This is a webhook solver for IBM Cloud Internet Service.
The old repo is out of support. that's why we have the new repo.
- cert-manager: tested with 1.13.3 Kubernetes api 1.28.4
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.yaml
# kubectl get pods -n cert-manager
_Notice: The pod will not startup until the steps under configuration is performed (there will be a secret there is not created until the steps are taken, so do not expect it just starts until that is in place )
Assuming your installation has 1. cert-manager running in name-space cert-manager
and 2. accept this webhook will be installed into namespace cert-manager-webhook-ibmcis
, 3. the API groups acme.borup.work
will be used, then it is recommended to install via this pre-defined file .
git clone https://github.com/IBM/cert-manager-webhook-ibmcis.git
cd cert-manager-webhook-ibmcis
kubectl apply -f cert-manager-webhook-ibmcis.yaml
This is just to help me remember how I created the static version of the file and for you to be inspired if you want to try to run it in a different configuration, however I will warn this is not the simplest thing to make it run in a different namespace.
helm template --name-template cert-manager-webhook-ibmcis ./deploy/cert-manager-webhook-ibmcis > cert-manager-webhook-ibmcis.yaml
Only do the steps in this section - customized installation - if you did not do the step in installation.
helm install --name-template cert-manager-webhook-ibmcis ./deploy/cert-manager-webhook-ibmcis
-
(Optional but recommended) Generate a service id (
ibmcloud iam service-id-create cert-manager-webhook-ibmcis-sid -d "Service id that cert-manager-webhook-ibmcis uses"
), grant it "service access" level permission asreader,writer,manager
to the relevant IBM Cloud Internet Service(s) only (example that grants access to specific instance of IBM Cloud Internet Services:ibmcloud iam service-policy-create cert-manager-webhook-ibmcis-sid --service-instance SERVICE_INSTANCE_GUID --roles Reader,Writer,Manager
) -
Generate API-KEY from IBM Cloud (example:
ibmcloud iam service-api-key-create cert-manager-webhook-ibmcis-sid-apikey cert-manager-webhook-ibmcis-sid -d "API key used for cert-manager-webhook-ibmcis to do the DNS01 ACME flow signed certificates"
) -
Create a namespace to run this webhook in, recommend
cert-manager-webhook-ibmcis
. (likekubectl create namespace cert-manager-webhook-ibmcis
) -
Create secret to store the API Token
kubectl --namespace cert-manager-webhook-ibmcis create secret generic \
ibmcis-credentials --from-literal=api-token='<IC_API_KEY>'
- Create a staging issuer Optional If you want to test and avoid rate-limit levels for production lets encryp ise this step (certificate validity is not for production though)
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-staging
namespace: cert-manager-webhook-ibmcis
spec:
acme:
# The ACME server URL
server: https://acme-staging-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: [email protected] # REPLACE THIS WITH YOUR EMAIL!!!
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- dns01:
webhook:
groupName: acme.borup.work
solverName: ibmcis
config:
apiKeySecretRef:
name: ibmcis-credentials
key: api-token
cisCRN:
- "crn:v1:bluemix:public:internet-svcs:global:***::"
selector:
dnsZones:
- 'example.com'
- Create a production issuer
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-prod
namespace: cert-manager-webhook-ibmcis
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: [email protected] # REPLACE THIS WITH YOUR EMAIL!!!
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- dns01:
webhook:
groupName: acme.borup.work
solverName: ibmcis
config:
apiKeySecretRef:
name: ibmcis-credentials
key: api-token
cisCRN:
- "crn:v1:bluemix:public:internet-svcs:global:***::"
selector:
dnsZones:
- 'example.com'
Or you can create an ClusterIssuer as below :
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: [email protected] # REPLACE THIS WITH YOUR EMAIL!!!
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- dns01:
webhook:
groupName: acme.borup.work
solverName: ibmcis
config:
apiKeySecretRef:
name: ibmcis-credentials
key: api-token
cisCRN:
- "crn:v1:bluemix:public:internet-svcs:global:***::"
selector:
dnsZones:
- 'example.com'
Then create the certificate which will use this issuer : https://cert-manager.io/docs/usage/certificate/
Create an certification using Issuer as below :
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: example-com
namespace: cert-manager-webhook-ibmcis
spec:
commonName: example.com
dnsNames:
- example.com
- "*.example.com"
issuerRef:
name: letsencrypt-staging
kind: Issuer
secretName: example-com-tls
Or create an certification using ClusterIssuer as below :
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: example-com
spec:
commonName: example.com
dnsNames:
- example.com
- "*.example.com"
issuerRef:
name: letsencrypt-staging
kind: ClusterIssuer
secretName: example-com-tls
- Get certificate
Namespace Issuer
kubectl get secret example-com-tls -n cert-manager-webhook-ibmcis
Cluster Issuer
kubectl get secret example-com-tls
See this.
All DNS providers must run the DNS01 provider conformance testing suite, else they will have undetermined behaviour when used with cert-manager.
It is essential that you configure and run the test suite when creating a DNS01 webhook.
A Go test file for this provider is provided in main_test.go, and has been used for tests (via docker see below section).
Before you can run the test suite, you need to download the test binaries:
mkdir -p __main__/hack
wget -O- https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-1.14.1-linux-amd64.tar.gz | tar xz --strip-components=1 -C __main__/hack
Then modify testdata/ibmcis/config.json
to setup the configs.
Now you can run the test suite with:
TEST_ZONE_NAME=example.com. go test .
#CRN to be used in config.json as cisCRN
#ic resource service-instance borup.work-is -g default --output json | jq .[0].crn
ibmcloud resource service-instance <CIS INSTANCE NAME> -g <RESOURCE GROUP> --output json | jq .[0].crn
docker run -it -v${PWD}:/workspace -w /workspace --env-file .env golang:1.17 /bin/bash
apt update
apt upgrade -y
apt-get install -y bzr
#TEST_ZONE_NAME=example.com. go test .
cat > testdata/ibmcis/config.json <<EOF
{
"cisCRN": [ "crn:v1:bluemix:public:internet-svcs:global:xxxxxxxx::" ]
}
EOF
#export IC_API_KEY=xxxxx
TEST_ZONE_NAME=example.com. go test .