cert-manager-webhook-selectel
Cert-manager ACME DNS webhook provider for Selectel.
Issuing certificate in DNS Hosting (actual)
Installing
To install with helm from helm-repository, run:
$ helm repo add selectel https://selectel.github.io/cert-manager-webhook-selectel
$ helm repo update
$ helm install cert-manager-webhook-selectel selectel/cert-manager-webhook-selectel -n cert-manager
Or install with helm from git-repository, run:
$ git clone https://github.com/selectel/cert-manager-webhook-selectel.git
$ cd cert-manager-webhook-selectel/deploy/cert-manager-webhook-selectel
$ helm install cert-manager-webhook-selectel . -n cert-manager
Setup credentials
Create a secret and fill in the authentication data.
apiVersion: v1
kind: Secret
metadata:
  name: selectel-dns-credentials
  namespace: cert-manager
type: Opaque
stringData:
  username: KEYSTONE_USER
  password: KEYSTONE_PASSWORD
  account_id: ACCOUNT_ID
  project_id: SELECTEL_PROJECT_ID
KEYSTONE_USER - Name of the service user. To get the name, in the top right corner of the Control panel, go to the account menu ⟶ Profile and Settings ⟶ User management ⟶ the Service users tab ⟶ copy the name of the required user. Learn more about Service users.
KEYSTONE_PASSWORD - Password of the service user.
ACCOUNT_ID - Selectel account ID. The account ID is in the top right corner of the Control panel. Learn more about Registration.
SELECTEL_PROJECT_ID - Unique identifier of the associated Cloud Platform project. To get the project ID, in the Control panel, go to Cloud Platform ⟶ project name ⟶ copy the ID of the required project. Learn more about Cloud Platform projects.
Setup issuer
An example issuer:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: cert-manager
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: certmaster@selectel.ru
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
      - dns01:
          webhook:
            groupName: acme.selectel.ru
            solverName: selectel
            config:
              dnsSecretRef:
                name: selectel-dns-credentials
              # Optional config; defaults are noted in the trailing comments
              # all times in seconds
              ttl: 120 # Default: 60
              timeout: 60 # Default: 40
Issuing certificate
Issuing certificate:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: sel-letsencrypt-crt
  namespace: cert-manager
spec:
  # Setup secret name
  secretName: example-com-tls
  commonName: example.com
  issuerRef:
    name: letsencrypt-staging
    kind: Issuer
  # Setup names of zones
  dnsNames:
    - example.com
    - www.example.com
Issuing certificate in DNS Hosting (legacy)
Legacy version
The cert-manager webhook provider for Selectel supports two versions of the API.
They are not compatible: they use different APIs and work with zones that live on different authoritative servers.
A zone created in the v2 API is not available via the v1 API.
Installing (legacy)
To install with helm from helm-repository, run:
$ helm repo add selectel https://selectel.github.io/cert-manager-webhook-selectel
$ helm repo update
$ helm install cert-manager-webhook-selectel selectel/cert-manager-webhook-selectel -n cert-manager --version 1.2.5
Or install with helm from git-repository, run:
$ git clone https://github.com/selectel/cert-manager-webhook-selectel.git --branch cert-manager-webhook-selectel-1.2.5
$ cd cert-manager-webhook-selectel/deploy/cert-manager-webhook-selectel
$ helm install cert-manager-webhook-selectel . -n cert-manager
Setup credentials (legacy)
Create a secret and fill in APITOKEN_FROM_MY_SELECTEL_RU.
apiVersion: v1
kind: Secret
metadata:
  name: selectel-api-key
  namespace: cert-manager
type: Opaque
stringData:
  token: APITOKEN_FROM_MY_SELECTEL_RU
APITOKEN_FROM_MY_SELECTEL_RU - Selectel Token (API Key). To obtain a Selectel Token, read here.
Setup issuer (legacy)
An example issuer:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: cert-manager
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: certmaster@selectel.ru
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
      - dns01:
          webhook:
            groupName: acme.selectel.ru
            solverName: selectel
            config:
              apiKeySecretRef:
                name: selectel-api-key
                key: token
              # Optional config, shown with default values
              # all times in seconds
              ttl: 120
              timeout: 30
              propagationTimeout: 120
              pollingInterval: 2
Issuing certificate (legacy)
Issuing certificate:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: sel-letsencrypt-crt
  namespace: cert-manager
spec:
  # Setup secret name
  secretName: example-com-tls
  commonName: example.com
  issuerRef:
    name: letsencrypt-staging
    kind: Issuer
  # Setup names of zones
  dnsNames:
    - example.com
    - www.example.com
Development guide
Running the test suite
You can run the test suite with:
- Go to https://my.selectel.ru/profile/users_management/users, get one or create new user.
- Fill in the appropriate values in testdata/selectel/dns-credentials.yml and testdata/selectel/config.json.
- Insert values into testdata/selectel/dns-credentials.yml.
- Check that metadata.name in testdata/selectel/dns-credentials.yml equals value in testdata/selectel/config.json for key dnsSecretRef.name.
- Run tests
$ TEST_ZONE_NAME=example.com. make test
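The consistency check from the steps above can be scripted before running the tests. This is an added example, not part of the project: the function names are hypothetical, the shape of config.json (a top-level dnsSecretRef object with a name key) is an assumption, and the small reader handles only the simple Secret layout shown on this page, not general YAML.

```python
import json

# stringData keys of the credentials Secret, and the template placeholders to replace.
REQUIRED_KEYS = ("username", "password", "account_id", "project_id")
PLACEHOLDERS = {"KEYSTONE_USER", "KEYSTONE_PASSWORD", "ACCOUNT_ID", "SELECTEL_PROJECT_ID"}

# Constructed sample inputs (not real credentials); config.json shape is assumed.
SAMPLE_SECRET = """\
metadata:
  name: selectel-dns-credentials
stringData:
  username: svc-certbot
  password: KEYSTONE_PASSWORD
  account_id: "123456"
"""
SAMPLE_CONFIG = '{"dnsSecretRef": {"name": "selectel-dns-creds"}}'

def read_flat_manifest(text):
    """Assumption: only top-level scalars and one-level maps, as in the Secret above."""
    doc, section = {}, None
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()   # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if not raw.startswith(" "):              # top-level key
            section = None if value else doc.setdefault(key, {})
            if value:
                doc[key] = value
        elif section is not None:                # key nested under the open map
            section[key] = value
    return doc

def check_credentials(secret_yaml, config_json):
    """Return a list of problems; an empty list means the two files agree."""
    secret, config = read_flat_manifest(secret_yaml), json.loads(config_json)
    problems = []
    name = secret.get("metadata", {}).get("name")
    ref = config.get("dnsSecretRef", {}).get("name")
    if name != ref:
        problems.append(f"metadata.name {name!r} != dnsSecretRef.name {ref!r}")
    data = secret.get("stringData", {})
    for key in REQUIRED_KEYS:
        if not data.get(key):
            problems.append(f"stringData.{key} is missing or empty")
        elif data[key] in PLACEHOLDERS:
            problems.append(f"stringData.{key} still holds placeholder {data[key]}")
    return problems
```

Calling check_credentials(SAMPLE_SECRET, SAMPLE_CONFIG) reports the name mismatch, the unreplaced password placeholder and the missing project_id; pass the contents of the two testdata files to check a real setup.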