
IBM Cloud Internet Service Webhook for Cert Manager

This is a webhook solver for IBM Cloud Internet Service.

The old repo is no longer supported, which is why this new repo exists.

Docker Repository on Quay

Prerequisites

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.yaml
# kubectl get pods -n cert-manager

Installation

Notice: the pod will not start up until the configuration steps below (see Issuer) have been performed. It mounts a secret that is not created until those steps are taken, so do not expect it to start before that secret is in place.

Assuming your installation has (1) cert-manager running in the namespace cert-manager, (2) this webhook installed into the namespace cert-manager-webhook-ibmcis, and (3) the API group acme.borup.work in use, it is recommended to install via this pre-defined file.

git clone https://github.com/IBM/cert-manager-webhook-ibmcis.git
cd cert-manager-webhook-ibmcis
kubectl apply -f cert-manager-webhook-ibmcis.yaml

How cert-manager-webhook-ibmcis.yaml is created (information)

This is just to help me remember how I created the static version of the file, and to inspire you if you want to try to run it in a different configuration; however, I will warn that making it run in a different namespace is not the simplest thing.

helm template --name-template cert-manager-webhook-ibmcis ./deploy/cert-manager-webhook-ibmcis > cert-manager-webhook-ibmcis.yaml

Customized installation

Only do the steps in this section (customized installation) if you did not do the steps under Installation.

helm install --name-template cert-manager-webhook-ibmcis ./deploy/cert-manager-webhook-ibmcis

Issuer

  1. (Optional but recommended) Generate a service ID:

ibmcloud iam service-id-create cert-manager-webhook-ibmcis-sid -d "Service id that cert-manager-webhook-ibmcis uses"

     Grant it "service access" level permission (Reader, Writer, Manager) to the relevant IBM Cloud Internet Service instance(s) only. Example that grants access to one specific instance of IBM Cloud Internet Services:

ibmcloud iam service-policy-create cert-manager-webhook-ibmcis-sid --service-instance SERVICE_INSTANCE_GUID --roles Reader,Writer,Manager

  2. Generate an API key from IBM Cloud for that service ID. Example:

ibmcloud iam service-api-key-create cert-manager-webhook-ibmcis-sid-apikey cert-manager-webhook-ibmcis-sid -d "API key used for cert-manager-webhook-ibmcis to do the DNS01 ACME flow signed certificates"

  3. Create a namespace to run this webhook in; cert-manager-webhook-ibmcis is recommended:

kubectl create namespace cert-manager-webhook-ibmcis

  4. Create a secret to store the API key (under the key api-token):

kubectl --namespace cert-manager-webhook-ibmcis create secret generic \
    ibmcis-credentials --from-literal=api-token='<IC_API_KEY>'

  5. (Optional) Create a staging issuer. Use this step if you want to test without hitting the Let's Encrypt production rate limits; certificates issued by the staging environment are not valid for production use, though.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: cert-manager-webhook-ibmcis
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory

    # Email address used for ACME registration
    email: [email protected] # REPLACE THIS WITH YOUR EMAIL!!!

    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging

    solvers:
    - dns01:
        webhook:
          groupName: acme.borup.work
          solverName: ibmcis
          config:
            apiKeySecretRef:
              name: ibmcis-credentials
              key: api-token
            cisCRN:
              - "crn:v1:bluemix:public:internet-svcs:global:***::"
      selector:
        dnsZones:
        - 'example.com'
  6. Create a production issuer
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager-webhook-ibmcis
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory

    # Email address used for ACME registration
    email: [email protected] # REPLACE THIS WITH YOUR EMAIL!!!

    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod

    solvers:
    - dns01:
        webhook:
          groupName: acme.borup.work
          solverName: ibmcis
          config:
            apiKeySecretRef:
              name: ibmcis-credentials
              key: api-token
            cisCRN:
              - "crn:v1:bluemix:public:internet-svcs:global:***::"
      selector:
        dnsZones:
        - 'example.com'

Or you can create a ClusterIssuer as below:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory

    # Email address used for ACME registration
    email: [email protected] # REPLACE THIS WITH YOUR EMAIL!!!

    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod

    solvers:
    - dns01:
        webhook:
          groupName: acme.borup.work
          solverName: ibmcis
          config:
            apiKeySecretRef:
              name: ibmcis-credentials
              key: api-token
            cisCRN:
              - "crn:v1:bluemix:public:internet-svcs:global:***::"
      selector:
        dnsZones:
        - 'example.com'
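cert-manager hands the solver's `config` block above to the webhook as raw JSON. As an added example (not code from this project), the Go snippet below decodes that block into apiKeySecretRef and cisCRN and rejects configurations that would otherwise fail only at challenge time, such as a missing secret reference or a CRN that does not name a global internet-svcs instance. The struct field names and the CRN segment positions are assumptions made for this example; the sample config and its ACCOUNT/GUID values are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// WebhookConfig mirrors the solver `config` block in the Issuer examples above (field names assumed).
type WebhookConfig struct {
	APIKeySecretRef struct {
		Name string `json:"name"`
		Key  string `json:"key"`
	} `json:"apiKeySecretRef"`
	CISCRN []string `json:"cisCRN"`
}

// validateCRN accepts only CRNs naming a global IBM Cloud Internet Services instance (assumed layout).
func validateCRN(crn string) error {
	p := strings.Split(crn, ":")
	if len(p) < 7 || p[0] != "crn" || p[4] != "internet-svcs" || p[5] != "global" {
		return fmt.Errorf("%q is not a global internet-svcs CRN", crn)
	}
	return nil
}

// parseWebhookConfig decodes the raw solver config and rejects missing secret refs and empty or foreign CRNs.
func parseWebhookConfig(raw []byte) (*WebhookConfig, error) {
	var cfg WebhookConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("decode solver config: %w", err)
	}
	if cfg.APIKeySecretRef.Name == "" || cfg.APIKeySecretRef.Key == "" || len(cfg.CISCRN) == 0 {
		return nil, fmt.Errorf("apiKeySecretRef.name, apiKeySecretRef.key and at least one cisCRN are required")
	}
	for _, crn := range cfg.CISCRN {
		if err := validateCRN(crn); err != nil {
			return nil, err
		}
	}
	return &cfg, nil
}

func main() {
	// Constructed sample mirroring the README's Issuer config; ACCOUNT and GUID are placeholders.
	raw := `{"apiKeySecretRef":{"name":"ibmcis-credentials","key":"api-token"},"cisCRN":["crn:v1:bluemix:public:internet-svcs:global:a/ACCOUNT:GUID::"]}`
	cfg, err := parseWebhookConfig([]byte(raw))
	fmt.Println(cfg != nil, err)
}
```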

Certificate

Then create the certificate that will use this issuer: https://cert-manager.io/docs/usage/certificate/

Create a Certificate using an Issuer as below:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
  namespace: cert-manager-webhook-ibmcis
spec:
  commonName: example.com
  dnsNames:
  - example.com
  - "*.example.com"
  issuerRef:
    name: letsencrypt-staging
    kind: Issuer
  secretName: example-com-tls

Or create a Certificate using a ClusterIssuer as below:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
spec:
  commonName: example.com
  dnsNames:
  - example.com
  - "*.example.com"
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  secretName: example-com-tls
  7. Get the certificate

Namespace Issuer

kubectl get secret example-com-tls -n cert-manager-webhook-ibmcis

Cluster Issuer

kubectl get secret example-com-tls

Automatically creating Certificates for Ingress resources

See this.

Development

All DNS providers must run the DNS01 provider conformance testing suite, else they will have undetermined behaviour when used with cert-manager.

It is essential that you configure and run the test suite when creating a DNS01 webhook.

A Go test file for this provider is provided in main_test.go and has been used for the tests (via Docker; see the section below).

Before you can run the test suite, you need to download the test binaries:

mkdir -p __main__/hack
wget -O- https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-1.14.1-linux-amd64.tar.gz | tar xz --strip-components=1 -C __main__/hack

Then modify testdata/ibmcis/config.json to set up the configuration.

Now you can run the test suite with:

TEST_ZONE_NAME=example.com. go test .

Test via Docker (for Mac, where the test-binary setup in the section above does not apply)

# CRN to be used in config.json as cisCRN
# ic resource service-instance borup.work-is -g default --output json | jq .[0].crn
ibmcloud resource service-instance <CIS INSTANCE NAME> -g <RESOURCE GROUP> --output json | jq .[0].crn
docker run -it -v${PWD}:/workspace -w /workspace --env-file .env golang:1.17 /bin/bash
apt update
apt upgrade -y
apt-get install -y bzr
# TEST_ZONE_NAME=example.com. go test .
cat > testdata/ibmcis/config.json <<EOF
{
    "cisCRN": [ "crn:v1:bluemix:public:internet-svcs:global:xxxxxxxx::" ]
}
EOF

# export IC_API_KEY=xxxxx

TEST_ZONE_NAME=example.com. go test .


Issues

Support for certificate manager 1.8.0 and above

On certificate manager 1.11.0 we are getting the following error. The API key is working with certificate manager 1.7.1.
E0615 06:02:58.910840 1 sync.go:282] cert-manager/challenges/finalizer "msg"="error cleaning up challenge" "error"="Request failed with status code: 400, BXNIM0415E: Transaction-Id:[YnB3N2g-2f1f059a6f4742d8a06965a7dd88ecb4] Provided API key could not be found" "dnsName"="" "resource_kind"="Challenge" "resource_name"="r" "resource_namespace"="" "resource_version"="v1" "type"="DNS-01"
And it's getting into a loop, which will not delete the Challenge.

Modify default timeouts for livenessProbe and readinessProbe

Currently livenessProbe and readinessProbe have timeoutSeconds set to the default Kubernetes value: 1.
We got information from IBM support that they recommend setting this value to a higher number, because sometimes network packets are lost and are resent after 1 second. Because of that, pods can be restarted because the probes fail due to the timeout.
It would be good to set it to 3 or 5 seconds.

port binding error on OpenShift

deployment.yaml specifies port 443. This results in a binding error on OpenShift. It is better to use a port like 9443. The container already accepts the argument --secure-port.

Failed to list/watch v1beta2 resource

I have multiple clusters: in one of them I had cert-manager v1.1.0 and in another cert-manager v1.5.3. I also used an unofficial version of this plugin: https://github.com/jb-dk/cert-manager-webhook-ibmcis

I removed the old plugin, updated cert-manager to v1.7.3 and installed this plugin in all clusters. It looks like issuing new certificates works correctly, but in the cert-manager-webhook-ibmcis container such logs are printed regularly:

1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: the server could not find the requested resource
1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: the server could not find the requested resource
1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: the server could not find the requested resource
1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: the server could not find the requested resource

The same occurs on cert-manager v1.9.1. I do not know if this causes any issues in certificate generation, but I found this in the cert-manager docs for version v1.6:

Following their deprecation in version 1.4, the cert-manager API versions v1alpha2, v1alpha3, and v1beta1 are no longer served.

See: https://cert-manager.io/docs/installation/upgrading/upgrading-1.5-1.6
This does not mention v1beta2, but maybe this was removed too, or it was not present in cert-manager in the first place? I could not find any mention of v1beta2 in the official docs.

I think that this should be investigated and removed if it is not needed.

Version cert-manager-webhook-ibmcis

Recently a new version of cert-manager-webhook-ibmcis was prepared, but there is no versioning for this plugin. This makes it harder for developers to manage their environments, since I can either install the newest possible version of cert-manager-webhook-ibmcis or download this repo and revert some commits to apply an older version if I'm using an older cert-manager version.

Lack of versioning also makes it harder to check if a newer version is available. I propose tagging the git repository each time a new version is released and also preparing a release on GitHub. The version in Chart.yaml could also be updated after each release, and the artifacts could be published to public repositories too, like https://artifacthub.io/
