Cert-Manager dns01
webhook for CoreDNS using ETCD plugin.
See https://cert-manager.io/docs/configuration/acme/dns01/webhook/ for more information.
- Create a secret containing your etcd credentials in the same namespace than the webhook
kubectl create secret generic etcd-credentials \
--from-literal=etcd-username='ETCD-USERNAME' \
--from-literal=etcd-password='ETCD-PASSWORD' \
-n cert-manager
- Create RBAC configuration to access secret
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-manager-webhook-coredns:secret-reader
namespace: cert-manager
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["etcd-credentials"]
verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cert-manager-webhook-coredns:secret-reader
namespace: cert-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager-webhook-coredns:secret-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager-webhook-coredns
- Create a
ClusterIssuer
orIssuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: nxthdr-acme
spec:
acme:
email: admin@nxthdr.dev
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: nxthdr-acme
solvers:
- dns01:
webhook:
groupName: acme.nxthdr.dev
solverName: coredns-solver
config:
coreDNSPrefix: /skydns
etcdEndpoints: "http://[2a06:de00:50:1:ff00::11]:2379"
etcdUsernameRef:
name: etcd-credentials
key: etcd-username
etcdPasswordRef:
name: etcd-credentials
key: etcd-password
- Finally, install the Cert-Manager webhook for CoreDNS. Choose a unique group name to identify your company or organization (for example
acme.mycompany.example
). In this example it is installed in thecert-manager
namespace.
helm upgrade --install \
cert-manager-webhook-coredns \
-n cert-manager \
--set groupName='<YOUR_UNIQUE_GROUP_NAME>' \
deploy/cert-manager-webhook-coredns/
All DNS providers must run the DNS01 provider conformance testing suite, else they will have undetermined behaviour when used with cert-manager.
It is essential that you configure and run the test suite when creating a DNS01 webhook.
An example Go test file has been provided in main_test.go.
Before you can run the test suite, you need to duplicate the .sample
files in testdata/coredns-solver/
and update the configuration with the appropriate ETCD credentials.
You can run the test suite with:
$ TEST_ZONE_NAME=example.com. make test
The example file has a number of areas you must fill in and replace with your own options in order for tests to pass.