# ACME webhook for desec.io DNS API

This solver is a cert-manager DNS01 webhook for the desec.io DNS API. The documentation of the API can be found here.
## Requirements

## Installation
### Using helm from local checkout

```shell
helm install desec-webhook -n cert-manager deploy/desec-webhook
```
### Using public helm chart

## Uninstallation

## Creating an issuer
### Create a secret containing the credentials

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: desec-io-token
  namespace: cert-manager
type: Opaque
data:
  token: your-key-base64-encoded
```

or with kubectl:

```shell
kubectl create secret generic desec-io-token --from-literal "token=<your token>" --namespace cert-manager
```
We can also then provide a standardised 'testing framework', or set of
conformance tests, which allow us to validate that a DNS provider works as
expected.
Create a `ClusterIssuer` or `Issuer` resource like the following (`apiKeySecretRef` points at the secret created above, and `groupName`/`solverName` must match the values the webhook was deployed with):

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: mail@example.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - dns01:
          webhook:
            config:
              apiKeySecretRef:
                key: token
                name: desec-io-token
            groupName: de.su541.acme
            solverName: desec
```
### Create a manual certificate

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-cert
  namespace: cert-manager
spec:
  commonName: example.com
  dnsNames:
    - example.com
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  secretName: example-cert
```
### Using cert-manager with traefik ingress

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bitwarden
  namespace: utils
  labels:
    app: bitwarden
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-staging
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/rewrite-target: /$1
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: 'true'
spec:
  tls:
    - hosts:
        - bitwarden.acme.example.com
      secretName: bitwarden-crt
  rules:
    - host: bitwarden.acme.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: bitwarden
                port:
                  number: 80
```
## Creating your own repository

## Running the test suite

All DNS providers must run the DNS01 provider conformance testing suite,
otherwise they will have undetermined behaviour when used with cert-manager.

Provide a `secret.yaml` in `testdata/desec`:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: desec-token
data:
  token: your-key-base64-encoded
type: Opaque
```

Set `TEST_ZONE_NAME` to a zone (fully qualified, with a trailing dot) that your authentication credentials are authorised to manage, then run the suite:

```shell
$ TEST_ZONE_NAME=example.com. make test
```
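The two places above that need a token Secret (the `desec-io-token` Secret for the issuer and the `desec-token` Secret in `testdata/desec/secret.yaml`) share the same pitfalls: a token passed with `--from-literal` lands in shell history and process listings, `echo token | base64` encodes a trailing newline that the API will reject, and GNU `base64` wraps long values across lines. The following POSIX shell helpers are an added example, not part of the desec-webhook project: they read the token from a file that must not be readable by other users, render the manifests in the same shape as the ones above (the issuer Secret in the `cert-manager` namespace, which is where a `ClusterIssuer` looks up its referenced secrets by default), write the conformance-test secret and print the `make test` invocation with a normalised `TEST_ZONE_NAME`. The token file path and zone name are assumptions supplied by the caller; the sample token in the usage comment is constructed.

```shell
#!/bin/sh
# Added example (not project code): build the token Secrets used in this README
# from a token file, never from a command-line argument.

# Base64-encode the token stored in file $1 as a single line.  A trailing
# newline is stripped first ("echo token | base64" would embed "\n" in the
# credential), and wrapping is removed so the value is valid in a YAML mapping.
encode_token_file() {
  tr -d '\r\n' < "$1" | base64 | tr -d '\n'
}

# Succeeds only if the group/other permission bits of file $1 are all clear
# (mode 0600 or stricter).  Uses `ls -l` so it works on GNU and BSD systems.
token_file_is_private() {
  perms=$(ls -l "$1" | cut -c5-10)   # columns 5-10: group and other bits
  [ "$perms" = "------" ]
}

# render_token_secret NAME TOKEN_FILE [NAMESPACE]
# Prints a Secret manifest matching the ones above.  The namespace line is
# omitted when no namespace is given (the testdata/desec/secret.yaml form).
render_token_secret() {
  name=$1; token_file=$2; namespace=${3:-}
  [ -r "$token_file" ] || { echo "cannot read token file: $token_file" >&2; return 1; }
  encoded=$(encode_token_file "$token_file")
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n' "$name"
  [ -n "$namespace" ] && printf '  namespace: %s\n' "$namespace"
  printf 'type: Opaque\ndata:\n  token: %s\n' "$encoded"
}

# normalize_zone ZONE -> ZONE with exactly one trailing dot, the fully
# qualified form `make test` expects ("example.com." above).
normalize_zone() {
  printf '%s.\n' "${1%.}"
}

# prepare_conformance_test ZONE TOKEN_FILE [TESTDATA_DIR]
# Refuses a token file that other users can read, writes the `desec-token`
# Secret to TESTDATA_DIR/secret.yaml with mode 0600, and prints the command
# that runs the conformance suite for ZONE.
prepare_conformance_test() {
  zone=$(normalize_zone "$1"); tfile=$2; dir=${3:-testdata/desec}
  token_file_is_private "$tfile" || {
    echo "refusing: $tfile is readable by other users" >&2; return 1; }
  mkdir -p "$dir"
  render_token_secret desec-token "$tfile" > "$dir/secret.yaml" || return 1
  chmod 600 "$dir/secret.yaml"
  printf 'TEST_ZONE_NAME=%s make test\n' "$zone"
}

# Usage (assumed paths; the token file contains only the desec.io API token):
#   render_token_secret desec-io-token ~/.config/desec/token cert-manager | kubectl apply -f -
#   prepare_conformance_test example.com ~/.config/desec/token
```

Piping `render_token_secret` straight into `kubectl apply -f -` keeps the encoded token out of the shell history entirely; if you do write the manifest to disk, treat that file like the token itself.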