | The password of the user given above (`name` is the name of the Secret, `key` the name of the entry inside it) |
| `authIdType` | no, default: `auth-id` | Change to `sub-auth-id` to use a sub-user (created via Reseller) |
| `ttl` | no, default: 60 | ClouDNS TTL |
| `httpTimeout` | no, default: 30 seconds | ClouDNS API request timeout |
The `groupName` defaults to `acme.kle.li` but may be overridden by providing a `GROUP_NAME` env to the pod.
### Example config

Utilising two different auth methods (`sub-auth-id`, and defaulting to `auth-id`) and users, one solver leaving out and the other setting all optional parameters.
Both credential sets go in the same Secret (or access to further Secrets must be permitted separately; by default the webhook is only allowed to read `cert-manager-webhook-cloudns-v2-api-secret`).
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  namespace: cert-manager
spec:
  acme:
    email: contact@example.com
    privateKeySecretRef:
      name: letsencrypt-staging
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    solvers:
      - dns01:
          webhook:
            config:
              authIdTokenSecretRef:
                key: example-authId
                name: cert-manager-webhook-cloudns-v2-api-secret
              authPassKeySecretRef:
                key: example-authPass
                name: cert-manager-webhook-cloudns-v2-api-secret
              authIdType: "sub-auth-id"
              ttl: 60
              httpTimeout: 15
            groupName: acme.kle.li
            solverName: cloudns-v2
        selector:
          dnsNames:
            - example.com
            - "*.example.com"
      - dns01:
          webhook:
            config:
              authIdTokenSecretRef:
                key: test-authId
                name: cert-manager-webhook-cloudns-v2-api-secret
              authPassKeySecretRef:
                key: test-authPass
                name: cert-manager-webhook-cloudns-v2-api-secret
            groupName: acme.kle.li
            solverName: cloudns-v2
        selector:
          dnsNames:
            - test.net
            - "*.test.net"
```
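As an added illustration (not code from this repository), the Go sketch below shows how a solver could decode the `spec.acme.solvers[].dns01.webhook.config` JSON that cert-manager passes in, apply the defaults from the parameter table, reject an unknown `authIdType`, and flag Secret references outside the default `cert-manager-webhook-cloudns-v2-api-secret` that would need their own read permission. The type and function names are assumptions, not the project's API.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// DefaultSecret is the only Secret the shipped RBAC lets the webhook read.
const DefaultSecret = "cert-manager-webhook-cloudns-v2-api-secret"
// SecretKeyRef is the {name, key} pair used by both *SecretRef parameters.
type SecretKeyRef struct {
	Name string `json:"name"`
	Key  string `json:"key"`
}
// Config mirrors spec.acme.solvers[].dns01.webhook.config (assumed field names).
type Config struct {
	AuthIDTokenSecretRef SecretKeyRef `json:"authIdTokenSecretRef"`
	AuthPassKeySecretRef SecretKeyRef `json:"authPassKeySecretRef"`
	AuthIDType           string       `json:"authIdType"`
	TTL                  int          `json:"ttl"`
	HTTPTimeout          int          `json:"httpTimeout"`
}

// LoadConfig decodes the webhook config JSON, applies the README defaults
// (auth-id, ttl 60, httpTimeout 30) and rejects incomplete or unknown values.
func LoadConfig(raw []byte) (Config, error) {
	cfg := Config{AuthIDType: "auth-id", TTL: 60, HTTPTimeout: 30}
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return Config{}, fmt.Errorf("decode webhook config: %w", err)
	}
	for _, r := range []SecretKeyRef{cfg.AuthIDTokenSecretRef, cfg.AuthPassKeySecretRef} {
		if r.Name == "" || r.Key == "" {
			return Config{}, fmt.Errorf("both secret refs need name and key")
		}
	}
	if cfg.AuthIDType != "auth-id" && cfg.AuthIDType != "sub-auth-id" {
		return Config{}, fmt.Errorf("authIdType %q: want auth-id or sub-auth-id", cfg.AuthIDType)
	}
	return cfg, nil
}

// NeedsExtraRBAC reports whether a referenced Secret is not DefaultSecret and
// therefore needs its own read grant before the webhook can use it.
func NeedsExtraRBAC(cfg Config) bool {
	return cfg.AuthIDTokenSecretRef.Name != DefaultSecret || cfg.AuthPassKeySecretRef.Name != DefaultSecret
}

func main() {
	// Constructed input mirroring the README's second solver (no optional keys set).
	raw := []byte(`{"authIdTokenSecretRef":{"key":"test-authId","name":"` + DefaultSecret + `"},"authPassKeySecretRef":{"key":"test-authPass","name":"` + DefaultSecret + `"}}`)
	cfg, err := LoadConfig(raw)
	fmt.Println(cfg, err, NeedsExtraRBAC(cfg))
}
```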
## Development

The testing part still needs reimplementing (the old one relies on ENV).

The `testdata/config.json` file is there because the DNS01 provider conformance testing suite wants to mock the requests away and needs a folder to load the data from.
### Environment Options

| Name | Required | Description |
|---|---|---|
| `GROUP_NAME` | yes | Used to organise cert-manager providers, this is usually a domain |
| `CLOUDNS_AUTH_ID_FILE` | yes | Path to file which contains the ClouDNS Auth ID |
| `CLOUDNS_AUTH_ID_TYPE` | no, default: `auth-id` | Change to `sub-auth-id` to use a sub-user (created via Reseller) |
| `CLOUDNS_AUTH_PASSWORD_FILE` | yes | Path to file which contains the ClouDNS Auth password |
| `CLOUDNS_TTL` | no, default: 60 | ClouDNS TTL |
| `CLOUDNS_HTTP_TIMEOUT` | no, default: 30 seconds | ClouDNS API request timeout |
```sh
# Get kubebuilder
./scripts/fetch-test-binaries.sh

# Run testing suite
TEST_ZONE_NAME=<domain> CLOUDNS_AUTH_ID_FILE=.creds/auth_id CLOUDNS_AUTH_PASSWORD_FILE=.creds/auth_password CLOUDNS_AUTH_ID_TYPE=sub-auth-id make verify

# Cleanup after testing (esp. needed when tests have failed)
rm -rf ~/.cache/kubebuilder-envtest/*
```