cert-manager ACME DNS01 webhook provider for joker.com.
The following components need to be installed on the Kubernetes cluster already:
At joker.com you need to enable Dynamic DNS to get credentials for API access. You can find the documentation here.
- Create a Kubernetes Secret that will hold your Joker DynDNS credentials (the values under `data:` must be base64-encoded):

  ```bash
  cat <<EOF | kubectl apply -f -
  apiVersion: v1
  kind: Secret
  metadata:
    name: joker-credentials
    namespace: kube-system
  data:
    username: <base64-encoded Joker username>
    password: <base64-encoded Joker password>
  EOF
  ```
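Hand-encoding the two values is where this step usually goes wrong (a stray newline from `echo`, or wrapped base64 output). The following helper, an added example that is not part of the cert-manager-webhook-joker project, renders the same Secret manifest from plaintext values and lets the shell do the encoding; the `JOKER_USER`/`JOKER_PASS` variable names and the optional namespace argument are assumptions of this example, not project conventions.

```shell
#!/bin/sh
# Added example (not from the cert-manager-webhook-joker project): render the
# joker-credentials Secret from plaintext values so the base64 encoding is done
# by the tool rather than by hand. Inputs: username, password, optional namespace.
set -eu

# Encode one value as single-line base64. printf '%s' avoids the trailing
# newline that echo would add, and tr removes the line wrapping some base64
# implementations insert after 76 characters.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Print a Secret manifest. The namespace defaults to kube-system, which is
# where the README's Role and RoleBinding expect the Secret to live.
render_joker_secret() {
  user="$1"
  pass="$2"
  ns="${3:-kube-system}"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: joker-credentials
  namespace: $ns
type: Opaque
data:
  username: $(b64 "$user")
  password: $(b64 "$pass")
EOF
}

# Usage: JOKER_USER and JOKER_PASS are assumed environment variable names
# (constructed for this example). Pipe the output into kubectl apply, e.g.
#   JOKER_USER=... JOKER_PASS=... sh render-secret.sh | kubectl apply -f -
if [ -n "${JOKER_USER:-}" ] && [ -n "${JOKER_PASS:-}" ]; then
  render_joker_secret "$JOKER_USER" "$JOKER_PASS"
fi
```

Passing the credentials through environment variables rather than command-line arguments keeps them out of `ps` output and shell history; `kubectl create secret generic joker-credentials --from-literal=username=... --from-literal=password=...` reaches the same result if you prefer not to manage a manifest.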
- Grant the `cert-manager-webhook-joker` service account permission to get that one Secret (the Role is scoped to `resourceNames`, so no other Secret in the namespace is readable):

  ```bash
  cat <<EOF | kubectl apply -f -
  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: cert-manager-webhook-joker:secret-reader
    namespace: kube-system
  rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["joker-credentials"]
    verbs: ["get", "watch"]
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: cert-manager-webhook-joker:secret-reader
    namespace: kube-system
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: cert-manager-webhook-joker:secret-reader
  subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-webhook-joker
    # the namespace the webhook chart is installed into; ServiceAccount
    # subjects must carry one or the RoleBinding is rejected
    namespace: cert-manager
  EOF
  ```
- Clone the GitHub repository:

  ```bash
  git clone https://github.com/4nx/cert-manager-webhook-joker.git
  # the chart path used below is relative to the repository root
  cd cert-manager-webhook-joker
  ```

- Install the Helm chart with:

  ```bash
  helm upgrade --install cert-manager-webhook-joker --namespace cert-manager deploy/cert-manager-webhook-joker
  ```
- Create a certificate issuer that uses the Let's Encrypt staging CA for testing (you must insert your e-mail address):

  ```bash
  cat <<EOF | kubectl apply -f -
  apiVersion: cert-manager.io/v1
  kind: ClusterIssuer
  metadata:
    name: letsencrypt-staging-dns01
  spec:
    acme:
      # Change to your letsencrypt email
      email: <your email>
      server: https://acme-staging-v02.api.letsencrypt.org/directory
      privateKeySecretRef:
        name: letsencrypt-staging-account-key
      solvers:
      - dns01:
          webhook:
            # must match the groupName the webhook was deployed with
            groupName: acme.yourcompany.com
            solverName: joker
            config:
              baseURL: https://svc.joker.com/nic/replace
              dnsType: TXT
              userNameSecretRef:
                name: joker-credentials
                key: username
              passwordSecretRef:
                name: joker-credentials
                key: password
  EOF
  ```
- Issue a test certificate (replace the example domain names with your own):

  ```bash
  cat <<EOF | kubectl apply -f -
  apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    name: example-tls
  spec:
    secretName: example-com-tls
    commonName: example.com
    dnsNames:
    - example.com
    - "*.example.com"
    issuerRef:
      name: letsencrypt-staging-dns01
      kind: ClusterIssuer
  EOF
  ```
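After the RBAC grant and the test certificate above, three checks tell you whether the setup actually works: that the webhook's service account can read exactly the one Secret and nothing else, that the ACME challenge TXT record is visible in DNS, and that the Certificate reaches `Ready`. The script below is an added example, not part of the cert-manager-webhook-joker project; it assumes the names and namespaces used in this README (Secret and Role in `kube-system`, the webhook service account in `cert-manager`, the Certificate `example-tls` in `default`), and the `RUN_CHECKS` variable is a convention of this example only.

```shell
#!/bin/sh
# Added example (not part of the cert-manager-webhook-joker project): checks a
# practitioner would run after the installation steps above. Assumed names:
# Secret and Role in kube-system, webhook ServiceAccount in cert-manager, and
# the Certificate example-tls in the default namespace, as in the README.
set -eu

SA="system:serviceaccount:cert-manager:cert-manager-webhook-joker"

# Least-privilege check on the RBAC grant: the webhook must be able to get the
# one named Secret and must NOT be able to get secrets in general. Returns 0
# only when both hold. kubectl auth can-i prints yes/no and exits 0/1.
verify_secret_rbac() {
  named=$(kubectl auth can-i get secret/joker-credentials -n kube-system --as="$SA" 2>/dev/null || true)
  any=$(kubectl auth can-i get secrets -n kube-system --as="$SA" 2>/dev/null || true)
  if [ "$named" = "yes" ] && [ "$any" = "no" ]; then
    return 0
  fi
  return 1
}

# ACME DNS01 publishes the challenge token in a TXT record at
# _acme-challenge.<name>. Prints the records visible from this host and
# returns 1 if there are none, which is the usual reason an Order stays pending.
acme_txt_records() {
  domain="${1%.}"   # accept a trailing dot, as in TEST_ZONE_NAME=example.com.
  records=$(dig +short TXT "_acme-challenge.$domain")
  [ -n "$records" ] || return 1
  printf '%s\n' "$records"
}

# Reads the Ready condition of a Certificate; prints True, False or Unknown.
certificate_ready() {
  name="$1"
  ns="${2:-default}"
  kubectl get certificate "$name" -n "$ns" \
    -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
}

# Usage: run with RUN_CHECKS=1 against a cluster where the steps above were applied.
if [ "${RUN_CHECKS:-0}" = "1" ]; then
  verify_secret_rbac && echo "RBAC: least privilege OK"
  acme_txt_records example.com || echo "no _acme-challenge TXT record published yet"
  echo "example-tls Ready: $(certificate_ready example-tls)"
fi
```

If `verify_secret_rbac` fails on the first half, the RoleBinding subject namespace does not match where the chart was installed; if it fails on the second half, a broader Role or ClusterRoleBinding is granting the service account more than it needs.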
All DNS providers must run the DNS01 provider conformance test suite; otherwise their behaviour when used with cert-manager is undefined.
It is essential that you configure and run the test suite when creating a DNS01 webhook.

Before you can run the test suite, download the test binaries:

```bash
./scripts/fetch-test-binaries.sh
```

Then duplicate the `.sample` files in `testdata/joker/` and fill in the copies with your Joker.com credentials.

Now you can run the test suite with:

```bash
TEST_ZONE_NAME=example.com. go test .
```