This is an implementation of a Cert-Manager webhook for implementing DNS01 acme verification with TransIP as a DNS provider.
- go >= 1.13.0
- helm >= v3.0.0
- kubernetes >= v1.14.0
- cert-manager >= 0.12.0
Follow the instructions using the cert-manager documentation to install it within your cluster.
helm repo add cert-manager-webhook-transip https://demeester.dev/cert-manager-webhook-transip
# Replace the groupName value with your desired domain
helm install --namespace cert-manager cert-manager-webhook-transip cert-manager-webhook-transip/cert-manager-webhook-transiphelm install --namespace cert-manager cert-manager-webhook-transip charts/cert-manager-webhook-transipNote: The kubernetes resources used to install the Webhook should be deployed within the same namespace as the cert-manager.
To uninstall the webhook run
helm uninstall --namespace cert-manager cert-manager-webhook-transipCreate a ClusterIssuer or Issuer resource as following:
(Keep in Mind that the Example uses the Staging URL from Let's Encrypt. Look at Getting Start for using the normal Let's Encrypt URL.)
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
# The ACME server URL
server: https://acme-staging-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: mail@example.com # REPLACE THIS WITH YOUR EMAIL!!!
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- dns01:
webhook:
groupName: acme.transip.nl
solverName: transip
config:
accountName: your-transip-username
ttl: 300
privateKeySecretRef:
name: transip-secret
key: privateKeyIn order to access the TransIP API, the webhook needs an API token in te form of a private key. You can generate a key pair using the control panel
If you choose another name for the secret than transip-secret, you must install the chart with a modified secretName value. Policies ensure that no other secrets can be read by the webhook. Also modify the value of secretName in the [Cluster]Issuer.
you can create the secret from filename
kubectl -n cert-manager create secret generic transip-credentials --from-file=privateKeyThe secret for the example above will look like this:
apiVersion: v1
kind: Secret
metadata:
name: transip-secret
namespace: cert-manager
type: Opaque
data:
privateKey: your-key-base64-encodedFinally you can create certificates, for example:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: example-cert
namespace: cert-manager
spec:
commonName: example.com
dnsNames:
- example.com
issuerRef:
name: letsencrypt-staging
kind: ClusterIssuer
secretName: example-certAll DNS providers must run the DNS01 provider conformance testing suite, else they will have undetermined behaviour when used with cert-manager.
It is essential that you configure and run the test suite when creating a DNS01 webhook.
First, you need to have an Transip account with a domain name regisred to it. next to an account you also need to generate an api token for it.
Then you need to replace the parameters accountName and privateKey at testdata/cert-manager-webhook-transip/config.json file with actual ones.
You can then run the test suite with:
# then run the tests
TEST_ZONE_NAME=example.com. make testTo build new Docker image for multiple architectures and push it to hub:
docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 -t demeesterdev/cert-manager-webhook-transip:1.2.0 . --pushTo compile and publish new Helm chart version:
helm package charts/cert-manager-webhook-transip
git checkout gh-pages
helm repo index . --url https://demeester.dev/cert-manager-webhook-transip/